防火墙配置实例
防火墙gre隧道配置实例
防火墙gre隧道配置实例
防火墙GRE隧道的配置实例如下:
1. 拓扑图:北京总公司与上海分公司通过广域网连接,使用一个三层交换机模拟广域网,并使用两个H3C的防火墙进行GRE接入。
2. 配置广域网通信:首先,在交换机上创建两个VLAN,分别是VLAN 10和VLAN 20,并将相应的端口加入到相应的VLAN中。
然后,在VLAN 10上配置IP地址。
3. 配置防火墙:在两个防火墙(FW1和FW2)上配置GRE隧道,使它们能够通过Internet相互通信。
4. 测试:测试北京总公司与上海分公司之间的内网通信是否正常。
请注意,上述配置是一个简化的示例,实际配置可能因网络环境、设备型号和需求而有所不同。
在进行实际配置之前,建议仔细阅读设备文档并咨询专业人士。
防火墙透明模式典型配置举例
防火墙透明模式典型配置举例防火墙透明模式是一种常见的网络安全配置,它允许防火墙在网络上作为透明的桥接设备,无需修改网络设备的IP地址和配置,对所有网络流量进行过滤和监控。
本文将以一个典型的企业网络环境为例,详细介绍防火墙透明模式的配置。
1.网络拓扑假设企业网络中有一个内部局域网(LAN)和一个外部网络(WAN),分别连接到防火墙的两个接口。
内部局域网的网段为192.168.0.0/24,防火墙的局域网接口IP地址为192.168.0.1;外部网络的网段为202.100.100.0/24,防火墙的广域网接口IP地址为202.100.100.1、防火墙的透明模式设置在两个接口之间。
2.配置步骤(1)配置局域网接口IP地址:登录防火墙管理界面,在网络设置中找到局域网接口,设置IP地址为192.168.0.1,子网掩码为255.255.255.0。
这样,防火墙就可以与内部网络通信。
(2)配置广域网接口IP地址:同样在网络设置中找到广域网接口,设置IP地址为202.100.100.1,子网掩码为255.255.255.0。
这样,防火墙就可以与外部网络通信。
(3)配置透明模式:在防火墙的透明模式设置中,将局域网接口和广域网接口进行桥接。
在桥接配置中,选择透明模式,并将局域网接口和广域网接口绑定在一个桥接组中。
(4)配置ACL(访问控制列表):通过ACL可以定义防火墙的过滤规则,控制允许和禁止的流量。
例如,可以设置允许内部网络对外访问的规则,禁止特定IP地址的访问规则等。
在防火墙管理界面的策略设置中,创建相应的ACL规则。
(5)配置NAT(网络地址转换):NAT可以将内部网络的私有IP地址映射为公共IP地址,实现内部网络对外部网络的访问。
在防火墙的NAT设置中,配置相应的NAT规则。
(6)配置日志功能:在防火墙中启用日志功能,记录所有的网络流量和安全事件。
可以将日志信息发送到指定的日志服务器,方便网络管理员进行监控和分析。
H3C防火墙配置实例
本文为大家介绍一个H3C防火墙的配置实例,配置内容包括:配置接口IP地址、配置区域、配置NAT地址转换、配置访问策略等,组网拓扑及需求如下。
1、网络拓扑图2、配置要求1)防火墙的E0/2接口为TRUST区域,ip地址是:192.168.254.1/29;2)防火墙的E1/2接口为UNTRUST区域,ip地址是:202.111.0.1/27;3)内网服务器对外网做一对一的地址映射,192.168.254.2、192.168.254.3分别映射为202.111.0.2、202.111.0.3;4)内网服务器访问外网不做限制,外网访问内网只放通公网地址211.101.5.49访问192.168.254.2的1433端口和192.168.254.3的80端口。
3、防火墙的配置脚本如下<H3CF100A>dis cur#sysname H3CF100A#super password level 3 cipher 6aQ>Q57-$.I)0;4:\(I41!!!#firewall packet-filter enablefirewall packet-filter default permit#insulate##firewall statistic system enable#radius scheme systemserver-type extended#domain system#local-user net1980password cipher ######service-type telnetlevel 2#aspf-policy 1detect h323detect sqlnetdetect rtspdetect httpdetect smtpdetect ftpdetect tcpdetect udp##acl number 3001description out-insiderule 1 permit tcp source 211.101.5.49 0 destination 192.168.254.2 0 destination-port eq 1433 rule 2 permit tcp source 211.101.5.49 0 destination 192.168.254.3 0 destination-port eq www rule 1000 deny ipacl number 3002description inside-to-outsiderule 1 permit ip source 192.168.254.2 0rule 2 permit ip source 192.168.254.3 0rule 1000 deny ip#interface Aux0async mode flow#interface Ethernet0/0shutdown#interface Ethernet0/1shutdown.#interface Ethernet0/2speed 100duplex fulldescription to serverfirewall packet-filter 3002 inboundfirewall aspf 1 outbound#interface Ethernet0/3shutdown#interface Ethernet1/0shutdown#interface Ethernet1/1shutdown#interface Ethernet1/2speed 100duplex fulldescription to internetfirewall packet-filter 3001 inboundfirewall aspf 1 outboundnat outbound static#interface NULL0#firewall zone localset priority 100#firewall zone trustadd interface Ethernet0/2set priority 85#firewall zone untrustadd interface Ethernet1/2set priority 5#firewall zone DMZadd interface Ethernet0/3set priority 50#.firewall interzone local trust#firewall interzone local untrust#firewall interzone local DMZ#firewall interzone trust untrust#firewall interzone trust DMZ#firewall interzone DMZ untrust#ip route-static 0.0.0.0 0.0.0.0 202.111.0.30 preference 60 #user-interface con 0user-interface aux 0user-interface vty 0 4authentication-mode scheme#return。
