After two frustrating days, the dynamic VPN configuration finally came to a close today~~ Happily posting the diagram...

PIX23:

interface Ethernet1
 nameif outside
 security-level 0
 ip address 13.1.1.3 255.255.255.0

interface Ethernet0
 nameif inside
 security-level 100
 ip address 3.3.3.254 255.255.255.0

access-list nonat extended permit ip 3.3.3.0 255.255.255.0 4.4.4.0 255.255.255.0

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dmap 5 set transform-set myset
crypto dynamic-map dmap 5 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 13.1.1.254

Here comes the main event~~~ This is the thing that tormented me for two days!!!!!!!

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key cisco

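(the correct one - -)

crypto isakmp key cisco address 0.0.0.0 netmask 0.0.0.0 (this is the one~~ it had me getting it wrong for two days)

After configuring it, the show run output is the same - - but the matching is wrong - -

The debug showed "Removing peer from correlator table failed, no match", which had this newbie checking the ACL for ages!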

=================================================================

PIX24:

vpdn group cisco request dialout pppoe
vpdn group cisco localname cisco
vpdn group cisco ppp authentication chap
vpdn username cisco password cisco (this part is off-topic - - it has nothing to do with the VPN; it is the firewall's configuration for getting online over PPPoE)

-------------------------------------------------------------------------------------------------

interface Ethernet1
 nameif outside
 security-level 0
 pppoe client vpdn group cisco
 ip address pppoe setroute

interface Ethernet0
 nameif inside
 security-level 100
 ip address 4.4.4.254 255.255.255.0

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address ***
crypto map mymap 10 set peer 13.1.1.3
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

tunnel-group 13.1.1.3 type ipsec-l2l
tunnel-group 13.1.1.3 ipsec-attributes
 pre-shared-key cisco

=================================================================

Router:

vpdn-group cisco
 accept-dialin
  protocol pppoe
  virtual-template 1

interface FastEthernet0/0
 description 24pixe1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 pppoe enable

interface FastEthernet0/1
 description 23pix1
 ip address 13.1.1.254 255.255.255.0
 duplex auto
 speed auto

interface Virtual-Template1
 ip address 14.1.1.254 255.255.255.0
 peer default ip address pool cisco
 ppp authentication chap pap
 ppp pap sent-username cisco password 0 cisco

ip local pool cisco 14.1.1.1 14.1.1.10

username cisco password 0 cisco
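
As an added example (not part of the original post), this Python check compares a hub and a spoke configuration like PIX23 and PIX24 above for what a static comparison can see: a shared ISAKMP policy, a shared transform set, and the pre-shared key sitting under DefaultL2LGroup on the dynamic-map side and under a tunnel-group named after the peer on the other side. The function names parse and check and the trimmed sample strings are constructed for this illustration.

```python
import re
# Constructed sample input: trimmed copies of this page's PIX23 (hub) and PIX24 (spoke) configs.
COMMON = """crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
"""
HUB = COMMON + """crypto map mymap 10 ipsec-isakmp dynamic dmap
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco
"""
SPOKE = COMMON + """crypto map mymap 10 set peer 13.1.1.3
tunnel-group 13.1.1.3 ipsec-attributes
 pre-shared-key cisco
"""

def parse(cfg):
    """Collect IKE policies, transform sets, tunnel-group keys and static peers from a config."""
    c = {"policies": [], "tsets": set(), "psk": {}, "peers": set()}
    for head, body in re.findall(r"^(\S.*)\n((?: .*\n)*)", cfg + "\n", re.M):  # line + its indented lines
        w = head.split()
        sub = dict(l.split()[:2] for l in body.splitlines() if len(l.split()) > 1)
        if w[:3] == ["crypto", "isakmp", "policy"]:
            c["policies"].append(sub)
        elif w[0] == "tunnel-group" and w[2:] == ["ipsec-attributes"] and "pre-shared-key" in sub:
            c["psk"][w[1]] = sub["pre-shared-key"]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"].add(tuple(w[4:]))
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"] and len(w) > 6:
            c["peers"].add(w[6])
    return c

def check(hub, spoke):
    """Return findings that would block the tunnel; `hub` is the dynamic-map side."""
    h, s, out = parse(hub), parse(spoke), []
    if not any(p in s["policies"] for p in h["policies"]):
        out.append("no common ISAKMP policy")
    if not h["tsets"] & s["tsets"]:
        out.append("no common transform set")
    hub_key = h["psk"].get("DefaultL2LGroup")  # key used for peers matched by the dynamic map
    if hub_key is None:
        out.append("hub: no pre-shared-key under tunnel-group DefaultL2LGroup")
    for peer in sorted(s["peers"]):
        if s["psk"].get(peer) is None:
            out.append(f"spoke: no tunnel-group pre-shared-key for peer {peer}")
        elif hub_key is not None and s["psk"][peer] != hub_key:
            out.append(f"pre-shared-key differs for peer {peer}")
    return out
```

Calling check(HUB, SPOKE) on the two trimmed configurations returns an empty list; each finding names the side that needs attention.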