Dynamic VPN // The latest remote VPN solution, with 2 licenses by default!

xp-------srx-----inside1

set system services web-management https system-generated-certificate
set security zones security-zone Outside interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone Outside interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Outside interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Outside interfaces fe-0/0/0.0 host-inbound-traffic system-services https

edit access address-assignment pool dyn-vpn-address-pool
edit family inet
set network 123.1.1.0/24
edit range dvpn-range
set low 123.1.1.100
set high 123.1.1.200
up // back to "family inet", where xauth-attributes is configured
set xauth-attributes primary-dns 8.8.8.8/32

Configure the access profile
top
edit access profile dyn-vpn-access-profile
set client remoteuser firewall-user password cisco
set address-assignment pool dyn-vpn-address-pool
up // back to [edit access]
set firewall-authentication web-authentication default-profile dyn-vpn-access-profile

Configure the Phase 1 policy:
top
edit security ike policy ike-dyn-vpn-policy
set mode aggressive
set proposal-set standard // use the system's predefined standard proposal set
set pre-shared-key ascii-text cisco

top
edit security ike gateway dyn-vpn-local-gw
set ike-policy ike-dyn-vpn-policy
edit dynamic
set hostname dyvpn
set connection-limit 10
set ike-user-type group-ike-id // all users share the same IKE ID!
up // back to the gateway level
set external-interface fe-0/0/0.0
set xauth access-profile dyn-vpn-access-profile

Configure the Phase 2 policy:
top
edit security ipsec policy ipsec-dyn-vpn-policy
set proposal-set standard
up
edit vpn dyn-vpn ike
set gateway dyn-vpn-local-gw
set ipsec-policy ipsec-dyn-vpn-policy

Configure the Dynamic VPN policy!
top
edit security dynamic-vpn
set access-profile dyn-vpn-access-profile
edit clients all
set remote-protected-resources 10/8 // similar to split tunneling for 10.0.0.0/8
set remote-exceptions 0/0
set ipsec-vpn dyn-vpn // associate the VPN
set user remoteuser // associate the corresponding user!

Configure the security policy // permit the VPN traffic
top
edit security policies from-zone Outside to-zone Inside1 policy dyv-vpn-policy
set match source-address any
set match destination-address any
set match application any
set then permit tunnel ipsec-vpn dyn-vpn

commit // commit!!!
----------------------------------------------
show security ike security-associations
show security ike active-peer
show security ipsec security-associations
show security dynamic-vpn users
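
An added example, not part of the original post: a small Python check that reads a change script in flat `set` form and flags the settings from this walkthrough worth reviewing outside a lab: aggressive-mode IKE combined with a pre-shared key, a short PSK, a user password identical to the PSK, and a tunnel policy that matches any/any/any. The function name `audit`, the finding labels, the 20-character threshold and the flat sample lines are assumptions constructed for illustration.

```python
import re

MIN_PSK_LEN = 20  # assumed local policy threshold, not a Junos limit

# Constructed sample: flat `set` form modelled on the commands on this page.
SAMPLE = """\
set access profile dyn-vpn-access-profile client remoteuser firewall-user password cisco
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text cisco
set security policies from-zone Outside to-zone Inside1 policy dyv-vpn-policy match source-address any
set security policies from-zone Outside to-zone Inside1 policy dyv-vpn-policy match destination-address any
set security policies from-zone Outside to-zone Inside1 policy dyv-vpn-policy match application any
set security policies from-zone Outside to-zone Inside1 policy dyv-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
"""

def audit(config):
    """Return (finding, object-name) pairs for a flat Junos `set` listing."""
    mode, psk, passwords, any_match, tunnel = {}, {}, {}, {}, set()
    for line in config.splitlines():
        if m := re.match(r"set security ike policy (\S+) mode (\S+)", line):
            mode[m[1]] = m[2]
        elif m := re.match(r"set security ike policy (\S+) pre-shared-key ascii-text (\S+)", line):
            psk[m[1]] = m[2].strip('"')
        elif m := re.match(r"set access profile \S+ client (\S+) firewall-user password (\S+)", line):
            passwords[m[1]] = m[2].strip('"')
        elif m := re.match(r"set security policies from-zone \S+ to-zone \S+ policy (\S+) (.+)", line):
            name, rest = m[1], m[2]
            if rest.startswith("then permit tunnel"):
                tunnel.add(name)
            elif mm := re.match(r"match (\S+) any$", rest):
                any_match.setdefault(name, set()).add(mm[1])
    findings = []
    for name, secret in psk.items():
        if mode.get(name) == "aggressive":  # PSK hash is exposed to offline guessing
            findings.append(("aggressive-mode-psk", name))
        if len(secret) < MIN_PSK_LEN:
            findings.append(("short-psk", name))
    for user, pw in passwords.items():
        if pw in psk.values():  # one leaked secret opens both IKE and XAuth
            findings.append(("password-equals-psk", user))
    for name in sorted(tunnel):
        if any_match.get(name) == {"source-address", "destination-address", "application"}:
            findings.append(("tunnel-policy-any-any-any", name))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Run it against the script as typed: a committed configuration displays secrets in `$9$` form, so the length and reuse checks only apply to plaintext input.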