Configuring Router
Configuring Router-to-Router Dynamic-to-Static IPSec with NAT

Introduction

In this sample configuration, a remote router receives an IP address through Dynamic Host Configuration Protocol (DHCP) and connects to a hub router. This configuration enables the hub router to accept dynamic IPSec connections. The remote router uses network address translation (NAT) to "join" the privately addressed devices behind it to the privately addressed network behind the hub router. The remote router can initiate connections to the hub router (it knows the endpoint), but the hub router cannot initiate connections to the remote router (it does not know the endpoint).

In this sample configuration, Dr_whoovie is the remote router and Sam-i-am is the hub router. Even though we know Dr_whoovie's IP address, we configure Sam-i-am to dynamically accept connections from any router that knows the wildcard pre-shared key, instead of specifying Dr_whoovie's key on Sam-i-am. Dr_whoovie knows what traffic is to be encrypted (because it is specified by the access list) and where the Sam-i-am endpoint is located. Dr_whoovie must initiate the connection. Both sides are doing NAT overload.

Hardware and Software Versions

To implement this configuration, you need the following:
• Cisco IOS® Software Release 12.0.7.T
• Cisco 2500 routers

Network Diagram

Configurations

Sam-i-am Configuration

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sam-i-am
!
enable secret 5 $1$7WP3$aEqtNjvRJ9Vy6i41x0RJf0
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server
!
!--- IKE policies
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!--- IPSec policies
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 !--- Include the private-network-to-private-network
 !--- traffic in the encryption process.
 match address 115
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Ethernet0
 ip address 10.2.2.3 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Serial0
 ip address 99.99.99.1 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 crypto map rtptrans
!
!--- Except the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.2
no ip http server
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process.
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
!--- Except the private network from the NAT process.
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
 match ip address 120
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end

Dr_whoovie Configuration

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$yP65$2FtxvqXPtuZy7hQBwaBoZ/
enable password ww
!
ip subnet-zero
!
cns event-service server
!
!--- IKE policies
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 99.99.99.1
!
!--- IPSec policies
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set rtpset
 !--- Include the private-network-to-private-network
 !--- traffic in the encryption process.
 match address 115
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Serial0
 !--- Because this example was set up in a lab, we assigned
 !--- an IP address. If the router was getting a DHCP
 !--- address, commands such as ip address negotiated and
 !--- ip address dhcp would be used instead of this static
 !--- assignment.
 ip address 99.99.99.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 clockrate 4000000
 crypto map rtp
!
!--- Except the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.1
no ip http server
!
!--- Include the private-network-to-private-network
!--- traffic in the encryption process.
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 115 deny ip 10.1.1.0 0.0.0.255 any
!--- Except the private network from the NAT process.
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
 match ip address 120
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end

debug and show Commands

Before attempting any debug commands, please see Important Information on Debug Commands.
• debug crypto ipsec - Shows the IPSec negotiations of phase 2.
• debug crypto isakmp - Shows the ISAKMP negotiations of phase 1.
• debug crypto engine - Shows the traffic that is encrypted.
• debug ip nat det - (Optional) Verifies the operation of the NAT feature by displaying information about every packet that is translated by the router. Caution: This command generates a large amount of output; it should be used only when traffic on the IP network is low.
• clear crypto isakmp - Clears the security associations related to phase 1.
• clear crypto sa - Clears the security associations related to phase 2.
• clear ip nat translation - Clears dynamic Network Address Translation (NAT) translations from the translation table.
• show crypto ipsec sa - Shows the phase 2 security associations.
• show crypto isakmp sa - Shows the phase 1 security associations.
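The two properties that make this sample work are easy to break when the configurations are edited: the crypto access lists on the two routers must be mirror images of each other, and the NAT route-map access list on each router must deny exactly the traffic the crypto access list permits (inside-to-outside NAT runs before the crypto map is evaluated, so a translated source address would never match access-list 115). The following Python script is an added check, not part of the Cisco document: it parses the relevant lines from constructed excerpts of the two configurations above, verifies both properties with IOS first-match ACL semantics, and lists the settings from the sample that a current deployment would want to replace (wildcard pre-shared key, DES, MD5, clear-text passwords). The WEAK table and the function names are this example's own.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the two running-configs on this page; only the crypto,
# NAT and password lines the checks below look at are kept.
SAM_I_AM = """\
no service password-encryption
enable password ww
crypto isakmp policy 1
 hash md5
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto dynamic-map rtpmap 10
 match address 115
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""

DR_WHOOVIE = """\
no service password-encryption
enable password ww
crypto isakmp policy 1
 hash md5
crypto isakmp key cisco123 address 99.99.99.1
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto map rtp 1 ipsec-isakmp
 match address 115
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 115 deny ip 10.1.1.0 0.0.0.255 any
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""

def _parse_spec(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A wildcard-mask'."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    mask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return IPv4Network(f"{tok}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        toks = line.split()
        if len(toks) >= 5 and toks[0] == "access-list" and toks[3] == "ip":
            rest = toks[4:]
            acls.setdefault(toks[1], []).append((toks[2], _parse_spec(rest), _parse_spec(rest)))
    return acls

def acl_refs(config):
    """ACL numbers used by the crypto map ('match address') and the NAT route-map ('match ip address')."""
    crypto = re.search(r"^\s*match address (\d+)$", config, re.M).group(1)
    nat = re.search(r"^\s*match ip address (\d+)$", config, re.M).group(1)
    return crypto, nat

def crypto_flows(config):
    """The (src, dst) pairs this router encrypts: the permit entries of its crypto ACL."""
    crypto, _ = acl_refs(config)
    return {(s, d) for a, s, d in parse_acls(config)[crypto] if a == "permit"}

def mirror_ok(hub, spoke):
    """Crypto ACLs must mirror each other: every hub flow A->B appears on the spoke as B->A."""
    return crypto_flows(hub) == {(d, s) for s, d in crypto_flows(spoke)}

def first_match(entries, src, dst):
    """IOS semantics: the first entry covering the flow decides; implicit deny at the end."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"

def nat_exempts_crypto(config):
    """Every flow to be encrypted must be denied (exempted) by the NAT route-map ACL."""
    _, nat = acl_refs(config)
    entries = parse_acls(config)[nat]
    return all(first_match(entries, s, d) == "deny" for s, d in crypto_flows(config))

WEAK = [  # settings from the sample a current deployment would replace
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0", "wildcard pre-shared key: any peer that knows the key is accepted"),
    (r"esp-des\b", "single DES transform"),
    (r"^\s*hash md5", "MD5 as IKE hash"),
    (r"^no service password-encryption", "line and enable passwords stored in clear text"),
    (r"^enable password ", "type-0 enable password configured alongside enable secret"),
]

def audit(config):
    """Return the weak settings present in config, in WEAK order."""
    return [msg for pat, msg in WEAK if re.search(pat, config, re.M)]
```

Run against the excerpts, mirror_ok and nat_exempts_crypto both hold for the page's configurations; audit reports five findings on sam-i-am and four on dr_whoovie, the difference being the wildcard pre-shared key that only the hub uses. Swapping the source and destination in one router's access-list 115, or removing the deny line from access-list 120, makes the corresponding check fail before the change reaches a router.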