思科防火墙PIX8.0 L2LVPN解决地址重叠测试（2）(3)

也可以写得更详细：
access-list VPN extended permit ip host 172.16.1.2 host 10.1.2.2
④配置crypto map并应用：
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.2.1 
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
⑤在接口启用isakmp：
crypto isakmp enable Outside
B.PIX80_Branch防火墙：
①第一阶段策略：
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
②第二阶段转换：
crypto ipsec transform-set transet esp-des esp-md5-hmac 
③感兴趣流：
access-list VPN extended permit ip  10.1.2.0 255.255.255.0 172.16.1.0 255.255.0.0
也可以写得更详细：
access-list VPN extended permit ip host 10.1.2.2 host 172.16.1.2 
④配置crypto map并应用：
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1 
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
⑤在接口启用isakmp：
crypto isakmp enable Outside
七.测试：
A.连接公网测试：
①ERP_HQ路由器：
ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/94/292 ms
ERP_HQ#
Internet#debug ip icmp 
ICMP packet debugging is on
Internet#
*Mar  2 07:36:11.648: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.768: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.856: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.096: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.132: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
②ERP_Brach路由器：
ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/92/344 ms
ERP_Branch#
Internet#debug ip icmp