VPN(VPNとNAT その6) — VPN and NAT, part 6

Continued from 「VPN(VPNとNAT その5)」 (VPN and NAT, part 5).

This part presents the configuration of each router.

※ Router_B's E0 has no cable attached, so it is forced UP with the `no keepalive` command.

The configuration of each router is as follows.

●Router_A configuration

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
!
ip cef
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 200.200.200.2
!
crypto ipsec transform-set TS-IPSEC esp-3des esp-sha-hmac
!
crypto map MAP-IPSEC 1 ipsec-isakmp
 set peer 200.200.200.2
 set transform-set TS-IPSEC
 match address 100
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 200.200.200.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 crypto map MAP-IPSEC
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.3
ip route 172.17.0.0 255.255.0.0 200.200.200.2
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface FastEthernet0 overload
!
access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 110 deny   ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

●Router_B configuration

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
!
ip cef
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 200.200.200.1
!
!
crypto ipsec transform-set TS-IPSEC esp-3des esp-sha-hmac
!
crypto map MAP-IPSEC 1 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set TS-IPSEC
 match address 100
!
interface Ethernet0
 ip address 172.17.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
 no keepalive
!
interface FastEthernet0
 ip address 200.200.200.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 crypto map MAP-IPSEC
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.3
ip route 172.16.0.0 255.255.0.0 200.200.200.1
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface FastEthernet0 overload
!
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 172.17.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

●Router_C configuration

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_C
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
!
ip cef
!
interface Loopback0
 ip address 20.0.0.1 255.0.0.0
!
interface Loopback1
 ip address 30.0.0.1 255.0.0.0
!
interface Loopback2
 no ip address
!
interface Ethernet0
 no ip address
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 200.200.200.3 255.255.255.0
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
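The part of Router_A's and Router_B's configuration that decides whether a packet is translated or encrypted is the pair of access lists 100 and 110 together with route-map nonat. For traffic going from the inside interface to the outside interface, IOS performs the NAT translation before it evaluates the crypto map, so the crypto ACL 100 sees the post-NAT source address. The `deny` line in ACL 110 is therefore what keeps 172.16.0.0/16 to 172.17.0.0/16 traffic untranslated so that it still matches ACL 100 and enters the tunnel; without it, the traffic would be PAT-ed to 200.200.200.1, miss ACL 100 and leave in the clear. The following script is an added example, not part of the original post and not Cisco code: it models that order of operations for Router_A with the page's own ACLs, using constructed sample flows (the host addresses 172.16.1.10 and 172.17.1.10 are made up; 20.0.0.1 is Router_C's Loopback0).

```python
"""Simulate Router_A's NAT-exemption and crypto-ACL decisions.

Constructed model of IOS inside-to-outside processing order
(NAT translation first, crypto map check second) using the ACLs
from the Router_A configuration on this page.
"""
import ipaddress

OUTSIDE_IP = "200.200.200.1"   # Router_A FastEthernet0, PAT address for 'overload'
ANY = ("0.0.0.0", "255.255.255.255")   # Cisco 'any' as base/wildcard pair


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Each entry: (action, (src_base, src_wildcard), (dst_base, dst_wildcard)),
# in configured order. Contents copied from the Router_A configuration.
ACL_100 = [  # crypto ACL used by 'match address 100' in MAP-IPSEC
    ("permit", ("172.16.0.0", "0.0.255.255"), ("172.17.0.0", "0.0.255.255")),
]
ACL_110 = [  # NAT ACL via route-map nonat; 'deny' here means NAT exemption
    ("deny",   ("172.16.0.0", "0.0.255.255"), ("172.17.0.0", "0.0.255.255")),
    ("permit", ("172.16.0.0", "0.0.255.255"), ANY),
]
# Constructed misconfiguration for comparison: the exemption line is missing.
ACL_110_WITHOUT_EXEMPTION = [
    ("permit", ("172.16.0.0", "0.0.255.255"), ANY),
]


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def forward_inside_to_outside(src: str, dst: str,
                              nat_acl=ACL_110, crypto_acl=ACL_100):
    """Return (source address as it appears on the wire, 'encrypted'|'cleartext')."""
    # Step 1: NAT inside->outside. A route-map 'permit' means translate (PAT).
    wire_src = OUTSIDE_IP if acl_action(nat_acl, src, dst) == "permit" else src
    # Step 2: the crypto map is evaluated on the packet as it looks after NAT.
    encrypted = acl_action(crypto_acl, wire_src, dst) == "permit"
    return wire_src, "encrypted" if encrypted else "cleartext"


if __name__ == "__main__":
    flows = [("172.16.1.10", "172.17.1.10"),   # site-to-site, should be encrypted
             ("172.16.1.10", "20.0.0.1")]      # to Router_C Loopback0, plain NAT
    for src, dst in flows:
        print(src, "->", dst, forward_inside_to_outside(src, dst))
    print("without exemption:",
          forward_inside_to_outside("172.16.1.10", "172.17.1.10",
                                    nat_acl=ACL_110_WITHOUT_EXEMPTION))
```

The same check applies symmetrically to Router_B, whose ACLs 100 and 110 mirror Router_A's with the two networks swapped; swapping the entries in `ACL_100` and `ACL_110` and setting `OUTSIDE_IP` to 200.200.200.2 reproduces its behaviour.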

Continued in the next part, 「VPN(VPNとNAT その7)」 (VPN and NAT, part 7), where we verify the network configured above with NAT and the VPN used together.