思科ASA5505防火墙配置成功实例
配置要求:1、分别划分inside(内网)、outside(外网)、dmz(安全区)三个区域。
2、内网可访问外网及dmz内服务器(web),外网可访问dmz内服务器(web)。
3、Dmz服务器分别开放80、21、3389端口。
说明:由于防火墙许可限制“no forward interface Vlan1”dmz内服务器无法访问外网。
具体配置如下:希望对需要的朋友有所帮助ASA Version 7.2(4)!hostname asa5505enable password tDElRpQcbH/qLvnn encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif outsidesecurity-level 0ip address 外网IP 外网掩码!interface Vlan2nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan3no forward interface Vlan1nameif dmzsecurity-level 50ip address 172.16.1.1 255.255.255.0!interface Ethernet0/0description outside!interface Ethernet0/1description insideswitchport access vlan 2!interface Ethernet0/2description dmzswitchport access vlan 3!interface Ethernet0/3description insideswitchport access vlan 2!interface Ethernet0/4shutdown!interface Ethernet0/5shutdown!interface Ethernet0/6shutdown!interface Ethernet0/7shutdown!ftp mode passiveobject-group service outside-to-dmz tcpport-object eq wwwport-object eq ftpport-object eq 3389access-list aaa extended permit tcp any host 外网IP object-group outsid e-to-dmzaccess-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255. 255.0 object-group outside-to-dmzpager lines 24mtu outside 1500mtu inside 1500mtu dmz 1500icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-524.binno asdm history enablearp timeout 14400global (outside) 1 interfaceglobal (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0nat (inside) 1 192.168.1.0 255.255.255.0nat (dmz) 1 172.16.1.0 255.255.255.0alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.2 55.255 dnsstatic (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.2 55.255 dnsstatic (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255. 255.255dnsstatic (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns access-group aaa in interface outsideaccess-group bbb in interface dmzroute outside 0.0.0.0 0.0.0.0 外网网关 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absoluteno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5ssh timeout 5console timeout 0!class-map inspection_defaultmatch default-inspection-traffic!!policy-map type inspect dns preset_dns_mapparametersmessage-length maximum 512policy-map global_policyclass inspection_defaultinspect dns preset_dns_mapinspect ftpinspect h323 h225inspect h323 rasinspect netbiosinspect rshinspect rtspinspect skinnyinspect esmtpinspect sqlnetinspect sunrpcinspect tftpinspect sipinspect xdmcpinspect http!service-policy global_policy globalprompt hostname contextCryptochecksum:9d2a6010d4fc078cf026f98dcec96007 : endasa5505(config)#。
H3C Firewall 配置实例
防火墙作为出口网关,联通光纤、电信光纤、电信ADSL出口,防火墙接H3C二层交换机,H3C二层交换机接内网服务器和下面的二层交换机(内网用户都接这里)。
由于客户是静态设置地址,所以这里是没有DHCP配置的。
一、上网设置:#域配置zone name Management id 0priority 100zone name Local id 1priority 100zone name Trust id 2priority 85zone name DMZ id 3priority 50zone name Untrust id 4priority 5import interface Dialer1#内网网关ip address 192.168.100.254 255.255.0.0port link-mode routenat outbound 3090#电信出口port link-mode routeip address 219.137.182.2xx 255.255.255.248nat outbound 2000 address-group 1#联通出口port link-mode routeip address 218.107.10.xx 255.255.255.248nat outbound 2000 address-group 2#PPPOE电信ADSLport link-mode routepppoe-client dial-bundle-number 1#设定拨号访问组的拨号控制列表dialer-rule 1 ip permit#PPPOE配置interface Dialer1nat outbound 2000link-protocol pppppp chap userppp chap password cipher$c$3$cft8cT2sYcO4XYUDKRgfw0R0HOSTSDh69HbN KCf9IdG。
