
! NAT device: FastEthernet0/0 is the NAT inside interface, FastEthernet1/0 the outside one.
interface FastEthernet0/0
ip nat inside
!
interface FastEthernet1/0
ip nat outside
!
! ACL 100 selects the single source host 61.128.1.1. The NAT rule below translates
! that traffic to FastEthernet1/0's own address with port overload (PAT).
! NOTE(review): if 61.128.1.1 is one of the IPsec endpoints, ESP has no ports to
! translate, so the tunnel generally relies on NAT-T (UDP 4500) to cross this PAT.
! Confirm that both peers negotiate it.
access-list 100 permit ip host 61.128.1.1 any
ip nat inside source list 100 interface FastEthernet1/0 overload
! NOTE(review): from here the listing appears to be a second device (the VPN router
! with two candidate peers). There is no heading in the source, so confirm.
! ACL 100 is the crypto ACL ("match address 100" below): only 1.1.1.1 -> 2.2.2.2 is protected.
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
! IKEv1 phase 1 policy: 3DES, pre-shared-key authentication, DH group 2, 28800 s lifetime.
! No hash is configured, so the platform default applies.
! NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy choices. Prefer AES and a
! stronger DH group where the platform supports them, changed on every peer at the same time.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
! NOTE(review): the pre-shared key "cisco" is a guessable lab value, stored in clear text
! and shared by both peers. In production use a long random key per peer and enable
! key encryption ("key config-key password-encrypt" with "password encryption aes").
crypto isakmp key cisco address 192.168.1.1
crypto isakmp key cisco address 172.16.1.1
! Dead-peer detection: keepalives every 10 seconds, sent periodically rather than on demand.
crypto isakmp keepalive 10 periodic
!
! Phase 2 proposal: ESP with 3DES encryption and SHA-1 HMAC integrity, tunnel mode.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
! Crypto map entry 1: 172.16.1.1 is marked as the default (preferred) peer and
! 192.168.1.1 is the alternate. An SA idle for 180 s is torn down. PFS uses DH group 2.
crypto map maptest 1 ipsec-isakmp
set peer 172.16.1.1 default
set peer 192.168.1.1
set security-association idle-time 180
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
! The crypto map only takes effect once it is bound to an interface.
interface FastEthernet0/0
crypto map maptest
! NOTE(review): the repeated "crypto isakmp policy 10" suggests a third device starts here
! (single peer 202.100.1.254, OSPF router-id 10.1.1.1). The source has no heading, so confirm.
! IKEv1 phase 1 policy: 3DES, pre-shared key, DH group 2, 28800 s lifetime, platform-default hash.
! NOTE(review): 3DES and DH group 2 are legacy. Any upgrade must be mirrored on the remote peer.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
! NOTE(review): "cisco" is a guessable lab key kept in clear text. Replace it with a long
! random key and enable key encryption before any production use.
crypto isakmp key cisco address 202.100.1.254
! Dead-peer detection keepalives every 10 seconds, sent periodically.
crypto isakmp keepalive 10 periodic
!
! Phase 2 proposal: ESP 3DES + SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
! Crypto map entry 1 towards 202.100.1.254. Reverse-route injection is enabled and the
! injected static routes carry tag 10, which route-map s2o matches further down.
crypto map maptest 1 ipsec-isakmp
set peer 202.100.1.254
set transform-set ESP-3DES-SHA
set pfs group2
set reverse-route tag 10
match address 100
reverse-route
!
interface FastEthernet0/0
crypto map maptest
!
! OSPF process 10 redistributes static routes, filtered by route-map s2o so that only
! routes tagged 10 (the ones RRI tagged above) are advertised into area 0.
! NOTE(review): no OSPF authentication is visible in this listing. Confirm whether the
! 10.1.1.0/24 segment is trusted, since a neighbour there can influence where VPN traffic goes.
router ospf 10
router-id 10.1.1.1
redistribute static subnets route-map s2o
network 10.1.1.0 0.0.0.255 area 0
!
! Crypto ACL: protects 2.2.2.2 -> 1.1.1.1, the mirror of the 1.1.1.1 -> 2.2.2.2 entry earlier in the listing.
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
!
route-map s2o permit 10
match tag 10
Standby
! ASA-style configuration for the standby VPN endpoint.
! ACL "ipsec" permits IKE (UDP isakmp) and ESP from any source to any destination,
! and is applied inbound on the outside interface.
! NOTE(review): on ASA an interface ACL filters traffic passing through the device, not
! IKE/ESP addressed to the ASA itself. Confirm what this ACL is meant to protect.
! If it stays, consider limiting the source to the known peer instead of "any".
access-list ipsec extended permit udp any any eq isakmp
access-list ipsec extended permit esp any any
! Crypto ACL: protects 2.2.2.2 -> 1.1.1.1.
access-list outside_cryptomap extended permit ip host 2.2.2.2 host 1.1.1.1
! Standard ACL "rri" matches host 1.1.1.1. Route-map s2o uses it to select which
! static routes are redistributed into OSPF.
access-list rri standard permit host 1.1.1.1
access-group ipsec in interface outside
route-map s2o permit 10
match ip address rri
! OSPF process 10 on 10.1.1.0/24, area 0. Static routes pass through route-map s2o first.
! NOTE(review): no OSPF authentication is visible here. Confirm that the segment is trusted.
router ospf 10
router-id 10.1.1.2
network 10.1.1.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets route-map s2o
! Phase 2 proposal: ESP 3DES + SHA-1 HMAC (legacy, see the note on the IKEv1 policy below).
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Crypto map entry 1: PFS enabled, answer-only (this unit never initiates the tunnel),
! single peer 202.100.1.254, reverse-route injection on, bound to the outside interface.
! NOTE(review): "set pfs" names no group, so the platform default applies. The IOS
! configurations earlier in the listing use "set pfs group2". Confirm that the two sides match.
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 202.100.1.254
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
! IKEv1 phase 1 policy: pre-shared key, 3DES, SHA, DH group 2, 28800 s lifetime.
! NOTE(review): 3DES, SHA-1 and DH group 2 are legacy. Move to AES, SHA-2 and a stronger
! DH group (ideally with IKEv2) where supported, coordinated with the remote peer.
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
! LAN-to-LAN tunnel group for peer 202.100.1.254.
! NOTE(review): the pre-shared key "cisco" is a guessable lab value. Use a long random
! key per peer in production.
tunnel-group 202.100.1.254 type ipsec-l2l
tunnel-group 202.100.1.254 ipsec-attributes
ikev1 pre-shared-key cisco
! Keepalive monitoring starts after 30 s of idle time, with retries every 2 s.
isakmp keepalive threshold 30 retry 2
# FW: permit traffic
! Firewall ACL "out": permits IKE (UDP isakmp), ESP, ICMP and NAT-T (UDP 4500)
! from any source to any destination. Its interface binding is not shown in this listing.
! NOTE(review): every entry is "any any". Scope the IKE/ESP/4500 entries to the actual
! VPN peer addresses. "icmp any any" is broader than the tunnel needs, so restrict it to
! the ICMP types and hosts required for troubleshooting.
access-list out extended permit udp any any eq isakmp
access-list out extended permit esp any any
access-list out extended permit icmp any any
access-list out extended permit udp any any eq 4500
Standby#