Center#sh run

Building configuration...


Current configuration : 2253 bytes

!

! Last configuration change at 13:34:02 CET Fri Apr 25 2014

! Global settings: IOS release, debug/log timestamp format, hostname and the enable credential.
version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

! NOTE(review): with password encryption off, every `password` value in this listing is stored and shown in clear text.
! `service password-encryption` would add only reversible type 7 obfuscation; the hashed `secret` forms are the stronger choice.
no service password-encryption

!

hostname Center

!

boot-start-marker

boot-end-marker

!

!

! NOTE(review): `enable password` keeps the privileged-mode credential in clear text, and the value here is a common default.
! Use `enable secret` with a unique value before reusing this configuration outside a lab.
enable password cisco

!

! Enables the AAA framework; the three named method lists below are referenced later in this configuration.
aaa new-model

!

!

! `noacs` (applied to con 0 and aux 0): try the line password first, then fall through to `none`.
! NOTE(review): the trailing `none` lets a login succeed without credentials when the `line` method returns an error.
! Neither con 0 nor aux 0 defines a line password in this listing, so those ports appear to be unauthenticated - confirm.
aaa authentication login noacs line none

! `xauth-authen`: VPN user (XAUTH) logins are checked against the local username database.
aaa authentication login xauth-authen local

! `mcfg-author`: VPN group authorization is resolved from the locally configured client group.
aaa authorization network mcfg-author local

!

!

!

!

!

aaa session-id common

!

! Miscellaneous global settings: timezone, mmi parameters, login-attempt limits, name lookup and CEF switching.
! Timezone label CET with an offset of 1 hour 0 minutes.
clock timezone CET 1 0

! NOTE(review): the purpose of the mmi lines cannot be determined from this listing; presumably platform defaults - confirm.
mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

! Caps auth-proxy and IP admission logins at 5 attempts; neither feature is otherwise configured in this listing.
ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

!

!

! Disables DNS lookups from the router itself.
no ip domain lookup

! CEF is enabled for IPv4 and disabled for IPv6.
ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

! Local user database. The `xauth-authen` list points at it, so these accounts are what VPN users authenticate with.
! NOTE(review): `password 0` stores each credential in clear text; `username ... secret` stores a hash instead.
! NOTE(review): the ipsecuser password is the same string as the VPN group key configured under `ipsecgroup`,
! so disclosure of one value discloses both factors of the VPN login.
username ipsecuser password 0 yeslabccies

username cisco privilege 0 password 0 cisco  

! Author's note on the `cisco` user above: it is created at privilege level 0, which the author describes as having
! no permissions at all, so that it can only be used to log in to Easy VPN (the name appears masked as "EZ×××" in the original).
! NOTE(review): level 0 is not empty on IOS; it still includes a few commands such as `enable`, so this restriction
! depends on a strong enable secret and on limiting which accounts can reach the vty lines.

! NOTE(review): admin/admin is a default-style credential and no privilege level is specified for it.
username admin password 0 admin

!

! Empty redundancy section; no sub-commands are shown.
redundancy

!

!

!

!

!

!

!

! IKE phase 1 (ISAKMP) policy 10: MD5 hash, pre-shared-key authentication, Diffie-Hellman group 2.
! NOTE(review): no `encryption` line is shown, so the platform default applies (presumably DES on this release -
! confirm with `show crypto isakmp policy`).
! NOTE(review): MD5 and DH group 2 are legacy choices; where the clients support it, prefer AES, a SHA-2 hash
! and group 14 or higher.
crypto isakmp policy 10

hash md5

authentication pre-share

group 2

!

! Easy VPN server-side group profile: group name, group key, client address pool and client password policy.
crypto isakmp client configuration group ipsecgroup

! Group pre-shared key, held in clear text in the configuration.
key yeslabccies

! Author's note: the group name and key above are the values entered on the Easy VPN client
! (the name appears masked as "EZ×××" in the original).

! Clients in this group receive addresses from the local pool `ippool`.
pool ippool

! NOTE(review): `save-password` lets the client store the XAUTH password locally, so a lost or compromised
! client device holds reusable VPN credentials; omit it where users can be prompted each time.
save-password

!