华为USG5500防火墙配置实验一
华为USG5500防火墙配置实验1、实验拓扑内网:192.168.0.0/24外网:192.168.1.0/24其他设备地址规划如图,按照拓扑图搭建网络,并配置设备地址2、具体配置命令AR1<Huawei>system-view[Huawei]sysname AR1[AR1]interface g0/0/0[AR1-GigabitEthernet0/0/0]ip address 192.168.0.150 24[AR1-GigabitEthernet0/0/0]quit 退出[AR1]ip route-static 0.0.0.0 0.0.0.0 192.168.0.1 配置默认路由AR1开启Telnet服务[AR1]user-interface vty 0 4 开启远程线程[AR1-ui-vty0-4]au[AR1-ui-vty0-4]authentication-mode password 认证方式为password Please configure the login password (maximum length 16):888 登录密码 [AR1-ui-vty0-4]user privilege level 3 设置用户等级[AR1-ui-vty0-4]AR2<Huawei>system-view[Huawei]sysname AR2[AR2]interface g0/0/0[AR2-GigabitEthernet0/0/0]ip add[AR2-GigabitEthernet0/0/0]ip address 192.168.1.150 24[AR2-GigabitEthernet0/0/0]q[AR1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1AR2配置TelnetAR2]us[AR2]user-interface v[AR2]user-interface vty 0 4[AR2-ui-vty0-4]au[AR2-ui-vty0-4]authentication-mode p[AR2-ui-vty0-4]authentication-mode passwordPlease configure the login password (maximum length 16):666 或者[AR2-ui-vty0-4]set authentication password cipher 666[AR2-ui-vty0-4]user privilege level 3[AR2-ui-vty0-4]q防火墙配置:The device is running!<SRG>system-view[SRG]sysname FW1[FW1]interface g0/0/0[FW1-GigabitEthernet0/0/0]ip add 192.168.0.1 24Warning: Address already exists! 默认接口地址已经存在,不用管[FW1-GigabitEthernet0/0/0]q[FW1]interface g0/0/1[FW1-GigabitEthernet0/0/1]ip add 192.168.1.1 24[FW1-GigabitEthernet0/0/1]q[FW1]display zone 显示区域配置localpriority is 100#trustpriority is 85interface of the zone is (1):GigabitEthernet0/0/0#untrustpriority is 5interface of the zone is (0):#dmzpriority is 50interface of the zone is (0):#[FW1][FW1]firewall zone name outside 创建一个名字为outside的区域[FW1-zone-outside]set priority 30 设置安全等级为30[FW1-zone-outside]q[FW1]firewall zone name inside[FW1-zone-inside]set priority 90[FW1-zone-inside]q[FW1]display zone[FW1]firewall zone outside 进入outside区域,把接口g0/0/1接入该区域[FW1-zone-outside]add interface GigabitEthernet 0/0/1[FW1-zone-outside]display this 显示当前的配置#firewall zone name outsideset priority 30add interface GigabitEthernet0/0/1#return[FW1-zone-outside]q[FW1]display policy all 查看策略policy zone local#policy zone trust#policy zone untrust#policy zone dmz#policy zone outside#policy zone inside#policy interzone local trust inboundfirewall default packet-filter is permit#policy interzone local trust outboundfirewall default packet-filter is permit#policy interzone local untrust inboundfirewall default packet-filter is deny#policy interzone local untrust outbound firewall default packet-filter is permit #policy interzone local dmz inboundfirewall default packet-filter is deny#policy interzone local dmz outboundfirewall default packet-filter is permit #policy interzone local outside inboundfirewall default packet-filter is deny#policy interzone local outside outbound firewall default packet-filter is permit #policy interzone local inside inboundfirewall default packet-filter is deny#policy interzone local inside outboundfirewall default packet-filter is permit #policy interzone trust untrust inboundfirewall default packet-filter is deny#policy interzone trust untrust outbound firewall default