site-to-site VPN
R1: main configuration (R2 is configured the same way)
crypto isakmp policy 10 -- the policy is basically the same
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 200.200.200.2 -- the VPN pre-shared key
!
!
crypto ipsec transform-set myset ah-md5-hmac esp-3des esp-md5-hmac -- transform set (encryption)
!
crypto map mymap 10 ipsec-isakmp -- crypto map settings
set peer 200.200.200.2
set transform-set myset
match address ×××-192.168.10.0-to-172.24.10.0 -- match the interesting traffic that goes through the VPN
interface FastEthernet0/0
ip address 200.100.100.2 255.255.255.0
ip nat outside
crypto map mymap
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip nat inside
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip route 0.0.0.0 0.0.0.0 200.100.100.1
!
ip nat pool NAT-POOL 200.100.100.100 200.100.100.120 netmask 255.255.255.0
ip nat inside source list inside-to-out pool NAT-POOL overload
!
!
ip access-list extended ×××-192.168.10.0-to-172.24.10.0 -- VPN interesting traffic
permit ip 192.168.10.0 0.0.0.255 172.24.10.0 0.0.0.255
ip access-list extended inside-to-out -- ACL used for NAT
deny ip 192.168.10.0 0.0.0.255 172.24.10.0 0.0.0.255 -- traffic that goes through the VPN must not be NAT-translated
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
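
The deny entry in the NAT ACL only works if it covers every flow the crypto ACL permits and sits above the permit entries. The Python check below is an added example, not part of the original post: it parses a constructed config modelled on the one above and lists crypto-ACL flows that the NAT ACL would still translate. Assumptions: the ACL name VPN-ACL is a placeholder, and only `permit|deny ip` entries with wildcard masks or `any` are handled.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the page's config; the ACL name VPN-ACL is a placeholder.
CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 match address VPN-ACL
ip nat inside source list inside-to-out pool NAT-POOL overload
ip access-list extended VPN-ACL
 permit ip 192.168.10.0 0.0.0.255 172.24.10.0 0.0.0.255
ip access-list extended inside-to-out
 deny ip 192.168.10.0 0.0.0.255 172.24.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
"""

ENTRY = re.compile(r"\s*(permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)\s*$")

def net(addr, wildcard=None):
    # IOS wildcard masks are host masks, which ip_network() accepts after the slash.
    return ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{wildcard}")

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            name = m.group(1)
            acls[name] = []
        elif name and (m := ENTRY.match(line)):
            acls[name].append((m[1], net(*m[2].split()), net(*m[3].split())))
    return acls

def nat_leaks(config):
    """Crypto-ACL flows that the NAT ACL permits before exempting them."""
    acls = parse_acls(config)
    crypto = acls[re.search(r"match address (\S+)", config)[1]]
    nat = acls[re.search(r"ip nat inside source list (\S+)", config)[1]]
    leaks = []
    for src, dst in [(s, d) for a, s, d in crypto if a == "permit"]:
        for action, n_src, n_dst in nat:  # first matching entry decides
            if action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break  # exempted before any permit can translate it
            if action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                leaks.append((str(src), str(dst)))
                break
    return leaks

if __name__ == "__main__":
    print(nat_leaks(CONFIG) or "every VPN flow is exempt from NAT")
```
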
Reposted from: https://blog.51cto.com/libinqi456/1847425