左边的router：

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco123 address 202.96.15.88

!

crypto ipsec transform-s et rtpset esp-des esp-md5-hmac

!

crypto map rtp 1 ipsec-isakmp

set peer 202.96.15.88

set transform-set rtpset

match address 102

!

interface Ethernet0/0

ip address 192.168.1.1 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Ethernet0/1

ip address 61.153.158.44 255.255.255.0

no ip directed-broadcast

ip nat outside

no ip route-cache

no ip mroute-cache

crypto map rtp

ip nat inside source route-map nonat interface Ethernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 61.153.158.4x(网关)

no ip http server

access-list 101deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

route-map nonat permit 10

match ip address 102

右边的router：

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco123 address 61.153.158.44

!

crypto ipsec transform-set rtpset esp-des esp-md5-hmac

!

crypto map rtp 1 ipsec-isakmp

set peer 61.153.158.44

set transform-set rtpset

match address 102

!

interface Ethernet0/0

ip address 192.168.2.1 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Ethernet0/1

ip address 202.96.15.88 255.255.255.0

no ip directed-broadcast

ip nat outside

no ip route-cache

no ip mroute-cache

crypto map rtp

ip nat inside source route-map nonat interface Ethernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 202.96.15.8x(网关)

no ip http server

access-list 101deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

route-map nonat permit 10

match ip address 102

转载地址：http://www.net130.com/CMS/Pub/Tech/tech_instance/215218.htm