packet-filter is deny#policy interzone trust dmz inboundfirewall default packet-filter is deny#policy interzone trust dmz outboundfirewall default packet-filter is deny#policy interzone trust outside inboundfirewall default packet-filter is deny#policy interzone trust outside outbound firewall default packet-filter is deny#policy interzone inside trust inboundfirewall default packet-filter is deny#policy interzone inside trust outboundfirewall default packet-filter is deny#policy interzone dmz untrust inboundfirewall default packet-filter is deny#policy interzone dmz untrust outboundfirewall default packet-filter is deny#policy interzone outside untrust inboundfirewall default packet-filter is deny#policy interzone outside untrust outboundfirewall default packet-filter is deny#policy interzone inside untrust inboundfirewall default packet-filter is deny#policy interzone inside untrust outboundfirewall default packet-filter is deny#policy interzone dmz outside inboundfirewall default packet-filter is deny#policy interzone dmz outside outboundfirewall default packet-filter is deny#policy interzone inside dmz inboundfirewall default packet-filter is deny#policy interzone inside dmz outboundfirewall default packet-filter is deny#policy interzone inside outside inboundfirewall default packet-filter is deny#policy interzone inside outside outboundfirewall default packet-filter is deny#[FW1]创建策略放行outbound流量[FW1]policy interzone trust outside outbound 定义outbound流量 [FW1-policy-interzone-trust-outside-outbound]poli[FW1-policy-interzone-trust-outside-outbound]policy 1[FW1-policy-interzone-trust-outside-outbound-1]poli[FW1-policy-interzone-trust-outside-outbound-1]policy so[FW1-policy-interzone-trust-outside-outbound-1]policy source192.168.0.150 001:27:13 2016/11/15[FW1-policy-interzone-trust-outside-outbound-1]poli[FW1-policy-interzone-trust-outside-outbound-1]policy de[FW1-policy-interzone-trust-outside-outbound-1]policy destination any 01:27:25 2016/11/15[FW1-policy-interzone-trust-outside-outbound-1]ac[FW1-policy-interzone-trust-outside-outbound-1]action p[FW1-policy-interzone-trust-outside-outbound-1]action permit01:27:34 2016/11/15[FW1-policy-interzone-trust-outside-outbound-1][FW1-policy-interzone-trust-outside-outbound-1]q01:27:37 2016/11/15[FW1-policy-interzone-trust-outside-outbound][FW1-policy-interzone-trust-outside-outbound]q01:27:38 2016/11/15[FW1][FW1][FW1]dis[FW1]display po[FW1]display poli[FW1]display policy i[FW1]display policy interzone t[FW1]display policy interzone trust o[FW1]display policy interzone trust outside outbound01:27:55 2016/11/15policy interzone trust outside outboundfirewall default packet-filter is denypolicy 1 (0 times matched)action permitpolicy service service-set ippolicy source 192.168.0.0 mask 255.255.255.0policy source 192.168.0.150 0policy destination any[FW1]firewall packet-filter default permit interzone trust outside Warning:Setting the default packet filtering to permit poses security risks. Youare advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N]y[FW1]dis[FW1]display policy interzone trust outside outbound01:28:23 2016/11/15policy interzone trust outside outboundfirewall default packet-filter is permitpolicy 1 (0 times matched)action permitpolicy service service-set ippolicy source 192.168.0.0 mask 