A while ago I finished the VPN configuration on the firewall. It took a good while of hard work, but it is finally done. Below are the notes I made, recorded here for reference.
ip local pool testpool 172.19.100.1-172.19.100.254 mask 255.255.255.0 (Step 1) // create an address pool named testpool for the VPN clients
access-list inside_nat0_outbound extended permit ip 172.19.74.0 255.255.255.0 172.19.100.0 255.255.255.0 (Step 2) // ACL that identifies inside-to-client traffic for NAT exemption (only the 172.19.74.0/24 subnet is reachable from the pool)
nat (inside) 0 access-list inside_nat0_outbound (Step 3) // exempt the traffic matched by that ACL from NAT, so replies to VPN clients keep their real inside addresses
access-list tunnellist standard permit 172.19.100.0 255.255.255.0
access-list tunnellist standard permit 172.19.74.0 255.255.255.0 (Step 4) // split-tunnel ACL: only the pool itself and the 172.19.74.0/24 subnet are sent through the tunnel; everything else leaves the client in the clear
group-policy ra-group internal (Step 5) // an internal group policy named ra-group (not referenced anywhere else in this config)
group-policy test_group internal // internal group policy
group-policy test_group attributes // attributes of the group policy
vpn-idle-timeout 30 // disconnect the client after 30 minutes idle
dns-server value 172.19.74.1
vpn-tunnel-protocol IPSec // use IPsec as the tunnel protocol
split-tunnel-policy tunnelspecified // only traffic explicitly listed in the ACL is tunnelled
split-tunnel-network-list value tunnellist // traffic matching the ACL named tunnellist goes over the encrypted tunnel
default-domain value cisco.com
username test password aaaa // local user account (a throwaway lab password; use a strong one in production)
username test attributes
service-type remote-access // allow this user remote-access VPN logins
vpn-group-policy test_group
tunnel-group test_group type ipsec-ra // (remote-access) the tunnel group test_group is of IPsec remote-access type
tunnel-group test_group general-attributes // general attributes of the group (address pool, DNS, etc.)
address-pool testpool // use the address pool named testpool
default-group-policy test_group // the policy applied to this group is the one named test_group
tunnel-group test_group ipsec-attributes // IPsec attributes of the group
pre-shared-key bbb // the pre-shared key is "bbb"; once configured, show run displays it as "*"
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (Step 6) // phase 2 transform sets; the DES, 3DES and MD5 variants below are legacy and only needed for old clients
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs // enable perfect forward secrecy on the dynamic map (DH group 2 when no group is given)
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
// create a dynamic map named SYSTEM_DEFAULT_CRYPTO_MAP and attach the transform sets, listed in order of preference
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
// create a static map outside_map that references the dynamic map SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside // apply the static map outside_map to the interface
crypto isakmp enable outside
// enable ISAKMP on the outside interface; unlike on a router, ISAKMP is disabled by default on the ASA
crypto isakmp policy 10 // create ISAKMP (phase 1) policy 10
authentication pre-share // pre-shared-key authentication
encryption 3des // encryption (3DES here; AES is preferred on current software)
hash sha // SHA-1 integrity check
group 2 // DH group 2 (1024-bit, weak by today's standards; use group 14 or higher where the clients support it)
lifetime 86400 // SA lifetime of one day (the default)
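As an added example (not part of the original post), here is a small Python auditor that reads an ASA configuration like the one above and reports the two things a reviewer checks first: weak phase 1 and phase 2 algorithms, and split-tunnel networks that have no matching nat 0 exemption (traffic to such a network would be NATed on the way back and the client's return path would break). The sample config is constructed from the post's own commands with the forum-censored "vpn" tokens restored; the severity rules (DES/3DES and MD5 deprecated, DH groups below 2048 bits weak) are this example's assumptions, not anything the post states.

```python
# Audit a Cisco ASA IPsec remote-access VPN config (added example, not from the post).
import ipaddress
import re

# Constructed sample: the post's own commands, with the censored "vpn" tokens restored.
SAMPLE_CONFIG = """\
ip local pool testpool 172.19.100.1-172.19.100.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.19.74.0 255.255.255.0 172.19.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list tunnellist standard permit 172.19.100.0 255.255.255.0
access-list tunnellist standard permit 172.19.74.0 255.255.255.0
group-policy test_group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnellist
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Severity rules are this example's assumption (DES/3DES and MD5 deprecated, DH < 2048 bits weak).
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def weak_transform_sets(cfg):
    """Sorted names of 'crypto ipsec transform-set' entries using DES/3DES or MD5."""
    sets = re.findall(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)", cfg, re.M)
    return sorted(n for n, enc, auth in sets if enc in WEAK_ENCRYPTION or auth in WEAK_HASH)

def hardened_proposal_order(cfg):
    """The dynamic map's transform-set list minus the weak sets, in the ASA's offer order."""
    pat = r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$"
    offered = re.search(pat, cfg, re.M).group(1).split()
    weak = set(weak_transform_sets(cfg))
    return [n for n in offered if n not in weak]

def parse_isakmp_policies(cfg):
    """{policy_number: {attribute: value}} from the indented 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies

def isakmp_findings(cfg):
    """Findings for weak phase 1 (ISAKMP) settings."""
    out = []
    for num, a in parse_isakmp_policies(cfg).items():
        if a.get("encryption") in WEAK_ENCRYPTION:
            out.append(f"isakmp policy {num}: encryption {a['encryption']} is deprecated")
        if a.get("hash") in WEAK_HASH:
            out.append(f"isakmp policy {num}: hash {a['hash']} is deprecated")
        if a.get("group") in WEAK_DH_GROUPS:
            out.append(f"isakmp policy {num}: DH group {a['group']} is below 2048 bits")
    return out

def split_tunnel_nat_gaps(cfg):
    """Split-tunnel networks (other than the pool itself) with no 'nat 0' ACE exempting
    traffic from that network to the client pool; replies to clients would be NATed."""
    pool = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)
    pool_net = _net(pool.group(1), pool.group(2))
    acl = re.search(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M).group(1)
    tunneled = [_net(a, m) for a, m in re.findall(
        rf"^access-list {acl} standard permit (\S+) (\S+)", cfg, re.M)]
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M).group(1)
    exempt = [(_net(sa, sm), _net(da, dm)) for sa, sm, da, dm in re.findall(
        rf"^access-list {nat0} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)]
    return [str(n) for n in tunneled if n != pool_net and not any(
        n.subnet_of(src) and pool_net.subnet_of(dst) for src, dst in exempt)]

if __name__ == "__main__":
    print(isakmp_findings(SAMPLE_CONFIG), hardened_proposal_order(SAMPLE_CONFIG),
          split_tunnel_nat_gaps(SAMPLE_CONFIG), sep="\n")
```

Run against the post's config it flags 3DES and DH group 2 in policy 10, prunes the dynamic map's proposal list down to the three AES/SHA sets, and reports no split-tunnel gap, because the single nat 0 ACE covers 172.19.74.0/24 to the pool. Adding a network to tunnellist without a matching ACE in inside_nat0_outbound is exactly the mistake the last function catches.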
Reposted from: https://blog.51cto.com/379136/125375