Quote: Author: ゞ懒虫ゞ
It is not a matter of one or two commands.

Reference:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.29.6.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.29.131.1 255.255.255.0
!
enable password 90RBsEWodTGO2XFL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
ftp mode passive
access-list nonat extended permit ip 172.29.131.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool testpool 10.1.1.1-10.1.1.15
no failover
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 172.29.0.0 255.255.0.0 172.29.6.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 wins-server value 10.1.1.102
 dns-server value 10.1.1.100 10.1.1.101
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username peter password eiLX8yKuiZqgo6C8 encrypted
username tcytech password HTEt2RXRBqicQQ2g encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto dynamic-map mymap 10 set transform-set test
crypto map test 10 ipsec-isakmp dynamic mymap
crypto map test interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool testpool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

5 M. k3 M4 A7 s" s$ Chttp://www.hrbnt.cn/cisco/article.asp?id=1842
Thank you! I really want to give you reward points~~ It needs class-map, policy-map and service-map combined to complete; everyone can just imitate the last few segments of commands~~ Thank you!
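As an added example (not part of the forum post, and not a Cisco tool), the script below parses the VPN-relevant lines of the PIX configuration quoted above and runs the checks a reviewer would apply to a remote-access IPsec setup: which ISAKMP policies still offer 3DES or Diffie-Hellman group 2, whether the address pool handed to VPN clients is covered by the destination of the `nat 0` ACL, and whether the split-tunnel list actually includes the inside network. The CONFIG string is a trimmed copy of the quoted configuration with the forum's anti-copy debris removed; the "weak" thresholds and the assumption that clients are meant to reach 172.29.131.0/24 through the tunnel are the auditor's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: VPN-relevant lines copied from the quoted PIX config, not a live device.
CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 172.29.131.1 255.255.255.0
access-list nonat extended permit ip 172.29.131.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split standard permit 10.1.1.0 255.255.255.0
ip local pool testpool 10.1.1.1-10.1.1.15
nat (inside) 0 access-list nonat
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
isakmp policy 20 encryption aes
isakmp policy 20 group 2
isakmp policy 65535 encryption 3des
isakmp policy 65535 group 2
"""

# Auditor's thresholds (assumptions, not from the post): what counts as weak today.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip() and ln.strip() != "!"]


def parse_isakmp_policies(config):
    """Group 'isakmp policy <prio> <attr> <value>' lines by priority number."""
    policies = defaultdict(dict)
    for ln in _lines(config):
        m = re.match(r"isakmp policy (\d+) (\S+) (.+)$", ln)
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(policies)


def parse_local_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for ln in _lines(config):
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def parse_acl(config, name):
    """Return (src, dst) per extended permit entry and (net, None) per standard permit entry."""
    entries = []
    for ln in _lines(config):
        ext = re.match(rf"access-list {re.escape(name)} extended permit \S+ (\S+) (\S+) (\S+) (\S+)$", ln)
        std = re.match(rf"access-list {re.escape(name)} standard permit (\S+) (\S+)$", ln)
        if ext:
            entries.append((ipaddress.ip_network(f"{ext[1]}/{ext[2]}", strict=False),
                            ipaddress.ip_network(f"{ext[3]}/{ext[4]}", strict=False)))
        elif std:
            entries.append((ipaddress.ip_network(f"{std[1]}/{std[2]}", strict=False), None))
    return entries


def parse_interfaces(config):
    """Return {nameif: network} for every interface block carrying both nameif and ip address."""
    nets, name, net = {}, None, None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            name, net = None, None
        elif ln.startswith(" nameif "):
            name = ln.split()[1]
        elif ln.startswith(" ip address "):
            _, _, addr, mask = ln.split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if name and net:
            nets[name] = net
    return nets


def audit(config):
    """Return human-readable findings for the remote-access VPN part of the config."""
    findings = []
    for prio, attrs in sorted(parse_isakmp_policies(config).items()):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: weak encryption {attrs['encryption']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: weak DH group {attrs['group']}")
    nonat_dsts = [dst for _, dst in parse_acl(config, "nonat") if dst]
    for pool, (first, last) in parse_local_pools(config).items():
        # Inside hosts' replies to VPN clients must bypass NAT, so the pool must sit in the nat 0 ACL.
        if not any(first in dst and last in dst for dst in nonat_dsts):
            findings.append(f"pool {pool}: {first}-{last} not covered by the nat 0 ACL")
    inside = parse_interfaces(config).get("inside")
    split_nets = [net for net, _ in parse_acl(config, "split")]
    # Assumption: remote clients are meant to reach the inside LAN through the tunnel.
    if inside and not any(inside.subnet_of(net) for net in split_nets):
        findings.append(f"split-tunnel list omits inside network {inside}")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the quoted lines, the pool check passes (10.1.1.1-10.1.1.15 lies inside the `nonat` destination 10.1.1.0/24), both ISAKMP policies are flagged for DH group 2 and the fallback policy 65535 additionally for 3DES, and the split-tunnel ACL is reported as listing only the pool network rather than the 172.29.131.0/24 inside network that clients would normally need to reach.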