分享
 
 
 

Ciscopix525vpdn+acs用户验证

王朝other·作者佚名  2008-05-19
窄屏简体版  字體: |||超大  

系统环境:

cisco pix 525

cisco acs server 3.2

实现功能:

远程使用cisco ipsec vpn client 3.x以上的vpn client 拨入企业网络;

远程使用ms pptp vpn拨入企业网络;

所有远程vpdn用户通过acs server 做用户验证和记帐,便于管理和实现其他pix 验证无法实现的功能,例如实现用户帐号尝试错误后锁定,访问时间等功能;

pix 525 上的配置:

jtpixfirewall# sh run

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

interface ethernet4 auto

interface ethernet5 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 perimter1 security20

nameif ethernet3 perimter2 security30

nameif ethernet4 perimter3 security40

nameif ethernet5 perimter4 security50

enable password pAvMEKYodlghdOOb7Y encrypted

passwd 1ZowQT4VG2d3TbU69 encrypted

hostname jtpixfirewall

domain-name jt.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.1.5.0 test

name 10.1.8.50 netmang

access-list inside_outbound_nat0_acl permit ip 10.1.8.0 255.255.255.0 10.1.58.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip test 255.255.255.0 10.1.58.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.252.0.0 10.1.58.0 255.255.255.0

access-list jt1_splitTunnelAcl permit ip tests 255.255.255.0 any

access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any

access-list acl-out permit icmp any any

pager lines 24

logging on

logging timestamp

logging trap debugging

logging history debugging

logging facility 16

logging host inside netmang

mtu outside 1500

mtu inside 1500

mtu perimter1 1500

mtu perimter2 1500

mtu perimter3 1500

mtu perimter4 1500

ip address outside 222.121.48.75 255.255.255.224

ip address inside 10.1.8.12 255.255.255.0

ip address perimter1 127.0.0.1 255.255.255.255

no ip address perimter2

no ip address perimter3

no ip address perimter4

ip audit info action alarm

ip audit attack action alarm

ip local pool local_pool 10.1.58.50-10.1.58.100

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address perimter1

no failover ip address perimter2

no failover ip address perimter3

no failover ip address perimter4

pdm location 10.1.9.50 255.255.255.255 inside

pdm location 10.1.9.0 255.255.255.0 inside

pdm location 10.1.9.0 255.255.255.0 perimter1

pdm location 10.1.1.253 255.255.255.255 inside

pdm location 10.1.0.0 255.255.0.0 inside

pdm location 10.1.1.253 255.255.255.255 perimter1

pdm location test 255.255.255.0 inside

pdm location 10.0.0.0 255.252.0.0 inside

pdm location 10.1.58.0 255.255.255.0 outside

pdm location netmang 255.255.255.255 inside

pdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 10.1.8.0 255.255.255.0 0 0

nat (inside) 0 10.0.0.0 255.252.0.0 0 0

access-group acl-out in interface inside

rip inside default version 2

route outside 0.0.0.0 0.0.0.0 222.121.48.65 1

route inside 10.1.0.0 255.255.0.0 10.1.8.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server jtacs protocol radius

#指定aaa采用radius

aaa-server jtacs (inside) host netmang ddjt2008 timeout 5

#指定radius server 的ip地址和口令(ddjt2008)

aaa proxy-limit disable

aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 jtacs

#对aaa group jtacs做radius account (记帐)

http server enable

http 10.1.9.50 255.255.255.255 inside

snmp-server host inside netmang

no snmp-server location

no snmp-server contact

snmp-server community en9fk5*37

snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt radius ignore-secret

service resetinbound

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication jtacs

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

#解决 ipsec 穿透 nat 问题;

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup test1 address-pool local_pool

vpngroup test1 dns-server 10.1.2.1

vpngroup test1 wins-server 10.1.2.1

vpngroup test1 default-domain jt

vpngroup test1 split-tunnel jt1_splitTunnelAcl

vpngroup test1 idle-time 1800

vpngroup test1 secure-unit-authentication

vpngroup tset1 user-idle-timeout 18

vpngroup test1 device-pass-through

vpngroup test1 password ********

telnet 10.1.8.0 255.255.255.0 inside

telnet 10.1.9.0 255.255.255.0 inside

telnet 10.1.1.253 255.255.255.255 inside

telnet 10.1.1.253 255.255.255.255 perimter1

telnet 10.1.1.253 255.255.255.255 perimter2

telnet 10.1.1.253 255.255.255.255 perimter3

telnet 10.1.1.253 255.255.255.255 perimter4

telnet timeout 10

ssh 10.1.9.0 255.255.255.0 inside

ssh 10.1.9.0 255.255.255.0 perimter1

ssh 10.1.9.0 255.255.255.0 perimter2

ssh 10.1.9.0 255.255.255.0 perimter

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有