Configuring virtual users for vsftpd on CentOS 5.5
Background: when FTP local users are Linux system accounts, there is a security risk: someone with bad intentions can use such an account to log in to the system itself and cause damage. Therefore, when configuring the FTP server, we have clients log in with virtual users for uploading and downloading.
 
Lab environment: 1. Server: CentOS 5.5
                 2. Client: Windows XP SP3
                 3. Software: vsftpd-2.0.5-16.el5_4.1
Lab steps:
1. Create the virtual user password file
[root@ linux ~]#vi vu_li..
Following the previous post on router EzVPN, the lab below simulates a remote-access VPN on an ASA firewall. Remote mobile users connect to the headquarters intranet through the Cisco VPN Client to access resources. Topology:

Lab configuration:
R1>en
R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#int e1/0
R1(config-if)#no sh
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#
R1(config-if)#end
R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R1(config)#
R1(config)#end
R1#
=========================Firewall====================================
lwmfw# conf t
lwmfw(config)#
lwmfw(config)# int e0/0
lwmfw(config-if)# no sh
lwmfw(config-if)# security-level 100
lwmfw(config-if)# nameif inside
lwmfw(config-if)# ip add 192.168.1.2 255.255.255.0
lwmfw(config-if)# int e0/1
lwmfw(config-if)# no sh
lwmfw(config-if)# security-level 0
lwmfw(config-if)# nameif outside
lwmfw(config-if)# ip add 118.97.225.242 255.255.255.252
lwmfw(config-if)# end

lwmfw(config)# host lwmfw
lwmfw(config)# access-list 101 permit icmp any any
lwmfw(config)# access-list 101 permit ip any any
lwmfw(config)# access-group 101 in interface outside
lwmfw(config)# route outside 0.0.0.0 0.0.0.0 118.97.225.241
lwmfw(config)# route inside 172.16.16.0 255.255.255.0 192.168.1.1
lwmfw(config)# crypto isakmp policy 10
lwmfw(config-isakmp-policy)# authentication pre
lwmfw(config-isakmp-policy)# en 3des
lwmfw(config-isakmp-policy)# hash sha
lwmfw(config-isakmp-policy)# group 2
lwmfw(config-isakmp-policy)# exit
lwmfw(config)# crypto ipsec transform-set myset esp-3des esp-sha-hmac
lwmfw(config)# crypto dynamic-map liwenming 10 set transform-set myset
lwmfw(config)# crypto map liwenming1 20 ipsec-isakmp dynamic liwenming
lwmfw(config)# crypto isakmp enable outside
lwmfw(config)# crypto map liwenming1 interface outside
lwmfw(config)# ip local pool remotevpn 192.168.100.100-192.168.100.200
lwmfw(config)# access-list split_tunnel_list extended permit ip 172.16.16.0 255.255.255.0 any   -- split-tunnel network list
Configure the user group policy
lwmfw(config)# group-policy limingya internal
lwmfw(config)# group-policy limingya attributes
lwmfw(config-group-policy)# address-pools value remotevpn
lwmfw(config-group-policy)# dns-server value 202.103.24.68
lwmfw(config-group-policy)# split-tunnel-policy tunnelspecified
lwmfw(config-group-policy)# split-tunnel-network-list value split_tunnel_list
Configure the tunnel group
lwmfw(config-group-policy)# tunnel-group limingya1 type ipsec-ra
lwmfw(config)# tunnel-group limingya1 general-attributes
lwmfw(config-tunnel-general)# default-group-policy limingya
lwmfw(config-tunnel-general)# exit
lwmfw(config)# tunnel-group limingya1 ipsec-attributes
lwmfw(config-tunnel-ipsec)# pre-shared-key limingya1
lwmfw(config-tunnel-ipsec)# exit
Create the remote username and password
lwmfw(config)# username liwenming password liwenming
lwmfw(config)# end
lwmfw#
NAT and access control
lwmfw(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
lwmfw(config)# access-list 102 extended permit ip host 172.16.16.2 any
lwmfw(config)# nat (inside) 1 access-list 102   -- NAT for the hosts matched by ACL 102
NAT exemption for VPN traffic
lwmfw(config)# access-list nonat extended permit ip 172.16.16.0 255.255.255.0 192.168.100.0 255.255.255.0
lwmfw(config)# nat (inside) 0 access-list nonat
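As an added example (not code from the original post), the following Python models how the firewall's NAT exemption and the client's split-tunnel list interact for the lab's addresses: ACL 102 selects hosts for PAT behind the outside address, and the nonat ACL (applied with nat (inside) 0, which takes precedence over the other NAT rules) keeps inside-to-pool traffic untranslated so it still matches the IPsec proxy identities. The VPN pool is assumed to be the 192.168.100.0/24 that the nonat ACL names, and `nat_exemption=False` shows what happens when the nonat line is left out.

```python
# Added example (not from the original post): a model of the ASA NAT decision
# for inside -> outside traffic in the lab above, using the lab's own ACLs.
import ipaddress
from typing import List, Tuple

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]   # permit entry: (source, destination)


def ace(src: str, dst: str = "0.0.0.0/0") -> Ace:
    """Build one permit entry; 'any' is represented as 0.0.0.0/0."""
    return ipaddress.ip_network(src, strict=False), ipaddress.ip_network(dst, strict=False)


# Values taken from the firewall configuration above
OUTSIDE_ADDR = "118.97.225.242"                              # global (outside) 1 interface
ACL_102 = [ace("172.16.16.2/32")]                            # access-list 102 ... host 172.16.16.2 any
ACL_NONAT = [ace("172.16.16.0/24", "192.168.100.0/24")]      # access-list nonat ...
SPLIT_TUNNEL = [ipaddress.ip_network("172.16.16.0/24")]      # access-list split_tunnel_list
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")          # assumed: ip local pool remotevpn rounded to the /24


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """Match order does not matter here because every entry is a permit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a_src and d in a_dst for a_src, a_dst in acl)


def nat_decision(src: str, dst: str, nat_exemption: bool = True) -> Tuple[str, str]:
    """Return (action, source address as seen on the wire) for a packet leaving inside.

    nat_exemption=False models forgetting the 'nat (inside) 0 access-list nonat' line.
    """
    if nat_exemption and acl_permits(ACL_NONAT, src, dst):
        return "exempt", src             # nat 0: forwarded untranslated
    if acl_permits(ACL_102, src, dst):
        return "pat", OUTSIDE_ADDR       # nat (inside) 1 -> global (outside) 1 interface
    return "no-rule", src                # no NAT rule matched; what happens next depends on nat-control (not modelled)


def enters_tunnel(src: str, dst: str, nat_exemption: bool = True) -> bool:
    """The remote-access SA protects a packet only if, after NAT, it still matches the
    proxy identities: a split-tunnel network on the inside <-> a VPN pool address."""
    _, wire_src = nat_decision(src, dst, nat_exemption)
    s, d = ipaddress.ip_address(wire_src), ipaddress.ip_address(dst)
    return any(s in n for n in SPLIT_TUNNEL) and d in VPN_POOL


def client_route(dst: str) -> str:
    """Split tunnelling on the VPN client: only split_tunnel_list destinations enter the tunnel."""
    d = ipaddress.ip_address(dst)
    return "tunnel" if any(d in n for n in SPLIT_TUNNEL) else "clear"
```

Without the exemption, a reply from 172.16.16.2 to a connected client is PATed to 118.97.225.242, no longer matches the SA, and is sent in the clear toward the Internet instead of into the tunnel.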
======================================R2=========================================
R2#conf t
R2(config)#
R2(config)#int e1/1
R2(config-if)#no sh
R2(config-if)#ip add 202.1.1.1 255.255.255.0
R2(config-if)#int lo 0
R2(config-if)#no sh
R2(config-if)#ip add 2.2.2.2 255.255.255.0   -- loopback configured to simulate an Internet host for testing
R2(config-if)#end
R2#
 
Remote client connection test:


In this lab, to make the router support SSL VPN, the SSL-VPN-Client package must be uploaded to and installed on the router. That is the prerequisite for simulating the SSL VPN security technology; the SSL VPN configuration itself is covered in the next lab.
 

Before uploading and installing the SSL VPN client, set up a TFTP server; this lab uses Cisco TFTP Server 1.1. Test connectivity between the router and the TFTP server:
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/36 ms
R1#
The router and the TFTP server communicate successfully; next, upload the SSL VPN client.

Format disk0: to free space for the uploaded file
R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:".  Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
.....................................................................................................................................................
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 130883
Format: Total bytes in formatted partition: 67012096
Format: Operation completed successfully.
Format of disk0 comple

Upload the SSL VPN client
R1#copy tftp: disk0:
Address or name of remote host []? 192.168.1.2
Source filename []? sslclient.pkg
Destination filename [sslclient.pkg]?
Accessing tftp://192.168.1.2/sslclient.pkg...
Loading sslclient.pkg from 192.168.1.2 (via FastEthernet1/0): !!!!!!!!!
[OK - 2208871 bytes]
2208871 bytes copied in 56.880 secs (38834 bytes/sec)

Install the SSL VPN client
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#webvpn install svc disk0:/sslclient.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
R1(config)#
The SSL VPN client was uploaded and installed successfully; this router now supports SSL VPN.
In medium and large enterprises, business needs often require employees to travel for long periods or, for various reasons, to work from home. At the same time they want to reach headquarters resources at any time, with the data kept confidential in transit and protected from interception and tampering by third parties. These considerations lead to a security technology in wide use today: EzVPN (based on IPsec VPN). Each remote user connects to headquarters through the Cisco VPN Client dial-in software, receives a policy pushed according to the user's group, and accesses company resources.
Lab topology:

 
R1>en
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line con 0
R1(config-line)#no exec-t
R1(config-line)#exit
R1(config)#host r1
r1(config)#int f0/0
r1(config-if)#no sh
r1(config-if)#ip add 192.168.1.1 255.255.255.0
r1(config-if)#exit
r1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
r1(config)#
r1(config)#
r1(config)#int lo 0
r1(config-if)#no sh
r1(config-if)#ip add 1.1.1.1 255.255.255.0
r1(config-if)#end
r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#
r1(config-if)#line vty 0 15
r1(config-line)#password cisco
r1(config-line)#login
r1(config-line)#end
r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#end
r1#conf t
r1(config)#enable secret cisco
r1(config)#end
=================================R2===================================
R2>en
R2#conf t
R2(config)#line con 0
R2(config-line)#no exec-t
R2(config-line)#exit
R2(config)#host r2
r2(config)#
r2(config)#
r2(config)#int f0/0
r2(config-if)#no sh
r2(config-if)#ip add 192.168.1.2 255.255.255.0
r2(config-if)#int f1/0
r2(config-if)#no sh
r2(config-if)#ip add 23.23.23.2 255.255.255.0
r2(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.3
r2(config)#aaa new-model
r2(config)#aaa authentication login vpn local group radius   -- define local-database authentication
r2(config)#aaa authorization network ezvpn local group radius
r2(config)#username liwenming password liwenming   -- create the remote VPN username and password
r2(config)#crypto isakmp policy 10   -- configure the IKE policy
r2(config-isakmp)#en 3des
r2(config-isakmp)#hash sha
r2(config-isakmp)#authentication pre-share
r2(config-isakmp)#group 2
r2(config-isakmp)#exit
r2(config)#ip local pool Ezvpn 192.168.2.1 192.168.2.200   -- address pool handed out to remote dial-in clients
r2(config)#crypto isakmp client configuration group remotevpn   -- remote client group policy
r2(config-isakmp-group)#key liwenming
r2(config-isakmp-group)#dns 202.196.209.133
r2(config-isakmp-group)#pool Ezvpn
r2(config-isakmp-group)#domain linweming.com
r2(config-isakmp-group)#exit
r2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
r2(cfg-crypto-trans)#exit
r2(config)#crypto dynamic-map mymap 1
r2(config-crypto-map)#reverse-route
r2(config-crypto-map)#set transform-set myset
r2(config-crypto-map)#exit
r2(config)#crypto map newmap client configuration add respond
r2(config)#crypto map newmap client authentication list vpn   -- the crypto map references the authentication list defined above
r2(config)#crypto map newmap isakmp authorization list ezvpn   -- the crypto map references the authorization list defined above
r2(config)#crypto map newmap 1 ipsec-isakmp dynamic mymap
r2(config)#int f1/0
r2(config-if)#crypto map newmap
r2(config-if)#
*Mar  1 01:06:35.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
r2(config-if)#exit
r2(config)#end
r2#
r2(config)#
r2(config)#aaa authorization network ezvpn group radius
r2(config)#ip route 1.1.1.1 255.255.255.255 192.168.1.1
r2(config)#end
r2(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 any   -- define split tunnelling
r2(config)#access-list 101 permit ip host 1.1.1.1 any
r2(config)#crypto isakmp client configuration group remotevpn
r2(config-isakmp-group)#acl 101
r2(config-isakmp-group)#end
===============================Internet==================================
R3>en
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#line con 0
R3(config-line)#no exec-t
R3(config-line)#exit
r3(config)#host Internet
Internet(config)#int f0/0
Internet(config-if)#no sh
Internet(config-if)#ip add 23.23.23.3 255.255.255.0
Internet(config)#int f1/0
Internet(config-if)#no sh
Internet(config-if)#ip add 34.34.34.3 255.255.255.0
Internet(config-if)#int lo 0
Internet(config-if)#no sh
Internet(config-if)#ip add 3.3.3.3 255.255.255.0
Internet(config-if)#end
=============================r4=============================================
R4>en
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#line con 0
R4(config-line)#no exec-t
R4(config-line)#exit
R4(config)#host r4
r4(config)#int f0/0
r4(config-if)#no sh
r4(config-if)#ip add 34.34.34.4 255.255.255.0
r4(config-if)#int f1/0
r4(config-if)#no sh
r4(config-if)#ip add 45.45.45.4 255.255.255.0
r4(config-if)#exit
r4(config)#ip route 0.0.0.0 0.0.0.0 34.34.34.3
r4(config)#service dhcp
r4(config)#ip dhcp pool Ezvpn
r4(dhcp-config)#network 45.45.45.0 255.255.255.0
r4(dhcp-config)#default-router 45.45.45.4
r4(dhcp-config)#dns-server 202.103.24.68 202.103.44.150
r4(dhcp-config)#exit
r4(config)#ip dhcp excluded-address 45.45.45.4
r4(config)#end
r4(config)#access-list 1 permit any
r4(config)#ip nat inside source list 1 int f0/0 overload
r4(config-if)#int f0/0
r4(config-if)#ip nat outside
r4(config-if)#int f1/0
r4(config-if)#ip nat inside

Lab testing:
On the PC, connect to headquarters with the Cisco VPN Client

Connect to 23.23.23.2
Successfully connected to the EzVPN server
 
Suppose a large company has dozens of subsidiaries in China, and the subsidiaries' LANs need to communicate with the head office intranet. You are asked to design the VPN network between the subsidiaries and the head office, and they also want dynamic routing between head office and branches. This leads to Dynamic Multipoint VPN (DMVPN).
DMVPN is built on the following two technologies:
1. multipoint GRE (mGRE)
2. Next Hop Resolution Protocol (NHRP)
In mGRE, the core router is called the Hub, and the branch routers are called s..
2012-03-23 12:43:10

 
 
We now use the topology in the figure above to demonstrate Dynamic p2p GRE over IPsec. The figure shows two company networks, Shanghai and Wuhan. Shanghai needs VPN connectivity to the Wuhan network, and the two sides must exchange their internal subnets through the dynamic routing protocol EIGRP, so we build a p2p GRE tunnel between the two routers and then use p2p GRE over IPsec to protect the data in the tunnel. However, the Wuhan router's Internet-facing interface has no fixed public IP address; it obtains its address dynamically via DHCP, which complicates building the GRE tunnel. We therefore configure Dynamic p2p GRE over IPsec to solve this problem.
Configuration steps:
R1
en
conf t
line con 0
no exec-t
exit
host R1
int f0/0
no sh
ip add 192.168.1.1 255.255.255.0
end
====================R2============================
en
conf t
line con 0
no exec-t
exit
host R2
int f0/0
no sh
ip add 192.168.1.2 255.255.255.0
int f1/0
no sh
ip add 23.23.23.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 23.23.23.3
interface Tunnel2
no sh
ip address 1.1.1.2 255.255.255.0
tunnel source 23.23.23.2
tunnel destination 4.4.4.4
exit
Dynamic VPN configuration
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 86400
R2(config)#crypto isakmp key 6 dvpn add 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(config)#crypto dynamic-map mymap 10
R2(config-crypto-map)#set transform-set myset
R2(config)#crypto map mymap1 10 ipsec-isakmp dynamic mymap
R2(config)#crypto map mymap1 local-address f1/0
R2(config)#int f1/0
R2(config-if)#crypto map mymap1
R2(config)#router eigrp 100
R2(config-router)#no au
R2(config-router)#net 1.1.1.2 0.0.0.0
R2(config-router)#net 192.168.1.2 0.0.0.0
R2(config-router)#exit
=====================Internet==========================
en
conf t
line con 0
no exec-t
exit
host Internet
int f0/0
no sh
ip add 23.23.23.3 255.255.255.0
int f1/0
no sh
ip add 34.34.34.3 255.255.255.0
Internet(config)#service dhcp
Internet(config)#ip dhcp pool TEL
Internet(dhcp-config)#network 34.34.34.0 255.255.255.0
Internet(dhcp-config)#default-router 34.34.34.3
Internet(dhcp-config)#exit
Internet(config)#ip dhcp excluded-address 34.34.34.3
Internet(config)#end
======================R4================================
en
conf t
line con 0
no exec-t
exit
host R4
int f1/0
no sh
ip add dhcp
int f0/0
no sh
ip add 192.168.2.4 255.255.255.0
int lo 0
no sh
ip add 4.4.4.4 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 34.34.34.3
interface Tunnel4
no sh
ip address 1.1.1.4 255.255.255.0
tunnel source lo 0
tunnel destination 23.23.23.2
exit
ip route 192.168.1.0 255.255.255.0 Tunnel4
Static VPN configuration
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#hash sha
R4(config-isakmp)#group 2
R4(config-isakmp)#lifetime 86400
R4(config-isakmp)#exit
R4(config)#
R4(config)#crypto isakmp key 6 dvpn address 23.23.23.2
R4(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#access-list 100 permit gre host 4.4.4.4 host 23.23.23.2
R4(config)#crypto map mymap1 10 ipsec-isakmp
R4(config-crypto-map)#set peer 23.23.23.2
R4(config-crypto-map)#set transform-set myset
R4(config-crypto-map)#match ip add 100
R4(config-crypto-map)#exit
R4(config)#crypto map mymap1 local-address f0/0
R4(config)#int f0/0
R4(config-if)#crypto map mymap1
R4(config-if)#exit
R4(config)#router eigrp 100
R4(config-router)#no au
R4(config-router)#net 1.1.1.4 0.0.0.0
R4(config-router)#net 192.168.2.4 0.0.0.0
R4(config-router)#exit
===========================R5==============================
en
conf t
line con 0
no exec-t
exit
host R5
int f0/0
no sh
ip add 192.168.2.5 255.255.255.0
 
Lab testing:
R2#sh ip int tunnel 2
Tunnel2 is up, line protocol is up
  Internet address is 1.1.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
R4#sh ip int tunnel 4
Tunnel4 is up, line protocol is up
  Internet address is 1.1.1.4/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
R2#sh crypto isakmp peers
Peer: 34.34.34.1 Port: 500 Local: 23.23.23.2
 Phase1 id: 34.34.34.1
R2#sh crypto ipsec sa
interface: FastEthernet1/0
    Crypto map tag: mymap1, local addr 23.23.23.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 34.34.34.1 port 500
     PERMIT, flags={}
    #pkts encaps: 373, #pkts encrypt: 373, #pkts digest: 373
    #pkts decaps: 331, #pkts decrypt: 331, #pkts verify: 331
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 23.23.23.2, remote crypto endpt.: 34.34.34.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x30A2273A(815933242)
     inbound esp sas:
      spi: 0xFBFBD275(4227584629)
        transform: esp-3des esp-sha-hmac ,
R4#sh crypto isakmp peers
Peer: 23.23.23.2 Port: 500 Local: 34.34.34.1
 Phase1 id: 23.23.23.2
R4#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: mymap1, local addr 34.34.34.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.2/255.255.255.255/47/0)
   current_peer 23.23.23.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
    #pkts decaps: 394, #pkts decrypt: 394, #pkts verify: 394
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 34.34.34.1, remote crypto endpt.: 23.23.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xFBFBD275(4227584629)
     inbound esp sas:
      spi: 0x30A2273A(815933242)
        transform: esp-3des esp-sha-hmac ,
Lab analysis and tests:
R1#ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/234/340 ms
R5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/264/352 ms


When two sites need a VPN and exchange their internal routes through a dynamic routing protocol, a GRE tunnel is required, and GRE over IPsec is used to protect the data inside the tunnel.


Even when the p2p GRE tunnel interface shows up/up, it cannot be used as is: when a p2p GRE interface is built between a static-IP side and a dynamic-IP side, the p2p GRE interface does not work unless p2p GRE over IPsec is configured.


In a Dynamic p2p GRE over IPsec setup, traffic must first be sent from the dynamic-IP side toward the static-IP side; otherwise the GRE tunnel cannot be established and the VPN never comes up. You can confirm this by testing it yourself.


2012-03-23 04:20:13

 
 
A GRE tunnel forwards a packet in three steps:
1. The original IP packet is received as the passenger protocol; the IP addresses in its header are private addresses.
2. The original IP packet is encapsulated in GRE, the encapsulation protocol; the IP addresses in the encapsulating header are those of the two ends of the virtual point-to-point link.
3. The whole GRE packet is treated as data and wrapped in a public IP header carrying the tunnel's source and destination, so that it is routed to the tunnel endpoint.
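The three steps above, as an added example that is not part of the original post: a Python encapsulator and decapsulator that builds the passenger, GRE and delivery headers for the lab's own addresses (R1 192.168.1.1 to R5 192.168.2.5, tunnel 23.23.23.2 to 34.34.34.4) and validates them again on the receiving side. It constructs raw IPv4/GRE headers only (RFC 791, RFC 2784) and sends nothing on the network; the ICMP payload is a constructed sample.

```python
# Added example (not from the original post): GRE-in-IPv4 encapsulation and
# decapsulation for the lab topology. No sockets; everything is built in memory.
import ipaddress
import struct

IPPROTO_GRE = 47          # protocol number carried by the delivery (outer) header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 passenger packet
IPV4_HDR = "!BBHHHBBH4s4s"


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Validate a minimal IPv4 header and return its fields plus the payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 version or header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def passenger_packet() -> bytes:
    """Step 1: a constructed private-to-private IP packet (the lab's R1 -> R5 ping)."""
    icmp_echo = b"\x08\x00" + b"\x00" * 6   # ICMP echo request header, checksum left zero
    return ipv4_header("192.168.1.1", "192.168.2.5", 1, len(icmp_echo)) + icmp_echo


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Steps 2 and 3: wrap the passenger in GRE, then in the public delivery header."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, GRE version 0
    gre_payload = gre_hdr + passenger
    delivery = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre_payload))
    return delivery + gre_payload


def gre_decapsulate(packet: bytes) -> tuple:
    """Tunnel endpoint: strip the delivery header and GRE, return (outer, inner) parsed."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("delivery protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:   # C, K or S bit set: optional fields follow; not handled here
        raise ValueError("GRE optional fields not supported")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto_type)
    return outer, parse_ipv4(outer["payload"][4:])


def tunnel_round_trip() -> dict:
    """Build the lab packet on R2, unwrap it on R4, and report what each layer carried."""
    inner = passenger_packet()
    wire = gre_encapsulate(inner, "23.23.23.2", "34.34.34.4")
    outer, passenger = gre_decapsulate(wire)
    return {"overhead": len(wire) - len(inner), "outer": outer, "inner": passenger}
```

The 24 bytes added per packet (20-byte delivery header plus 4-byte GRE header) are why the tunnel interfaces in the lab output report an MTU of 1476 bytes.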
Lab configuration
R1
en
conf t
line con 0
no exec-t
exit
host R1
int f0/0
no sh
ip add 192.168.1.1 255.255.255.0
end
====================R2============================
en
conf t
line con 0
no exec-t
exit
host R2
int f0/0
no sh
ip add 192.168.1.2 255.255.255.0
int f0/1
no sh
ip add 23.23.23.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 23.23.23.3
interface Tunnel2
no sh
ip address 1.1.1.2 255.255.255.0
tunnel source 23.23.23.2
tunnel destination 34.34.34.4
exit
ip route 192.168.2.0 255.255.255.0 tunnel2
Each router terminating the GRE tunnel steers packets destined for the other side's private subnet into the GRE tunnel.
NAT configuration
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
interface FastEthernet0/0
ip nat outside
interface FastEthernet1/0
ip nat inside
=====================Internet==========================
en
conf t
line con 0
no exec-t
exit
host Internet
int f0/0
no sh
ip add 23.23.23.3 255.255.255.0
int f0/1
no sh
ip add 34.34.34.3 255.255.255.0
======================R4================================
en
conf t
line con 0
no exec-t
exit
host R4
int f0/0
no sh
ip add 34.34.34.4 255.255.255.0
int f0/1
no sh
ip add 192.168.2.4 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 34.34.34.3
interface Tunnel4
no sh
ip address 1.1.1.4 255.255.255.0
tunnel source 34.34.34.4
tunnel destination 23.23.23.2
exit
ip route 192.168.1.0 255.255.255.0 Tunnel4
Each router terminating the GRE tunnel steers packets destined for the other side's private subnet into the GRE tunnel.
NAT configuration
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
interface FastEthernet0/0
ip nat outside
interface FastEthernet1/0
ip nat inside
=========================R5==============================
en
conf t
line con 0
no exec-t
exit
host R5
int f0/0
no sh
ip add 192.168.2.5 255.255.255.0
Lab testing
Check the current tunnel interface state on R2:
R2#sh ip int tunnel 2
Tunnel2 is up, line protocol is up
  Internet address is 1.1.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
Check the tunnel state on R4
R4#sh ip int tunnel 4
Tunnel4 is up, line protocol is up
  Internet address is 1.1.1.4/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
 --More--
Test connectivity
R1#ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/202/220 ms
R5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/212/368 ms
2012-03-23 01:41:48
Before I knew it, almost a year has passed since graduation. I remember going straight from school into a company as a rather bookish, somewhat timid young man. After a year of work I have gradually come to feel how heavy the pressure of the workplace is; people are hard to read, and I always feel that many of those around me hide a knife behind their smiles.
My 51CTO blog has existed for almost two years, and I have long wanted to write something here: first, to help me review the knowledge I have accumulated, and second, to exchange study notes with friends I know and do not know. Yesterday I finally shook off a year of pressure and formally resigned from the company, though with some reluctance. But in order to learn more..

R1, R2 and R3 simulate the enterprise intranet running EIGRP; R3 is the enterprise gateway. The goal is full connectivity, with the intranet reaching the Internet through NAT; the test target is 4.4.4.4/24.
R1
en
conf t
line con 0
no exec-t
exit
host R1
int f0/0
no sh
ip add 192.168.12.1 255.255.255.0
exit
router eigrp 100
no au
net 192.168.12.0 0.0.0.255
end
===================R2===========================
en
conf t
line con 0
no exec-t
exit
host R2
int f0/0
no sh
ip add 192.168.12.2 255.255.255.0
int f1/0
no sh
ip add 192.168.23.2 255.255.255.0
exit
router eigrp 100
no au
net 192.168.12.0 0.0.0.255
net 192.168.23.0 0.0.0.255
end
================R3================================
en
conf t
line con 0
no exec-t
exit
host R3
int f0/0
no sh
ip add 192.168.23.3 255.255.255.0
int f1/0
no sh
ip add 34.34.34.3 255.255.255.0
int lo 0
ip add 3.3.3.3 255.0.0.0 
exit
router eigrp 100
no au
net 192.168.23.0 0.0.0.255
net 3.3.3.3 0.0.0.0
end
R3(config)#ip default-network 3.0.0.0
R3(config)#ip route 0.0.0.0 0.0.0.0 34.34.34.4
NAT configuration
R3(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R3(config)#ip nat inside source list 1 interface FastEthernet1/0 overload
R3(config)#interface FastEthernet0/0
R3(config-if)#ip nat inside
R3(config)#interface FastEthernet1/0
R3(config-if)#ip nat outside
===================R4===========================
en
conf t
line con 0
no exec-t
exit
host R4
int f0/0
no sh
ip add 34.34.34.4 255.255.255.0
int lo0
no sh
ip add 4.4.4.4 255.255.255.0

Lab testing
R1#sh ip route
Gateway of last resort is 192.168.12.2 to network 3.0.0.0
C    192.168.12.0/24 is directly connected, FastEthernet0/0
D*   3.0.0.0/8 [90/158720] via 192.168.12.2, 00:00:12, FastEthernet0/0
D    192.168.23.0/24 [90/30720] via 192.168.12.2, 00:07:52, FastEthernet0/0
 
R2#sh ip route
Gateway of last resort is 192.168.23.3 to network 3.0.0.0
C    192.168.12.0/24 is directly connected, FastEthernet0/0
D*   3.0.0.0/8 [90/156160] via 192.168.23.3, 00:01:13, FastEthernet1/0
C    192.168.23.0/24 is directly connected, FastEthernet1/0
 
Lab comparison
In the previous post, where RIPv2 was used in the enterprise, R3's external interface did not have to be advertised into RIP when injecting the default route into the intranet. With EIGRP, however, the interface must be advertised into the EIGRP process; otherwise no EIGRP default route is generated.
See the following example:
R1#sh ip route
C    192.168.12.0/24 is directly connected, FastEthernet0/0
D    192.168.23.0/24 [90/30720] via 192.168.12.2, 00:04:29, FastEthernet0/0
R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4,
timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
After lo 0 is advertised into the EIGRP process:
R1#sh ip route
Gateway of last resort is 192.168.12.2 to network 3.0.0.0
C    192.168.12.0/24 is directly connected, FastEthernet0/0
D*   3.0.0.0/8 [90/158720] via 192.168.12.2, 00:00:12, FastEthernet0/0
D    192.168.23.0/24 [90/30720] via 192.168.12.2, 00:07:52, FastEthernet0/0
R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/197/288 ms
R1#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
  1 192.168.12.2 120 msec 76 msec 156 msec
  2 192.168.23.3 172 msec 120 msec 172 msec
  3 34.34.34.4 220 msec 208 msec *
 
NAT debugging
R3#debug ip nat
IP NAT debugging is on
*Mar  1 00:18:18.635: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:18:19.939: NAT: s=192.168.23.2->34.34.34.3, d=4.4.4.4 [242]
*Mar  1 00:18:22.887: NAT*: s=192.168.23.2->34.34.34.3, d=4.4.4.4 [245]
*Mar  1 00:18:23.011: NAT: s=34.34.34.4, d=34.34.34.3->192.168.23.2 [0]
*Mar  1 00:18:39.455: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [30]
*Mar  1 00:18:39.599: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [30]
*Mar  1 00:18:39.675: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [31]
*Mar  1 00:18:39.755: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [31]
*Mar  1 00:18:39.911: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [32]
*Mar  1 00:18:40.003: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [32]
*Mar  1 00:18:40.115: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [33]
*Mar  1 00:18:40.175: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [33]
*Mar  1 00:18:40.271: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [34]
*Mar  1 00:18:40.299: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [34]
*Mar  1 00:19:07.327: NAT*: s=192.168.23.2->34.34.34.3, d=4.4.4.4 [277]
*Mar  1 00:19:07.439: NAT: s=34.34.34.4, d=34.34.34.3->192.168.23.2 [6]
*Mar  1 00:19:16.523: NAT*: s=192.168.23.2->34.34.34.3, d=4.4.4.4 [285]

Lab notes:

ip default-network must name a classful network
The external interface must be classful
The external interface must be advertised into the EIGRP process
ISPs (China Telecom or China Netcom) usually assign companies variable, classless IP addresses; the way to meet the classful-interface requirement is to bring up a loopback on the router, configure it with a classful IP address, and advertise it into the EIGRP process.

R1, R2 and R3 simulate the enterprise intranet running RIPv2; R3 is the enterprise gateway. The goal is full connectivity, with the intranet reaching the Internet through NAT; the test target is 4.4.4.4/24.
 
R1
en
conf t
line con 0
no exec-t
exit
host R1
int f0/0
no sh
ip add 192.168.12.1 255.255.255.0
exit
router rip
ver 2
no au
net 192.168.12.0
===================R2============================
en
conf t
line con 0
no exec-t
exit
host R2
int f0/0
no sh
ip add 192.168.12.2 255.255.255.0
int f1/0
no sh
ip add 192.168.23.2 255.255.255.0
exit
router rip
ver 2
no au
net 192.168.12.0
net 192.168.23.0
end
================R3=========================
en
conf t
line con 0
no exec-t
exit
host R3
int f0/0
no sh
ip add 192.168.23.3 255.255.255.0
int f1/0
no sh
ip add 34.34.34.3 255.255.255.0
int lo 0
ip add 3.3.3.3 255.0.0.0 
exit
router rip
ver 2
no au
net 192.168.23.0
end
R3(config)#ip default-network 3.0.0.0   -- inject the default route into the intranet
R3(config)#ip route 0.0.0.0 0.0.0.0 34.34.34.4
NAT configuration
R3(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R3(config)#ip nat inside source list 1 interface FastEthernet1/0 overload
R3(config)#interface FastEthernet0/0
R3(config-if)#ip nat inside
R3(config)#interface FastEthernet1/0
R3(config-if)#ip nat outside
===================R4===============================
en
conf t
line con 0
no exec-t
exit
host R4
int f0/0
no sh
ip add 34.34.34.4 255.255.255.0
int lo0
no sh
ip add 4.4.4.4 255.255.255.0

 
Lab testing
After the default route is injected into the intranet, each router gets a default route pointing to its next hop:
R1#sh ip route
Gateway of last resort is 192.168.12.2 to network 0.0.0.0
C    192.168.12.0/24 is directly connected, FastEthernet0/0
R    192.168.23.0/24 [120/1] via 192.168.12.2, 00:00:01, FastEthernet0/0
R*   0.0.0.0/0 [120/2] via 192.168.12.2, 00:00:01, FastEthernet0/0
 
R2#sh ip route
Gateway of last resort is 192.168.23.3 to network 0.0.0.0
C    192.168.12.0/24 is directly connected, FastEthernet0/0
C    192.168.23.0/24 is directly connected, FastEthernet1/0
R*   0.0.0.0/0 [120/1] via 192.168.23.3, 00:00:23, FastEthernet1/0

R3#sh ip route
Gateway of last resort is 34.34.34.4 to network 0.0.0.0
     34.0.0.0/24 is subnetted, 1 subnets
C       34.34.34.0 is directly connected, FastEthernet1/0
R    192.168.12.0/24 [120/1] via 192.168.23.2, 00:00:17, FastEthernet0/0
C*   3.0.0.0/8 is directly connected, Loopback0
C    192.168.23.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 34.34.34.4

NAT debugging
R3#debug ip nat
IP NAT debugging is on
R3#
*Mar  1 00:35:16.295: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [25]
*Mar  1 00:35:16.391: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [25]
*Mar  1 00:35:16.515: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [26]
*Mar  1 00:35:16.563: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [26]
*Mar  1 00:35:16.631: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [27]
*Mar  1 00:35:16.671: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [27]
*Mar  1 00:35:16.763: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [28]
*Mar  1 00:35:16.795: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [28]
*Mar  1 00:35:16.907: NAT*: s=192.168.12.1->34.34.34.3, d=4.4.4.4 [29]
R3#
*Mar  1 00:35:16.999: NAT*: s=4.4.4.4, d=34.34.34.3->192.168.12.1 [29]
 
Ping test
R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
R1#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
  1 192.168.12.2 128 msec 96 msec 60 msec
  2 192.168.23.3 128 msec 76 msec 140 msec
  3 34.34.34.4 252 msec *  232 msec
 
Notes:

To inject a default route into a RIP network, configure ip default-network first and then the static default route pointing to the outside; the network named in ip default-network must be classful.
The public IP addresses assigned to companies are usually classless, so a classful IP address must be advertised on a loopback, for example 3.3.3.3/8 on R3 in this post.
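The "must be classful" requirement in the RIPv2 notes here and in the EIGRP notes of the previous post, as an added example that is not from the original posts: a small Python check that derives the classful boundary of an address, tells whether an interface's network sits exactly on that boundary, and picks the interface that ip default-network can use. The interface list format (name, address, mask) is this example's own.

```python
# Added example (not from the original posts): classful-boundary checks for
# ip default-network, using R3's addresses from the labs.
import ipaddress
from typing import List, Optional, Tuple


def classful_prefix_len(addr: str) -> int:
    """Prefix length implied by the first octet (RFC 791 classes A/B/C)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8     # class A: 0.0.0.0 - 127.255.255.255
    if first < 192:
        return 16    # class B: 128.0.0.0 - 191.255.255.255
    if first < 224:
        return 24    # class C: 192.0.0.0 - 223.255.255.255
    raise ValueError("%s is not in a class A/B/C unicast range" % addr)


def classful_network(addr: str) -> str:
    """The classful network that ip default-network would need for this address."""
    net = ipaddress.ip_network("%s/%d" % (addr, classful_prefix_len(addr)), strict=False)
    return str(net.network_address)


def is_classful(addr: str, mask: str) -> bool:
    """True if the interface network/mask is exactly its classful boundary."""
    net = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
    return net.prefixlen == classful_prefix_len(addr)


def plan_default_network(interfaces: List[Tuple[str, str, str]]) -> Optional[Tuple[str, str]]:
    """Return (interface, classful network) for the first classful interface,
    or None when a classful loopback still has to be added, as the notes describe."""
    for name, addr, mask in interfaces:
        if is_classful(addr, mask):
            return name, classful_network(addr)
    return None
```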