攻城狮论坛

Author: Cmyrtle
Views: 1722 | Replies: 12

[Security] Urgent: the client is on ADSL, how can it log in to the PIX 515E VPN?

What configuration is needed on the firewall?
The firewall is a PIX 515E.

The client connects to the Internet over PPPoE.

hawk793 [Lv4 Rising Talent] posted on 2013-7-24 09:35:15
See my post;
use Cisco's client software.

eric980643 [Lv4 Rising Talent] posted on 2013-7-24 18:02:55
The client software I'm using is Cisco VPN Client 4.0.1.

sleet [Lv4 Rising Talent] posted on 2013-7-24 19:18:58
It reports: the necessary vpn sub-system is not available
you can't connect to the remote vpn server

rinker [Lv4 Rising Talent] posted on 2013-7-24 21:46:47
pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP)
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool

vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#

mosheh [Lv5 Still Growing] posted on 2013-7-24 23:12:03
My configuration is about the same as yours. With a public IP I can connect to the VPN;
over ADSL PPPoE I can't get in.
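An added example, not part of any post in this thread: a small Python audit over the VPN-relevant lines of the PIX configuration posted above. It flags the DES, MD5 and group 1 settings, the wildcard pre-shared key and the default SNMP community, and reports that `isakmp nat-traversal` (a PIX 6.3 command) is absent, which is worth checking when a client connects from a public IP but not from behind an ADSL router. The rule ids and the `audit` function are assumptions made for this example.

```python
import re

# Constructed excerpt: VPN-relevant lines copied from the configuration above.
SAMPLE_CONFIG = """\
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

# (rule id, regex for one config line, reason). Rule ids are made up for this example.
LINE_RULES = [
    ("weak-ike-cipher", r"^isakmp policy \d+ encryption des$", "single DES for IKE"),
    ("weak-ike-hash", r"^isakmp policy \d+ hash md5$", "MD5 for IKE integrity"),
    ("weak-dh-group", r"^isakmp policy \d+ group 1$", "768-bit Diffie-Hellman group"),
    ("weak-esp-transform", r"^crypto ipsec transform-set \S+ .*\besp-des\b",
     "single DES for ESP"),
    ("wildcard-psk", r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "one pre-shared key accepted from any peer address"),
    ("default-snmp-community", r"^snmp-server community public$",
     "default SNMP community string"),
]


def audit(config):
    """Return a list of (rule id, offending line or '', reason) findings."""
    stripped = (ln.strip() for ln in config.splitlines())
    lines = [ln for ln in stripped if ln and not ln.startswith("!")]
    findings = []
    for rule, pattern, reason in LINE_RULES:
        findings += [(rule, ln, reason) for ln in lines if re.search(pattern, ln)]
    # Absence check: IKE is enabled but NAT traversal is not, so IPsec is not
    # UDP-encapsulated for clients that sit behind a NAT/PAT device.
    ike_on = any(ln.startswith("isakmp enable") for ln in lines)
    nat_t = any(ln.startswith("isakmp nat-traversal") for ln in lines)
    if ike_on and not nat_t:
        findings.append(("no-nat-traversal", "", "no UDP encapsulation behind NAT"))
    return findings


if __name__ == "__main__":
    for rule, line, reason in audit(SAMPLE_CONFIG):
        print(f"{rule:24} {reason}: {line or '(no such line)'}")
```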

ayayay [Lv8 Technically Skilled] posted on 2013-11-6 22:00:54
Nice, nice. Thanks for your hard work, OP...

sadasz [Lv8 Technically Skilled] posted on 2013-11-7 20:26:09
Just passing by, showing some support.

azcat [Lv8 Technically Skilled] posted on 2013-11-9 10:22:14
Showing some support :lol

楚行云 [Lv8 Technically Skilled] posted on 2013-11-9 10:55:03