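Cisco Router Configuration (NAT and IPsec VPN)
Background: because the company network is being expanded, two new routers (Cisco 1800) and one firewall (Cisco ASA) have been purchased.
Requirement: configure NAT and VPN.
The detailed procedure follows.
First, establish basic network connectivity.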
en
conf t
hostname r1
enable sec password
line vty 0 5
password password
login
exit
interface fa0/0
ip addr 202.104.66.117 255.255.255.248
duplex full
speed 100
no shut
interface fastethernet0/1
ip address 192.168.1.253 255.255.255.0
duplex full
speed 100
no shutdown
exit
ip route 192.168.5.0 255.255.255.0 192.168.1.1
ip route 192.168.9.0 255.255.255.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 202.104.66.10
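------------> After the basic configuration is complete, test network connectivity; if there are no problems, continue to the next step and configure NAT.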
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface fastethernet0/0 overload
ip nat inside source static udp 192.168.1.10 1198 202.104.66.117 1198
ip nat inside source static udp 192.168.1.108 8091 202.104.66.117 8091
ip nat inside source static tcp 192.168.1.108 3307 202.104.66.117 3307
ip nat inside source static tcp 192.168.1.111 8010 202.104.66.117 8010
ip nat inside source static tcp 192.168.1.46 80 202.104.66.117 80
ip nat inside source static tcp 192.168.1.220 3690 202.104.66.117 3690
ip nat inside source static tcp 192.168.1.230 8181 202.104.66.117 8181
-----------> After the NAT configuration is complete, apply NAT to the interfaces.
interface fa0/0
ip nat outside
exit
interface fa0/1
ip nat inside
---------------> The following is the IPsec VPN configuration.
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key password address 202.104.66.118
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
crypto ipsec transform-set cf ah-sha-hmac esp-des
mode tunnel
exit
crypto map test 1 ipsec-isakmp
set peer 202.104.66.118
set transform-set cf
match address 100
--------------> After configuring the map, apply it to the external (WAN) interface.
interface fa0/0
crypto map test
end
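An added example, not part of the original post: a small Python check run over an excerpt of the configuration above. It reports the DES/3DES algorithms in the ISAKMP policy and transform set, and the fact that NAT list 1 (a standard ACL, which cannot exempt by destination) translates the same 192.168.1.0/24 traffic that crypto ACL 100 selects for the tunnel. The function names and the WEAK list are this example's own assumptions, and only address/wildcard ACL entries are handled.

```python
import ipaddress
import re

# Excerpt of the router configuration shown on this page.
SAMPLE = """\
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface fastethernet0/0 overload
crypto isakmp policy 1
 encr 3des
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
crypto ipsec transform-set cf ah-sha-hmac esp-des
crypto map test 1 ipsec-isakmp
 match address 100
"""

# Assumption of this example: algorithm keywords treated as weak.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}

def net(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (contiguous wildcards only)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings for weak IPsec algorithms and NAT applied to VPN traffic."""
    findings, std_acl, ext_acl, nat_lists, crypto_acls = [], {}, {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line):
            std_acl.setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.fullmatch(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            ext_acl.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_lists.append(m[1])
        elif m := re.fullmatch(r"match address (\S+)", line):
            crypto_acls.append(m[1])
        elif tok and (tok[0] in ("encr", "encryption", "hash")
                      or tok[:3] == ["crypto", "ipsec", "transform-set"]):
            algos = tok[4:] if tok[0] == "crypto" else tok[1:]
            findings += [f"weak algorithm {a}: {line}" for a in algos if a in WEAK]
    # IOS translates inside-to-outside traffic before the crypto map check, so a
    # standard-ACL NAT list covering the crypto ACL's source breaks the match.
    for nat in nat_lists:
        for acl in crypto_acls:
            for src, dst in ext_acl.get(acl, []):
                if any(n.overlaps(src) for n in std_acl.get(nat, [])):
                    findings.append(f"NAT list {nat} also translates {src} -> {dst} (crypto ACL {acl})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On IOS the usual remedy for the NAT finding is to drive the overload rule from an extended ACL that denies 192.168.1.0/24 to 192.168.5.0/24 before permitting the remaining traffic.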
This article comes from the “小白” blog; please be sure to keep this source link: http://9402618.blog.51cto.com/9392618/1586599