PIX Configuration Lab 1: Enhanced Spoke-to-Client VPN…
2008-02-23 04:53:20 Source: Internet
I. Requirements
1. The hub PIX runs software version 7.0
2. This lab requires the following devices:
PIX - 515 version 7.0.1 (PIX1)
VPN Client version 4.6.02.0011
PIX - 515 version 6.3.4 (PIX3)
II. Network Topology
The network layout is as follows:
III. Configuration
1. PIX1 configuration
PIX Version 7.0(1)
no names
!
interface Ethernet0
nameif outside
security-level 0
ip address 172.18.124.170 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
interface Ethernet3
shutdown
nameif intf3
security-level 6
no ip address
!
interface Ethernet4
shutdown
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
shutdown
nameif intf5
security-level 10
no ip address
!
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname PIX1
domain-name cisco.com
boot system flash:/image.bin
ftp mode passive
!--- Allow IPsec traffic to enter and leave the hub on the same (outside) interface: VPN client traffic bound for the spoke arrives on outside and must be hairpinned back out outside into the hub-to-spoke tunnel
same-security-traffic permit intra-interface
!--- Define the traffic to be encrypted between the hub (PIX1) and the spoke (PIX3)
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
!--- Define the traffic to be encrypted between the VPN client network and the spoke (PIX3)
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 30.30.30.0 255.255.255.0
!--- Define the traffic to be exempted from NAT: inside-to-spoke and inside-to-VPN-client flows must keep their real addresses, or the crypto ACLs on both ends will not match them
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
!--- Standard access list of the networks the VPN client sends through the tunnel (split tunneling); everything else leaves the client in the clear
access-list splittunnel standard permit 10.10.10.0 255.255.255.0
access-list splittunnel standard permit 30.30.30.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
!--- Define an address pool for the VPN clients
ip local pool vpnpool 192.168.10.1-192.168.10.254
no failover
monitor-interface outside
monitor-interface inside
monitor-interface intf2
monitor-interface intf3
monitor-interface intf4
monitor-interface intf5
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
!--- NAT exemption (nat 0): traffic matching the nonat list is passed to IPsec without translation
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS protocol tacacs
aaa-server RADIUS protocol radius
!--- Configure the group policy for the VPN clients
group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20
!--- See note 2.
!--- Enable split tunneling and bind the split-tunnel network list to the group policy
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
no snmp-server location
no snmp-server contact
!--- Note: 'public' is the well-known default read-only community string; change it before deployment
snmp-server community public
snmp-server enable traps snmp
!--- Configure IPsec Phase 2 (the transform set used by both the spoke and the clients)
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!--- Configure the dynamic crypto map for the VPN clients
crypto dynamic-map rtpdynmap 20 set transform-set myset
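The hub-side pieces above only deliver spoke-to-client traffic if they agree with each other: the client must be told to tunnel the spoke network (splittunnel list), the hub must be willing to send outside-arriving traffic back out outside (same-security-traffic permit intra-interface), the hub-to-spoke crypto ACL must match the client pool as a source, and inside-sourced flows in that ACL must be exempted from NAT. The script below, added here as an example and not code from the original page or from Cisco, parses the configuration excerpt and cross-checks those four settings. It assumes, as the page's own comments state, that access-list 100 is the hub-to-spoke crypto ACL (the crypto map that binds it is on the second part of the article), and that the interface named "inside" carries the hub's protected network.

```python
"""Cross-check the hub-PIX settings that let a VPN client reach the spoke.

Added example, not code from the original page or from Cisco. It parses the
PIX 7.x excerpt above (embedded below as constructed sample input) and checks
that hairpinning, the client's split-tunnel list, the hub<->spoke crypto ACL
(assumed to be ACL '100', as the page's comment says; the crypto map that
binds it is on the page's second part) and the nat 0 exemption agree."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 10.10.10.0 255.255.255.0
access-list splittunnel standard permit 30.30.30.0 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.254
nat (inside) 0 access-list nonat
split-tunnel-network-list value splittunnel
"""

# PIX ACLs use real netmasks (not IOS wildcard masks), so IPv4Network parses them.
EXT_ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_ACE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def covering_net(lo, hi):
    """Smallest prefix holding the whole pool; crypto ACLs name that subnet."""
    for prefix in range(32, -1, -1):
        cand = ipaddress.IPv4Network((lo, prefix), strict=False)
        if ipaddress.IPv4Address(hi) in cand:
            return cand


def parse(text):
    cfg = {"ext": {}, "std": {}, "pool": {}, "nat0": {}, "iface": {},
           "hairpin": False, "split_list": None}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["hairpin"] = True
        elif line.startswith("nameif "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface:
            _, _, addr, mask = line.split()
            cfg["iface"][iface] = ipaddress.IPv4Network((addr, mask), strict=False)
        elif line.startswith("split-tunnel-network-list value "):
            cfg["split_list"] = line.split()[-1]
        elif (m := EXT_ACE.match(line)):
            name, sa, sm, da, dm = m.groups()
            cfg["ext"].setdefault(name, []).append(
                (ipaddress.IPv4Network((sa, sm)), ipaddress.IPv4Network((da, dm))))
        elif (m := STD_ACE.match(line)):
            name, addr, mask = m.groups()
            cfg["std"].setdefault(name, []).append(ipaddress.IPv4Network((addr, mask)))
        elif (m := POOL.match(line)):
            name, lo, hi = m.groups()
            cfg["pool"][name] = covering_net(lo, hi)
        elif (m := NAT0.match(line)):
            cfg["nat0"][m.group(1)] = m.group(2)
    return cfg


def check(cfg, crypto_acl="100", pool="vpnpool", inside="inside"):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    if not cfg["hairpin"]:
        findings.append("hairpin: 'same-security-traffic permit intra-interface' missing; "
                        "client traffic arriving on outside cannot be sent back out outside")
    crypto = cfg["ext"].get(crypto_acl, [])
    pool_net = cfg["pool"][pool]
    local_nets = list(cfg["iface"].values())
    for tunneled in cfg["std"].get(cfg["split_list"], []):
        # Networks directly behind the hub are reached over the client's own
        # tunnel; only remote (spoke) networks need a hub->spoke crypto match.
        if any(tunneled.subnet_of(n) for n in local_nets):
            continue
        if not any(pool_net.subnet_of(s) and tunneled.subnet_of(d) for s, d in crypto):
            findings.append(f"split-tunnel: clients tunnel {tunneled}, but crypto ACL "
                            f"{crypto_acl} has no {pool_net} -> {tunneled} entry")
    nonat = cfg["ext"].get(cfg["nat0"].get(inside), [])
    inside_net = cfg["iface"][inside]
    for s, d in crypto:
        if s.subnet_of(inside_net) and not any(
                s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat):
            findings.append(f"nat: {s} -> {d} is in crypto ACL {crypto_acl} but not "
                            f"exempted by nat ({inside}) 0; the spoke would see a "
                            "translated source address")
    return findings


if __name__ == "__main__":
    for line in check(parse(SAMPLE_CONFIG)) or ["OK: hairpin, split tunnel and nat 0 agree"]:
        print(line)
```

Run against the excerpt as shown it reports no findings; delete the second access-list 100 entry (the client-pool-to-spoke flow) and it reports that clients will tunnel 30.30.30.0/24 toward a hub that has no crypto ACL match for it, which is exactly the silent failure mode of this design. The checker deliberately ignores split-tunnel networks that sit directly behind the hub, since those are carried by the client's own dynamic-map tunnel rather than the hub-to-spoke SA.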
This article has 2 pages; this is page 1.