Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.201
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 10.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 220.1.3.2
We can see that the tunnel is established and split tunneling is enabled. Now let's test from the PC on the Client side.

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:

Reply from 220.1.2.2: bytes=32 time=361ms TTL=126
Reply from 220.1.2.2: bytes=32 time=102ms TTL=126
Reply from 220.1.2.2: bytes=32 time=43ms TTL=126
Reply from 220.1.2.2: bytes=32 time=305ms TTL=126

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 361ms, Average = 202ms

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The test results show that we have solved the Internet access problem, but why can we still not reach the Server side's internal network? On the Client we run show ip nat translation:

EZVPN-Client#show ip nat translation
Pro  Inside global       Inside local        Outside local       Outside global
icmp 172.16.1.201:512    192.168.10.2:512    10.1.1.2:512        10.1.1.2:512

From the show output we see that when we send packets toward the 10.1.1.0 segment, the Client router performs PAT. This matches exactly what we discussed earlier: in client mode the EZVPN-Client automatically creates a loopback interface, and when a user needs to reach hosts behind the EZVPN-Server, the EZVPN-Client automatically uses the loopback interface's address for PAT. So traffic toward the 10 network is fine on our side. Is the problem on the Server side, then? Is the Client-side PC unable to reach the Server's internal network because the Server cannot send the packets back properly? Let's first check whether the Server-side routing is OK:

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    220.1.3.0/24 is directly connected, Serial1/2
     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.201 [1/0] via 220.1.1.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2
We find that the route to the 172.16.1.0 segment exists, so routing is fine. Where is the problem, then? Recall the Server-side configuration: to let the Server-side internal hosts reach the Internet, we configured NAT on the Server router with the following commands:

access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload

Access list 1 says that every host with a source address in 10.1.1.0 must be translated on the way out. That means when a Server-side internal host replies to a host in the 172.16.1.0 segment, the reply packet entering the Server router meets the translation condition and therefore can no longer be sent back to the 172.16.1.0 host. How do we solve this? My solution is to modify access list 1: first remove access list 1, then define extended access list 111, which specifies that packets from source 10.1.1.0 to destination 172.16.1.0 must not be NAT translated while all other packets are translated. The commands are:

no access-list 1
no ip nat inside source list 1 interface serial 1/2 overload
access-list 111 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface serial 1/2 overload
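As an added illustration (not part of the original lab), the Python below models how EZVPN-Server evaluates its NAT ACL for the reply packet from 10.1.1.2 to the client's loopback address 172.16.1.201, once under the old standard access-list 1 and once under the new extended access-list 111. It assumes the IOS order of operations for inside-to-outside traffic, where NAT runs before the crypto check, so a translated reply no longer matches the tunnel; the function names and the packet dictionary are my own.

```python
import ipaddress

# Constructed model of IOS ACL matching (not the router's code): a 0 bit in
# the wildcard mask must match, a 1 bit is ignored.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Return True if addr matches base under an IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Each entry: (action, src, src_wildcard, dst, dst_wildcard).
# dst is None for a standard ACL, which only inspects the source address.
OLD_NAT_ACL = [  # access-list 1 permit 10.1.1.0 0.0.0.255
    ("permit", "10.1.1.0", "0.0.0.255", None, None),
]
NEW_NAT_ACL = [  # access-list 111 from the lab, in order
    ("deny", "10.1.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, s_wc, d, d_wc in acl:
        if not wildcard_match(src, s, s_wc):
            continue
        if d is not None and not wildcard_match(dst, d, d_wc):
            continue
        return action == "permit"
    return False


def reply_path(acl, src="10.1.1.2", dst="172.16.1.201", outside_ip="220.1.3.2"):
    """Simulate the server's inside-to-outside handling of a reply packet.
    NAT is applied before the crypto check (assumed IOS ordering), so a
    packet the NAT ACL permits leaves with the Serial1/2 address and is no
    longer traffic from 10.1.1.0/24 to the client, hence never enters the tunnel."""
    if acl_permits(acl, src, dst):
        return {"src": outside_ip, "dst": dst, "via_tunnel": False}
    return {"src": src, "dst": dst, "via_tunnel": True}
```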
After changing the configuration and resetting the VPN connection, we test again from the Client-side PC.

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 344ms, Average = 293ms

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:

Reply from 220.1.2.2: bytes=32 time=340ms TTL=126
Reply from 220.1.2.2: bytes=32 time=161ms TTL=126
Reply from 220.1.2.2: bytes=32 time=159ms TTL=126
Reply from 220.1.2.2: bytes=32 time=268ms TTL=126

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 159ms, Maximum = 340ms, Average = 232ms
Now we can reach both the Server's internal network and the Internet. Ha, the experiment is done!

6) Experiment extension

Using the same lab platform, let's look at split tunneling with Easy VPN Remote in network-extension mode.
EZVPN-Server configuration (again without split tunneling enabled at first):

interface serial 1/2
 ip address 220.1.3.2 255.255.255.0
 no shutdown
 exit
interface fastethernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no keepalive
 no shutdown
 exit
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
 ip nat inside
 exit
interface serial 1/2
 ip nat outside
 exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco
aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
aaa authorization network vpn-group local
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 exit
crypto isakmp client configuration group test
 key VPNKEY
 domain cisco.com
 pool Remote-Pool
 exit
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
 exit
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
 exit
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
 crypto map ClientMap
 exit
crypto isakmp keepalive 20 10

EZVPN-Client configuration:

interface serial 1/2
 ip address 220.1.1.2 255.255.255.0
 no shutdown
 exit
interface fastethernet 0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
 exit
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
 ip nat inside
 exit
interface serial 1/2
 ip nat outside
 exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
crypto ipsec client ezvpn test-Client
 group test key VPNKEY
 peer 220.1.3.2
 mode network-extension
 connect auto
 username cisco password cisco
 xauth userid mode local
 exit
interface serial 1/2
 crypto ipsec client ezvpn test-Client
 exit
interface fastethernet 0/0
 crypto ipsec client ezvpn test-Client inside
 exit
ISP configuration:

interface serial 1/0
 ip address 220.1.3.1 255.255.255.0
 no shutdown
 exit
interface serial 1/1
 ip address 220.1.1.1 255.255.255.0
 no shutdown
 exit
interface fastethernet 0/0
 ip address 220.1.2.1 255.255.255.0
 no shutdown
 exit
Next, check the VPN status on the Client router.

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2

View the routing table on the Server side.

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0