爱生活,爱IT
全部博文(436)
分类: 网络与安全
2007-12-23 14:22:51
客户通过ADSL登录后能得到一个192.168.20.*的IP,做成VPN后能ping通192.168.5.1(inside),但是不能访问内网(Ping也不通)。请大家赐教!
注:101.135.245.65 255.255.255.240 是一个假设公网IP,请大家不要对号入座。
User Access Verification
Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: **********
pixfirewall# show run
: Saved
:
PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password uK/bGVpg2hjbjqrd encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 121.35.245.65 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
passwd QADWyv0isJeZAbgO encrypted
ftp mode passive
same-security-traffic permit intra-interface
object-group service 192.168.4.4 tcp
port-object eq www
port-object eq pop3
access-list 100 extended permit tcp any host 121.35.245.66 eq www
access-list 100 extended permit tcp any host 121.35.245.66 eq smtp
access-list 100 extended permit tcp any host 121.35.245.66 eq pop3
access-list 100 extended permit tcp any host 121.35.245.66 eq domain
access-list 100 extended permit tcp any host 121.35.245.66 eq ftp
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any interface outside eq 3389
access-list 100 extended permit tcp any host 121.35.245.66 eq 1112
access-list 100 extended permit tcp any host 121.35.245.66 eq 3389
access-list 100 extended permit tcp any host 121.35.245.66 eq telnet
access-list 100 extended permit ip any host 121.35.245.65
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list kunda_yqd_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool add_pool_1 192.168.5.100-192.168.5.200 mask 255.255.255.0
ip local pool add_pool_2 192.168.20.1-192.168.20.254 mask 255.255.255.0
no failover
asdm image flash:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
alias (inside) 121.35.245.66 192.168.10.2 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.5.2 3389 netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 ftp 192.168.10.2 ftp netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 1112 192.168.10.2 1112 netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 www 192.168.10.2 www netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 smtp 192.168.10.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 pop3 192.168.10.2 pop3 netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 domain 192.168.10.2 domain netmask 255.255.255.255
static (dmz,outside) tcp 121.35.245.66 3389 192.168.10.2 3389 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 121.35.245.78 1
route inside 192.168.20.0 255.255.255.0 192.168.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
group-policy vpnuser internal
group-policy vpnuser attributes
vpn-idle-timeout 30
user-authentication enable
group-policy kunda_yqd internal
group-policy kunda_yqd attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value kunda_yqd_splitTunnelAcl
username yiqunda password 6fntmBhkFuQgK4WR encrypted privilege 0
username yiqunda attributes
vpn-group-policy kunda_yqd
vpn-framed-ip-address 192.168.20.1 255.255.255.0
username lyct password tiZTvJP01nOsS089 encrypted privilege 0
username lyct attributes
vpn-group-policy kunda_yqd
username chinafox password nnF2E/d4wfYJ4B/V encrypted
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 120
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group kunda_yqd type ipsec-ra
tunnel-group kunda_yqd general-attributes
address-pool add_pool_2
authentication-server-group (outside) LOCAL
default-group-policy kunda_yqd
tunnel-group kunda_yqd ipsec-attributes
pre-shared-key *
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
address-pool add_pool_2
authentication-server-group (outside) LOCAL
default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
pre-shared-key *
tunnel-group-map default-group kunda_yqd
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 211.0.0.0 255.0.0.0 outside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 202.96.134.133 202.96.128.68
dhcpd lease 7200
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
Cryptochecksum:bfa81b88e95834b25ce38069bf6bc0bb
: end
pixfirewall#
