Cisco技术区常用配置实例整理(2)

Cisco基于策略路由的配置实例


问题描述
　　您可以定义自己的规则来进行数据包的路由而不仅仅由目的地地址所决定。在这里
您可以学到怎么使用基于策略路由的办法来解决这一问题。
　　在具体的应用中，基于策略的路由有：
　　☆ 基于源IP地址的策略路由
　　☆ 基于数据包大小的策略路由
　　☆ 基于应用的策略路由
　　☆ 通过缺省路由平衡负载
　　这里，讲述了第一种情况的路由策略。
举例
　　在这个例子中，防火墙的作用是：把10.0.0.0/8内部网地址翻译成可路由的172.16
.255.0/24子网地址。
　　　　　　　　　
　　下面的防火墙配置是为了完整性而加进去的，它不是策略路由配置所必需的。在这
里的防火墙可以被其它类似的产品代替，如PIX或其它类似防火墙设备。这里的防火墙的
配置如下：
　　!
　　ip nat pool net-10 172.16.255.1 172.16.255.254 prefix-length 24
　　ip nat inside source list 1 pool net-10
　　!
　　interface Ethernet0
　　　ip address 172.16.20.2 255.255.255.0
　　　ip nat outside
　　!
　　interface Ethernet1
　　　ip address 172.16.39.2 255.255.255.0
　　　ip nat inside
　　!
　　router eigrp 1
　　　redistribute static
　　　network 172.16.0.0
　　　default-metric 10000 100 255 1 1500
　　!
　　ip route 172.16.255.0 255.255.255.0 Null0
　　access-list 1 permit 10.0.0.0 0.255.255.255
　　!
　　end
　　在我们的例子中，Cisco WAN路由器上运行策略路由来保证从10.0.0.0/8网络来的IP数据包被发送到防火墙去。配置中定义了两条net-10策略规则。第一条策略就定义了从10.0.0.0/8网络来的IP数据包被发送到防火墙去（我们很快会看到这里的配置有问题）。而第二条规则允许所有的其它数据包能按正常路由。这里的Cisco WAN路由器的配置如下：
　　!
　　interface Ethernet0/0
　　　ip address 172.16.187.3 255.255.255.0
　　　no ip directed-broadcast
　　!
　　interface Ethernet0/1
　　　ip address 172.16.39.3 255.255.255.0
　　　no ip directed-broadcast
　　!
　　interface Ethernet3/0
　　　ip address 172.16.79.3 255.255.255.0
　　　no ip directed-broadcast
　　　ip policy route-map net-10
　　!
　　router eigrp 1
　　　network 172.16.0.0
　　!
　　access-list 110 permit ip 10.0.0.0 0.255.255.255 172.16.36.0 0.0.0.255
　　access-list 111 permit ip 10.0.0.0 0.255.255.255 any
　　!
　　route-map net-10 permit 10
　　　match ip address 111
　　　set interface Ethernet0/1
　　!
　　route-map net-10 permit 20
　　!
　　end
　　我们可以这样测试我们所做的配置。在名为Cisco-1的路由器10.1.1.1上发送ping命
令到Internet上的一个主机（这里就是192.1.1.1主机）。要查看名为Internet Router
的路由器上的情况，我们在特权命令模式下执行debug ip packet 101 detail命令。（
其中，在此路由器上有access-list 101 permit icmp any any配置命令）。下面是输出
结果：
　　Results of ping from Cisco-1 to 192.1.1.1/internet taken from Internet_R
outer:
　　Pakcet never makes it to Internet_Router
　　正如您所看到的：数据包没有到达Internet_Router路由器。下面的在Cisco WAN路
由器上的debug命令给出了原因：
　　Debug commands run from Cisco_WAN_Router:
　　"debug ip policy"
　　2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1, len 100, policy match
　　2d15h: IP: route map net-10, item 10, permit
　　2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1 (Ethernet0/1), len 100,
policy routed
　　2d15h: IP: Ethernet3/0 to Ethernet0/1 192.1.1.1
　　这里，数据包确实匹配了net-10策略图中的第一条规则。但为什么还是没有达到预
期的目的呢？用"debug arp"来看一下。
　　"debug arp"
　　2d15h: IP ARP: sent req src 172.16.39.3 0010.7bcf.5b02,
　　　　　　　　　　　　　　dst 192.1.1.1 0000.0000.0000 Ethernet0/1
　　2d15h: IP ARP rep filtered src 192.1.1.1 00e0.b064.243d, dst 172.16.39.3
0010.7bcf.5b02
　　　　　　　wrong cable, interface Ethernet0/1
　　debug arp的输出给出了原因。路由器努力完成它被指示要做的动作，而且试图把数
据包发向Ethernet0/1接口，但失败了。这要求路由器为目的地址192.1.1.1执行地址解
析协议操作，当执行该任务时，路由器知道了目的地址不处于该接口。接下来，路由器
发生封装错误。所以，最后数据包不能到达192.1.1.1。
　　我们怎样避免这个问题呢？修改路由图使防火墙地址为下一跳。
　　Config changed on Cisco_WAN_Router:
　　!
　　route-map net-10 permit 10
　　　match ip address 111
　　　set ip next-hop 172.16.39.2
　　!
修改后，在Internet Router上运行同样的命令：debug ip packet 101 detail。这时，
数据包可以按配置前进。我们也能看到数据包被防火墙翻译成了172.16.255.1。192.1.
1.1主机的回应：
　　Results of ping from Cisco_1 to 192.1.1.1/internet taken from Internet_R
outer:
　　2d15h: IP: s=172.16.255.1 (Ethernet1), d=192.1.1.1 (Serial0), g=192.1.1.
1, len 100, forward
　　2d15h: ICMP type=8, code=0
　　2d15h:
　　2d15h: IP: s=192.1.1.1 (Serial0), d=172.16.255.1 (Ethernet1), g=172.16.2
0.2, len 100, forward
　　2d15h: ICMP type=0, code=0
　　2d15h:
　　在Cisco WAN路由器上执行debug ip policy命令后，我们可以看到数据包被传递到
了防火墙，172.16.39.2：
　　Debug commands run from Cisco_WAN_Router:
　　"debug ip policy"
　　2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1, len 100, policy match
　　2d15h: IP: route map net-10, item 20, permit
　　2d15h: IP: s=10.1.1.1 (Ethernet3/0), d=192.1.1.1 (Ethernet0/1), len 100,
policy routed
　　2d15h: IP: Ethernet3/0 to Ethernet0/1 172.16.39.2


