Mobile IP + NAT as a VPN: a configuration example [ITAA Network Lab]
This lab verifies the basic operation of Mobile IPv4: a client of the enterprise network that roams to an external network still behaves as if it were on the internal network, giving the same effect as a VPN.
1. Lab topology:
2. R1 acts as the HA (home agent), PE2 as the FA (foreign agent), and PC3 is the MN (mobile node).
IP address allocation:
Home Subnet: 10.10.200.0/24 (the internal network)
Gateway: 10.10.200.1
PC2 IP: 10.10.200.2
Internet address of the internal network (NAT overload): 202.96.100.20
HA configuration:
```
!
router mobile
!
ip mobile home-agent
ip mobile host nai mobile001 address 10.10.200.2 interface FastEthernet0/0.20
!
ip mobile secure host nai mobile001 spi 100 key hex 12345678123456781234567812345678 algorithm hmac-md5
!
! enable NAT for the Mobile IP tunnel
ip mobile tunnel nat inside
!
```
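As an added example (not code from the original post or from Cisco), the following Python sketch shows what the `ip mobile secure host ... spi 100 key hex ... algorithm hmac-md5` line buys: the MN-HA authentication extension of RFC 3344. It builds a Registration Request, signs it with HMAC-MD5 over the request body plus the extension's Type, Length and SPI, and then performs the two checks the agents in this lab apply: the FA denies a request without the T (reverse tunnel) bit because of `reverse-tunnel mandatory`, and the HA rejects any request whose SPI, contents or authenticator do not match. The key and SPI are the ones configured above; the addresses, lifetime and identification value are constructed, and the function names are mine.

```python
import hashlib
import hmac
import struct

# Parameters copied from the HA configuration on this page.
SPI = 100
MN_HA_KEY = bytes.fromhex("12345678123456781234567812345678")

# Mobile IPv4 constants (RFC 3344 sections 3.3 and 3.5.2; RFC 3024 for the T bit).
REG_REQUEST_TYPE = 1
MN_HA_AUTH_EXT_TYPE = 32
AUTH_LEN = 16                        # HMAC-MD5 authenticator length
FIXED_HEADER_LEN = 24                # type, flags, lifetime, 3 addresses, identification
FLAG_T = 0x02                        # reverse tunneling requested
CODE_REVERSE_TUNNEL_MANDATORY = 75   # FA denial code (RFC 3024)
CODE_MN_FAILED_AUTH = 131            # HA denial code (RFC 3344)


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def auth_ext_header(spi):
    """Type, Length and SPI of the MN-HA authentication extension."""
    return struct.pack("!BBI", MN_HA_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)


def build_request(home_addr, home_agent, care_of, lifetime, identification, flags):
    """Fixed portion of a Registration Request, without extensions."""
    return (struct.pack("!BBH", REG_REQUEST_TYPE, flags, lifetime)
            + ip_to_bytes(home_addr) + ip_to_bytes(home_agent)
            + ip_to_bytes(care_of) + struct.pack("!Q", identification))


def sign_request(key, spi, body):
    """MN side: append the MN-HA authentication extension.

    The authenticator covers the UDP payload preceding the extension plus the
    extension's own Type, Length and SPI fields (RFC 3344 section 3.5.1)."""
    header = auth_ext_header(spi)
    mac = hmac.new(key, body + header, hashlib.md5).digest()
    return body + header + mac


def fa_check(message, reverse_tunnel_mandatory=True):
    """FA side: with 'reverse-tunnel mandatory' a request lacking the T bit is denied."""
    flags = message[1]
    if reverse_tunnel_mandatory and not flags & FLAG_T:
        return False, CODE_REVERSE_TUNNEL_MANDATORY
    return True, 0


def ha_verify(key, spi, message):
    """HA side: locate the MN-HA extension, recompute the authenticator, compare."""
    if len(message) < FIXED_HEADER_LEN or message[0] != REG_REQUEST_TYPE:
        return False, CODE_MN_FAILED_AUTH
    offset = FIXED_HEADER_LEN
    while offset + 2 <= len(message):
        ext_type, ext_len = message[offset], message[offset + 1]
        if ext_type != MN_HA_AUTH_EXT_TYPE:
            offset += 2 + ext_len          # skip unrelated extensions
            continue
        if ext_len != 4 + AUTH_LEN or offset + 2 + ext_len > len(message):
            return False, CODE_MN_FAILED_AUTH
        (got_spi,) = struct.unpack("!I", message[offset + 2:offset + 6])
        if got_spi != spi:
            return False, CODE_MN_FAILED_AUTH
        expected = hmac.new(key, message[:offset + 6], hashlib.md5).digest()
        received = message[offset + 6:offset + 6 + AUTH_LEN]
        if not hmac.compare_digest(expected, received):
            return False, CODE_MN_FAILED_AUTH
        return True, 0
    return False, CODE_MN_FAILED_AUTH      # no extension at all: unauthenticated


# Constructed sample: MN 10.10.200.2 registers through the FA at 202.96.200.1
# with the HA at 202.96.100.17, asking for reverse tunneling (T bit set).
REQUEST = sign_request(
    MN_HA_KEY, SPI,
    build_request("10.10.200.2", "202.96.100.17", "202.96.200.1",
                  1800, 0x0123456789ABCDEF, FLAG_T))

if __name__ == "__main__":
    print("FA:", fa_check(REQUEST))
    print("HA:", ha_verify(MN_HA_KEY, SPI, REQUEST))
```

The hex string in `ip mobile secure host` is therefore the shared secret that protects every registration; the lab value above is a placeholder pattern, and a deployment would use a randomly generated key and a per-MN SPI.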
FA configuration:
```
!
router mobile
!
ip mobile foreign-agent care-of FastEthernet0/0
ip mobile foreign-agent reverse-tunnel private-address
!
!
interface FastEthernet0/0
 ! the client roams to this network segment
 ip address 202.96.200.1 255.255.255.0
 ip mobile foreign-service
 ip mobile foreign-service reverse-tunnel mandatory
 ip irdp
 ip irdp maxadvertinterval 10
 ip irdp minadvertinterval 7
 ip irdp holdtime 30
!
```
The MN uses the Cisco Mobile IP Client:
3. Test procedure
A. Roam the client from the Home Subnet to the external network.
B. Test the client's connectivity; from PC2, ping an external host:
```
C:\Documents and Settings\Administrator>ping 202.96.1.1
Pinging 202.96.1.1 with 32 bytes of data:
Reply from 202.96.1.1: bytes=32 time=156ms TTL=252
Reply from 202.96.1.1: bytes=32 time=123ms TTL=252
Reply from 202.96.1.1: bytes=32 time=187ms TTL=252
```
C. Check the FA's routing table and ARP table; a host route and an ARP entry for the MN have been added:
```
PE2# show ip route mobile
     10.0.0.0/32 is subnetted, 1 subnets
M       10.10.200.2 [3/1] via 10.10.200.2, 00:00:05, FastEthernet0/0
PE2#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.100.88            27   000c.2986.681f  ARPA   FastEthernet0/0
Internet  202.96.200.1             -   c203.0827.0000  ARPA   FastEthernet0/0
Internet  202.96.12.2              -   c203.0827.0001  ARPA   FastEthernet0/1
Internet  202.96.12.1             53   c202.0827.0001  ARPA   FastEthernet0/1
Internet  10.10.200.2              0   000c.2976.02ab  ARPA   FastEthernet0/0
```
D. Check the HA's routing table: one host route has been added, with the next hop pointing to the tunnel, and the tunnel destination is the CoA (care-of address):
```
R1#show ip ro mobile
     10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
M       10.10.200.2/32 [3/1] via 202.96.200.1, 00:01:22, Tunnel0
R1#show ip mobile tunnel
Mobile Tunnels:
Total mobile ip tunnels 1
Tunnel0:
    src 202.96.100.17, dest 202.96.200.1
    encap IP/IP, mode reverse-allowed, tunnel-users 2
    IP MTU 1480 bytes, NAT inside
    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
    outbound interface FastEthernet0/1
    HA created, fast switching enabled, ICMP unreachable enabled
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 drops
    135 packets output, 10800 bytes
R1#show ip nat translations
Pro  Inside global        Inside local        Outside local       Outside global
udp  202.96.100.18:123    10.10.100.50:123    10.10.2.2:123       10.10.2.2:123
udp  202.96.100.18:2048   10.10.100.50:2048   10.10.2.2:51628     10.10.2.2:51628
---  202.96.100.18        10.10.100.50        ---                 ---
icmp 202.96.100.20:768    10.10.200.2:768     202.96.1.1:768      202.96.1.1:768
```
4. Summary
A. An MN that uses a private address must reverse-tunnel back to the home network; otherwise, when it accesses the public Internet, it cannot receive the return packets (the public network has no route for the private address).
B. The FA encapsulates the MN's packets into the tunnel and sends them back to the HA.
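As an added check (not part of the original post), this Python script parses the two HA `show` outputs above, copied here as sample input, and confirms the two properties the summary relies on: the MN's home address 10.10.200.2 is reachable on the HA only through a Tunnel host route, and every translation whose inside-local address lies in the home subnet leaves with the published NAT address 202.96.100.20. The parsing is tied to the column layout shown on this page, and the function names are mine.

```python
import ipaddress
import re

HOME_SUBNET = ipaddress.ip_network("10.10.200.0/24")       # Home Subnet from this page
NAT_OVERLOAD_ADDR = ipaddress.ip_address("202.96.100.20")   # published Internet address

# Sample outputs copied from the HA (R1) transcript on this page.
SHOW_IP_ROUTE_MOBILE = """\
     10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
M       10.10.200.2/32 [3/1] via 202.96.200.1, 00:01:22, Tunnel0
"""

SHOW_IP_NAT_TRANSLATIONS = """\
Pro  Inside global        Inside local        Outside local       Outside global
udp  202.96.100.18:123    10.10.100.50:123    10.10.2.2:123       10.10.2.2:123
udp  202.96.100.18:2048   10.10.100.50:2048   10.10.2.2:51628     10.10.2.2:51628
---  202.96.100.18        10.10.100.50        ---                 ---
icmp 202.96.100.20:768    10.10.200.2:768     202.96.1.1:768      202.96.1.1:768
"""

# "M  <prefix> [<ad>/<metric>] via <next hop>, <age>, <interface>"
ROUTE_RE = re.compile(r"^M\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+\S+,\s+(\S+)$")


def parse_mobile_routes(text):
    """Map each Mobile IP ('M') route to (next hop, outgoing interface)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix = m.group(1) if "/" in m.group(1) else m.group(1) + "/32"
            routes[ipaddress.ip_network(prefix)] = (ipaddress.ip_address(m.group(2)), m.group(3))
    return routes


def split_endpoint(field):
    """'202.96.100.20:768' -> (address, port); '---' -> (None, None); bare address -> (address, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return ipaddress.ip_address(addr), int(port)
    return ipaddress.ip_address(field), None


def parse_nat_translations(text):
    """One dict per translation row; the header line has more than five columns and is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto,
                     "inside_global": split_endpoint(ig),
                     "inside_local": split_endpoint(il),
                     "outside_local": split_endpoint(ol),
                     "outside_global": split_endpoint(og)})
    return rows


def mn_reached_via_tunnel(routes, mn_addr):
    """True when the MN's home address has a /32 route whose egress is a Tunnel interface."""
    key = ipaddress.ip_network(mn_addr + "/32")
    if key not in routes:
        return False
    _, iface = routes[key]
    return iface.startswith("Tunnel")


def mn_egress_addresses(rows, home_subnet):
    """Inside-global addresses used for traffic whose inside-local address is a home-subnet MN."""
    out = set()
    for r in rows:
        addr, _ = r["inside_local"]
        if addr is not None and addr in home_subnet:
            out.add(r["inside_global"][0])
    return out


def audit(route_text, nat_text, mn_addr, home_subnet, public_addr):
    routes = parse_mobile_routes(route_text)
    rows = parse_nat_translations(nat_text)
    return {"tunnel_route": mn_reached_via_tunnel(routes, mn_addr),
            "nat_ok": mn_egress_addresses(rows, home_subnet) == {public_addr}}


if __name__ == "__main__":
    print(audit(SHOW_IP_ROUTE_MOBILE, SHOW_IP_NAT_TRANSLATIONS,
                "10.10.200.2", HOME_SUBNET, NAT_OVERLOAD_ADDR))
```

If `tunnel_route` is false the MN's traffic is not being reverse-tunnelled through the HA, which is exactly the case the summary warns about; if `nat_ok` is false a home-subnet address is leaving with something other than the overload address, so the `ip mobile tunnel nat inside` marking should be rechecked.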