I. Overview:
With EzVPN, if the address range behind the hardware client overlaps with the address range behind the EzVPN server, even one-way access in client mode cannot work. Static NAT has to be configured, and so that the headquarters' access to the public network is not affected, static NAT and dynamic PAT need to be kept separate.
II. Basic ideas:
A. EzVPN client mode:
----This mode only gives the branch office one-way access to headquarters. Static NAT is configured at headquarters, so that the headquarters hosts the branch office visits appear to be addresses in another network segment.
----So that headquarters can configure static NAT and still reach the public network, the headquarters router's internal and external interfaces are configured as one pair with ip nat enable, and PAT is configured on that pair. ip nat inside and ip nat outside are configured on a loopback interface and the external interface respectively as the other pair, and static NAT is configured on that pair. To get traffic to the loopback interface, PBR is configured on the network interface so that traffic that needs the VPN is sent to the loopback interface; the static NAT is applied before the traffic enters the VPN.
B. EzVPN network-extension or network-plus mode:
----In these two modes both sides need to access each other. To make access work in both directions, headquarters has to configure two static NATs, inside and outside. At the same time, so that static NAT and dynamic PAT can both be used with the public network, they are implemented with different NAT configuration methods.
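The client-mode design in A, written out for the headquarters center router as an added example; it is not the original article's configuration and covers only the NAT and PBR portion. The interface names and the 10.1.1.0/24 and 202.100.1.0/24 addresses come from the basic configuration on this page. The Loopback0 addressing, the client pool 192.168.100.0/24, the translated segment 172.16.1.0/24 and the ACL and route-map names are assumptions.

```cisco
! Headquarters center router: NAT and PBR portion only (EzVPN server config not shown).
! Assumed values: Loopback0 1.1.1.1/30, client pool 192.168.100.0/24,
! translated segment 172.16.1.0/24, ACL and route-map names.
!
! Legacy NAT pair used for static NAT: Loopback0 is the "inside".
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
!
! Internal interface: ip nat enable pair (PAT), plus PBR for replies to VPN clients.
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
 ip policy route-map VPN-TO-LOOPBACK
!
! External interface: member of both pairs.
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 ip nat enable
 ip nat outside
!
! Replies from headquarters hosts to VPN clients (assumed pool).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! Internet-bound traffic only; VPN traffic is excluded from PAT.
ip access-list extended PAT-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
! Send VPN replies through Loopback0 so they cross inside -> outside.
! 1.1.1.2 is an unused address on the Loopback0 subnet.
route-map VPN-TO-LOOPBACK permit 10
 match ip address VPN-TRAFFIC
 set ip next-hop 1.1.1.2
!
! Dynamic PAT for Internet access (ip nat enable pair).
ip nat source list PAT-INTERNET interface Ethernet0/1 overload
!
! Static NAT: branch hosts reach 10.1.1.x as 172.16.1.x (inside/outside pair).
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
```

`show ip nat translations` lists the static entries and `show ip nat nvi translations` lists the PAT entries, which confirms whether VPN replies are matching the static rule and not the overload rule.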
III. Test topology:
IV. Basic configuration:
A. Headquarters server router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B. Headquarters center router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut