Test result: the middle router simulates the ISP router. From the China router's 172.16.30.0/24 network, the Internet address 2.2.2.2 is reachable (normal Internet access), and at the same time the US 172.16.0.0/16 and 192.168.5.0/24 networks are reachable over the VPN.
China Router
*Mar 1 01:11:56.323: %SYS-5-CONFIG_I: Configured from console by console
China#show run
Building configuration...

Current configuration : 1765 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname China
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ciscolab address 63.65.14.189
!
!
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer 63.65.14.189
 set transform-set ESP-3DES-SHA3
 match address 103
!
interface Loopback0
 ip address 172.30.0.1 255.255.255.0
 ip nat inside
 no clns route-cache
!
interface Loopback1
 ip address 192.168.170.1 255.255.255.0
 no clns route-cache
!
interface Serial0/0
 ip address 140.207.90.138 255.255.255.248
 ip nat outside
 serial restart-delay 0
 no clns route-cache
 crypto map SDM_CMAP_1
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
ip nat inside source list 100 interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 140.207.90.137
!
!
access-list 100 deny   ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny   ip 192.168.170.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
access-list 103 permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 103 permit ip 192.168.170.0 0.0.0.255 192.168.5.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
!
end
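The China configuration relies on two ACLs working together: ACL 100 must deny (exempt from PAT) exactly the flows that crypto ACL 103 selects for the tunnel, otherwise a packet is either translated before the crypto map sees it (and no longer matches the tunnel policy) or leaves the Serial0/0 interface neither translated nor encrypted. The following Python checker is an added example, not code from the original page or from Cisco; it parses the ACL lines copied from the China config above, verifies both directions of that relationship, and also lists the ISAKMP policy settings that are treated as legacy here (3DES, MD5, DH group 2). The parser is a deliberately simplified, hypothetical subset of IOS ACL syntax (only the "access-list N permit|deny ip SRC DST" form with wildcard masks or "any"; no "host" keyword, ports, or discontiguous wildcards), and the legacy-algorithm table is an assumption of this example.

```python
"""NAT-exemption / crypto-ACL consistency check for the China router config."""
import ipaddress
import re

# Copied verbatim from the China router "show run" above.
CHINA_ACLS = """
access-list 100 deny   ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny   ip 192.168.170.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
access-list 103 permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 103 permit ip 192.168.170.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

# Copied from the China router's ISAKMP policy above.
CHINA_ISAKMP = """
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""

# Hypothetical, simplified ACE grammar: only "ip" entries with "any" or "addr wildcard".
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)

# Assumption of this example: algorithms flagged as legacy for an IKE policy.
LEGACY_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def wildcard_to_network(token):
    """Turn an IOS 'addr wildcard' pair (or 'any') into an IPv4Network.

    IOS wildcard masks are inverted subnet masks, which is exactly the
    hostmask notation ipaddress accepts after the slash.
    """
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wild = token.split()
    return ipaddress.ip_network(f"{addr}/{wild}", strict=False)


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} preserving ACE order."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        num, action, src, dst = m.groups()
        acls.setdefault(num, []).append(
            (action, wildcard_to_network(src), wildcard_to_network(dst))
        )
    return acls


def first_match(aces, src, dst):
    """IOS evaluates an ACL top-down, first match wins, implicit deny at the end."""
    for action, s, d in aces:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def check_nat_exemption(acls, nat_acl="100", crypto_acl="103"):
    """Every flow the crypto ACL permits must be denied (not translated) by the NAT ACL.

    If PAT rewrites the source first, the packet no longer matches the crypto
    ACL and is sent to the ISP in clear text instead of through the tunnel.
    """
    findings = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action == "permit" and first_match(acls.get(nat_acl, []), src, dst) != "deny":
            findings.append(f"{src}->{dst} is selected for IPsec but is also NATed")
    return findings


def check_crypto_coverage(acls, nat_acl="100", crypto_acl="103"):
    """Every NAT-exempt deny should be fully covered by a crypto ACL permit.

    Otherwise part of the exempted range is neither translated nor encrypted
    and leaves the outside interface with a private source address.
    """
    crypto = [(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit"]
    findings = []
    for action, src, dst in acls.get(nat_acl, []):
        if action != "deny":
            continue
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in crypto):
            findings.append(f"{src}->{dst} exempt from NAT but not fully covered by crypto ACL")
    return findings


def legacy_isakmp_settings(text):
    """Return the ISAKMP policy lines whose algorithm is in LEGACY_ISAKMP."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] in LEGACY_ISAKMP.get(parts[0], set()):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    acls = parse_acls(CHINA_ACLS)
    for finding in check_nat_exemption(acls) + check_crypto_coverage(acls):
        print("ACL:", finding)
    for line in legacy_isakmp_settings(CHINA_ISAKMP):
        print("ISAKMP legacy setting:", line)
```

Run against the China config, the NAT-exemption direction is clean, but the coverage check reports that ACL 100 exempts 172.30.0.0/24 to 172.16.0.0/16 while ACL 103 only encrypts 172.30.0.0/24 to 172.16.0.0/24: hosts in the rest of 172.16.0.0/16 described in the test goal would be routed to the ISP untranslated and unencrypted. The ISAKMP check lists all three of "encr 3des", "hash md5" and "group 2".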
==================================================================
Internet Router
Internet#show run
Building configuration...

Current configuration : 916 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 no clns route-cache
!
interface Serial0/0
 ip address 63.65.14.190 255.255.255.0
 serial restart-delay 0
 no clns route-cache
!
interface Serial0/1
 ip address 140.207.90.137 255.255.255.248
 serial restart-delay 0
 no clns route-cache
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
ip http server
no ip http secure-server
ip classless
!
line con 0
line aux 0
line vty 0 4
!
!
end
==================================================================
USA Router
*Mar 1 01:11:04.547: %SYS-5-CONFIG_I: Configured from console by console
USA#show run
Building configuration...

Current configuration : 1495 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname USA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ciscolab address 140.207.90.138
!
!