Thursday, March 31, 2011

NAT IPSEC VPN


```
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key test address 204.13.73.241
crypto ipsec transform-set hguoset esp-3des esp-md5-hmac
!
crypto map hguocrymap 1 ipsec-isakmp
 set peer 204.13.73.241
 set transform-set hguoset
 match address 100
!
interface Serial1/3
 crypto map hguocrymap
!
ip nat inside source route-map hguoroutemap pool poolname
!
! ACL 100 is the crypto map ACL
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.7.251.64 0.0.0.31
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.7.251.64 0.0.0.31
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
route-map hguoroutemap permit 1
 match ip address 101
```

When a router needs both IPsec and NAT, the NAT ACL must deny the traffic that IPsec protects. Otherwise, traffic that should be protected by IPsec is matched by the NAT ACL first and translated, and so never triggers establishment of the IPsec tunnel.

If a match command uses an ACL and a route matches a deny entry in that ACL, the route is not filtered out. It only means that the route does not match that match command, so it is checked against the next route-map statement. A route map ends with an implicit deny-all statement. To permit everything, use a permit route-map statement with no match command.
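An added example (not from the original post): a small Python model of the ACL and route-map matching described above, run against the post's ACLs 100 and 101. The function names and the BROKEN_ACLS variant are assumptions made for illustration, and the parser handles only the ACL line form used in the post.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WILD (DST WILD | any)' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list":
            continue
        dst = ("0.0.0.0", "255.255.255.255") if t[6] == "any" else (t[6], t[7])
        acls.setdefault(t[1], []).append((t[2], (t[4], t[5]), dst))
    return acls

def wild_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; all other bits must equal base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def acl_action(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in entries:
        if wild_match(src, *s) and wild_match(dst, *d):
            return action
    return "deny"

def route_map_permits(clauses, acls, src, dst):
    """clauses: list of (action, acl_number or None). An ACL deny only means
    'this clause did not match', so evaluation falls through to the next one."""
    for action, acl in clauses:
        if acl is None or acl_action(acls[acl], src, dst) == "permit":
            return action == "permit"
    return False  # implicit deny at the end of the route map

def classify(acl_text, src, dst, crypto_acl="100", nat_map=(("permit", "101"),)):
    acls = parse_acl(acl_text)
    return {"nat": route_map_permits(nat_map, acls, src, dst),
            "ipsec": acl_action(acls[crypto_acl], src, dst) == "permit"}

# ACLs 100 and 101 as given in the post.
PAGE_ACLS = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.7.251.64 0.0.0.31
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.7.251.64 0.0.0.31
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
# Constructed variant: the deny line is missing from the NAT ACL.
BROKEN_ACLS = "\n".join(l for l in PAGE_ACLS.splitlines() if " deny " not in l)

if __name__ == "__main__":
    for name, text in (("page", PAGE_ACLS), ("broken", BROKEN_ACLS)):
        print(name, classify(text, "192.168.0.10", "10.7.251.70"))
```

A flow for which both `nat` and `ipsec` come back true is the misconfiguration the post warns about: it is translated before the crypto map ACL is consulted, so it never triggers the tunnel.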





Published by xFruits
Original source : http://www.vpn123.tk/?p=243...
