x*********n posts: 28013 | 1 Your question is ill-posed to begin with; it is not well asked.
IPSec needs the routers on both sides to match before the tunnel comes up and the two sides can ping each other; otherwise the configuration will say it has to wait until the other side is connected.
IPSec comes down to three things:
whether the private IPs in the access-list match,
whether the WAN IPs in the crypto config match and the WAN sides can ping each other,
and only then the crypto-map.
################################################################
Your problem is that traffic goes through some central hub (center); then
check the center's nonat part: you need to nonat site B as well, and then B will work.
j**u posts: 15 | 2 jjtu nonated $38 through HK redcross website on 14 May
x*********n posts: 28013 | 3 For example:
access-list 50 deny host 10.2.2.2
Here the 50 is ordered, right?
In everyday use this number is awkward, because if there are many ACLs we need to label them with text.
For example:
access-list NoNat extended permit ip object-group StoreLan 172.25.0.0 255.255.0.0
So in that case, how does the device know the order?
x*********n posts: 28013 | 4 ip access-list extended NO_NAT
 deny ip 10.80.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 deny ip 10.80.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.80.96.0 0.0.0.255 any
So this means these IPs are not NATed and everything else is NATed?
Used on a site-to-site VPN: since both sides are private IPs, NAT has to be disabled for it to work?
s*****g posts: 1055 | 5 This access-list is typically referenced by your IOS router's policy NAT/PAT configuration: when a packet comes to the NAT inside interface, if it is destined to an internal address, then don't apply the NAT/PAT rule, route it to the VPN; for other traffic, NAT/PAT it and send it to the Internet. If the site does not need Internet access, or Internet access is via a central off-site location, then you don't need any NAT or no-NAT configuration.
In order to be politically correct, there are situations you will NAT/PAT traffic even if it is...
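An added example, written for this thread and not from any of the posters: a small Python first-match evaluator for the NO_NAT list quoted in post 4, read the way post 5 describes the router using it (a "permit" match is translated, a "deny" match or no match is left untranslated and routed to the VPN). Entries are checked top-down in the order they were entered, which is the ordering asked about in post 3; the source and destination addresses fed to it are constructed sample values.

```python
import ipaddress

# The exact list from post 4, embedded here so the example runs offline.
NO_NAT = """
ip access-list extended NO_NAT
 deny ip 10.80.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 deny ip 10.80.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.80.96.0 0.0.0.255 any
"""

def matches(addr, network, wildcard):
    """IOS wildcard match: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))

def parse_acl(text):
    """Turn extended-ACL lines into (action, src, dst) tuples, preserving entry order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("deny", "permit"):
            continue  # skips the 'ip access-list extended NAME' header line
        action = tokens[0]
        rest = tokens[2:]          # tokens[1] is the protocol ('ip'), ignored here
        src = parse_addr(rest)
        dst = parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def lookup(entries, src, dst):
    """Return the action of the first matching entry; every IOS ACL ends in an implicit deny."""
    for action, (sn, sw), (dn, dw) in entries:
        if matches(src, sn, sw) and matches(dst, dn, dw):
            return action
    return "deny"

def nat_decision(src, dst, acl_text=NO_NAT):
    """Policy-NAT meaning from post 5: only a 'permit' match gets translated."""
    return "NAT" if lookup(parse_acl(acl_text), src, dst) == "permit" else "no-NAT"
```

Swapping the permit line above the two deny lines makes every flow from 10.80.96.0/24 hit "permit" first, which is why the entry order the device records matters.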