3) Purpose of the experiment
Using the Split Tunneling technique, allow client PCs on the Client-side internal network to access both the Server-side internal network and the WEB server on the Internet at the same time.

4) Configuration and testing of the basic lab environment
In this step we configure basic connectivity and a few basic commands on the routers so that both the Server side and the Client side can reach the Internet WEB server normally, and we verify this with ping.

Basic configuration of EZVPN-Server:
interface serial 1/2
 ip address 220.1.3.2 255.255.255.0
 no shutdown
 exit
interface fastethernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no keepalive
 no shutdown
 exit
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
 ip nat inside
 exit
interface serial 1/2
 ip nat outside
 exit
ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of EZVPN-Client:
interface serial 1/2
 ip address 220.1.1.2 255.255.255.0
 no shutdown
 exit
interface fastethernet 0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
 exit
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
 ip nat inside
 exit
interface serial 1/2
 ip nat outside
 exit
ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of the ISP:
interface serial 1/0
 ip address 220.1.3.1 255.255.255.0
 no shutdown
 exit
interface serial 1/1
 ip address 220.1.1.1 255.255.255.0
 no shutdown
 exit
interface fastethernet 0/0
 ip address 220.1.2.1 255.255.255.0
 no shutdown
 exit
Test on EZVPN-Client (PC):
C:\Documents and Settings\cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=248ms TTL=126
Reply from 220.1.2.2: bytes=32 time=44ms TTL=126
Reply from 220.1.2.2: bytes=32 time=80ms TTL=126
Reply from 220.1.2.2: bytes=32 time=562ms TTL=126
Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 44ms, Maximum = 562ms, Average = 233ms
The result shows that internal users on the Client side can access the Internet WEB server normally through NAT.

Test on EZVPN-Server (VPC):
VPCS 1 >ping 220.1.2.2
220.1.2.2 icmp_seq=1 time=166.000 ms
220.1.2.2 icmp_seq=2 time=208.000 ms
220.1.2.2 icmp_seq=3 time=47.000 ms
220.1.2.2 icmp_seq=4 time=165.000 ms
220.1.2.2 icmp_seq=5 time=147.000 ms
The result shows that internal users on the Server side can access the Internet WEB server normally through NAT.

5) Configuring Easy VPN for Split Tunneling
Configuration of EZVPN-Server (split tunneling not enabled):
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco
aaa new-model
aaa authentication login lab-remote-access local
aaa authorization network vpn-group local
crypto isakmp xauth timeout 30
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 exit
crypto isakmp client configuration group test
 key VPNKEY
 domain cisco.com
 pool Remote-Pool
 exit
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
 exit
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
 exit
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
 crypto map ClientMap
 exit
crypto isakmp keepalive 20 10

Configuration of EZVPN-Client:
crypto ipsec client ezvpn test-Client
 group test key VPNKEY
 peer 220.1.3.2
 mode client
 connect auto
 username cisco password cisco
 xauth userid mode local
 exit
interface serial 1/2
 crypto ipsec client ezvpn test-Client
 exit
interface fastethernet 0/0
 crypto ipsec client ezvpn test-Client inside
 exit
Test on the EZVPN-Client side:
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.200
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2
We can see that the VPN is established successfully. Next we test from the PC:
C:\Documents and Settings\cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

C:\Documents and Settings\cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
At this point we find that the PC inside the Client side can reach neither the Server-side internal network nor the external network. Why? Let us first look at why it cannot reach the external network.
First, on the PC inside the Client side, we trace the packets with the tracert command:
C:\Documents and Settings\cx>tracert 220.1.2.2
Tracing route to 220.1.2.2 over a maximum of 30 hops
  1    13 ms    51 ms    64 ms  192.168.10.1
  2   242 ms   160 ms   107 ms  220.1.3.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
We can see that the next hop toward the external network is 220.1.3.2, which happens to be the Server side's public IP address; the traffic is not taking the normal NAT path. The cause is precisely that split tunneling is not enabled, so the Client router puts every packet into the tunnel. To solve this we add the following commands on the Server-side router to enable split tunneling.
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
 acl 100

The acl 100 line defines the client's split-tunnel list. Note that the source address is always the address range on your internal network that the client needs to reach, and the destination is always any. Because this ACL only takes effect after it is pushed to the client, its sense is reversed there: only traffic from any source to a destination in the 10.1.1.0 network enters the tunnel.

Next, re-establish the VPN connection on the Client side and test.
clear crypto session   (clears the existing VPN connection)
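The reversed reading of the split-tunnel ACL is the part of this lab that is easiest to get wrong, so the following added example (written for this page, not code from the lab or from Cisco) models the forwarding decision the Client router makes for a packet from an inside PC. It parses the ACL line used above, matches it the way the page describes (the ACL's source network against the packet's destination, the ACL's destination against the packet's source) and reports whether the packet enters the tunnel or takes the NAT path. The PC address 192.168.10.2 is constructed for the example; only the router address 192.168.10.1 appears on the page. The model covers path selection only, not whether the far end answers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the split-tunnel ACL the server pushes in this lab.
SPLIT_ACL_LINES = ["access-list 100 permit ip 10.1.1.0 0.0.0.255 any"]


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src_net: Optional[str]       # None means "any"
    src_wild: Optional[str]
    dst_net: Optional[str]
    dst_wild: Optional[str]


def _take_addr(tok: List[str], i: int) -> Tuple[Tuple[Optional[str], Optional[str]], int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return (None, None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ios_acl(lines: List[str]) -> List[AclEntry]:
    """Parse extended IOS ACL lines:
    'access-list N permit|deny ip SRC WILD|any DST WILD|any'."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        entries.append(AclEntry(tok[2], src[0], src[1], dst[0], dst[1]))
    return entries


def wildcard_match(addr: str, net: Optional[str], wild: Optional[str]) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if net is None:                       # "any"
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def client_path(dst: str, src: str, split_acl: Optional[List[AclEntry]]) -> str:
    """Forwarding decision on the EzVPN client for a packet src -> dst.

    With no split ACL everything is tunnelled (what the tracert above shows).
    With a split ACL the entry is applied reversed on the client: the ACL
    source (the server's protected network) is compared with the packet's
    destination and the ACL destination with the packet's source.  A permit
    match enters the tunnel; anything else takes the normal NAT path."""
    if split_acl is None:
        return "tunnel"
    for e in split_acl:
        if wildcard_match(dst, e.src_net, e.src_wild) and wildcard_match(src, e.dst_net, e.dst_wild):
            return "tunnel" if e.action == "permit" else "nat"
    return "nat"


def lab_results() -> dict:
    """Reproduce the two lab states for the Server LAN host and the Internet WEB server."""
    acl = parse_ios_acl(SPLIT_ACL_LINES)
    pc = "192.168.10.2"   # constructed: a PC behind EZVPN-Client's fastethernet 0/0
    return {
        ("no-split", "10.1.1.2"): client_path("10.1.1.2", pc, None),
        ("no-split", "220.1.2.2"): client_path("220.1.2.2", pc, None),
        ("split", "10.1.1.2"): client_path("10.1.1.2", pc, acl),
        ("split", "220.1.2.2"): client_path("220.1.2.2", pc, acl),
    }


if __name__ == "__main__":
    for (mode, dst), path in lab_results().items():
        print(f"{mode:9s} -> {dst:10s} via {path}")
```

Without the ACL the WEB server 220.1.2.2 is sent into the tunnel toward 220.1.3.2, matching the tracert output; with acl 100 pushed, only 10.1.1.0/24 destinations are tunnelled and 220.1.2.2 goes out through NAT on serial 1/2.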
Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth
Because XAUTH authentication is enabled, the username and password must be entered again after the connection is reset.
Use show crypto ipsec client ezvpn to check whether the tunnel is established and whether split tunneling is enabled:
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0