一.概述:
在博客中收到一位朋友的提问,经过电话沟通后,了解到大概情况是:
A.总部有一条专线到合作伙伴
B.合作伙伴侧不方便加回指路由,总部访问合作伙伴时做PAT
C.现在想要分支L2L ×××连接到总部之后,也PAT到合作伙伴
之前是用策略路由的方式将分支到合作伙伴的流量打到loopback口,并配置NAT,后来QQ群里有朋友提出使用GRE over IPSEC的方式,于是打算验证一下。

二.基本思路:
A.如果合作伙伴方便加回指路由,其实只需把合作伙伴当作总部内网即可,不需要配置PAT。
B.分支机构想要×××连接总部之后,再PAT到合作伙伴,则需要在总部路由器上配置loopback口,并且公网接口配置策略路由,将分支到合作伙伴的流量打到loopback,并进行PAT。
----这个已经在上一篇博文中验证过,http://333234.blog.51cto.com/323234/1309446
C.用SVTI的方式,在总部路由器与分支路由器直接建立L2L ×××,并且在总部路由器的tunnel接口和连接合作伙伴的专线接口配置NVI,使得分支去往合作伙伴的流量被PAT。
----因为ASA不支持VTI,所以这种方式如果分支或总部一方用的是ASA防火墙,则不适用
.测试拓扑:
分支机构L2L ××× 到总部再PAT通过专线到合作伙伴(SVTI建立×××)_PAT
四.基本配置:
A.Branch_Inside路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2
B.Branch路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
C.Internet路由器:
interface Ethernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.3 255.255.255.0
no shut
D.Center路由器:
interface Ethernet0/0
ip address 192.168.1.4 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.2.4 255.255.255.0
ip nat outside
no shut
interface Ethernet0/2
ip address 172.16.1.2 255.255.255.252
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
E.Center_Inside路由器:
interface Ethernet0/0
ip address 192.168.1.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4
F.Partner路由器:
interface Loopback0
ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.252
no shut
----注意:没有配置路由
五.总部内网到合作伙伴进行PAT配置:
----在Center总部路由器上配置
A.配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/2
ip nat enable
ip access-list extended Center-to-partner-PAT
permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload
B.验证:
Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open


User Access Verification

Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:42
*130 vty 0 idle 00:00:00
172.16.1.2

Interface User Mode Idle Peer Address

Partner>
六.分支到总部的L2L ×××配置:
----以SVTI的方式建立site-to-site ×××
A.Branch路由器:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
set transform-set transet
interface Tunnel0
ip address 123.1.1.1 255.255.255.0
tunnel source Ethernet0/1
tunnel destination 202.100.2.4
tunnel protection ipsec profile Ipsec_prfile
ip route 160.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
B.Center路由器:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
set transform-set transet
interface Tunnel0
ip address 123.1.1.2 255.255.255.0
tunnel source Ethernet0/1
tunnel destination 202.100.1.2
tunnel protection ipsec profile Ipsec_prfile
ip route 10.1.1.0 255.255.255.0 Tunnel0
C.验证:
Branch_Inside#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#
Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
七.配置分支到合作伙伴的PAT:
-----都是在Center路由器上配置
A.配置PAT:
interface Tunnel0
ip nat enable
interface Ethernet0/2
ip nat enable
ip access-list extended Branch-to-partner
permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Branch-to-partner interface Ethernet0/2 overload
D.验证:
Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open


User Access Verification

Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 09:00:47
*130 vty 0 idle 00:00:00
172.16.1.2

Interface User Mode Idle Peer Address

Partner>