反向访问控制列表配置实例


我们采用如图所示的网络结构。路由器连接了二个网段，分别为172.16.4.0/24,172.16.3.0/24。在172.16.4.0/24网段中的计算机都是服务器，我们通过反向ACL设置保护这些服务器免受来自172.16.3.0这个网段的病毒***。

配置实例：禁止病毒从172.16.3.0/24这个网段传播到172.16.4.0/24这个服务器网段。

路由器配置命令：

access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 established 定义ACL101，容许所有来自172.16.3.0网段的计算机访问172.16.4.0网段中的计算机，前提是TCP连接已经建立了的。当TCP连接没有建立的话是不容许172.16.3.0访问172.16.4.0的。

int e 1 进入E1端口

ip access-group 101 out 将ACL101宣告出去

设置完毕后病毒就不会轻易的从172.16.3.0传播到172.16.4.0的服务器区了。因为病毒要想传播都是主动进行TCP连接的，由于路由器上采用反向ACL禁止了172.16.3.0网段的TCP主动连接，因此病毒无法顺利传播。

小提示：检验反向ACL是否顺利配置的一个简单方法就是拿172.16.4.0里的一台服务器PING在172.16.3.0中的计算机，如果可以PING通的话再用172.16.3.0那台计算机PING172.16.4.0的服务器，PING不通则说明ACL配置成功。

通过上文配置的反向ACL会出现一个问题，那就是172.16.3.0的计算机不能访问服务器的服务了，假如图中172.16.4.13提供了WWW服务的话也不能正常访问。解决的方法是在ESTABLISHED那句前头再添加一个扩展ACL规则，例如：access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.4.13 0.0.0.0 eq www

