! Flows that must not be translated (inside and DMZ subnets to the VPN client pool).
! The second mask on each entry was missing from the listing; 255.255.255.0 matches the 192.168.10.x pools defined below.
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
! Interface addresses
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
! Address pool vpnpool1 for the Cisco VPN Client, winpool for the Windows PPTP clients
ip local pool vpnpool1 192.168.10.10-192.168.10.100
ip local pool winpool 192.168.10.101-192.168.10.200
pdm history enable
arp timeout 14400
! Traffic matching access-list 102 is exempt from NAT (nat 0)
nat (inside) 0 access-list 102
! Global address used for Internet access (all internal hosts are translated to this one outside address)
global (outside) 1 x.x.x.x netmask 255.255.255.248
! Translate every inside and DMZ host through global pool 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
! conduit is the pre-access-list syntax. These two lines permit ICMP and every TCP port from any
! outside host to any inside/DMZ host, which is far wider than a VPN endpoint needs.
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
! AAA server protocol definitions
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
!
floodguard enable
! Let traffic that arrived inside an IPsec or PPTP tunnel bypass the outside interface's access checks.
! Without permit-ipsec you must instead permit the specific IPsec flows (UDP/500 and ESP) with an ACL
! on the outside interface; that is more work but gives finer control.
sysopt connection permit-ipsec
sysopt connection permit-pptp
! Transform set trmset1: single DES with MD5-HMAC (both weak by today's standards;
! PIX 6.x also supports esp-3des and esp-sha-hmac)
crypto ipsec transform-set trmset1 esp-des esp-md5-hmac
! Dynamic crypto map map2 uses transform set trmset1 (client peer addresses are not known in advance)
crypto dynamic-map map2 10 set transform-set trmset1
! Bind dynamic map map2 into crypto map map1
crypto map map1 10 ipsec-isakmp dynamic map2
! Authenticate VPN users against the PIX local user database (aaa-server tag LOCAL), not an external AAA server
crypto map map1 client authentication LOCAL
! Push an address from the pool to each client via IKE mode config (initiate) and also answer
! clients that ask for one themselves (respond)
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
! Apply crypto map map1 to the outside interface
crypto map map1 interface outside
! Enable ISAKMP on the outside interface
isakmp enable outside
! Identify this peer by IP address (use hostname instead when RSA certificates are in use)
isakmp identity address
! Phase 1 policy: pre-shared keys, DES, MD5, DH group 2 (1024-bit), 24-hour SA lifetime
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
! Group for the Cisco VPN Client v3.0/4.0: address pool, idle timeout and group password
! (the group name and password entered in the client are "test" and this password)
vpngroup test address-pool vpnpool1
vpngroup test idle-time 1800
vpngroup test password ******
! Hosts allowed to telnet to the PIX (inside network only; telnet is cleartext, ssh is preferable)
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
! Windows clients use PPTP. Separate vpdn groups can hand out addresses to different users and passwords.
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local winpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
! Local user for the Windows PPTP clients
vpdn username test password ******
vpdn enable outside
: end
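The listing above combines several settings a reviewer would flag: DES and MD5-HMAC in the ESP transform set, DES/MD5/DH group 2 in the ISAKMP policy, conduits that open ICMP and all of TCP to everything, PAP/CHAP/MS-CHAPv1 with 40-bit MPPE for PPTP, and telnet management. The following Python script is an added example, not part of the original page and not a Cisco tool: it parses a plain-text PIX 6.x configuration and reports those settings. The rule names and severities are the script's own, and SAMPLE_CONFIG is a constructed excerpt of the page's commands with the comments stripped.

```python
"""Audit a Cisco PIX 6.x configuration for weak crypto and access settings.

Added example (not from the original page). Rule names and severities are
this script's own convention, not Cisco terminology.
"""
from typing import Dict, List, Tuple

# Constructed excerpt of the page's PIX configuration, comments stripped.
SAMPLE_CONFIG = """\
conduit permit icmp any any
conduit permit tcp any any
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
"""

# ESP transforms without adequate strength: 56-bit DES, MD5-HMAC, no encryption.
WEAK_ESP = {"esp-des", "esp-md5-hmac", "esp-null"}
# Phase-1 settings below current minimums: single DES, MD5, DH groups under 2048 bits.
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1"), ("group", "2")}
# PPP methods that send the password in clear (PAP) or use a challenge that is
# brute-forceable offline (CHAP, MS-CHAPv1).
WEAK_PPP_AUTH = {"pap", "chap", "mschap"}

Finding = Tuple[str, str, str]  # (severity, rule, offending line)


def audit_pix_config(config: str) -> List[Finding]:
    """Return one finding per weak or risky command found in ``config``."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()

        # conduit permit <proto> any any: pre-ACL syntax that opens the protocol
        # from any outside host to any inside/DMZ host.
        if t[:2] == ["conduit", "permit"] and t[-2:] == ["any", "any"]:
            findings.append(("high", "conduit-permit-any-any", line))

        # Decrypted IPsec traffic bypasses the outside interface's access checks.
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            findings.append(("info", "ipsec-bypasses-interface-acl", line))

        # crypto ipsec transform-set <name> <transform>...: report weak transforms.
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = sorted(WEAK_ESP.intersection(t[4:]))
            if weak:
                findings.append(("high", "weak-esp-transform:" + ",".join(weak), line))

        # isakmp policy <n> <attribute> <value>
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            if (t[3], t[4]) in WEAK_ISAKMP:
                findings.append(("high", "weak-isakmp-" + t[3], line))

        # telnet <net> <mask> <interface>: cleartext management access.
        elif t[0] == "telnet" and t[-1] in ("inside", "outside", "dmz"):
            findings.append(("medium", "cleartext-management-telnet", line))

        # vpdn group <n> ...: PPTP and its authentication/encryption options.
        elif t[:2] == ["vpdn", "group"] and len(t) >= 6:
            if t[3:6] == ["accept", "dialin", "pptp"]:
                findings.append(("medium", "legacy-pptp-enabled", line))
            elif t[3:5] == ["ppp", "authentication"] and t[5] in WEAK_PPP_AUTH:
                findings.append(("medium", "weak-ppp-auth-" + t[5], line))
            elif t[3:6] == ["ppp", "encryption", "mppe"] and len(t) >= 7 and t[6] == "40":
                findings.append(("high", "mppe-40bit", line))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {severity: count}."""
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, rule, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {rule:40} {line}")
```

Run it against a saved `show running-config`; the `telnet` check keys on the trailing interface name so that `telnet timeout 5` is not mistaken for an access entry, and the transform-set check reports every weak transform on the line, not just the first.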