System environment:
cisco pix 525
cisco acs server 3.2
Functions implemented:
Remote users dial into the corporate network with the Cisco IPsec VPN Client (version 3.x or later);
Remote users dial into the corporate network with Microsoft PPTP VPN;
All remote VPDN users are authenticated and accounted for through the ACS server, which simplifies management and provides functions the PIX's own authentication cannot, such as locking an account after repeated failed logins and restricting the hours during which a user may connect;
Configuration on the PIX 525:
jtpixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimter1 security20
nameif ethernet3 perimter2 security30
nameif ethernet4 perimter3 security40
nameif ethernet5 perimter4 security50
enable password pAvMEKYodlghdOOb7Y encrypted
passwd 1ZowQT4VG2d3TbU69 encrypted
hostname jtpixfirewall
domain-name jt.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.5.0 test
name 10.1.8.50 netmang
access-list inside_outbound_nat0_acl permit ip 10.1.8.0 255.255.255.0 10.1.58.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip test 255.255.255.0 10.1.58.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.252.0.0 10.1.58.0 255.255.255.0
access-list jt1_splitTunnelAcl permit ip test 255.255.255.0 any
access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
access-list acl-out permit icmp any any
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging facility 16
logging host inside netmang
mtu outside 1500
mtu inside 1500
mtu perimter1 1500
mtu perimter2 1500
mtu perimter3 1500
mtu perimter4 1500
ip address outside 222.121.48.75 255.255.255.224
ip address inside 10.1.8.12 255.255.255.0
ip address perimter1 127.0.0.1 255.255.255.255
no ip address perimter2
no ip address perimter3
no ip address perimter4
ip audit info action alarm
ip audit attack action alarm
ip local pool local_pool 10.1.58.50-10.1.58.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address perimter1
no failover ip address perimter2
no failover ip address perimter3
no failover ip address perimter4
pdm location 10.1.9.50 255.255.255.255 inside
pdm location 10.1.9.0 255.255.255.0 inside
pdm location 10.1.9.0 255.255.255.0 perimter1
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 10.1.0.0 255.255.0.0 inside
pdm location 10.1.1.253 255.255.255.255 perimter1
pdm location test 255.255.255.0 inside
pdm location 10.0.0.0 255.252.0.0 inside
pdm location 10.1.58.0 255.255.255.0 outside
pdm location netmang 255.255.255.255 inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.1.8.0 255.255.255.0 0 0
nat (inside) 0 10.0.0.0 255.252.0.0 0 0
access-group acl-out in interface inside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 222.121.48.65 1
route inside 10.1.0.0 255.255.0.0 10.1.8.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server jtacs protocol radius
# the AAA server group jtacs uses RADIUS
aaa-server jtacs (inside) host netmang ddjt2008 timeout 5
# IP address of the RADIUS server (netmang) and the shared secret (ddjt2008)
aaa proxy-limit disable
aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 jtacs
# RADIUS accounting for the AAA server group jtacs
http server enable
http 10.1.9.50 255.255.255.255 inside
snmp-server host inside netmang
no snmp-server location
no snmp-server contact
snmp-server community en9fk5*37
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
service resetinbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication jtacs
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
# solves the problem of IPsec clients connecting from behind NAT
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup test1 address-pool local_pool
vpngroup test1 dns-server 10.1.2.1
vpngroup test1 wins-server 10.1.2.1
vpngroup test1 default-domain jt
vpngroup test1 split-tunnel jt1_splitTunnelAcl
vpngroup test1 idle-time 1800
vpngroup test1 secure-unit-authentication
vpngroup test1 user-idle-timeout 18
vpngroup test1 device-pass-through
vpngroup test1 password ********
telnet 10.1.8.0 255.255.255.0 inside
telnet 10.1.9.0 255.255.255.0 inside
telnet 10.1.1.253 255.255.255.255 inside
telnet 10.1.1.253 255.255.255.255 perimter1
telnet 10.1.1.253 255.255.255.255 perimter2
telnet 10.1.1.253 255.255.255.255 perimter3
telnet 10.1.1.253 255.255.255.255 perimter4
telnet timeout 10
ssh 10.1.9.0 255.255.255.0 inside
ssh 10.1.9.0 255.255.255.0 perimter1
ssh 10.1.9.0 255.255.255.0 perimter2
ssh 10.1.9.0 255.255.255.0 perimter
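The remote-access path in a PIX 6.3 config like the one above only works if every object it references exists: the AAA group named by `crypto map ... client authentication`, the address pool and split-tunnel ACL each `vpngroup` line points at, and the `name` objects used inside ACLs. The following Python script is an added example, not part of the original post; it parses those lines and reports dangling references. The excerpt it checks is constructed from the config above with two misspellings deliberately introduced (`tests` for the name `test`, `tset1` for the group `test1`) to show what the check catches.

```python
# Constructed excerpt of the PIX 6.3 config shown above, with two deliberate
# misspellings ("tests" and "tset1") so the check has something to report.
SAMPLE_CONFIG = """\
name 10.1.5.0 test
access-list jt1_splitTunnelAcl permit ip tests 255.255.255.0 any
access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
ip local pool local_pool 10.1.58.50-10.1.58.100
aaa-server jtacs protocol radius
aaa-server jtacs (inside) host netmang ddjt2008 timeout 5
crypto map outside_map client authentication jtacs
vpngroup test1 address-pool local_pool
vpngroup test1 split-tunnel jt1_splitTunnelAcl
vpngroup tset1 user-idle-timeout 18
vpngroup test1 password ********
"""
# Bare words that may legitimately appear in an ip/icmp access-list entry.
ACL_KEYWORDS = {"permit", "deny", "ip", "icmp", "tcp", "udp", "any", "host", "log"}

def check_vpn_wiring(config):
    """Return findings about dangling references in the VPN/AAA path; empty means consistent."""
    names, pools, acls, aaa_groups, aaa_hosts = set(), set(), set(), set(), set()
    auth_refs, groups, findings = [], {}, []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "name":
            names.add(t[2])
        elif t[:3] == ["ip", "local", "pool"]:
            pools.add(t[3])
        elif t[0] == "access-list":
            acls.add(t[1])
            for tok in t[2:]:  # any other bare word must be a keyword or a defined 'name'
                if tok[0].isalpha() and tok not in ACL_KEYWORDS and tok not in names:
                    findings.append(f"access-list {t[1]}: '{tok}' is not a defined name")
        elif t[0] == "aaa-server" and t[2] == "protocol":
            aaa_groups.add(t[1])
        elif t[0] == "aaa-server" and "host" in t:
            aaa_hosts.add(t[1])
        elif t[:2] == ["crypto", "map"] and t[3:5] == ["client", "authentication"]:
            auth_refs.append(t[5])
        elif t[0] == "vpngroup":
            groups.setdefault(t[1], {})[t[2]] = t[3] if len(t) > 3 else None
    for g in auth_refs:  # XAUTH needs both the protocol line and at least one host
        if g not in aaa_groups or g not in aaa_hosts:
            findings.append(f"crypto map: authentication group '{g}' lacks an aaa-server protocol/host pair")
    for g, attrs in groups.items():
        if "password" not in attrs:  # a group without a pre-shared key is unusable; usually a typo
            findings.append(f"vpngroup {g}: no pre-shared key (password); possibly a misspelled group name")
        for key, defined in (("address-pool", pools), ("split-tunnel", acls)):
            if key in attrs and attrs[key] not in defined:
                findings.append(f"vpngroup {g}: {key} '{attrs[key]}' is not defined")
    return findings
```

Feed it the full output of `sh run` and an empty list means the client authentication group, pool, split-tunnel ACL and ACL names all resolve.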