这样根据“最靠近受控对象原则”即在检查ACL规则时是采用自上而下在ACL中一条条检测的，只要发现符合条件了就立刻转发，而不继续检测下面的ACL语句。172.16.3.0的计算机就可以正常访问该服务器的WWW服务了，而下面的ESTABLISHED防病毒命令还可以正常生效。

笔者所在公司就使用的这种反向ACL的方式进行防病毒的，运行了一年多效果很不错，也非常稳定。

Cisco PIX515配置实例

Cisco PIX配置实例

想通过pix做snat使内网用户上网，再做dnat使访问本公网IP的http服务、ssh服务转换为192.168.4.2的http服务、ssh服务，对192.168.4.2开放本pix的telnet服务
　　
　　pix515防火墙配置策略实例
　　
　　#转换特权用户
　　pixfirewall>ena
　　pixfirewall#
　　
　　#进入全局配置模式
　　pixfirewall# conf t
　　
　　#激活内外端口
　　interface ethernet0 auto
　　interface ethernet1 auto
　　
　　#下面两句配置内外端口的安全级别
　　nameif ethernet0 outside security0
　　nameif ethernet1 inside security100
　　
　　#配置防火墙的用户信息
　　enable password pix515
　　hostname pix515
　　domain-name domain
　　
　　#下面几句配置内外网卡的IP地址
　　ip address inside 192.168.4.1 255.255.255.0
　　ip address outside 公网IP 公网IP子网掩码
　　global (outside) 1 interface
　　nat (inside) 1 192.168.4.0 255.255.255.0 0 0
　　
　　#下面两句将定义转发公网IP的ssh和www服务到192.168.4.2
　　static (inside,outside) tcp 公网IP www 192.168.4.2 www netmask 255.255.255.255 0 0
　　static (inside,outside) tcp 公网IP ssh 192.168.4.2 ssh netmask 255.255.255.255 0 0
　　
　　#下面两句将定义外部允许访问内部主机的服务
　　conduit permit tcp host 公网IP eq www any
　　conduit permit tcp host 公网IP eq ssh 信任IP 255.255.255.255
　　
　　#允许内部服务器telnet pix
　　telnet 192.168.4.2 255.255.255.0 inside
　　
　　#下面这句允许ping
　　conduit permit icmp any any
　　
　　#下面这句路由网关
　　route outside 0.0.0.0 0.0.0.0 公网IP网关 1
　　
　　#保存配置
　　write memory



Cisco SONET 配置实例

Cisco SONET 配置实例

controller SONET 6/0/0
framing sdh
clock source internal
!
au-4 1 tug-3 1
tug-2 1 e1 1 unframed
tug-2 1 e1 2 unframed
tug-2 1 e1 3 unframed
tug-2 2 e1 1 unframed
tug-2 2 e1 2 unframed
tug-2 2 e1 3 unframed
tug-2 3 e1 1 unframed
tug-2 3 e1 2 unframed
tug-2 3 e1 3 unframed
tug-2 4 e1 1 unframed
tug-2 4 e1 2 unframed
tug-2 4 e1 3 unframed
tug-2 5 e1 1 unframed
tug-2 5 e1 2 unframed
tug-2 5 e1 3 unframed
tug-2 6 e1 1 unframed
tug-2 6 e1 2 unframed
tug-2 6 e1 3 unframed
tug-2 7 e1 1 unframed
tug-2 7 e1 2 unframed
tug-2 7 e1 3 unframed
!
au-4 1 tug-3 2
idle pattern 0x0
tug-2 1 e1 1 unframed
tug-2 1 e1 2 unframed
tug-2 1 e1 3 unframed
tug-2 2 e1 1 unframed
tug-2 2 e1 2 unframed
!
au-4 1 tug-3 3
idle pattern 0x0
!
..........
...........
............
interface Serial6/0/0.1/1/1/1:0
no ip address
encapsulation ppp
tx-queue-limit 26
ppp multilink
multilink-group 1
!
interface Serial6/0/0.1/1/1/2:0
no ip address
encapsulation ppp
tx-queue-limit 26
ppp multilink
multilink-group 1
!
interface Serial6/0/0.1/1/1/3:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
multilink-group 1
!
interface Serial6/0/0.1/1/2/1:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
multilink-group 1
!
interface Serial6/0/0.1/1/2/2:0
no ip address
encapsulation ppp
tx-queue-limit 26
ppp multilink
multilink-group 2
!
interface Serial6/0/0.1/1/2/3:0
description To_
no ip address
encapsulation ppp
tx-queue-limit 26
ppp multilink
multilink-group 2
!
interface Serial6/0/0.1/1/3/1:0
description To
no ip address
encapsulation ppp
tx-queue-limit 26
ppp multilink
multilink-group 2
!
interface Serial6/0/0.1/1/3/2:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
multilink-group 2
!
interface Serial6/0/0.1/1/3/3:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
multilink-group 2
!
..........
...........
............
interface Multilink1
ip address X.X.X.X 255.255.255.252
mpls label protocol ldp
tag-switching ip
ppp multilink
multilink-group 1
!
interface Multilink2
ip address X.X.X.X 255.255.255.252
mpls label protocol ldp
tag-switching ip
ppp multilink
multilink-group 2
!