255.255.255.0policy source 192.168.0.150 0policy destination any恢复默认值deny[FW1]firewall packet-filter default deny interzone trust outside [FW1]display policy interzone trust outside outbound01:32:06 2016/11/15policy interzone trust outside outboundfirewall default packet-filter is denypolicy 1 (0 times matched)action permitpolicy service service-set ippolicy source 192.168.0.0 mask 255.255.255.0policy source 192.168.0.150 0policy destination any用内网的路由Telnet AR2后,可以登录在防火墙查看会话状态[FW1]display firewall session table verbose00:58:32 2016/11/15Current Total Sessions : 2telnet VPN:public --> publicZone: trust--> outside TTL: 00:00:10 Left: 00:00:00Interface: GigabitEthernet0/0/1 NextHop: 192.168.1.150 MAC: 00-e0-fc-7a-0b-5a<--packets:18 bytes:867 -->packets:17 bytes:728192.168.0.150:49272-->192.168.1.150:23telnet VPN:public --> publicZone: trust--> outside TTL: 00:10:00 Left: 00:09:55Interface: GigabitEthernet0/0/1 NextHop: 192.168.1.150 MAC: 00-e0-fc-7a-0b-5a<--packets:16 bytes:725 -->packets:17 bytes:726192.168.0.150:49957-->192.168.1.150:23[FW1]如何允许外网的用户Telnet到内网的路由器[FW1]policy interzone trust outside inbound[FW1-policy-interzone-trust-outside-inbound]policy 1[FW1-policy-interzone-trust-outside-inbound-1]policy source 192.168.1.150 0[FW1-policy-interzone-trust-outside-inbound-1]policy destination 192.168.0.150 0[FW1-policy-interzone-trust-outside-inbound-1]policy service service-set telnet[FW1-policy-interzone-trust-outside-inbound-1]action permit验证试验效果。
防火墙配置案例
综合案例案例1:路由模式下通过专线访问外网路由模式下通过专线访问外网,主要描述总公司接入网络卫士防火墙后的简单配置,总公司的网络卫士防火墙工作在路由模式下。
(提示:用LAN 或者WAN 表示方式。
一般来说,WAN 为外网接口,LAN 为内网接口。
)图 1 网络卫士防火墙的路由模式网络状况:●总公司的网络卫士防火墙工作在路由模式。
Eth1 属于外网区域,IP 为202.69.38.8;Eth2 属于SSN 区域,IP 为172.16.1.1;Eth0 属于内网区域,IP 为192.168.1.254。
●网络划分为三个区域:外网、内网和SSN。
管理员位于内网中。
内网中存在3个子网,分别为192.168.1.0/24,192.168.2.0/24,192.168.3.0/24。
●在SSN 中有三台服务器,一台是HTTP 服务器(IP 地址:172.16.1.2),一台是FTP 服务器(IP 地址:172.16.1.3),一台是邮件服务器(IP 地址:172.16.1.4)。
用户需求:●内网的机器可以任意访问外网,也可访问SSN 中的HTTP 服务器、邮件服务器和FTP 服务器;●外网和SSN 的机器不能访问内网;●允许外网主机访问SSN 的HTTP 服务器。
配置步骤:1) 为网络卫士防火墙的物理接口配置IP 地址。
进入NETWORK 组件topsec# network配置Eth0 接口IP work# interface eth0 ip add 192.168.1.254 mask255.255.255.0配置Eth1 接口IP work# interface eth1 ip add 202.69.38.8 mask255.255.255.0配置Eth2 接口IP work# interface eth2 ip add 172.16.1.1 mask255.255.255.02)内网中管理员通过浏览器登录网络卫士防火墙,为区域资源绑定属性,设置权限。
交换机路由防火墙配置实例
在网络中,防火墙、交换机和路由器通常是网络安全的重要组成部分。
以下是一个简单的示例,演示如何配置一个具有防火墙功能的路由器和交换机。
请注意,实际配置可能会根据您的网络架构和设备型号而有所不同。
设备列表:路由器:使用Cisco设备作为示例,实际上可以是其他厂商的路由器。
路由器IP地址:192.168.1.1交换机:同样,使用Cisco设备作为示例。
交换机IP地址:192.168.1.2防火墙规则:允许内部网络向外部网络发出的通信。
阻止外部网络对内部网络的未经请求的通信。
配置示例:1. 配置路由器:Router(config)# interface GigabitEthernet0/0Router(config-if)# ip address 192.168.1.1 255.255.255.0Router(config-if)# no shutdownRouter(config)# interface GigabitEthernet0/1Router(config-if)# ip address [外部IP地址] [外部子网掩码]Router(config-if)# no shutdownRouter(config)# ip route 0.0.0.0 0.0.0.0 [外部网关]2. 配置防火墙规则:Router(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 anyRouter(config)# access-list 101 deny ip any 192.168.1.0 0.0.0.255Router(config)# access-list 101 permit ip any anyRouter(config)# interface GigabitEthernet0/1Router(config-if)# ip access-group 101 in3. 配置交换机:Switch(config)# interface Vlan1Switch(config-if)# ip address 192.168.1.2 255.255.255.0Switch(config-if)# no shutdown配置说明:路由器通过两个接口连接内部网络(192.168.1.0/24)和外部网络。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
