ASA1 and R3 are configured with an IKEv1 L2L (LAN-to-LAN) IPsec VPN so that 150.1.1.1/32 and 150.1.3.3/32 can reach each other,
while 150.1.1.1/32 and 150.1.3.3/32 can still reach the public-network host 150.1.2.2/32 through PAT.
ASA1 configuration
(3DES, SHA-1 and DH group 2 are kept here as in the lab; all three are deprecated, and a production tunnel should use AES-256, SHA-256 and DH group 14 or stronger, preferably with IKEv2.)
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
!
tunnel-group 136.1.23.3 type ipsec-l2l
tunnel-group 136.1.23.3 ipsec-attributes
ikev1 pre-shared-key *****
!
access-list LAN_ACL extended permit ip host 150.1.1.1 host 150.1.3.3
!
crypto ipsec ikev1 transform-set LAN_SET esp-3des esp-sha-hmac
crypto map LAN_MAP 10 match address LAN_ACL
crypto map LAN_MAP 10 set peer 136.1.23.3
crypto map LAN_MAP 10 set ikev1 transform-set LAN_SET
crypto map LAN_MAP interface outside
!
!NAT exemption (bypass) configuration
!
! Object NAT: PAT R1's loopback behind the outside interface address for public-network access
object network R1_LOOPBACK0
host 150.1.1.1
nat (inside,outside) dynamic interface
object network R3_LOOPBACK0
host 150.1.3.3
!
! Manual (twice) NAT identity rule: evaluated before object NAT, so traffic from 150.1.1.1 to 150.1.3.3 keeps its real source address and matches LAN_ACL on the crypto map
nat (inside,outside) source static R1_LOOPBACK0 R1_LOOPBACK0 destination static R3_LOOPBACK0 R3_LOOPBACK0
!
R3 configuration
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp key CISCO address 136.1.122.12
!
ip access-list extended LAN_ACL
permit ip host 150.1.3.3 host 150.1.1.1
!
crypto ipsec transform-set LAN_SET esp-3des esp-sha-hmac
crypto map LAN_MAP 10 ipsec-isakmp
set peer 136.1.122.12
set transform-set LAN_SET
match address LAN_ACL
!
interface FastEthernet0/1
ip address 136.1.23.3 255.255.255.0
crypto map LAN_MAP
!
!NAT exemption (bypass) configuration
!
ip access-list extended NAT_BYPASS
deny ip host 150.1.3.3 host 150.1.1.1
permit ip host 150.1.3.3 any
!
! Traffic to 150.1.1.1 hits the deny first and is left untranslated, so it still matches LAN_ACL on the crypto map; everything else from the loopback is PATed to the Fa0/1 address for public-network access
ip nat inside source list NAT_BYPASS interface FastEthernet0/1 overload
!
interface Loopback0
ip address 150.1.3.3 255.255.255.255
ip nat inside
!
! Same Fa0/1 as above, now also marked as the NAT outside interface
interface FastEthernet0/1
ip address 136.1.23.3 255.255.255.0
ip nat outside
crypto map LAN_MAP
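The two things that most often break a tunnel like this are a crypto ACL that is not the exact mirror image of the peer's (IKE quick mode then fails on proxy IDs) and a NAT rule that translates the VPN traffic before the crypto map sees it. As an added example that is not part of the original post, the Python below parses the ACL lines from both configs (constructed copies embedded inline), checks that ASA1's and R3's crypto ACLs mirror each other, and checks that R3's NAT ACL denies every VPN flow before any permit. It handles only `permit|deny ip <src> <dst>` entries in `host`, `any` and address/mask form (wildcard masks on IOS, subnet masks on ASA); the ASA side's NAT exemption is a twice-NAT statement rather than an ACL and is not parsed.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)

# Constructed copies of the ACLs from the ASA1 and R3 configs above.
ASA_CRYPTO_ACL = ["access-list LAN_ACL extended permit ip host 150.1.1.1 host 150.1.3.3"]
R3_CRYPTO_ACL = ["permit ip host 150.1.3.3 host 150.1.1.1"]
R3_NAT_BYPASS_ACL = [
    "deny ip host 150.1.3.3 host 150.1.1.1",
    "permit ip host 150.1.3.3 any",
]

ANY = ipaddress.ip_network("0.0.0.0/0")


def _address(tokens: List[str], style: str):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    IOS extended ACLs carry wildcard masks, ASA ACLs carry subnet masks."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if style == "ios":  # wildcard -> netmask by inverting all 32 bits
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(lines: List[str], style: str) -> List[Entry]:
    """Parse 'permit|deny ip <src> <dst>' entries; the ASA 'access-list NAME extended'
    prefix is stripped. Only protocol 'ip' is handled, which is all a crypto ACL or
    NAT-exempt ACL should contain."""
    entries: List[Entry] = []
    for line in lines:
        toks = line.split()
        if toks[0] == "access-list":
            toks = toks[3:]
        action, proto, rest = toks[0], toks[1], toks[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL entry: {line}")
        src, rest = _address(rest, style)
        dst, _ = _address(rest, style)
        entries.append((action, src, dst))
    return entries


def crypto_acls_mirror(local: List[Entry], peer: List[Entry]) -> bool:
    """IKEv1 quick mode requires the peer's proxy IDs to be the exact mirror of ours."""
    ours = {(s, d) for a, s, d in local if a == "permit"}
    theirs_flipped = {(d, s) for a, s, d in peer if a == "permit"}
    return ours == theirs_flipped


def nat_exempt_covers(crypto: List[Entry], nat_acl: List[Entry]) -> bool:
    """Each VPN flow must hit a 'deny' in the NAT ACL (first match wins). If the first
    match is a 'permit', the packet is PATed to the outside address and no longer
    matches the crypto ACL, so it leaves in the clear instead of through the tunnel."""
    for _, src, dst in (e for e in crypto if e[0] == "permit"):
        for action, nsrc, ndst in nat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    return False
                break  # denied: left untranslated, as required
        # no matching entry at all is the implicit deny: also untranslated
    return True


def check_this_post() -> dict:
    """Run both checks against the ACLs taken from this post."""
    asa = parse_acl(ASA_CRYPTO_ACL, "asa")
    r3 = parse_acl(R3_CRYPTO_ACL, "ios")
    nat = parse_acl(R3_NAT_BYPASS_ACL, "ios")
    return {
        "crypto_acls_mirror": crypto_acls_mirror(asa, r3),
        "r3_nat_exempt_ok": nat_exempt_covers(r3, nat),
    }


if __name__ == "__main__":
    print(check_this_post())
```

Both checks pass for the ACLs in this post. Swapping the order of the two NAT_BYPASS entries, or widening the crypto ACL on one side only, makes the corresponding check return False, which is exactly the failure that shows up on the devices as an IKE phase 2 proxy-ID mismatch or as cleartext packets leaving Fa0/1.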
Verify the configuration. The first echo from Loopback0 is lost while the IKE and IPsec SAs are negotiated; the ISAKMP SA then sits in QM_IDLE, and the four remaining echoes appear as 4 encrypted and 4 decrypted packets on the IPsec SAs. The ping to 150.1.2.2 from the same loopback confirms that non-VPN traffic is still PATed to the public network.
Rack1R3#ping 150.1.1.1 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/42/48 ms
Rack1R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
136.1.122.12    136.1.23.3      QM_IDLE           1001    0 ACTIVE
Rack1R3#show crypto engine connections active
Crypto Engine Connections
   ID Interface  Type  Algorithm  Encrypt  Decrypt IP-Address
    1 Fa0/1      IPsec 3DES+SHA         0        4 136.1.23.3
    2 Fa0/1      IPsec 3DES+SHA         4        0 136.1.23.3
 1001 Fa0/1      IKE   SHA+3DES         0        0 136.1.23.3
Rack1R3#ping 150.1.2.2 sou lo0 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 20/20/20 ms
See the attached file for the full version.