< 100F>dis cur //"display current-configuration": the running config of the 100F follows
#
sysname 100F
#
l2tp enable //enable the L2TP function
#
firewall packet-filter enable
firewall packet-filter default permit //packets matched by no rule are permitted; a default deny would be the stricter stance
#
insulate
#
dialer-rule 1 ip permit //any IP packet counts as dial-triggering traffic for dialer-group 1
#
firewall statistic system enable
#
radius scheme system
#
domain system
ip pool 1 192.168.10.1 192.168.10.5 //IP address pool for ××× (masked on the source page, presumably "VPN") dial-in users
#
local-user abcdefg@163.gd //the organisation's ADSL dial-up account
password cipher $P(0A9$V(FSQ=^Q`MAF4<1!! //stored in cipher form; the same string is repeated on Dialer1 below
service-type ppp
local-user wakem_chan //××× (masked, presumably "VPN") dial-in user
password simple zsdx //plaintext ("simple") password readable by anyone who can view this config; store it with "password cipher" as the account above does
service-type ppp
#
ike peer 1 //IKE peer parameters
pre-shared-key qingyuan //IKE pre-shared key appears in clear text in the running config
#
ipsec proposal 1 //IPsec proposal
encapsulation-mode transport //encapsulation mode: transport (the original note calls it "transparent" mode); no transform or algorithm lines are shown, so device defaults apply — confirm they are acceptable
#
ipsec policy-template temp 1 //IPsec policy template
ike-peer 1
proposal 1
#
ipsec policy 1 1 isakmp template temp //template-based policy: the remote peer address is not pinned here
#
acl number 2000 //ACL for NAT (referenced by "nat outbound 2000" on Dialer1)
rule 0 permit source 192.168.1.0 0.0.0.255
#
interface Virtual-Template1 //virtual template 1 and its authentication mode
ppp authentication-mode pap //PAP: the user password crosses the PPP link unencrypted and relies on the IPsec policy below for confidentiality
ip address 192.168.100.254 255.255.255.0
ipsec policy 1 //apply IPsec policy 1 on this interface
#
interface Aux0
async mode flow
#
interface Dialer1
link-protocol ppp
ppp pap local-user abcdefg@163.gd password cipher $P(0A9$V(FSQ=^Q`MAF4<1!! //PAP credentials for the ADSL provider; same cipher string as the local-user entry above
mtu 1492
tcp mss 1024
ip address ppp-negotiate
dialer user 100F
dialer-group 1
dialer bundle 1
nat outbound 2000 //NAT for source addresses matched by ACL 2000
ipsec policy 1 //apply IPsec policy 1 on the dialer interface as well
#
interface Ethernet0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0
pppoe-client dial-bundle-number 1 no-hostuniq //PPPoE client bound to dialer bundle 1
mtu 1492
tcp mss 1024
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
add interface Dialer1 //add the dialer interface into the trust zone. NOTE(review): this is the interface the default route below exits through, yet it sits in trust (priority 85) rather than untrust; combined with "packet-filter default permit" this deserves a second look
add interface Virtual-Template1 //add the virtual interface template into the trust zone
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
add interface Ethernet1/1
add interface Ethernet1/2
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
l2tp-group 1 //L2TP group 1
undo tunnel authentication //tunnel authentication disabled: the L2TP control connection itself is not authenticated; user authentication only happens via PPP PAP on Virtual-Template1
allow l2tp virtual-template 1 //accept L2TP connections onto virtual template 1 (original note: connection initiated by name)
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60 //static default route out through Dialer 1
# //firewall *** (masked on the source page, presumably "attack") defense settings follow; the author notes the IP-spoofing *** defense must be switched off here, and indeed no ip-spoofing entry appears in the list below
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-reverse-query
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4 //no authentication-mode or access ACL is shown under the VTY lines in this dump; confirm remote login is actually authenticated and restricted
#
Return
转载于:https://blog.51cto.com/90844/416069