From: chen_hong()
Compiled by: firphoenix(2002-11-17 16:10:12), internal mail
Building configuration...
Current configuration : 3399 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco2621
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 $1$0uNG$FLncIG7qm909CpT9UuEkd
!
!--- Local user for Xauth. "password 7" is the reversible encoding produced by
!--- service password-encryption, not a hash; only the enable secret (type 5) above is hashed.
username cisco password 7 02050D48080
ip subnet-zero
no ip source-route
!
!
ip name-server X.X.X.X
!
ip audit notify log
ip audit po max-events 100
!
!--- Phase 1 (ISAKMP) policy: pre-shared key authentication, DH group 2.
!--- No encryption or hash line is set, so the IOS defaults for this release apply.
crypto isakmp policy 3
authentication pre-share
group 2
!
!--- Remote-access client group "vpnclient": group pre-shared key, DNS/WINS/domain
!--- pushed to clients, the address pool, and the split-tunnel list (ACL 103)
crypto isakmp client configuration group vpnclient
key xxxxxx
dns 192.168.1.1
wins 192.168.1.1
domain 163.com
pool vpnpool
acl 103
!
!
!--- IPsec transform set: ESP with 56-bit DES encryption and SHA-1 HMAC
!--- (DES is no longer considered adequate; esp-3des or esp-aes is the usual replacement)
crypto ipsec transform-set tomcatset esp-des esp-sha-hmac
!
crypto dynamic-map dymap 1
set transform-set tomcatset
!
!
!--- Crypto map "vpnmap": Xauth user authentication (list userauthen), group
!--- authorization (list groupauthor), mode-config address assignment, and the
!--- dynamic map used for the clients
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list groupauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 1 ipsec-isakmp dynamic dymap
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
!--- Inside (LAN) interface
interface FastEthernet0/0
ip address 172.16.0.254 255.255.255.0
ip nat inside
duplex auto
speed auto
no cdp enable
!
!--- Inside interface: serial link towards the 172.16.1.0/24 and 192.168.1.0/24
!--- sites (see the static routes via 172.16.255.2 below)
interface Serial0/0
ip address 172.16.255.1 255.255.255.252
ip nat inside
!
!--- Internet (outside) interface; the crypto map is applied here
interface FastEthernet0/1
ip address 10.2.0.10 255.255.255.0
ip nat outside
duplex auto
speed auto
ntp disable
no cdp enable
crypto map vpnmap
!
interface Serial0/1
no ip address
shutdown
!
!--- Addresses handed to VPN clients; 172.16.3.0/24 is the network ACLs 102 and 103 refer to
ip local pool vpnpool 172.16.3.1 172.16.3.254
!--- PAT (overload) to the outside interface address, but only for traffic that
!--- route-map vpnnat (ACL 102) permits
ip nat pool natpool 10.2.0.10 10.2.0.10 netmask 255.255.255.0
ip nat inside source route-map vpnnat pool natpool overload
!--- Static port forwards: HTTP, SMTP, POP3 and FTP on 172.16.0.1 are reachable
!--- from the Internet on the outside address; 172.16.0.252 is exposed one-to-one
ip nat inside source static tcp 172.16.0.1 80 10.2.0.10 80 extendable
ip nat inside source static tcp 172.16.0.1 25 10.2.0.10 25 extendable
ip nat inside source static tcp 172.16.0.1 110 10.2.0.10 110 extendable
ip nat inside source static tcp 172.16.0.1 21 10.2.0.10 21 extendable
ip nat inside source static 172.16.0.252 10.2.0.11
ip classless
!--- Default route (the next hop is not on any interface subnet shown above; the
!--- addresses in this listing appear to have been altered before posting)
ip route 0.0.0.0 0.0.0.0 202.103.201.1
ip route 172.16.1.0 255.255.255.0 172.16.255.2
ip route 192.168.1.0 255.255.255.0 172.16.255.2
no ip http server
ip pim bidir-enable
!
!
logging history size 30
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 2 permit 192.168.1.0 0.0.0.255
!--- ACL 102 drives NAT through route-map vpnnat: "deny" entries exempt traffic between
!--- the internal networks and the VPN pool from translation, "permit" entries send
!--- Internet-bound traffic through NAT. First match wins, and anything not listed is
!--- not translated (note that 192.168.1.0/24 has no entry here at all).
access-list 102 deny ip 172.16.3.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 172.16.3.0 0.0.0.255 any
access-list 102 deny ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
!--- Split-tunnel list pushed to VPN clients (the "acl 103" in the client group):
!--- only traffic to these networks enters the tunnel, everything else leaves the
!--- client in the clear
access-list 103 permit ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 103 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!--- Only 192.168.1.0/24 may open VTY (telnet) sessions (applied with access-class below)
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
!
route-map vpnnat permit 172
match ip address 102
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
access-class 104 in
!--- exec-timeout 0 0 disables the idle timeout on these lines; the VTY password
!--- is type 7 like the username password above
exec-timeout 0 0
password 7 09454D0C4D4814000E0D0
logging synchronous
!
!
end
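To see what the NAT-exemption and split-tunnel ACLs in the listing actually do, here is an added Python example written for this edit (it is not part of the original post). It takes the ACL 102 and 103 lines as constructed input (with the 0.0.0.55 wildcard corrected to 0.0.0.255), evaluates them with IOS first-match semantics and the implicit deny, and applies the route-map rule from `ip nat inside source route-map vpnnat`: a permit means the packet is translated, a deny or no match means it leaves untranslated. The split-tunnel helper assumes that the source network of each permit entry in ACL 103 is a route the client sends into the tunnel; the function names are this example's own.

```python
"""Evaluate the NAT-exemption (ACL 102) and split-tunnel (ACL 103) lists from the config."""
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the posted config; constructed sample input, not a device export.
# ACL 102: the 0.0.0.55 typo in the fifth line is corrected to 0.0.0.255.
ACL_TEXT = """
access-list 102 deny ip 172.16.3.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 172.16.3.0 0.0.0.255 any
access-list 102 deny ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 103 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    src: int      # network address as a 32-bit int
    src_wc: int   # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (net, wc, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acls(text: str) -> dict:
    """Parse numbered extended 'ip' entries into {acl_number: [Entry, ...]} in listed order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the "permit|deny ip SRC DST" form is handled here
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append(Entry(t[2], src, src_wc, dst, dst_wc))
    return acls


def _match(addr: int, net: int, wc: int) -> bool:
    """Wildcard-mask comparison: bits set in wc are ignored."""
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)


def acl_lookup(entries, src: str, dst: str) -> str:
    """First-match evaluation; the implicit deny at the end applies when nothing matches."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _match(s, e.src, e.src_wc) and _match(d, e.dst, e.dst_wc):
            return e.action
    return "deny"


ACLS = parse_acls(ACL_TEXT)


def is_translated(src: str, dst: str) -> bool:
    """route-map vpnnat, match ip address 102: permit -> NAT, deny/no match -> untranslated."""
    return acl_lookup(ACLS["102"], src, dst) == "permit"


def goes_through_tunnel(dst: str) -> bool:
    """Split tunnel (assumption): a destination is tunnelled when it lies in the source
    network of a permit entry of ACL 103, i.e. one of the server-side protected networks."""
    d = _ip(dst)
    return any(e.action == "permit" and _match(d, e.src, e.src_wc) for e in ACLS["103"])


if __name__ == "__main__":
    for s, d in [("172.16.0.5", "172.16.3.10"), ("172.16.0.5", "198.51.100.7"),
                 ("192.168.1.5", "198.51.100.7")]:
        print(f"{s} -> {d}: translated={is_translated(s, d)}")
    for d in ("192.168.1.7", "198.51.100.7"):
        print(f"client to {d}: tunnelled={goes_through_tunnel(d)}")
```

Running it shows the intended behaviour for the two LAN subnets (LAN to VPN pool untranslated, LAN to Internet translated) and also the gap already visible in the listing: a host in 192.168.1.0/24 matches no line of ACL 102, so its Internet-bound traffic falls to the implicit deny and is never translated.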
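The listing enables service password-encryption and contains two "password 7" strings. Type 7 is a fixed-key XOR with a two-digit seed, not a hash, so anyone holding a copy of the configuration recovers the plaintext. As an added example (written for this edit, not taken from the original post), this Python encoder/decoder round-trips the well-known test vector 0822455D0A16 = cisco. It also checks the two strings exactly as they appear above: each has an odd number of characters, so they are not valid type-7 strings and the decoder rejects them rather than guessing.

```python
"""Cisco IOS 'password 7' is reversible: fixed-key XOR with a two-digit decimal seed."""

# The constant XOR key every IOS image uses for type-7 encoding (long public).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Turn 'SS' + hex bytes back into plaintext (SS = decimal seed 00..15)."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a type-7 string: 2-digit seed plus an even number of hex digits")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("seed out of range")
    data = bytes.fromhex(encoded[2:])          # raises ValueError on non-hex input
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Inverse of type7_decode. IOS chooses the seed itself; here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)]
                 for i, c in enumerate(plaintext.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


def is_valid_type7(encoded: str) -> bool:
    """True when the string decodes cleanly; malformed input (odd length, bad hex) is False."""
    try:
        type7_decode(encoded)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(type7_decode("0822455D0A16"))  # well-known vector: cisco
    # The two strings as they appear in the listing above.
    for s in ("02050D48080", "09454D0C4D4814000E0D0"):
        print(s, "valid" if is_valid_type7(s) else "not a valid type-7 string (odd length)")
```

The practical consequence for the listing: the username and VTY passwords are protected only against shoulder-surfing, and a configuration backup or a pasted `show run` (like this post) discloses them. The enable secret on the "enable secret 5" line is an MD5-based hash and is not affected.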