< 100F>dis cur //"display current-configuration" dump of a Comware-style router/firewall; the trailing // remarks throughout are editorial annotations, not CLI syntax — strip them before pasting into a device

#

sysname 100F

#

l2tp enable //enable the L2TP feature (this box terminates L2TP dial-in sessions, see l2tp-group 1 and the ip pool below)

#

firewall packet-filter enable

firewall packet-filter default permit //default action is permit: interzone traffic with no explicit rule is allowed, and none of the interzone sections below bind a packet-filter rule, so filtering currently restricts nothing

#

insulate

#

dialer-rule 1 ip permit //any IP packet counts as interesting traffic for dialing

#

firewall statistic system enable

#

radius scheme system

#

domain system

ip pool 1 192.168.10.1 192.168.10.5 //address pool handed to VPN dial-in users (the word is rendered as ××× in the original); five addresses, so at most five concurrent clients

#

local-user abcdefg@163.gd //the organisation's ADSL (PPPoE) dial-up account; it is also defined as a local PPP user, so presumably it could authenticate inbound PPP sessions as well — confirm that is intended

password cipher $P(0A9$V(FSQ=^Q`MAF4&lt;1!! //"&lt;" is an HTML entity from the page export (the device shows "<"); the same cipher text reappears verbatim on Dialer1 below, which suggests a deterministic, reversible cipher — treat the whole running config as sensitive

service-type ppp

local-user wakem_chan //VPN dial-in user (rendered as ××× in the original)

password simple zsdx //cleartext four-character password stored in the configuration; prefer "password cipher" with a long passphrase — anyone who can read this config can dial in

service-type ppp

#

ike peer 1 //IKE peer parameters; no remote address is given, so any peer presenting the PSK below is accepted (the policy template requires this for dynamic client addresses)

pre-shared-key qingyuan //dictionary-word PSK stored in cleartext and shared by every client; a long random value is advisable

#

ipsec proposal 1 //IPsec proposal; no transform or algorithm lines are shown, so this release's defaults apply — confirm they are acceptable

encapsulation-mode transport //transport mode, as is usual for L2TP over IPsec

#

ipsec policy-template temp 1 //policy template: responder-only, lets clients with dynamic addresses negotiate SAs

ike-peer 1

proposal 1

#

ipsec policy 1 1 isakmp template temp

#

acl number 2000 //NAT source-address ACL

rule 0 permit source 192.168.1.0 0.0.0.255 //only the LAN subnet is NATed; dial-in addresses (192.168.10.x) are not matched, so VPN clients are not NATed towards the Internet — presumably intended

#

interface Virtual-Template1 //virtual template 1 and its authentication mode; terminates the PPP sessions of the L2TP clients

ppp authentication-mode pap //PAP carries the password in the clear inside PPP; confidentiality rests entirely on the IPsec layer — CHAP would avoid exposing the reusable secret

ip address 192.168.100.254 255.255.255.0

ipsec policy 1 //apply the IPsec policy on this interface

#

interface Aux0

async mode flow

#

interface Dialer1 //PPPoE dialer: the Internet-facing logical interface (the default route and NAT are bound here)

link-protocol ppp

ppp pap local-user abcdefg@163.gd password cipher $P(0A9$V(FSQ=^Q`MAF4&lt;1!! //ISP PPPoE credentials (same cipher text as the local-user above; "&lt;" is an export artifact for "<")

mtu 1492

tcp mss 1024

ip address ppp-negotiate

dialer user 100F

dialer-group 1

dialer bundle 1

nat outbound 2000 //source NAT for traffic matching ACL 2000

ipsec policy 1 //apply the IPsec policy on this interface

#

interface Ethernet0/0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet1/0 //physical uplink carrying the PPPoE session of Dialer1

pppoe-client dial-bundle-number 1 no-hostuniq

mtu 1492

tcp mss 1024

#

interface Ethernet1/1

#

interface Ethernet1/2

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust //NOTE(review): both the LAN ports and the Internet-facing Dialer1 end up in this zone

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

add interface Ethernet0/3

add interface Dialer1 //add the dial interface into the security zone — Dialer1 is the Internet-facing interface (default route, NAT), so Internet-sourced traffic lands in trust alongside the LAN ports and the trust/untrust interzone rules presumably never apply to it; placing Dialer1 in untrust with explicit rules for IKE, ESP and L2TP would restore the zone boundary

add interface Virtual-Template1 //add the virtual template into the security zone (dial-in clients become trust-zone hosts with nothing filtering them from the LAN)

set priority 85

#

firewall zone untrust //only the physical PPPoE carrier ports are here, not the PPP session itself

add interface Ethernet1/0

add interface Ethernet1/1

add interface Ethernet1/2

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust //the interzone sections carry no packet-filter rules; with the default-permit above, everything passes

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

l2tp-group 1 //L2TP group 1

undo tunnel authentication //L2TP tunnel authentication disabled; peer authentication therefore depends on the IPsec PSK and PPP PAP only

allow l2tp virtual-template 1 //accept L2TP tunnels on virtual template 1 (original remark: "set up the L2TP connection by name"); no remote name is given, so presumably any peer may bring up a tunnel

#

ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60 //static default route via the PPPoE dialer

# //the following is the firewall attack-defense configuration; IP-spoofing defense must be turned off here (two words are redacted in the original, presumably "attack"); consistently, no "firewall defend ip-spoofing" line appears below — the reason is not stated, presumably to let tunnelled client traffic pass — confirm

firewall defend land

firewall defend smurf

firewall defend fraggle

firewall defend winnuke

firewall defend icmp-redirect

firewall defend icmp-unreachable

firewall defend source-route

firewall defend route-record

firewall defend ping-of-death

firewall defend tcp-flag

firewall defend ip-fragment

firewall defend large-icmp

firewall defend teardrop

firewall defend ip-sweep

firewall defend port-scan

firewall defend arp-spoofing

firewall defend arp-reverse-query

firewall defend arp-flood

firewall defend frag-flood

firewall defend syn-flood enable

firewall defend udp-flood enable

firewall defend icmp-flood enable

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4 //no authentication-mode or access ACL is shown for the remote (vty) lines; confirm remote login is either disabled or requires authentication and is restricted to management addresses

#

Return //end of the "display current-configuration" output