扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
不支持故障切换
global (outside) 1 10.1.1.13-10.1.1.28
global (outside) 1 10.1.1.7-10.1.1.9
global (outside) 1 10.1.1.10
定义内部网络地址将要翻 译成的全局地址或地址范围
nat (inside) 0 access-list 101
使得符合访问列表为101地址不通过翻译,对外部网络是可见的
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
内部网络地址翻译成外部地址
nat (dmz) 1 192.168.0.0 255.255.0.0 0 0
DMZ区网络地址翻译成外部地址
static (inside,outside) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.12 192.168.12.158 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.3 192.168.2.4 netmask 255.255.255.255 0 0
设定固定主机与外网固定IP之间的一对一静态转换
static (dmz,outside) 10.1.1.2 192.168.19.2 netmask 255.255.255.255 0 0
设定DMZ区固定主机与外网固定IP之间的一对一静态转换
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
设定内网固定主机与DMZ IP之间的一对一静态转换
static (dmz,outside) 10.1.1.29 192.168.19.3 netmask 255.255.255.255 0 0
设定DMZ区固定主机与外网固定IP之间的一对一静态转换
access-group 120 in interface outside
access-group 120 in interface inside
access-group 120 in interface dmz
将访问列表应用于端口
conduit permit tcp host 10.1.1.2 any
conduit permit tcp host 10.1.1.3 any
conduit permit tcp host 10.1.1.12 any
conduit permit tcp host 10.1.1.29 any
设置管道:允许任何地址对全局地址进行TCP协议的访问
conduit permit icmp 192.168.99.0 255.255.255.0 any
设置管道:允许任何地址对192.168.99.0 255.255.255.0地址进行PING测试
rip outside passive version 2
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 10.1.1.1
设定默认路由到电信端
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.1.1 1
设定路由回指到内部的子网
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
service resetoutside
crypto ipsec transform-set myset esp-des esp-md5-hmac
定义一个名称为myset的交换集
crypto dynamic-map dynmap 10 set transform-set myset
根据myset交换集产生名称为dynmap的动态加密图集(可选)
crypto map vpn 10 ipsec-isakmp dynamic dynmap
将dynmap动态加密图集应用为IPSEC的策略模板(可选)
crypto map vpn 20 ipsec-isakmp
用IKE来建立IPSEC安全关联以保护由该加密条目指定的数据流
crypto map vpn 20 match address 110
为加密图指定列表110作为可匹配的列表
crypto map vpn 20 set peer 10.1.1.41
在加密图条目中指定IPSEC对等体
crypto map vpn 20 set transform-set myset
指定myset交换集可以被用于加密条目
crypto map vpn client configuration address initiate
指示PIX防火墙试图为每个对等体设置IP地址
crypto map vpn client configuration address respond
指示PIX防火墙接受来自任何请求对等体的IP地址请求
crypto map vpn interface outside
将加密图应用到外部接口
isakmp enable outside
在外部接口启用IKE协商
isakmp key ******** address 10.1.1.41 netmask 255.255.255.255
指定预共享密钥和远端对等体的地址
isakmp identity address
IKE身份设置成接口的IP地址
isakmp client configuration address-pool local yy outside
isakmp policy 10 authentication pre-share
指定预共享密钥作为认证手段
isakmp policy 10 encryption des
指定56位DES作为将被用于IKE策略的加密算法
isakmp policy 10 hash md5
指定MD5 (HMAC变种)作为将被用于IKE策略的散列算法
isakmp policy 10 group 2
指定1024比特Diffie-Hellman组将被用于IKE策略
isakmp policy 10 lifetime 86400
每个安全关联的生存周期为86400秒(一天)
vpngroup cisco idle-time 1800
vpngroup pix_vpn address-pool yy
vpngroup pix_vpn idle-time 1800
vpngroup pix_vpn password ********
vpngroup 123 address-pool yy
vpngroup 123 idle-time 1800
vpngroup 123 password ********
vpngroup 456 address-pool yy
vpngroup 456 idle-time 1800
vpngroup 456 password ********
telnet 192.168.88.144 255.255.255.255 inside
telnet 192.168.88.154 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local hhyy
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2
vpnclient vpngroup cisco_vpn password ********
vpnclient username pix password ********
terminal width 80
Cryptochecksum:9524a589b608c79d50f7c302b81bdfa4b
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。