Cisco PIX 525 VPDN + ACS user authentication

Source: original to this site. Category: CISCO

System environment:

  Cisco PIX 525
  Cisco ACS Server 3.2
Functions implemented:
  Remote users dial into the corporate network with the Cisco IPsec VPN Client (3.x or later);
  Remote users dial into the corporate network with Microsoft PPTP VPN;
  All remote VPDN users are authenticated and accounted for through the ACS server, which eases management and provides functions the PIX's own authentication cannot, such as locking an account after failed login attempts and restricting access times;
Configuration on the PIX 525:
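The per-user check in this design is a RADIUS Access-Request from the PIX to ACS, and the shared key configured on both sides is what hides the user's password in that request and authenticates the server's reply. The following Python is an added example, not code from this page or from Cisco: it builds the PAP Access-Request as RFC 2865 specifies, has a minimal server unhide the password and sign its answer, and has the client verify the Response Authenticator before trusting an Accept. The secret, the user database and function names such as `build_access_request` are constructed; the NAS address 10.1.8.12 is the PIX inside address from the listing below.

```python
"""RADIUS PAP exchange between a NAS (the PIX) and a server (ACS), per RFC 2865.
Added example; the secret, user database and function names are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"constructed-shared-key"        # configured on both PIX and ACS
USER_DB = {"alice": b"correct horse battery"}    # constructed ACS user store


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip):
    """What the NAS sends: Code, Identifier, Length, a random Request Authenticator, attributes."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, secret, user_db):
    """What the server does: unhide the password, check the user, sign the reply with
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    expected = user_db.get(user, b"")
    ok = bool(expected) and hmac.compare_digest(password, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(reply, request, secret):
    """What the NAS must do before honouring an Accept: match the Identifier to the
    outstanding request and recompute the Response Authenticator with the secret.
    Returns the reply code, or None if the reply is not authentic."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(reply[4:20], expected):
        return None
    return code


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    """Round trip: NAS builds the request, server answers, NAS verifies the answer."""
    request = build_access_request(7, secret, username, password, "10.1.8.12")
    reply = server_handle(request, secret, user_db)
    return client_verify(reply, request, secret)


if __name__ == "__main__":
    print("alice/correct ->", authenticate("alice", "correct horse battery"))
    print("alice/wrong   ->", authenticate("alice", "wrong"))
```

The `client_verify` step is the part worth noticing: an Accept whose Response Authenticator does not match is discarded, which is why the key on the `aaa-server ... host` line must be kept private and must match on the ACS side exactly.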
  jtpixfirewall# sh run
  : Saved
  :
  PIX Version 6.3(3)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  interface ethernet3 auto
  interface ethernet4 auto
  interface ethernet5 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 perimter1 security20
  nameif ethernet3 perimter2 security30
  nameif ethernet4 perimter3 security40
  nameif ethernet5 perimter4 security50
  enable password pAvMEKYodlghdOOb7Y encrypted
  passwd 1ZowQT4VG2d3TbU69 encrypted
  hostname jtpixfirewall
  domain-name jt.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name 10.1.5.0 test
  name 10.1.8.50 netmang
  access-list inside_outbound_nat0_acl permit ip 10.1.8.0 255.255.255.0 10.1.58.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip test 255.255.255.0 10.1.58.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.252.0.0 10.1.58.0 255.255.255.0
  access-list jt1_splitTunnelAcl permit ip test 255.255.255.0 any
  access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
  access-list acl-out permit icmp any any
  pager lines 24
  logging on
  logging timestamp
  logging trap debugging
  logging history debugging
  logging facility 16
  logging host inside netmang
  mtu outside 1500
  mtu inside 1500
  mtu perimter1 1500
  mtu perimter2 1500
  mtu perimter3 1500
  mtu perimter4 1500
  ip address outside 222.121.48.75 255.255.255.224
  ip address inside 10.1.8.12 255.255.255.0
  ip address perimter1 127.0.0.1 255.255.255.255
  no ip address perimter2
  no ip address perimter3
  no ip address perimter4
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool local_pool 10.1.58.50-10.1.58.100
  no failover
  failover timeout 0:00:00
  failover poll 15
  no failover ip address outside
  no failover ip address inside
  no failover ip address perimter1
  no failover ip address perimter2
  no failover ip address perimter3
  no failover ip address perimter4
  pdm location 10.1.9.50 255.255.255.255 inside
  pdm location 10.1.9.0 255.255.255.0 inside
  pdm location 10.1.9.0 255.255.255.0 perimter1
  pdm location 10.1.1.253 255.255.255.255 inside
  pdm location 10.1.0.0 255.255.0.0 inside
  pdm location 10.1.1.253 255.255.255.255 perimter1
  pdm location test 255.255.255.0 inside
  pdm location 10.0.0.0 255.252.0.0 inside
  pdm location 10.1.58.0 255.255.255.0 outside
  pdm location netmang 255.255.255.255 inside
  pdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 10.1.8.0 255.255.255.0 0 0
  nat (inside) 0 10.0.0.0 255.252.0.0 0 0
  access-group acl-out in interface inside
  rip inside default version 2
  route outside 0.0.0.0 0.0.0.0 222.121.48.65 1
  route inside 10.1.0.0 255.255.0.0 10.1.8.253 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server jtacs protocol radius
  # the jtacs AAA group uses RADIUS
  aaa-server jtacs (inside) host netmang ddjt2008 timeout 5
  # RADIUS server address (name netmang) and shared key (ddjt2008)
  aaa proxy-limit disable
  aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 jtacs
  # RADIUS accounting through AAA group jtacs
  http server enable
  http 10.1.9.50 255.255.255.255 inside
  snmp-server host inside netmang
  no snmp-server location
  no snmp-server contact
  snmp-server community en9fk5*37
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  sysopt radius ignore-secret
  service resetinbound
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication jtacs
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp nat-traversal 20
  # NAT traversal so IPsec clients behind NAT can connect
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup test1 address-pool local_pool
  vpngroup test1 dns-server 10.1.2.1
  vpngroup test1 wins-server 10.1.2.1
  vpngroup test1 default-domain jt
  vpngroup test1 split-tunnel jt1_splitTunnelAcl
  vpngroup test1 idle-time 1800
  vpngroup test1 secure-unit-authentication
  vpngroup test1 user-idle-timeout 18
  vpngroup test1 device-pass-through
  vpngroup test1 password ********
  telnet 10.1.8.0 255.255.255.0 inside
  telnet 10.1.9.0 255.255.255.0 inside
  telnet 10.1.1.253 255.255.255.255 inside
  telnet 10.1.1.253 255.255.255.255 perimter1
  telnet 10.1.1.253 255.255.255.255 perimter2
  telnet 10.1.1.253 255.255.255.255 perimter3
  telnet 10.1.1.253 255.255.255.255 perimter4
  telnet timeout 10
  ssh 10.1.9.0 255.255.255.0 inside
  ssh 10.1.9.0 255.255.255.0 perimter1
  ssh 10.1.9.0 255.255.255.0 perimter2
  ssh 10.1.9.0 255.255.255.0 perimter
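A listing like the one above is only as good as its cross-references: an access-list that uses an undefined name, or a vpngroup attribute attached to a misspelled group name, is either rejected by the PIX or quietly creates a second group, and the VPN policy ends up different from what was intended. The following Python is an added example, not code from this page or from Cisco: it tokenizes a PIX 6.x `show run` and checks the remote-access pieces against each other (names versus access-lists, the crypto map's client-authentication group versus defined aaa-server groups and hosts, vpngroup attributes versus address pools and split-tunnel ACLs) and also flags telnet management lines. `SAMPLE_CONFIG` is a constructed, trimmed excerpt modelled on the listing, with a placeholder RADIUS key and two typos of the kind that slip into such listings (`tests` for the name `test`, `tset1` for `test1`) so that the checks fire; `audit`, `tokenize` and the finding texts are assumptions.

```python
"""Cross-reference audit of the remote-access VPN parts of a PIX 6.x 'show run'.
Added example; SAMPLE_CONFIG is a constructed, trimmed excerpt modelled on the
page's listing, with a placeholder RADIUS key and two deliberate typos."""
import ipaddress

ACL_KEYWORDS = {"permit", "deny", "ip", "tcp", "udp", "icmp", "any", "host", "eq", "range", "log"}

SAMPLE_CONFIG = """\
name 10.1.5.0 test
name 10.1.8.50 netmang
access-list inside_outbound_nat0_acl permit ip test 255.255.255.0 10.1.58.0 255.255.255.0
access-list jt1_splitTunnelAcl permit ip tests 255.255.255.0 any
access-list acl-out permit icmp any any
ip local pool local_pool 10.1.58.50-10.1.58.100
aaa-server jtacs protocol radius
aaa-server jtacs (inside) host netmang RADIUS_KEY_PLACEHOLDER timeout 5
crypto map outside_map client authentication jtacs
crypto map outside_map interface outside
vpngroup test1 address-pool local_pool
vpngroup test1 split-tunnel jt1_splitTunnelAcl
vpngroup test1 password ********
vpngroup tset1 user-idle-timeout 18
telnet 10.1.8.0 255.255.255.0 inside
ssh 10.1.9.0 255.255.255.0 inside
"""


def tokenize(config):
    """One token list per config line; ':' banner lines and '#' notes are skipped."""
    return [ln.split() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "#"))]


def is_ip(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def audit(config):
    """Return a list of human-readable findings; an empty list means consistent."""
    lines = tokenize(config)
    findings = []
    names = {t[2] for t in lines if t[0] == "name" and len(t) >= 3}
    pools = {t[3] for t in lines if t[:3] == ["ip", "local", "pool"] and len(t) >= 4}
    acls = {t[1] for t in lines if t[0] == "access-list" and len(t) >= 2}
    aaa_groups = {t[1] for t in lines if t[0] == "aaa-server" and "protocol" in t}
    aaa_hosts = {t[1] for t in lines if t[0] == "aaa-server" and "host" in t}
    vpngroups, auth_groups = {}, []

    for t in lines:
        if t[0] == "access-list":
            # every non-keyword, non-address, non-numeric token must be a defined name
            for tok in t[2:]:
                if tok not in ACL_KEYWORDS and tok not in names and not is_ip(tok) and not tok.isdigit():
                    findings.append(f"access-list {t[1]} references undefined name '{tok}'")
        elif t[0] == "vpngroup" and len(t) >= 3:
            vpngroups.setdefault(t[1], {})[t[2]] = t[3:]
        elif t[:2] == ["crypto", "map"] and t[3:5] == ["client", "authentication"]:
            auth_groups.append(t[5])
        elif t[0] == "aaa-server" and "host" in t:
            h = t[t.index("host") + 1]
            if h not in names and not is_ip(h):
                findings.append(f"aaa-server {t[1]} host '{h}' is neither an address nor a defined name")
        elif t[0] == "telnet" and len(t) == 4:
            findings.append(f"telnet (cleartext management) allowed from {t[1]} on {t[3]}")

    if not auth_groups:
        findings.append("no 'crypto map ... client authentication': remote users are not individually authenticated")
    for g in auth_groups:
        if g not in aaa_groups:
            findings.append(f"crypto map authenticates against undefined aaa-server group '{g}'")
        elif g not in aaa_hosts:
            findings.append(f"aaa-server group '{g}' has no host entry, so authentication cannot succeed")
    for g, attrs in vpngroups.items():
        missing = [k for k in ("address-pool", "password") if k not in attrs]
        if missing:
            findings.append(f"vpngroup '{g}' lacks {', '.join(missing)} (misspelled group name?)")
        pool = attrs.get("address-pool", [""])[0]
        if pool and pool not in pools:
            findings.append(f"vpngroup '{g}' uses undefined address pool '{pool}'")
        acl = attrs.get("split-tunnel", [""])[0]
        if acl and acl not in acls:
            findings.append(f"vpngroup '{g}' split-tunnel references undefined access-list '{acl}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a saved `show run` by replacing `SAMPLE_CONFIG` with the file contents; the `#` annotation lines the author uses in the listing are skipped by `tokenize`, so the annotated version can be fed in unchanged.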

Article from: CCIE那点事 http://www.jdccie.com/ , all rights reserved. Except where a source is noted, articles on this site are the author's original work; they may be freely quoted with attribution, but full reproduction is prohibited.
Permalink: http://www.jdccie.com/?p=383 . Please credit CCIE那点事 when reposting.