Experiment objectives:
1. ××× can traverse a NAT device
2. Inside1 can trigger ××× traffic
Because PAT has to translate port numbers and ESP carries no port numbers, PAT fails and the traffic cannot traverse a PAT device.
With NAT-T, a UDP header is added to the packet, so it now has port numbers.
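As an added example (not from the original post), the following Python models the point above: a PAT device needs L4 ports to build a mapping, raw ESP (IP protocol 50) exposes only an SPI, and RFC 3948 UDP encapsulation on port 4500 supplies the ports. The packets, SPI and addresses are constructed sample values based on this lab's topology, and the IP/UDP checksums are left at zero.

```python
import struct

ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # RFC 3948: UDP-encapsulated ESP, and IKE behind a non-ESP marker

def ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (IHL=5, TTL 64, checksum left 0) plus payload."""
    packed = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, packed(src), packed(dst)) + payload

def udp(sport, dport, payload):
    """UDP header (checksum left 0) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp(spi, seq, body=b"\x00" * 16):
    """ESP: SPI, sequence number, then the opaque encrypted body (constructed)."""
    return struct.pack("!II", spi, seq) + body

def classify_nat_t(payload):
    """Classify a UDP/4500 payload per RFC 3948 section 2."""
    if payload == b"\xff":
        return "nat-keepalive"            # 1-byte keepalive that holds the PAT mapping open
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                      # non-ESP marker: an IKE message follows
    return "udp-encap-esp"                # otherwise the payload starts with an ESP SPI

def pat_key(pkt):
    """(src, sport, dst, dport, kind) a PAT device can translate; None when there are no ports."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if pkt[9] != UDP:
        return None                       # raw ESP (proto 50) exposes only an SPI, so PAT has nothing to map
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    kind = classify_nat_t(pkt[ihl + 8:]) if NAT_T_PORT in (sport, dport) else "udp"
    return (src, sport, dst, dport, kind)

def sample_packets():
    """Constructed packets from Inside2 (10.1.1.1) toward GW1's outside address (202.1.1.1)."""
    inner = esp(0x1234ABCD, 1)
    return {
        "raw_esp": ipv4("10.1.1.1", "202.1.1.1", ESP, inner),
        "nat_t_esp": ipv4("10.1.1.1", "202.1.1.1", UDP, udp(NAT_T_PORT, NAT_T_PORT, inner)),
        "nat_t_ike": ipv4("10.1.1.1", "202.1.1.1", UDP, udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + b"\x01" * 28)),
        "keepalive": ipv4("10.1.1.1", "202.1.1.1", UDP, udp(NAT_T_PORT, NAT_T_PORT, b"\xff")),
    }
```

Running `pat_key` over `sample_packets()` returns None for the raw ESP packet and a full port tuple for each UDP/4500 packet, which is exactly the difference GW2's PAT relies on.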
Configuration:
Inside1:
interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10
GW1:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.1.1.1 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 202.1.1.10 1
route Inside 0.0.0.0 0.0.0.0 1.1.1.1 tunneled //decrypted traffic is sent to 1.1.1.1
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set SET esp-3des esp-md5-hmac
access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto map cisco 10 match address ***
crypto map cisco 10 set pfs group5
crypto map cisco 10 set peer 64.1.1.1
crypto map cisco 10 set ikev1 transform-set SET
crypto map cisco interface Outside
access-list out extended permit icmp any any
access-group out in interface Outside
crypto isakmp nat-traversal //enables NAT-T; enabled by default on routers, disabled by default on the ASA; both ends must enable it for NAT-T to work
Internet:
interface FastEthernet1/0
ip address 202.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 64.1.1.10 255.255.255.0
duplex auto
speed auto
GW2:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 64.1.1.1 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 64.1.1.10 1
route Inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
object network PAT //PAT source is 10.1.1.0/24
subnet 10.1.1.0 255.255.255.0
object network ***-inside-network //××× encryption/decryption endpoint
host 10.1.1.1
object network ***4500-inside-network //××× encryption/decryption endpoint
host 10.1.1.1
object network PAT //source 10.1.1.0/24 is translated to the outside interface address
nat (Inside,Outside) dynamic interface
object network ***-inside-network //when the outside host 202.1.1.1 reaches the outside interface on UDP port 500, translate to inside address 10.1.1.1 UDP port 500
nat (Inside,Outside) static interface service udp isakmp isakmp
object network ***4500-inside-network //when the outside host 202.1.1.1 reaches the outside interface on UDP port 4500, translate to inside address 10.1.1.1 UDP port 4500
nat (Inside,Outside) static interface service udp 4500 4500
access-list out extended permit icmp any any
access-list out extended permit udp host 202.1.1.1 eq isakmp host 10.1.1.1 eq isakmp //permit the IKE negotiation initiated by the outside host 202.1.1.1
access-list out extended permit udp host 202.1.1.1 eq 4500 host 10.1.1.1 eq 4500 //permit the UDP-4500-encapsulated ESP traffic initiated by the outside host 202.1.1.1
access-group out in interface Outside //assumed: the ACL has to be bound inbound on Outside, as on GW1, for the rules above to take effect
Inside2:
crypto keyring cisco
pre-shared-key address 202.1.1.1 key cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile isaprof
keyring cisco
match identity address 202.1.1.1 255.255.255.255
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.1
set transform-set SET
set pfs group5
set isakmp-profile isaprof
match address ***
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Test:
IPsec over UDP is used
Reposted from: https://blog.51cto.com/q3322095/992675