
Goal: establish a VPN tunnel between VPN Client 3.1 and a PIX 525.
Problem: if I dial up to the ISP over a phone line and then use Client 3.1 to bring up the VPN, everything works.
If I am inside a remote LAN (one that is already connected to the Internet via ADSL), the VPN tunnel is established normally, but when the encrypted data I send comes back, the PIX does not encrypt it, so there is no connectivity.
Could you please help me with this? The configuration is as follows:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
access-list 120 permit icmp any host 200.1.1.99
access-list 120 permit tcp any host 200.1.1.99
access-list 120 permit udp any host 200.1.1.99
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.48.67.1-10.48.67.20
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.1.1.100-200.1.1.110
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.1.1.99 10.48.66.99 netmask 255.255.255.255 0 0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.48.66.102 cisco timeout 10
aaa authentication include http outside 10.48.66.99 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.48.66.99 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.48.66.99 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.48.66.7
vpngroup vpn3000 wins-server 10.48.66.100
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 split-tunnel
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password cisco
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
pixfirewall#
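The following lint script is an added example and is not part of the original post or of any Cisco tooling. It reads a constructed excerpt of the configuration posted above (only the lines the checks need, values copied from the post) and reports what a reviewer would look at first in a PIX 6.x remote-access setup: whether the client address pool overlaps a directly connected interface subnet (on the posted values, 10.48.67.1-10.48.67.20 lies inside the inside interface's 10.48.66.0/23), whether the nat 0 ACL actually exempts traffic to the whole pool, and the weak settings visible in the config (default SNMP community, wildcard pre-shared key for 0.0.0.0/0, DES/MD5/DH group 1 in the ISAKMP policies, single DES in the transform set, a split-tunnel statement with no ACL name, and a short default-style vpngroup password). The finding names and the PIX_CONFIG excerpt are mine; the checks work on any "write terminal" output with the same line formats.

```python
"""Lint checks for a PIX 6.x remote-access IPsec configuration (added example)."""
import ipaddress
import re

# Constructed excerpt of the posted configuration; values copied from the post.
PIX_CONFIG = """\
ip address outside 200.1.1.1 255.255.255.0
ip address inside 10.48.66.18 255.255.254.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip local pool ippool 10.48.67.1-10.48.67.20
access-list 101 permit ip 10.48.66.0 255.255.254.0 10.48.67.0 255.255.255.0
nat (inside) 0 access-list 101
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
vpngroup vpn3000 split-tunnel
vpngroup vpn3000 password cisco
"""


def interface_networks(cfg):
    """Map interface name -> directly connected IPv4Network from 'ip address' lines."""
    nets = {}
    for name, addr, mask in re.findall(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M):
        nets[name] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return nets


def local_pool(cfg):
    """(first, last) address of the 'ip local pool' handed out to VPN clients."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+)$", cfg, re.M).groups()
    return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)


def pool_overlaps(cfg):
    """Names of interfaces whose connected subnet overlaps the client pool.

    A pool address that also falls inside an interface subnet is both a
    'directly connected' host and an IPsec peer, so it is worth flagging."""
    lo, hi = local_pool(cfg)
    return sorted(name for name, net in interface_networks(cfg).items()
                  if net.network_address <= hi and net.broadcast_address >= lo)


def nat0_covers_pool(cfg):
    """True if the ACL bound by 'nat (inside) 0 access-list' exempts traffic
    to every pool address from translation (destination side of an ACE)."""
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M).group(1)
    lo, hi = local_pool(cfg)
    ace = rf"^access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)$"
    for dst, mask in re.findall(ace, cfg, re.M):
        net = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
        if lo in net and hi in net:
            return True
    return False


# Settings a reviewer would flag; each entry is (finding name, regex over one line).
WEAK_PATTERNS = [
    ("snmp-default-community", r"^snmp-server community (public|private)$"),
    ("wildcard-psk",           r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$"),
    ("isakmp-des",             r"^isakmp policy \d+ encryption des$"),
    ("isakmp-md5",             r"^isakmp policy \d+ hash md5$"),
    ("isakmp-dh-group1",       r"^isakmp policy \d+ group 1$"),
    ("ipsec-des",              r"^crypto ipsec transform-set \S+ .*\besp-des\b"),
    ("split-tunnel-no-acl",    r"^vpngroup \S+ split-tunnel[ \t]*$"),
]
DEFAULT_PASSWORDS = {"cisco", "password", "pix"}   # assumed list of default-style secrets


def weak_settings(cfg):
    """Findings present in cfg, in WEAK_PATTERNS order, plus a weak vpngroup
    password (the group password is the shared secret every client carries)."""
    found = [name for name, pat in WEAK_PATTERNS if re.search(pat, cfg, re.M)]
    for pw in re.findall(r"^vpngroup \S+ password (\S+)$", cfg, re.M):
        if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 8:
            found.append("vpngroup-weak-password")
            break
    return found


if __name__ == "__main__":
    print("pool overlaps interface subnet(s):", pool_overlaps(PIX_CONFIG))
    print("nat 0 ACL covers the whole pool:", nat0_covers_pool(PIX_CONFIG))
    print("weak settings:", weak_settings(PIX_CONFIG))
```

Run it as-is to see the three reports for the posted values; to lint a different box, paste its "write terminal" output into PIX_CONFIG. The overlap check only reports the fact; whether it explains the symptom in the post is a separate question that needs debug output from the PIX.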