Category: System Operations

2008-01-07 10:53:56

vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
interface Ethernet0/0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet0/1
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
full-duplex
no cdp enable
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 2
no cdp enable
ppp authentication pap callin
ppp pap sent-username fmapdof password 0 f535120
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
access-list 1 permit any
dialer-list 2 protocol ip permit
=================
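The arithmetic behind the `ip tcp adjust-mss 1452` line in the Dialer/PPPoE configuration above, and what the router actually does with it, as an added example (not code from the original post or from Cisco): `pppoe_tcp_mss` derives 1452 from the 1500-byte Ethernet MTU, the 8 bytes of PPPoE/PPP overhead and the two 20-byte headers (and 1432 for IPv6 if you pass a 40-byte IP header), and `clamp_syn_mss` rewrites the MSS option of a TCP SYN and recomputes the TCP checksum, which is the operation the interface command performs on SYNs crossing it. The SYN, addresses and ports are constructed for the example; the SYN is assumed to carry only an MSS option.

```python
"""MSS clamping arithmetic and SYN rewrite for PPPoE (added example)."""
import ipaddress
import struct

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20        # IPv4 header without options
TCP_HEADER = 20         # TCP header without options
TCP_OPT_MSS = 2


def pppoe_tcp_mss(link_mtu=ETHERNET_MTU, ip_header=IPV4_HEADER):
    """Largest TCP payload that fits one unfragmented frame over PPPoE.

    1500 - 8 = 1492 bytes of IP packet per frame, minus 20 (IP) and
    20 (TCP) = 1452, the value behind `ip tcp adjust-mss 1452`.
    Pass ip_header=40 for IPv6.
    """
    return link_mtu - PPPOE_OVERHEAD - ip_header - TCP_HEADER


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment.
    Returns 0 when `segment` already carries a correct checksum."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def _with_checksum(src_ip, dst_ip, segment):
    seg = bytearray(segment)
    struct.pack_into("!H", seg, 16, 0)              # zero the checksum field
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def build_syn(src_ip, dst_ip, src_port, dst_port, mss):
    """Constructed sample: a SYN whose only option is MSS (kind 2, length 4)."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HEADER + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    return _with_checksum(src_ip, dst_ip, header + options)


def _mss_option_offset(segment):
    """Byte offset of the MSS option value inside `segment`, or None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_syn_mss(src_ip, dst_ip, segment, limit):
    """What `ip tcp adjust-mss` does: lower a SYN's MSS option to `limit` and
    fix the TCP checksum. Non-SYNs and SYNs already <= limit pass unchanged."""
    if not segment[13] & 0x02:              # SYN flag clear
        return segment
    off = _mss_option_offset(segment)
    if off is None or struct.unpack_from("!H", segment, off)[0] <= limit:
        return segment
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, limit)
    return _with_checksum(src_ip, dst_ip, bytes(seg))


if __name__ == "__main__":
    src, dst = "10.0.0.10", "203.0.113.5"        # constructed addresses
    syn = build_syn(src, dst, 40000, 80, 1460)   # usual MSS of an Ethernet host
    out = clamp_syn_mss(src, dst, syn, pppoe_tcp_mss())
    print(read_mss(syn), "->", read_mss(out),
          "checksum ok:", tcp_checksum(src, dst, out) == 0)
```

The clamp only touches SYNs, because the MSS option is only meaningful there; data segments are never rewritten, which is why a host that ignores the advertised MSS (or a non-TCP protocol) still needs working path MTU discovery or the `mtu 1492` on the dialer.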
The line worth noting is `ip tcp adjust-mss 1452`, which clamps the TCP maximum segment size to fit the MTU available over PPPoE.
PPPoE adds 8 bytes of overhead to every Ethernet frame (a 6-byte PPPoE header plus the 2-byte PPP protocol field), so the IP packet can be at most 1500 - 8 = 1492 bytes (hence `mtu 1492` on Dialer1); subtracting the 20-byte IP header and the 20-byte TCP header leaves 1452 bytes of TCP payload. Clamping the MSS in the SYN stops hosts on the LAN from sending full 1500-byte packets that the router would otherwise have to fragment (or drop, when DF is set and path MTU discovery is blocked), which is what breaks applications such as MSN behind PPPoE and slows transfers.

!--- Configure the static crypto map.

crypto map mymap 10 match address 100
crypto map mymap 10 set peer 14.38.77.10
crypto map mymap 10 set transform-set myset


!--- Bind the dynamic crypto map.

crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap


!--- Apply the crypto map to the interface.

crypto map mymap interface outside
isakmp identity address 
isakmp enable outside


!--- Configure the ISAKMP policies.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *


!--- Configuration of tunnel-group for the static LAN-to-LAN tunnel.

tunnel-group 14.38.77.10 type ipsec-l2l
tunnel-group 14.38.77.10 ipsec-attributes


!--- Configure the pre-shared key for the LAN-to-LAN tunnel.

pre-shared-key *


!--- Configure the tunnel group for the VPN Clients.

tunnel-group rtptacvpn type ipsec-ra


!--- Configure the group parameters for the VPN clients.

tunnel-group rtptacvpn general-attributes
address-pool vpnpool


!--- Disable user authentication.

authentication-server-group none
authorization-server-group LOCAL


!--- Bind the group policy to this tunnel group.

default-group-policy clientgroup
tunnel-group rtptacvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:646541da0da9a4c764effd2e05633018
: end
Note 1: The `sysopt connection permit-ipsec` command: on 7.0, check the sysopt settings with `show running-config sysopt`.
Note 2: For VPN Client IPsec over UDP, apply the following under the group-policy:
group-policy clientgroup attributes
vpn-idle-timeout 20
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
Note 3: For VPN Client IPsec over TCP, configure in global configuration mode:
isakmp ipsec-over-tcp port 10000

2. PIX3 configuration
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX3
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Access-list for the encryption of  traffic
!--- between PIX3 and PIX1 networks.

access-list 100 permit ip 30.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0


!--- Access-list for the encryption of  traffic
!--- between the PIX3 network and the VPN Client address pool.

access-list 100 permit ip 30.30.30.0 255.255.255.0 192.168.10.0 255.255.255.0


!--- Access-list used to bypass the NAT process.

access-list nonat permit ip 30.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 30.30.30.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 14.38.77.10 255.255.0.0
ip address inside 30.30.30.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface


!--- Bind ACL nonat to the NAT statement
!--- in order to avoid NAT on the IPSec packets.

nat (inside) 0 access-list nonat
nat (inside) 1 30.30.30.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 14.38.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Permits all inbound IPSec authenticated cipher sessions.

sysopt connection permit-ipsec


!--- Defines IPSec encryption and authentication algorithms.

crypto ipsec transform-set myset esp-3des esp-sha-hmac


!--- Defines crypto map.
 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset


!--- Apply crypto map on the outside interface.

crypto map mymap interface outside
isakmp enable outside


!--- Defines the pre-shared secret key used for IKE authentication.

isakmp key ******** address 172.18.124.170 netmask 255.255.255.0 no-xauth
isakmp identity address


!--- Defines the ISAKMP policy.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cb5c245112db607e3a9a85328d1295db
: end
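As an added example (not from the original post and not Cisco tooling), a small configuration audit that runs over the security-relevant lines of the ASA 7.0 and PIX 6.3(4) configurations above and of the IOS PPPoE configuration at the top: both ISAKMP policies use 3DES with MD5 or SHA-1 and DH group 2, the transform set is esp-3des, SSH is reachable from any address on the outside interface with protocol version 1 enabled, SNMP uses the default `public` community, and the PAP credential is stored with `password 0` (unencrypted). The sample config is constructed from those lines with the credential replaced by a placeholder; the rule names and thresholds are my own.

```python
"""Audit the IKE/IPsec and management settings of a PIX/ASA or IOS config.
Added example for this page; not Cisco's or the author's tooling."""
import re
from collections import defaultdict

# Constructed sample: the security-relevant lines from the configs on this
# page, with the PPPoE PAP credential replaced by a placeholder.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
snmp-server community public
ppp pap sent-username someuser password 0 examplepass
"""

WEAK_ENCRYPTION = {"des", "3des"}      # 56-bit key; 64-bit block (Sweet32)
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}            # 768- and 1024-bit MODP
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(config_text):
    """Return (rule, location, detail) findings for one running-config."""
    findings = []
    policies = defaultdict(dict)       # ISAKMP policy number -> attributes
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        here = f"line {lineno}"
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$", line)
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for transform in m.group(2).split():
                if transform in WEAK_TRANSFORMS:
                    findings.append(("ipsec-weak-transform", here,
                                     f"transform-set {m.group(1)} uses {transform}"))
            continue
        if line == "ssh version 1":
            findings.append(("ssh-v1", here, "SSH protocol 1 enabled; use ssh version 2"))
        elif re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 \S+$", line):
            findings.append(("ssh-any-source", here,
                             f"SSH management reachable from any address on {line.split()[-1]}"))
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community", here,
                             f"well-known community string '{m.group(1)}'"))
        if re.search(r"\bpassword 0 \S+", line):
            findings.append(("cleartext-password", here,
                             "'password 0' keeps the secret unencrypted in the config"))
    # IKE policy checks need all attributes of a policy, so run them last.
    for number, attrs in sorted(policies.items()):
        where = f"isakmp policy {number}"
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(("ike-weak-encryption", where, attrs["encryption"]))
        if attrs.get("hash") in WEAK_HASH:
            findings.append(("ike-weak-hash", where, attrs["hash"]))
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(("ike-weak-dh-group", where, "group " + attrs["group"]))
    return findings


def rule_counts(findings):
    """Number of findings per rule, handy for a pass/fail gate."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, where, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:24} {where:20} {detail}")
```

Run it against `show running-config` output; a non-empty result from `audit()` is what a change gate should fail on. Note that `isakmp policy 65535` is the platform's catch-all default policy, so a weak setting there matters even if policy 10 is later tightened.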
