I. Overview:
When both ends of a LAN-to-LAN IPsec VPN use overlapping intranet address ranges, the two sites cannot reach each other; static NAT has to be configured so that mutual access becomes possible (see http://xuanbo.blog.51cto.com/499334/410541). That solves the overlap problem, but it also leaves the internal hosts unable to reach the public Internet. After testing, it turns out that with the help of a Loopback interface, policy-based routing (PBR), and a mix of classic ip nat inside/outside NAT and NAT Virtual Interface (NVI, ip nat enable), the overlapping addresses can be handled while the internal hosts can still reach the public Internet. The details are recorded here.
II. Basic ideas:
A. Solving the overlapping-address problem:
---Configure static NAT so that each side sees the other side's intranet as a different network segment; the hosts on the two intranets then reach each other one-to-one through the translated addresses.
B. Solving the loss of public-Internet access:
---Combine the two different NAT methods and use policy-based routing (PBR), so that static NAT is applied to VPN traffic and dynamic PAT is applied to traffic bound for the public Internet, as needed.
C. Features relied on:
---NAT is performed before IPsec VPN encryption.
---Routers can configure NAT in two ways: the traditional ip nat inside/outside method, and the NAT Virtual Interface (NVI) method, where ip nat enable is configured under the interface. The two methods can coexist at the same time.
---For NAT to take place, a route must first exist; in addition, the packet must enter from an ip nat inside interface and leave from an ip nat outside interface (or the reverse), or enter from one ip nat enable interface and leave from another ip nat enable interface.
---For the traditional (crypto map) L2L VPN configuration, the router's internal and external interfaces form a pair of ip nat enable interfaces, so that Internet-bound traffic is PAT'd onto the public network; PBR sends VPN traffic to a Loopback interface, and the Loopback interface and the external interface form an ip nat inside/outside pair, so NAT is done before the VPN.
---For the SVTI L2L VPN configuration, the router's internal and external interfaces likewise form a pair of ip nat enable interfaces, so that Internet-bound traffic is PAT'd; PBR sends VPN traffic to a Loopback interface, and the Loopback interface and the Tunnel interface form an ip nat inside/outside pair, so NAT is done before the VPN.
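As an added illustration (not the configuration from the original post or from the linked article), the following reconstructs the traditional crypto-map variant of section C on the Headquarters Center Router. The 10.1.1.0/24, 202.100.1.0/24 and 202.100.2.0/24 addresses come from the test setup below; everything else is assumed: the HQ intranet is presented to the peer as 192.168.1.0/24, the peer's overlapping 10.1.1.0/24 is presented to HQ as 192.168.2.0/24, Loopback0 uses 172.16.0.1/24, the peer sits at 202.100.2.1, and the pre-shared key is a placeholder.

```cisco
! Added example, not the original post's configuration.
! Assumed values: 192.168.1.0/24 (HQ as seen by the peer), 192.168.2.0/24
! (peer as seen by HQ), Loopback0 172.16.0.1/24, peer 202.100.2.1, PSK placeholder.
!
! --- IKE / IPsec ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 202.100.2.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! The crypto ACL matches the POST-NAT addresses, because NAT runs before encryption.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 202.100.2.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! --- Classic static NAT for the overlap: Loopback0 (inside) -> Ethernet0/1 (outside) ---
! 10.1.1.x is translated one-to-one to 192.168.1.x on the way into the tunnel,
! and 192.168.1.x back to 10.1.1.x for decrypted traffic arriving on the outside.
ip nat inside source static network 10.1.1.0 192.168.1.0 /24
!
! --- NVI dynamic PAT for Internet traffic: Ethernet0/0 -> Ethernet0/1 ---
! Both interfaces carry ip nat enable; Loopback0 does not, so VPN traffic
! entering from Loopback0 is never picked up by this rule. The deny is a
! belt-and-braces exclusion of peer-LAN traffic.
ip access-list extended INTERNET-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list INTERNET-TRAFFIC interface Ethernet0/1 overload
!
! --- PBR: steer only traffic for the peer's translated LAN into Loopback0 ---
! The packet re-enters the router on Loopback0 (ip nat inside), is routed out
! Ethernet0/1 (ip nat outside), hits the static NAT, then the crypto map.
ip access-list extended TO-PEER-LAN
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map PBR-VPN permit 10
 match ip address TO-PEER-LAN
 set interface Loopback0
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
 ip policy route-map PBR-VPN
!
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 ip nat enable
 ip nat outside
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
```

An HQ host reaches a peer host 10.1.1.x by addressing 192.168.2.x; the peer router performs the mirror-image static NAT (its 10.1.1.0/24 to 192.168.2.0/24) so that both crypto ACLs agree. For the SVTI variant, ip nat outside and the tunnel protection move from Ethernet0/1 to the Tunnel interface, a route for 192.168.2.0/24 points into the tunnel, and the Loopback0, static NAT and PBR pieces stay the same. To check which path a flow took, compare show ip nat translations (classic, VPN traffic) against show ip nat nvi translations (NVI, Internet traffic), and confirm with show crypto ipsec sa that only 192.168.1.0/24 to 192.168.2.0/24 packets are being encrypted.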
III. Test topology:
IV. Basic configuration:
A. Headquarters Server Router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B. Headquarters Center Router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C. Internet Router:
interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shutdown