实验TOP：

 

 

 

RT1的配置：

==================================================

<H3C>sy                              

[H3C]int g0/1/0 [H3C-GigabitEthernet0/1/0]ip add 192.168.1.2 255.255.255.0 [H3C-GigabitEthernet0/1/0]un shu [H3C-GigabitEthernet0/1/0]quit [H3C]int s0/2/0 [H3C-Serial0/2/0]un shu [H3C-Serial0/2/0]ip add 192.168.2.1 255.255.255.0 [H3C-Serial0/2/0]quit [H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2 [H3C]rip [H3C-rip-1]net 192.168.1.0 [H3C-rip-1]net 192.168.2.0 [H3C-rip-1]quit [H3C]ike local-name rt1 [H3C]acl number 3001 [H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255 [H3C-acl-adv-3001]quit [H3C]ike pee [H3C]ike peer peer1 [H3C-ike-peer-peer1]exchange-mode aggressive [H3C-ike-peer-peer1]pre-shared-key abc [H3C-ike-peer-peer1]id-type name [H3C-ike-peer-peer1]remote-name rt2     [H3C-ike-peer-peer1]remote-address 192.168.4.2 [H3C-ike-peer-peer1]nat traversal [H3C-ike-peer-peer1]quit [H3C]ipsec proposal kalng [H3C-ipsec-proposal-kalng]encapsulation-mode tunnel [H3C-ipsec-proposal-kalng]transform esp [H3C-ipsec-proposal-kalng]esp encryption-algorithm des [H3C-ipsec-proposal-kalng]esp authentication-algorithm md5 [H3C-ipsec-proposal-kalng]quit [H3C]ipsec policy policy1 10 isakmp [H3C-ipsec-policy-isakmp-policy1-10]ike-peer peer1 [H3C-ipsec-policy-isakmp-policy1-10]security acl 3001 [H3C-ipsec-policy-isakmp-policy1-10]proposal kalng [H3C-ipsec-policy-isakmp-policy1-10]quit [H3C]int s0/2/0 [H3C-Serial0/2/0]ipsec policy policy1 [H3C-Serial0/2/0]quit

 

NAT的配置：

====================================================

<H3C>sy

[H3C]int s0/2/0 [H3C-Serial0/2/0]ip add 192.168.2.2 255.255.255.0 [H3C-Serial0/2/0]un shu [H3C-Serial0/2/0]quit [H3C]int s0/2/1 [H3C-Serial0/2/1]ip add 192.168.3.1 255.255.255.0 [H3C-Serial0/2/1]un shu [H3C-Serial0/2/1]quit [H3C]rip [H3C-rip-1]net 192.168.2.0 [H3C-rip-1]quit [H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.3.2 [H3C]acl number 2001 [H3C-acl-basic-2001]rule permit source any [H3C-acl-basic-2001]quit [H3C]nat address-group 1 192.168.3.5 192.168.3.10 [H3C]int s0/2/1 [H3C-Serial0/2/1]nat outbound 2001 address-group 1 [H3C-Serial0/2/1]quit [H3C]

 

RT2的配置：

=====================================================

<H3C>sy

[H3C]int s0/2/0 [H3C-Serial0/2/0]ip add 192.168.4.2 255.255.0 [H3C-Serial0/2/0]ip add 192.168.4.2 255.255.255.0 [H3C-Serial0/2/0]un shu [H3C-Serial0/2/0]quit [H3C]int g0/1/0 [H3C-GigabitEthernet0/1/0]ip add 192.168.5.1 255.255.255.0 [H3C-GigabitEthernet0/1/0]un shu [H3C-GigabitEthernet0/1/0]quit [H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.4.1 [H3C]ike local-name rt2 [H3C]acl number 3001 [H3C-acl-adv-3001]rule permit ip source 192.168.5.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 [H3C-acl-adv-3001]quit [H3C]ike peer peer2 [H3C-ike-peer-peer2]exchange-mode aggressive [H3C-ike-peer-peer2]pre-shared-key abc [H3C-ike-peer-peer2]id-type name [H3C-ike-peer-peer2]remote-name rt1 [H3C-ike-peer-peer2]nat traversal [H3C-ike-peer-peer2]quit [H3C]ipsec proposal kalng [H3C-ipsec-proposal-kalng]encapsulation-mode tunnel [H3C-ipsec-proposal-kalng]transform esp [H3C-ipsec-proposal-kalng]esp encryption-algorithm des [H3C-ipsec-proposal-kalng]esp authentication-algorithm md5 [H3C-ipsec-proposal-kalng]quit [H3C]ipsec policy policy2 10 isakmp [H3C-ipsec-policy-isakmp-policy2-10]ike-peer peer2 [H3C-ipsec-policy-isakmp-policy2-10]security acl 3001 [H3C-ipsec-policy-isakmp-policy2-10]proposal kalng [H3C-ipsec-policy-isakmp-policy2-10]quit [H3C]int s0/2/0 [H3C-Serial0/2/0]ipsec policy policy2 [H3C-Serial0/2/0]quit [H3C]

 

PS：当配置完成之后，先从PC2 ping PC1,会发现ping不通。

 

从PC1 ping PC2发现可以ping通。

 

这时在从PC2 ping PC1 会发现可以ping通了。

 

原因是由于在NAT上没有RT1的映射，必须先由从PC1 ping PC2 建立映射之后，PC2才可以ping通PC1。