
The three modes of Cisco Easy VPN Remote

Posted on 2008-1-3 17:35:24
1. Remote-side configuration
ezclient#sh run
Building configuration...

Current configuration : 1134 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ezclient
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto ipsec client ezvpn mylab
connect auto
group myezvpn key cisco1234
mode network-plus
peer 173.16.1.5
username wanglinlin password cisco
xauth userid mode local
!
interface Loopback0
ip address 192.168.1.3 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn mylab inside
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 173.16.1.1 255.255.255.252
clock rate 64000
crypto ipsec client ezvpn mylab
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!         
ip route 0.0.0.0 0.0.0.0 173.16.1.2
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
login
!
scheduler allocate 20000 1000
end

2. Server-side configuration:
ezserver#sh run
Building configuration...

Current configuration : 1715 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ezserver
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ezvpn-authentication local
aaa authorization network ezvpn-authorization local
!
aaa session-id common
!         
resource policy
!
ip cef
!
username wanglinlin password 0 cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group myezvpn
key cisco1234
domain cisco.com
pool vpn-pool
acl 101
save-password
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dynamic-map 10
set transform-set ccsp
reverse-route
!
crypto map cisco client authentication list ezvpn-authentication
crypto map cisco isakmp authorization list ezvpn-authorization
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
!
interface FastEthernet0/0
ip address 172.30.1.2 255.255.255.0
duplex auto
speed auto
!         
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 173.16.1.5 255.255.255.252
clock rate 64000
crypto map cisco
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip local pool vpn-pool 192.168.1.1 192.168.1.50
ip route 0.0.0.0 0.0.0.0 173.16.1.6
!
no ip http server
no ip http secure-server
!         
access-list 101 permit ip 172.30.1.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
!
scheduler allocate 20000 1000
end

3. Client mode:
ezclient#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  administratively down down   
Serial0/0/0                173.16.1.1      YES manual up                    up      
Serial0/0/1                unassigned      YES unset  administratively down down   
NVI0                       unassigned      NO  unset  up                    up      
Loopback0                  192.168.1.4     YES manual up                    up      

ezclient#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.1.4
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 172.30.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 173.16.1.5

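A loopback interface appears on the Easy VPN Remote. When a user needs to reach a host behind the Easy VPN Server, the Easy VPN Remote automatically performs PAT using the loopback interface's address; if split tunnel is configured on the Server, then when a user behind the Remote needs to reach an Internet host, the Easy VPN Remote automatically performs PAT using the outside interface's address.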

ezserver#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 173.16.1.6 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.1.0 is directly connected, FastEthernet0/0
     173.16.0.0/30 is subnetted, 1 subnets
C       173.16.1.4 is directly connected, Serial0/0/0
     192.168.1.0/32 is subnetted, 1 subnets
S       192.168.1.4 [1/0] via 173.16.1.1
S*   0.0.0.0/0 [1/0] via 173.16.1.6

Because reverse-route is configured, the Server creates a static route pointing to the Remote's loopback interface.

4. network-extension mode:
ezclient#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  administratively down down   
Serial0/0/0                173.16.1.1      YES manual up                    up      
Serial0/0/1                unassigned      YES unset  administratively down down   
NVI0                       unassigned      NO  unset  up                    up      

ezclient#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 172.30.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 173.16.1.5

ezserver#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 173.16.1.6 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.1.0 is directly connected, FastEthernet0/0
     173.16.0.0/30 is subnetted, 1 subnets
C       173.16.1.4 is directly connected, Serial0/0/0
     10.0.0.0/24 is subnetted, 1 subnets
S       10.1.1.0 [1/0] via 173.16.1.1
S*   0.0.0.0/0 [1/0] via 173.16.1.6

Because reverse-route is configured, the Server creates a static route pointing to the Remote's inside network.

5. network-plus mode:
ezclient#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  administratively down down   
Serial0/0/0                173.16.1.1      YES manual up                    up      
Serial0/0/1                unassigned      YES unset  administratively down down   
NVI0                       unassigned      NO  unset  up                    up      
Loopback0                  192.168.1.3     YES manual up                    up      

ezclient#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.1.3
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 172.30.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 173.16.1.5

The Remote still creates a loopback interface, but in this mode the interface is used only for troubleshooting.

ezserver#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 173.16.1.6 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.1.0 is directly connected, FastEthernet0/0
     173.16.0.0/30 is subnetted, 1 subnets
C       173.16.1.4 is directly connected, Serial0/0/0
     10.0.0.0/24 is subnetted, 1 subnets
S       10.1.1.0 [1/0] via 173.16.1.1
     192.168.1.0/32 is subnetted, 1 subnets
S       192.168.1.3 [1/0] via 173.16.1.1
S*   0.0.0.0/0 [1/0] via 173.16.1.6

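Because reverse-route is configured, the Server creates static routes pointing to both the Remote's loopback interface and its inside network.
Address of this post: http://bbs.jcwcn.com/forum.php?mod=viewthread&tid=149430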
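Added example, not part of the original post: a Python check that reads the server's `sh ip route` output and infers which Easy VPN Remote mode is in effect from the static routes that reverse-route installed, following the three cases shown above. The function names are hypothetical, and it assumes the injected routes use the Remote's outside address (173.16.1.1) as next hop, as in the post's outputs.

```python
import ipaddress
import re

# Values taken from the post's configuration (ip local pool vpn-pool, Serial0/0/0).
POOL = (ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.50"))
REMOTE = "173.16.1.1"  # outside address of the Easy VPN Remote

HEADER = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
STATIC = re.compile(r"^S\*?\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))? \[\d+/\d+\] via (\S+)")

def rri_routes(show_ip_route, next_hop=REMOTE):
    """Static routes whose next hop is the remote, as ip_network objects."""
    routes, plen = [], None
    for line in show_ip_route.splitlines():
        header = HEADER.match(line)
        if header:
            plen = header.group(1)  # mask inherited by the entries listed below it
            continue
        static = STATIC.match(line)
        if static and static.group(3) == next_hop and (static.group(2) or plen):
            routes.append(ipaddress.ip_network(
                f"{static.group(1)}/{static.group(2) or plen}", strict=False))
    return routes

def ezvpn_mode(show_ip_route):
    """Infer the remote's mode from the routes reverse-route installed."""
    routes = rri_routes(show_ip_route)
    # /32 inside the address pool: the mode-config address on the remote's loopback
    pool_host = any(r.prefixlen == 32 and POOL[0] <= r.network_address <= POOL[1]
                    for r in routes)
    # anything wider than a host route: the remote's inside network is routable
    inside_net = any(r.prefixlen < 32 for r in routes)
    if pool_host and inside_net:
        return "network-plus"
    if inside_net:
        return "network-extension"
    return "client" if pool_host else "no tunnel"

# Static-route lines copied from the post's three "sh ip route" outputs.
DEFAULT = "S*   0.0.0.0/0 [1/0] via 173.16.1.6\n"
LOOP4 = "     192.168.1.0/32 is subnetted, 1 subnets\nS       192.168.1.4 [1/0] via 173.16.1.1\n"
LOOP3 = "     192.168.1.0/32 is subnetted, 1 subnets\nS       192.168.1.3 [1/0] via 173.16.1.1\n"
INSIDE = "     10.0.0.0/24 is subnetted, 1 subnets\nS       10.1.1.0 [1/0] via 173.16.1.1\n"

if __name__ == "__main__":
    for name, text in [("client", LOOP4 + DEFAULT), ("extension", INSIDE + DEFAULT),
                       ("plus", INSIDE + LOOP3 + DEFAULT)]:
        print(name, "->", ezvpn_mode(text), [str(r) for r in rri_routes(text)])
```

A result of `network-extension` or `network-plus` means the Remote's inside subnet is directly routable from the Server side, so any ACLs on the Server should account for that subnet rather than only the pool address.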
Posted on 2008-2-11 16:10:18
What a helpful person! Bumping this and taking a look~~~

Posted on 2018-7-10 15:43:32
Very nice...

Posted on 2018-7-10 15:38:39
The original poster is a superhero

Posted on 2018-7-10 15:31:32
A rare good post

Posted on 2018-7-10 16:21:15
Learned something...

Posted on 2018-7-10 15:57:49
Bookmarked right away