To configure a logical channel group on an E1 line, use the tug-2 <tug-2#> e1 <e1#> channel-group <channel-group#> timeslots

<list-of-timeslots> command where:

tug-2# is a value from 1 to 7

e1# is a value from 1 to 3

channel-group# is a value from 0 to 30

list-of-timeslots can be a value from 1 to 31 or a combination of subranges within the range 1 to 31 (each subrange is a list

of time slots that makes up the E1 line).

In the following example, logical channel group 15 on E1 line 1 is configured and channelized time slots 1 to 5 and 20 to 23

are assigned to the newly created logical channel group:

Router(config)# controller sonet 1/1/0

Router(config-controller)# framing sdh

Router(config-controller)# aug mapping au-4

Router(config-controller)# au-4 1 tug-3 2

Router(config-controller-tug3)# mode c-12

Router(config-controller-tug3)# tug-2 4 e1 1 channel-group 15 timeslots 1-5, 20-23

Router(config-controller-tug3)# exit

Router(config-controller)# exit


Cisco 路由器端口限速配置实例

2610(config)# access-list 2 permit 192.168.0.15 0.0.0.63

2610(config)# class-map acgroup2

2610(config-cmap)# match access-group 2

2610(config-cmap)# exit

2610(config)# policy-map police

2610(config-pmap)# class acgroup2

2610(config-pmap-c)# police 20000 2000 4000 conform-action transmit exceed-action drop

2610(config-pmap-c)# exit

2610(config-pmap)# exit

2610(config)# interface ethernet 0/0

2610(config-if)# service-policy input police



CISCO7114路由器配置实例

7114#sh run
Building configuration...

Current configuration : 2671 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 7114
!
enable secret 5 xxxxxx
!
no cable qos permission create
no cable qos permission update
cable qos permission modems
cable time-server
clock timezone PDT -8
ip subnet-zero
no ip routing
no ip domain-lookup
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.0.14 255.255.255.252
no ip route-cache
no ip mroute-cache
duplex full
speed 100
no cdp enable
!
interface FastEthernet0/1
no ip address
no ip route-cache
no ip mroute-cache
duplex full
speed 100
no cdp enable
bridge-group 2
bridge-group 2 spanning-disabled
!
interface Cable1/0
ip address 10.2.0.2 255.255.0.0
ip helper-address 10.2.0.6
no ip route-cache
no ip mroute-cache
no keepalive
cable downstream annex B
cable downstream modulation 256qam
cable downstream interleave-depth 32
cable downstream frequency 714000000
no cable upstream 0 shutdown
cable downstream rf-power 50
cable downstream channel-id 0
cable upstream 0 frequency 30000000
cable upstream 0 power-level 0
cable upstream 0 channel-width 3200000
cable upstream 0 minislot-size 4
no cable upstream 0 shutdown
cable upstream 1 frequency 30000000
cable upstream 1 power-level 0
cable upstream 1 channel-width 3200000
cable upstream 1 minislot-size 4
no cable upstream 1 shutdown
cable upstream 2 frequency 30000000
cable upstream 2 power-level 0
cable upstream 2 channel-width 3200000
cable upstream 2 minislot-size 4
no cable upstream 2 shutdown
cable upstream 3 frequency 30000000
cable upstream 3 power-level 0
cable upstream 3 channel-width 3200000
cable upstream 3 minislot-size 4
no cable upstream 3 shutdown
bridge-group 2
bridge-group 2 subscriber-loop-control
!
ip default-gateway 10.1.0.13
ip classless
no ip http server
!
!
no cdp run
snmp-server community xxxxxx RO
snmp-server community xxxxxx RO
snmp-server manager
banner motd ^C
Cisco 7114
Welcome
^C
alias exec scm show cable modem
alias exec sd show int cable1/0 downstream
alias exec su show int cable1/0 upstream
alias exec sr show cable modem remote-query
alias exec scf show cable flap
alias exec ccm clear cable modem
alias exec scc show controllers cable 1/0
!
line con 0
timeout login response 300
password 7 000000
logging synchronous
login
line aux 0
password 7 000000
logging synchronous
login
line vty 0 4
password 7 000000
logging synchronous
login
!
end


