
Category: Networking & Security

2007-12-23 14:22:51

Users who dial in over ADSL get a 192.168.20.* address; once the VPN is up they can ping 192.168.5.1 (inside) but cannot reach the internal network (ping fails too). Please advise!

Note: 101.135.245.65 255.255.255.240 is a made-up public IP; please don't read anything into it.

Here is the current configuration:

User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: **********
pixfirewall# show run
: Saved
:
PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password uK/bGVpg2hjbjqrd encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 121.35.245.65 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
passwd QADWyv0isJeZAbgO encrypted
ftp mode passive
same-security-traffic permit intra-interface
object-group service 192.168.4.4 tcp
 port-object eq www
 port-object eq pop3
access-list 100 extended permit tcp any host 121.35.245.66 eq www
access-list 100 extended permit tcp any host 121.35.245.66 eq smtp
access-list 100 extended permit tcp any host 121.35.245.66 eq pop3
access-list 100 extended permit tcp any host 121.35.245.66 eq domain
access-list 100 extended permit tcp any host 121.35.245.66 eq ftp
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any interface outside eq 3389
access-list 100 extended permit tcp any host 121.35.245.66 eq 1112
access-list 100 extended permit tcp any host 121.35.245.66 eq 3389
access-list 100 extended permit tcp any host 121.35.245.66 eq telnet
access-list 100 extended permit ip any host 121.35.245.65
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list kunda_yqd_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool add_pool_1 192.168.5.100-192.168.5.200 mask 255.255.255.0
ip local pool add_pool_2 192.168.20.1-192.168.20.254 mask 255.255.255.0
no failover
asdm image flash:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
alias (inside) 121.35.245.66 192.168.10.2 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.5.2 3389 netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 ftp 192.168.10.2 ftp netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 1112 192.168.10.2 1112 netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 www 192.168.10.2 www netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 smtp 192.168.10.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 pop3 192.168.10.2 pop3 netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 domain 192.168.10.2 domain netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 3389 192.168.10.2 3389 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 121.35.245.78 1
route inside 192.168.20.0 255.255.255.0 192.168.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
group-policy vpnuser internal
group-policy vpnuser attributes
 vpn-idle-timeout 30
 user-authentication enable
group-policy kunda_yqd internal
group-policy kunda_yqd attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value kunda_yqd_splitTunnelAcl
username yiqunda password 6fntmBhkFuQgK4WR encrypted privilege 0
username yiqunda attributes
 vpn-group-policy kunda_yqd
 vpn-framed-ip-address 192.168.20.1 255.255.255.0
username lyct password tiZTvJP01nOsS089 encrypted privilege 0
username lyct attributes
 vpn-group-policy kunda_yqd
username chinafox password nnF2E/d4wfYJ4B/V encrypted
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 120
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group kunda_yqd type ipsec-ra
tunnel-group kunda_yqd general-attributes
 address-pool add_pool_2
 authentication-server-group (outside) LOCAL
 default-group-policy kunda_yqd
tunnel-group kunda_yqd ipsec-attributes
 pre-shared-key *
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
 address-pool add_pool_2
 authentication-server-group (outside) LOCAL
 default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group kunda_yqd
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 211.0.0.0 255.0.0.0 outside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 202.96.134.133 202.96.128.68
dhcpd lease 7200
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
Cryptochecksum:bfa81b88e95834b25ce38069bf6bc0bb
: end
pixfirewall#
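A reviewer's pass over the configuration above, as an added example; the script is mine, not code from the original post or from Cisco. Two lines in the posted config frame the question. `management-access inside` is what lets a tunnel client ping 192.168.5.1 at all, so that ping proves the tunnel and the nat 0 exemption work but says nothing about whether inside hosts can answer. `route inside 192.168.20.0 255.255.255.0 192.168.5.1 1` sends traffic for the client pool to the firewall's own inside address; the PIX installs a host route per connected client towards the peer on its own, so that static route is wrong and should go (compare `show route` with a client connected). Beyond the VPN path, the same config allows cleartext telnet management from 211.0.0.0/8 on outside, permits `ip any` to the outside interface address, and forwards RDP to 192.168.5.2 from any source; the post also publishes the enable and user password hashes, which is reason enough to change them. The script embeds a constructed excerpt of the posted config and reports these points as findings; the `review` function, the finding codes and the checks are assumptions of this example, not Cisco tooling, and the nat 0 check passes on the posted config.

```python
"""Reviewer's pass over the PIX 7.0(4) 'show run' posted above. Added example, not
code from the post or from Cisco; CONFIG is a constructed excerpt of the posted
config, and the finding codes and checks are my own heuristics."""
import ipaddress

CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 121.35.245.65 255.255.255.240
interface Ethernet1
 nameif inside
 ip address 192.168.5.1 255.255.255.0
access-list 100 extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip any host 121.35.245.65
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
ip local pool add_pool_2 192.168.20.1-192.168.20.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 121.35.245.78 1
route inside 192.168.20.0 255.255.255.0 192.168.5.1 1
telnet 211.0.0.0 255.0.0.0 outside
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse(config):
    """Collect interfaces, pools, routes, ACLs and management lines."""
    st = {"ifaces": {}, "pools": {}, "routes": [], "acl": [], "telnet": [],
          "nat0_acl": None, "outside_acl": None}
    iface = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):  # an unindented line ends any sub-block
            iface = None
        if t[0] == "interface":
            iface = st["ifaces"].setdefault(t[1], {})
        elif iface is not None and t[0] == "nameif":
            iface["name"] = t[1]
        elif iface is not None and t[:2] == ["ip", "address"]:
            iface["addr"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            st["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "route":
            st["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[4]))
        elif t[0] == "access-list":
            st["acl"].append((t[1], t[2:]))
        elif t[0] == "access-group" and t[-1] == "outside":
            st["outside_acl"] = t[1]
        elif t[0] == "nat" and t[2] == "0":
            st["nat0_acl"] = t[4]
        elif t[0] == "telnet" and len(t) == 4:
            st["telnet"].append((ipaddress.ip_network(f"{t[1]}/{t[2]}"), t[3]))
    return st

def acl_terms(fields, ifaddrs):
    """Split 'extended permit <proto> <src> <dst> [eq port]' into networks."""
    def spec(i):
        if fields[i] == "any":
            return ANY, i + 1
        if fields[i] in ("host", "interface"):  # 'interface X' is the PIX's own address
            return (ifaddrs[fields[i + 1]] if fields[i] == "interface"
                    else ipaddress.ip_network(fields[i + 1])), i + 2
        return ipaddress.ip_network(f"{fields[i]}/{fields[i + 1]}"), i + 2
    src, i = spec(3)
    dst, i = spec(i)
    return fields[2], src, dst, fields[i:]

def review(config):
    """Return (code, message) findings for a PIX 7.x running-config."""
    st = parse(config)
    ifaddrs = {i["name"]: ipaddress.ip_network(str(i["addr"].ip))
               for i in st["ifaces"].values() if "addr" in i}
    own = {str(n.network_address) for n in ifaddrs.values()}
    nat0 = [acl_terms(f, ifaddrs)[2] for n, f in st["acl"] if n == st["nat0_acl"]]
    out = []
    for name, (lo, hi) in st["pools"].items():
        for ifname, net, nh in st["routes"]:
            # The PIX adds a host route per connected client via outside; a static
            # route for the pool pointing anywhere else misdirects return traffic.
            if ifname != "outside" and (lo in net or hi in net or lo <= net.network_address <= hi):
                who = " (the firewall itself)" if nh in own else ""
                out.append(("POOL_ROUTE_NOT_OUTSIDE", f"route {ifname} {net} via {nh}{who} captures pool {name}"))
        if not any(lo in d and hi in d for d in nat0):  # pool traffic must bypass PAT
            out.append(("NAT0_MISSING_POOL", f"pool {name} is not exempted by nat 0 ACL {st['nat0_acl']}"))
    for n, f in st["acl"]:
        if n != st["outside_acl"]:
            continue
        proto, src, dst, rest = acl_terms(f, ifaddrs)
        if src != ANY:
            continue
        if proto == "ip" and dst in ifaddrs.values():
            out.append(("FW_OPEN_TO_INTERNET", f"every service on {dst.network_address} open to any source"))
        if proto == "tcp" and rest[:2] == ["eq", "3389"]:
            out.append(("RDP_FROM_INTERNET", f"RDP on {dst.network_address} open to any source"))
    for net, ifname in st["telnet"]:
        if ifname == "outside":
            out.append(("TELNET_FROM_OUTSIDE", f"cleartext telnet management open to {net}; use ssh"))
    return out
```

`review(CONFIG)` returns the findings as (code, message) pairs; a full `show run` can be fed in the same way, since only lines of the shapes above are looked at. Once the `route inside` line is gone and `show route` shows the per-client host route on outside, the remaining suspects are the inside hosts themselves: a default gateway other than 192.168.5.1, or a host firewall that drops pings from off-subnet addresses such as 192.168.20.0/24. Separately, restrict `telnet` to inside or replace it with `ssh`, and narrow `permit ip any host 121.35.245.65`, which is far broader than what the VPN needs (IKE udp/500, NAT-T udp/4500 and ESP).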
