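dynamic-VPN (Part 7)
阿新 • Published: 2020-10-14
VPNs are widely used and very flexible, so we need to build different solutions for different requirements.
For example: if a branch office's IP address is not fixed, changes frequently, or is unpredictable for some other reason, and I still need to establish an IPsec connection with headquarters, how can this be solved?
【Topology】
【Steps】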
R1:
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 1000
!
crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto dynamic-map mymap 10
set transform-set tt
match address 100
!
crypto map cisco 1 ipsec-isakmp dynamic mymap
! add the dynamic map to the regular crypto map set
!
interface Tunnel1
ip address 10.0.0.2 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.102.2
!
!
interface Tunnel2
ip address 10.0.1.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.101.2
!
!
interface FastEthernet0/0
ip address 1.1.1.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 202.102.100.2 255.255.255.252
crypto map cisco
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 3.3.3.0 255.255.255.0 10.0.0.1
ip route 2.2.2.0 255.255.255.0 10.0.1.2
!
access-list 100 permit ip host 202.102.100.2 any
!
R2:
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 1000
!
crypto isakmp key cisco address 202.102.100.2
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 202.102.100.2
set transform-set tt
match address 100
!
access-list 100 permit ip host 202.102.101.2 host 202.102.100.2
! pay close attention to the following two routes
ip route 1.1.1.0 255.255.255.0 10.0.1.1
ip route 3.3.3.0 255.255.255.0 10.0.1.1
!
interface Tunnel2
ip address 10.0.1.2 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.100.2
!
!
interface FastEthernet0/0
ip address 2.2.2.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 202.102.101.2 255.255.255.252
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 1.1.1.0 255.255.255.0 10.0.1.1
ip route 3.3.3.0 255.255.255.0 10.0.1.1
!
R3:
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 1000
!
crypto isakmp key cisco address 202.102.100.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 202.102.100.2
set transform-set tt
match address 100
!
access-list 100 permit ip host 202.102.102.2 host 202.102.100.2
! pay close attention to the following two routes
ip route 1.1.1.0 255.255.255.0 10.0.0.2
ip route 2.2.2.0 255.255.255.0 10.0.0.2
!
interface Tunnel1
ip address 10.0.0.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.100.2
!
!
interface FastEthernet0/0
ip address 3.3.3.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 202.102.102.2 255.255.255.252
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 1.1.1.0 255.255.255.0 10.0.0.2
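ip route 2.2.2.0 255.255.255.0 10.0.0.2
【Test】
【Notes】
There may still be a few errors! You can try it out first.
What differs from the earlier posts is R1's configuration: create the dynamic VPN map, then add it to the regular crypto map set!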
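An audit of the R1 crypto settings above, as an added example that is not part of the original post: this Python script parses IOS crypto lines and flags an MD5 IKE hash, an ISAKMP policy with no explicit encryption line, a transform set that carries no ESP cipher (AH only), and a short pre-shared key. The finding names, the `MIN_PSK_LEN` threshold and the statement that classic IOS falls back to DES when no encryption is configured are assumptions of this example.

```python
# Constructed input: R1's crypto lines, copied from the configuration on this page.
R1_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 1000
crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
crypto ipsec transform-set tt ah-sha-hmac
crypto dynamic-map mymap 10
 set transform-set tt
 match address 100
crypto map cisco 1 ipsec-isakmp dynamic mymap
"""

MIN_PSK_LEN = 20  # assumed local policy threshold, not a Cisco limit


def audit_ios_crypto(config):
    """Return sorted finding codes for weak IKE/IPsec settings in an IOS config."""
    findings, policies, current = set(), {}, None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if not words:
            continue
        if line.startswith("crypto isakmp policy "):
            current = policies.setdefault(words[3], [])  # start a policy block
            continue
        if line == "!" or line.startswith("crypto "):
            current = None  # a separator or another crypto command ends the block
        elif current is not None:
            current.append(words)  # sub-command of the current ISAKMP policy
        if line.startswith("crypto isakmp key ") and len(words[3]) < MIN_PSK_LEN:
            findings.add("psk-weak")
        elif line.startswith("crypto ipsec transform-set "):
            # Keep only ESP ciphers; AH and esp-*-hmac give integrity, not secrecy.
            ciphers = [t for t in words[4:] if t.startswith("esp-")
                       and not t.endswith("-hmac") and t != "esp-null"]
            if not ciphers:
                findings.add("ipsec-no-encryption")
    for body in policies.values():
        if ["hash", "md5"] in body:
            findings.add("ike-hash-md5")
        if not any(w[0].startswith("encr") for w in body):
            findings.add("ike-encryption-default")  # assumed: classic IOS uses DES
    return sorted(findings)


if __name__ == "__main__":
    print(audit_ios_crypto(R1_CONFIG))
```

All four findings fire on R1 as written. Because `ah-sha-hmac` only authenticates packets, the GRE traffic between the sites crosses the WAN unencrypted until an ESP cipher is added to the transform set.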