The public network is emulated in GNS3, and a VPN carries the traffic between the private networks at the two ends. Put differently: when the VPN is not in effect, the lo1 interfaces (the private networks) of R1 and R2 cannot ping each other.
R1 router configuration
Current configuration : 1503 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ssh break-string
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
crypto isakmp key cisco address 192.168.3.1
!
!
crypto ipsec transform-set benet ah-md5-hmac esp-aes
!
crypto map map1 1 ipsec-isakmp
set peer 192.168.3.1
set transform-set benet
match address 101
!
!
!
!
!
interface Loopback1
ip address 172.16.1.100 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat outside
duplex auto
speed auto
crypto map map1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router rip
version 2
network 192.168.2.0
!
ip nat pool nat-pool 192.168.2.1 192.168.2.1 netmask 255.255.255.0
ip nat inside source list 100 pool nat-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
!
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip host 172.16.1.100 host 172.16.3.100
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
R3 router configuration
Current configuration : 1503 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ssh break-string
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
crypto isakmp key cisco address 192.168.2.1
!
!
crypto ipsec transform-set benet ah-md5-hmac esp-aes
!
crypto map map1 1 ipsec-isakmp
set peer 192.168.2.1
set transform-set benet
match address 101
!
!
!
!
!
interface Loopback1
ip address 172.16.3.100 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat outside
duplex auto
speed auto
crypto map map1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router rip
version 2
network 192.168.3.0
!
ip nat pool nat-pool 192.168.3.1 192.168.3.1 netmask 255.255.255.0
ip nat inside source list 100 pool nat-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
!
access-list 100 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 101 permit ip host 172.16.3.100 host 172.16.1.100
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
R2 router configuration
Current configuration : 836 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ssh break-string
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp enable
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 192.168.2.0
network 192.168.3.0
!
ip classless
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
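The two crypto endpoints above only work together because ACL 101 is mirrored on each side and because ACL 100 denies exactly that flow before the NAT overload permit: IOS translates inside-to-outside traffic before the crypto map is consulted, so without the deny the source becomes the Fa0/0 address, ACL 101 no longer matches, and the private traffic is forwarded unencrypted. The following added check (my own script, not part of the lab or any Cisco tool; it assumes the config excerpts embedded below and the helper names `to_net`, `parse`, `findings`) reads both configs and reports a non-mirrored crypto ACL or a missing NAT exemption:

```python
import ipaddress
import re
# Constructed excerpts (crypto-map, NAT and ACL lines only) of the R1 and R3 configs above, with IOS indentation restored.
R1 = """\
crypto map map1 1 ipsec-isakmp
 match address 101
ip nat inside source list 100 pool nat-pool overload
access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip host 172.16.1.100 host 172.16.3.100
"""
R3 = """\
crypto map map1 1 ipsec-isakmp
 match address 101
ip nat inside source list 100 pool nat-pool overload
access-list 100 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 101 permit ip host 172.16.3.100 host 172.16.1.100
"""
SPEC = r"(any|host \S+|\S+ \S+)"  # one IOS ACL address: any | host A | A wildcard

def to_net(spec):
    """IOS ACL address spec -> ip_network; an IOS wildcard mask is a hostmask in ipaddress terms."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1], strict=False)

def parse(cfg):
    """Return (crypto ACL, NAT ACL) of one router as lists of (action, src, dst)."""
    acls = {}
    for num, act, src, dst in re.findall(rf"^access-list (\d+) (permit|deny) ip {SPEC} {SPEC}$", cfg, re.M):
        acls.setdefault(num, []).append((act, to_net(src), to_net(dst)))
    crypto = re.search(r"^\s*match address (\d+)", cfg, re.M).group(1)
    nat = re.search(r"^ip nat inside source list (\d+)", cfg, re.M).group(1)
    return acls.get(crypto, []), acls.get(nat, [])

def findings(cfg_a, cfg_b):
    """Findings for the two VPN endpoints; an empty list means they are consistent."""
    out = []
    for (crypto_acl, nat_acl), (peer_crypto, _) in ((parse(cfg_a), parse(cfg_b)), (parse(cfg_b), parse(cfg_a))):
        for act, src, dst in crypto_acl:
            if (act, dst, src) not in peer_crypto:
                out.append(f"crypto ACL {src}->{dst} is not mirrored on the peer")
            # First NAT ACL entry matching the flow decides; it must be a deny, or NAT rewrites the source first.
            hit = next((a for a, s, d in nat_acl if src.subnet_of(s) and dst.subnet_of(d)), None)
            if hit != "deny":
                out.append(f"VPN traffic {src}->{dst} is not exempted from NAT")
    return out
```

Running `findings(R1, R3)` on the lab configs returns an empty list; deleting the `deny` line from ACL 100 on either side produces a "not exempted from NAT" finding for the 172.16.1.100/32 to 172.16.3.100/32 flow.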
PS: In the emulator, once the VPN connection has been established, the VPN keeps working even after its connection parameters are broken, for example by changing the shared key or deleting the transform set from the map. GNS3 has to be restarted to tear down the established VPN connection. I don't know whether there is a way to tear down an established VPN connection by hand.