10. Router configuration example behind a NAT device

Configuration

The environment has already been torn down, so the configuration is posted almost as-is.
A Cisco router is configured as the CGW (customer gateway) behind an NEC broadband router (Aterm).

NEC router (Aterm WR8750N) settings

■Basic settings
・IP address: 192.168.0.1

■VPN settings
・IPsec passthrough: enabled

■Static routing entry
・Destination: 192.168.1.0/24
・Gateway: 192.168.0.254

■Port mapping settings
・LAN-side host: 192.168.0.254
・Protocol: UDP
・Ports: 500 and 4500 (IKE and NAT-T)

Customer gateway (Cisco C891FJ) settings

Overview

Apply the settings below, then take the configuration sample generated by AWS, replace every occurrence of the customer gateway's global (public) IP address with "192.168.0.254" (the private address of GE8), and paste it in.

■access-list 100
・access-list 100 permit udp any any eq isakmp
・access-list 100 permit udp any any eq non500-isakmp

■GE8
・ip address 192.168.0.254 255.255.255.0
・ip access-group 100 in

■vlan10
・ip address 192.168.1.1 255.255.255.0

■GE0-7
・switchport mode access
・switchport access vlan 10

■DHCP
・ip dhcp pool local
・network 192.168.1.0 255.255.255.0
・default-router 192.168.1.1
・dns-server 8.8.8.8
・lease 0 12

Full configuration

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
! the pre-shared keys further down are stored in cleartext; on a live router treat this file as a secret
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
memory-size iomem 15
!
!
!
!
!
!


!
!
ip dhcp pool local
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
 lease 0 12
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FJ-K9 sn FGL184824RF
!
!
!
!
!
!
!
!
! behind NAT the IKE local-address is GE8's private address, not the public IP that AWS sees;
! the Aterm forwards UDP 500/4500 to this address
crypto keyring keyring-vpn-06b6d3b575394e660-0
  local-address 192.168.0.254
  pre-shared-key address 35.76.128.207 key HmXGlZz55N2mHfVeyC8UfdzW8PqDSGRy
crypto keyring keyring-vpn-06b6d3b575394e660-1
  local-address 192.168.0.254
  pre-shared-key address 52.193.194.127 key qO6Uu.AbQluN4GdKz55v4o8sZavwNH3U
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-06b6d3b575394e660-0
   keyring keyring-vpn-06b6d3b575394e660-0
   match identity address 35.76.128.207 255.255.255.255
   local-address 192.168.0.254
crypto isakmp profile isakmp-vpn-06b6d3b575394e660-1
   keyring keyring-vpn-06b6d3b575394e660-1
   match identity address 52.193.194.127 255.255.255.255
   local-address 192.168.0.254
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-06b6d3b575394e660-0 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-06b6d3b575394e660-1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-06b6d3b575394e660-0
 set transform-set ipsec-prop-vpn-06b6d3b575394e660-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-06b6d3b575394e660-1
 set transform-set ipsec-prop-vpn-06b6d3b575394e660-1
 set pfs group2
!
!
!
!
!
!
!
! tunnel source is the same private address; ESP rides inside UDP 4500 (NAT-T) through the Aterm
interface Tunnel1
 ip address 169.254.95.90 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source 192.168.0.254
 tunnel mode ipsec ipv4
 tunnel destination 35.76.128.207
 tunnel protection ipsec profile ipsec-vpn-06b6d3b575394e660-0
!
interface Tunnel2
 ip address 169.254.109.162 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source 192.168.0.254
 tunnel mode ipsec ipv4
 tunnel destination 52.193.194.127
 tunnel protection ipsec profile ipsec-vpn-06b6d3b575394e660-1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Async3
 no ip address
 encapsulation slip
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.95.89 remote-as 64512
 neighbor 169.254.95.89 timers 10 30 30
 neighbor 169.254.109.161 remote-as 64512
 neighbor 169.254.109.161 timers 10 30 30
 !
 address-family ipv4
  network 0.0.0.0
  neighbor 169.254.95.89 activate
  neighbor 169.254.95.89 default-originate
  neighbor 169.254.95.89 soft-reconfiguration inbound
  neighbor 169.254.109.161 activate
  neighbor 169.254.109.161 default-originate
  neighbor 169.254.109.161 soft-reconfiguration inbound
 exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! inbound on GE8 only IKE (UDP 500) and NAT-T (UDP 4500) are permitted; every other inbound packet,
! including replies to LAN-originated Internet traffic, hits the implicit deny at the end of the list
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
! 'login' with no line password set makes IOS refuse vty sessions; if a password is ever set,
! restrict this to 'transport input ssh' (Telnet is plaintext)
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
!
end
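As an added example (not code from the post or from AWS), here is the substitution step from the overview together with the invariants the configuration relies on, written as a small Python checker. AWS_SAMPLE is a trimmed copy of the posted config in which 203.0.113.10 (a documentation address) stands in for the public IP that the AWS-generated file actually contains and EXAMPLEPSK replaces the key; rewrite_for_nat, _stanzas and check_nat_cgw are names chosen here. It rewrites the public IP to 192.168.0.254 the way the post describes, then verifies that the IKE local-address and tunnel source equal GE8's address, that ACL 100 admits UDP 500 and 4500, and that the BGP neighbor sits inside the tunnel /30. It also warns about two things visible in the posted config: the inbound ACL ends in an implicit deny, so only IKE/NAT-T reaches GE8 and replies to anything LAN hosts send straight to the Internet (the DHCP-assigned DNS server 8.8.8.8 included) are dropped, and the vty lines accept every transport.

```python
"""Added example, not from the post: rewrite the AWS-generated CGW config for NAT
and sanity-check the result. AWS_SAMPLE is a trimmed copy of the post's config;
203.0.113.10 stands in for the public IP AWS fills in, EXAMPLEPSK for the key."""
import ipaddress
import re

PUBLIC_IP, PRIVATE_IP, WAN_IF = "203.0.113.10", "192.168.0.254", "GigabitEthernet8"

AWS_SAMPLE = f"""\
crypto keyring keyring-vpn-0
  local-address {PUBLIC_IP}
  pre-shared-key address 35.76.128.207 key EXAMPLEPSK
crypto isakmp profile isakmp-vpn-0
   keyring keyring-vpn-0
   match identity address 35.76.128.207 255.255.255.255
   local-address {PUBLIC_IP}
interface Tunnel1
 ip address 169.254.95.90 255.255.255.252
 tunnel source {PUBLIC_IP}
 tunnel destination 35.76.128.207
interface {WAN_IF}
 ip address {PRIVATE_IP} 255.255.255.0
 ip access-group 100 in
router bgp 65000
 neighbor 169.254.95.89 remote-as 64512
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
line vty 0 4
 login
 transport input all
"""


def rewrite_for_nat(config, public_ip, private_ip):
    # The post's step: the public IP becomes the LAN address the NAT router forwards UDP 500/4500 to.
    return re.sub(rf"\b{re.escape(public_ip)}\b", private_ip, config)


def _stanzas(config):
    # Yield (header, [indented body lines]) per top-level IOS stanza; '!' comment lines are skipped.
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def check_nat_cgw(config, wan_if):
    """Return {'problems': [...], 'warnings': [...]} for a CGW that sits behind NAT."""
    problems, warnings, wan_ip, acl, vty = [], [], None, None, None
    sources, nets, neighbors, acl_ports = set(), [], [], {}
    for header, body in _stanzas(config):
        if m := re.match(r"access-list (\S+) permit udp any any eq (\S+)$", header):
            acl_ports.setdefault(m[1], set()).add(m[2])
        wan, tun = header == f"interface {wan_if}", header.startswith("interface Tunnel")
        for line in body:
            if wan and (m := re.match(r"ip address (\S+) ", line)):
                wan_ip = m[1]
            elif wan and (m := re.match(r"ip access-group (\S+) in$", line)):
                acl = m[1]
            elif tun and (m := re.match(r"ip address (\S+) (\S+)$", line)):
                nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            elif tun and (m := re.match(r"tunnel source (\S+)$", line)):
                sources.add(m[1])
            elif header.startswith("crypto") and (m := re.match(r"local-address (\S+)$", line)):
                sources.add(m[1])
            elif header.startswith("router bgp") and (m := re.match(r"neighbor (\S+) remote-as", line)):
                neighbors.append(m[1])
            elif header.startswith("line vty") and (m := re.match(r"transport input (\S+)$", line)):
                vty = m[1]
    # 1. behind NAT, IKE local-address and tunnel source must equal the private WAN address
    for addr in sorted(sources - {wan_ip}):
        problems.append(f"{addr} is used as local-address/tunnel source but {wan_if} is {wan_ip}")
    # 2. the inbound ACL must pass IKE (UDP 500) and NAT-T (UDP 4500); it ends in an implicit deny
    for port in ("isakmp", "non500-isakmp"):
        if acl and port not in acl_ports.get(acl, set()):
            problems.append(f"ACL {acl} lacks 'permit udp any any eq {port}'")
    if acl:
        warnings.append(f"ACL {acl}: only IKE/NAT-T enters {wan_if}; replies to LAN traffic sent "
                        "straight to the Internet (e.g. DNS to 8.8.8.8) are dropped")
    # 3. every BGP peer must live inside one of the tunnel /30s
    for n in neighbors:
        if not any(ipaddress.ip_address(n) in net for net in nets):
            problems.append(f"BGP neighbor {n} is outside every tunnel subnet")
    if vty == "all":
        warnings.append("vty accepts every transport; use 'transport input ssh'")
    return {"problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("as generated", AWS_SAMPLE), ("rewritten", rewrite_for_nat(AWS_SAMPLE, PUBLIC_IP, PRIVATE_IP))):
        print(label, check_nat_cgw(cfg, WAN_IF))
```

To use it on a real download, read the AWS file into rewrite_for_nat with the public IP printed in that file; a non-empty problems list means the substitution missed an occurrence, the ACL was edited, or a BGP neighbor no longer matches its tunnel address.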