PIX-PPTP ×××配置实例

pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit ip any any
access-list acl_in permit ip any any
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 192.168.0.100-192.168.0.110
ip local pool cisco 192.168.0.120-192.168.0.130
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map mymap 20 ipsec-isakmp dynamic dynomap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local testpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
***group usergroup address-pool testpool
***group usergroup idle-time 1800
***group usergroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local cisco
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username 123 password *********
vpdn enable outside
username user1 password tJsDL6po9m1UFs.h encrypted privilege 2
terminal width 80
Cryptochecksum:49fcf8e651150adf5ce5d8f749987ba2
: end
pixfirewall(config)#




PIX-×××-Client配置实例

pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit ip any any
access-list acl_in permit ip any any
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 192.168.0.100-192.168.0.110
ip local pool cisco 192.168.0.120-192.168.0.130
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map mymap 20 ipsec-isakmp dynamic dynomap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local testpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
***group usergroup address-pool testpool
***group usergroup idle-time 1800
***group usergroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
username user1 password tJsDL6po9m1UFs.h encrypted privilege 2
terminal width 80
Cryptochecksum:49fcf8e651150adf5ce5d8f749987ba2
: end
pixfirewall(config)#

简单的路由器DHCP配置实例

Router#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
!
!
!
!
ip subnet-zero
!
ip dhcp pool test
network 192.168.0.0 255.255.255.0
dns-server 202.97.224.68
default-router 192.168.0.1
lease 3
!
ip dhcp pool tom
host 192.168.0.18 255.255.255.0
client-identifier 0100.c09f.9b1f.8b
!
lane client flush
cns event-service server
!
!
!
!
!
!
!
interface Ethernet2/0
ip address 192.168.0.1 255.255.255.0
!
ip classless
no ip http server
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end


IPsec ××× access 配置实例



总部：

crypto isakmp policy 1　　　　//策略
encryption 3des　　　　　　 //加密方式
authentication pre-share　　//认证
group 2　　　　　　　　　　　　//加密组

crypto isakmp client configuration address-pool local poolxxx
//客户端IP地址池

crypto isakmp client configuration group groupxxx //组名称
key crackerxxx 　　　　//密钥，也就是客户端密码
dns 211.98.2.4　　　　　　//客户端DNS
domain xxx.edu.cn　　　　//域名
pool poolxxx　　　　　　　//客户端拨号地址池
netmask 255.255.255.0　　//客户端掩码

crypto ipsec transformset setxxx esp-3des esp-sha-hmac //变换集

crypto dynamic-map mapxxx 1　　　　//动态map
set transform-set setxxx //引用变换集setxxx

crypto map map isakmp authorization list groupxxx //验证方式
crypto map map client configuration address respond //客户端自动获取IP
crypto map map 1 ipsec-isakmp dynamic mapxxx //引用动态map

ip local pool poolxxx 211.89.1.1 211.89.1.254 //拨号地址池

int f0/1　　　　　　　　　　//进入外网接口
crypto map map //激活crypto map


客户端：
必须采用思科的*** client软件
在group配置中填写groupxxx
密码选项填写crackerxxx
地址选项填写MAIN　OFFICE的路由器外口地址即可
 

 

转载于:https://blog.51cto.com/taiguoqing/741417