Quote: Author: ゞ懒虫ゞ
It's not a matter of one or two commands.
For reference:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.29.6.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.29.131.1 255.255.255.0
!
enable password 90RBsEWodTGO2XFL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
ftp mode passive
! nonat: traffic from the inside LAN to the VPN client pool bypasses NAT (see nat (inside) 0 below)
access-list nonat extended permit ip 172.29.131.0 255.255.255.0 10.1.1.0 255.255.255.0
! split-tunnel list: only traffic to these networks is sent through the tunnel. As posted it
! names 10.1.1.0/24, which is the client pool itself; the inside LAN behind this PIX is
! 172.29.131.0/24 (compare the nonat ACL above).
access-list split standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool testpool 10.1.1.1-10.1.1.150
no failover
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 172.29.0.0 255.255.0.0 172.29.6.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 wins-server value 10.1.1.102
 dns-server value 10.1.1.100 10.1.1.101
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username peter password eiLX8yKuiZqgo6C8 encrypted
username tcytech password HTEt2RXRBqicQQ2g encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto dynamic-map mymap 10 set transform-set test
crypto map test 10 ipsec-isakmp dynamic mymap
crypto map test interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool testpool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
http://www.hrbnt.cn/cisco/article.asp?id=1842
Thank you! I really want to give you reward points~~ It needs class-map, policy-map and service-map, all three combined, to work; everyone can just imitate the last few commands~~ Thank you!
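The three Modular Policy Framework pieces the reply above refers to (class-map, policy-map, and the service-policy command that actually applies the policy) in one place, as an added example written for PIX 7.0(1) syntax; it is not part of the original post or of the linked article. The names inspection_default and global_policy match the posted config; the vpn_dns ACL, the vpn_dns_class class-map and the outside_policy policy-map are hypothetical names chosen for the per-interface variant.

```cisco
! Added example, not from the original post. PIX 7.0(1) syntax.
!
! 1. class-map: WHICH traffic the policy acts on.
!    default-inspection-traffic matches the default protocol/port set the inspect
!    engines know (FTP/21, DNS/53, ESMTP/25, ...), so one class covers them all.
class-map inspection_default
 match default-inspection-traffic
!
! 2. policy-map: WHAT to do with matched traffic. One class, several inspect actions.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect esmtp
!
! 3. service-policy: WHERE the policy is enforced. Without this line the policy-map
!    exists in the config but inspects nothing, and "show service-policy" lists nothing
!    for it. Only one global service policy may exist at a time.
service-policy global_policy global
!
! Hypothetical per-interface variant: inspect DNS from the VPN client pool
! (10.1.1.0/24 in the posted config) on the outside interface only. For a given
! inspection engine, an interface policy takes precedence over the global one on
! that interface; the global policy still covers engines the interface policy omits.
access-list vpn_dns extended permit udp 10.1.1.0 255.255.255.0 any eq domain
class-map vpn_dns_class
 match access-list vpn_dns
policy-map outside_policy
 class vpn_dns_class
  inspect dns maximum-length 512
service-policy outside_policy interface outside
!
! Verification: confirm the policy is attached and see per-class packet counters.
show service-policy
show service-policy interface outside
show running-config policy-map
```

The check that matters is the last step: after pasting a class-map and policy-map, run show service-policy and make sure the policy-map name appears with an interface or "Global policy" next to it; if it does not, the inspections are defined but never applied.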