Branch L2L VPN to headquarters and PAT to partner through leased line (SVTI establishes VPN)

I. Overview:I received A friend's question in my blog. After phone communication, I learned the approximate situation:. the headquarters has a leased line to partner B. the partner side is not convenient to add a back-to-point route. When the Headquarters accesses the partner, PATC is implemented. now, if you want to connect the branch L2L VPN to the headquarters and PAT to the partner, the traffic from the branch to the partner is routed to the loopback port through a policy route, and NAT is configured, later, a friend in the QQ Group proposed the GRE over IPSEC method, so he planned to verify it.
Ii. Basic Ideas:A. if the partner can easily add A back-to-point route, you only need to treat the partner as the internal network of the headquarters and do not need to configure PAT. B. if a branch wants to connect to its headquarters through a VPN and then PAT it to its partners, it needs to configure the loopback port on the Headquarters router and configure a policy route for the public network interface to route the traffic from its branches to its partners to loopback, and PAT. ---- This has been verified in the previous blog, and NVI is configured for the tunnel interface of the Headquarters router and the leased line interface connecting the partner, so that the traffic from the branch to the partner is PAT. ---- Because ASA does not support VTI, this method is not applicable if the branch or Headquarters uses the ASA firewall.. Test topology:650) this. width = 650; "src =" http://img1.51cto.com/attachment/201310/181204696.jpg "title =" TUOPU. JPG "alt =" 181204696.jpg"/>4. Basic Configuration:A. Branch_Inside router:Interface Ethernet0/0
Ip address 10.1.1.1 255.255.255.0
No shut
Ip route 0.0.0.0 0.0.0.0 10.1.1.2B. Branch vro:Interface Ethernet0/0
Ip address 10.1.1.2 255.255.255.0
Ip nat inside
No shutinterface Ethernet0/1
Ip address 202.100.1.2 255.255.255.0
Ip nat outside no shutip route 0.0.0.0 0.0.0.0 202.100.1.3ip access-list extended PAT
Deny ip 10.1.1.0 0.0.255 192.168.1.0 0.0.0.255
Deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
Permit ip 10.1.1.0 0.0.255 anyip nat inside source list PAT interface Ethernet0/1 overloadC. Internet router:Interface Ethernet0/0
Ip address 202.100.1.3 255.255.255.0
No shutinterface Ethernet0/1
Ip address 202.100.2.3 255.255.255.0
No shutD. Center router:Interface Ethernet0/0
Ip address 192.168.1.4 255.255.255.0
Ip nat inside no shutinterface Ethernet0/1
Ip address 202.100.2.4 255.255.255.0
Ip nat outside
No shutinterface Ethernet0/2
Ip address 172.16.1.2 255.255.255.252
No shutip route 0.0.0.0 0.0.0.0 202.100.2.3ip route 160.1.1.0 route 255.255.0 172.16.1.1ip access-list extended PAT
Deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
Permit ip 192.168.1.0 0.0.0.255 anyip nat inside source list PAT interface Ethernet0/1 overloadE. Center_Inside router:Interface Ethernet0/0 ip address 192.168.1.5 255.255.255.0
No shutip route 0.0.0.0 0.0.0.0 192.168.1.4F. Partner router:Interface Loopback0 ip address 160.1.1.6 255.255.255.0
Interface Ethernet0/0
Ip address 172.16.1.1 255.255.255.252
No shut ---- Note: no route is configured5. Configure PAT from the Headquarters Intranet to partners:---- Configure on the Center headquarters RouterA. Configuration:Interface Ethernet0/0
Ip nat enableinterface Ethernet0/2
Ip nat enableip access-list extended Center-to-partner-PAT
Permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255ip nat source list Center-to-partner-PAT interface Ethernet0/2 overloadB. Verification:Center_Inside # telnet 160.1.1.6
Trying 160.1.1.6... Open


User Access Verification

Password:
Partner> show users
Line User Host (s) Idle Location
0 con 0 idle 00:00:42
* 130 vty 0 idle 00:00:00 172.16.1.2

Interface User Mode Idle Peer Address

Partner>6. L2L VPN configuration from branch to Headquarters:---- Create site-to-site VPN using SVTIA. Branch vro:Crypto isakmp policy 10
Encr 3des
Hash md5
Authentication pre-share
Group 2
Crypto isakmp key cisco address 202.100.2.4
Crypto ipsec transform-set transet esp-des esp-md5-hmac crypto ipsec profile Ipsec_prfile
Set transform-set transet
Interface Tunnel0
Ip address 123.1.1.1 255.255.255.0
Tunnel source Ethernet0/1
Tunnel destination 202.100.2.4 tunnel protection ipsec profile Ipsec_prfileip route 160.1.1.0 route 255.255.0 Tunnel0
Ip route 192.168.1.0 255.255.255.0 Tunnel0B. Center router:Crypto isakmp policy 10
Encr 3des
Hash md5
Authentication pre-share
Group 2
Crypto isakmp key cisco address 202.100.1.2
Crypto ipsec transform-set transet esp-des esp-md5-hmaccrypto ipsec profile Ipsec_prfile
Set transform-set transet interface Tunnel0
Ip address 123.1.1.2 255.255.255.0
Tunnel source Ethernet0/1
Tunnel destination 202.100.1.2
Tunnel protection ipsec profile Ipsec_prfile
Ip route 10.1.1.0 255.255.255.0 Tunnel0C. Verification:Branch_Inside # ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 MS
Branch_Inside # Center_Inside #
* Mar 1 10:07:25. 293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
* Mar 1 10:07:25. 561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
* Mar 1 10:07:25. 701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
* Mar 1 10:07:25. 809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.17. Configure the PAT from the branch to the partner:----- All are configured on the Center RouterA. Configure PAT:Interface Tunnel0 ip nat enableinterface Ethernet0/2
Ip nat enableip access-list extended Branch-to-partner
Permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255ip nat source list Branch-to-partner interface Ethernet0/2 overloadD. Verification:Branch_Inside # telnet 160.1.1.6
Trying 160.1.1.6... Open


User Access Verification

Password:
Partner> show users
Line User Host (s) Idle Location
0 con 0 idle 09:00:47
* 130 vty 0 idle 00:00:00 172.16.1.2

Interface User Mode Idle Peer Address

Partner>

This article is from the "httpyuntianjxxll. spac..." blog, please be sure to keep this source http://333234.blog.51cto.com/323234/1309861