!

! IPsec (phase 2) transform set: ESP with DES encryption and HMAC-MD5 integrity.
! NOTE(review): single DES (56-bit key) and MD5 are legacy algorithms; prefer an AES/SHA transform where clients allow it.
! NOTE(review): the set name `ez***set` looks masked by the hosting site; it must be the same string here and in `set transform-set` below.
crypto ipsec transform-set ez***set esp-des esp-md5-hmac

!

!

!

! Dynamic map entry 10: no peer is specified, so it serves remote clients whose addresses are not known in advance.
crypto dynamic-map dymap 10

set transform-set ez***set

!

!

! Crypto map `cry-map`: ties the AAA lists, mode-config behaviour and the dynamic map together.
! XAUTH user authentication uses the `xauth-authen` list (local user database).
crypto map cry-map client authentication list xauth-authen

! Group authorization uses the `mcfg-author` list (local group profile).
crypto map cry-map isakmp authorization list mcfg-author

! The router responds to mode-configuration address requests sent by clients.
crypto map cry-map client configuration address respond

! Entry 10 hands IPsec negotiation to the dynamic map `dymap`.
crypto map cry-map 10 ipsec-isakmp dynamic dymap

!

!

!

!

!

! Outside interface: NAT outside, and the interface on which VPN clients terminate (crypto map applied).
! NOTE(review): no inbound `ip access-group` is shown here, so nothing in this listing filters management traffic
! arriving on this interface toward the vty lines.
interface Ethernet0/0

ip address 61.128.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly in

crypto map cry-map

!

! Inside interface: the 10.1.1.0/24 LAN, marked as NAT inside.
interface Ethernet0/1

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

! Unused interfaces: no address assigned and administratively shut down.
interface Ethernet0/2

no ip address

shutdown

!

interface Ethernet0/3

no ip address

shutdown

!

! Address pool handed to VPN clients (referenced by `pool ippool` in the client group).
! NOTE(review): 123.1.1.x is not private (RFC 1918) address space; presumably acceptable in this lab, but a production
! pool should come from a range the organisation controls.
ip local pool ippool 123.1.1.100 123.1.1.200

ip forward-protocol nd

!

!

! The HTTP and HTTPS management servers are both disabled.
no ip http server

no ip http secure-server

! PAT (overload) on the outside interface for traffic permitted by the `natout` ACL.
ip nat inside source list natout interface Ethernet0/0 overload

! Default route via 61.128.1.10.
ip route 0.0.0.0 0.0.0.0 61.128.1.10

!

! ACL that selects traffic for NAT: the `deny` entry exempts traffic, the `permit` entry translates the inside LAN.
ip access-list extended natout

! NOTE(review): this exempts all of 123.0.0.0/8, far wider than the client pool (123.1.1.100-123.1.1.200).
! Inside hosts talking to any other 123.x.x.x destination would leave untranslated; narrow the entry to the pool range.
deny   ip any 123.0.0.0 0.255.255.255

permit ip 10.1.1.0 0.0.0.255 any

! Author's note: traffic to the Easy VPN clients must be excluded from NAT
! (the name appears masked as "EZ×××" in the original).

!

!

!

!

!

! Empty control-plane section, followed by the console, aux and vty line settings.
control-plane

!

!

!

!

!

!

!

line con 0

! NOTE(review): `exec-timeout 0 0` disables the idle timeout, so an abandoned console session stays logged in.
exec-timeout 0 0

logging synchronous

! Uses the `noacs` list (line password, then `none`); no line password is set on this port in the listing.
login authentication noacs

line aux 0

login authentication noacs

line vty 0 4

! NOTE(review): no `login authentication` list is applied to the vty lines, so under `aaa new-model` the default
! login list is used. None is defined in this listing; presumably this falls back to the local user database
! and this line password is never consulted - confirm.
password cisco

! NOTE(review): `transport input all` accepts Telnet as well as SSH, and Telnet carries credentials in clear text.
! `transport input ssh` together with an `access-class` limits management access to encrypted sessions from known sources.
transport input all

!

!

end


Center#