C I S C O5520防火墙配置实例本人在项目中已经两次接触到思科5500系列防火墙的配置应用了,根据项目的需求不同,详细的配置也不一样,因此汇总了一个通用版本的思科5500系列防火墙的配置,不详之处,请各位大虾给予指点,谢谢!CD-ASA5520# show run: Saved:ASA Version (2)!hostname CD-ASA5520&nb sp; //给防火墙命名enable password 9jNfZuG3TC5tCVH0 encrypted // 进入特权模式的密码namesdns-guard!interface GigabitEthernet0/0 //内网接口:duplex full //接口作工模式:全双工,半双,自适应nameif inside //为端口命名:内部接口insidesecurity-level 100 //设置安全级别 0~100 值越大越安全!interface GigabitEthernet0/1 //外网接口nameif outside //为外部端口命名:外部接口outsidesecurity-level 0!interface GigabitEthernet0/2nameif dmzsecurity-level 50!interface GigabitEthernet0/3shutdownno nameifno security-levelno ip address!interface Management0/0 //防火墙管理地址shutdownno nameifno security-levelno ip address!passwd encryptedftp mode passiveclock timezone CST 8dns server-group DefaultDNSaccess-list outside_permit extended permit tcp any interface outside eq 3389//访问控制列表access-list outside_permit extended permit tcp any interface outside range 30000 30010//允许外部任何用户可以访问outside 接口的30000-30010的端口。
pager lines 24logging enable //启动日志功能logging asdm informationalmtu inside 1500 内部最大传输单元为1500字节mtu outside 1500mtu dmz 1500//定义一个命名为vpnclient的IP地址池,为remote用户分配IP地址no failovericmp unreachable rate-limit 1 burst-size 1asdm image disk0:/no asdm history enablearp timeout 14400 //arp空闲时间为14400秒global (outside) 1 interface //由于没有配置NAT 故这里是不允许内部用户上INTERNET//端口映射可以解决内部要公布的服务太多,而申请公网IP少问题。
access-group outside_permit in interface outside//把outside_permit控制列表运用在外部接口的入口方向。
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute------------定义一个命名为vpnclient的组策略-------------------------group-policy vpnclient internal //创建一个内部的组策略。
group-policy vpnclient attributes //设置vpnclient组策略的参数vpn-idle-timeout none //终止连接时间设为默认值vpn-session-timeout none //会话超时采用默认值vpn-tunnel-protocol IPSec //定义通道使用协议为IPSEC。
split-tunnel-policy tunnelspecified //定义。
default-domain value //定义默认域名为------------定义一个命名为l2lvpn的组策略------------------------- group-policy l2lvpn internalgroup-policy l2lvpn attributesvpn-simultaneous-logins 3vpn-idle-timeout nonevpn-session-timeout nonevpn-tunnel-protocol IPSecusername test password P4ttSyrm33SV8TYp encrypted privilege 0//创建一个远程访问用户来访问安全应用username cisco password 3USUcOPFUiMCO4Jk encryptedhttp server enable //启动HTTP服务no snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart //snmp的默认配置crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac//配置转集(定义了IPSC隧道使用的加密和信息完整性算法集合)crypto dynamic-map vpn_dyn_map 10 set transform-set ESP-DES-MD5//为动态加密图条目定义传换集crypto map outside_map 10 ipsec-isakmp dynamic vpn_dyn_map//创建一个使用动态加密条目的加密图crypto map outside_map interface outside//将 outside_map加密图应用到outside端口------------配置IKE--------------crypto isakmp enable outside //在ostside 接口启动ISAKMPcrypto isakmp policy 20 //isakmmp权值,值越小权值越高authentication pre-share //指定同位体认证方法是共享密钥encryption des //指定加密算法hash md5 //指定使用MD5散列算法group 2 //指定diffie-hellman组2lifetime 86400 //指定SA(协商安全关联)的生存时间crypto isakmp policy 65535authentication pre-shareencryption deshash md5group 2lifetime 86400-------------调用组策略-----------------crypto isakmp nat-traversal 20tunnel-group DefaultL2LGroup general-attributes //配置这个通道组的认证方法default-group-policy l2lvpn //指定默认组策略名称。
tunnel-group DefaultL2LGroup ipsec-attributes //配置认证方法为IPSECpre-shared-key * //提供IKE连接的预共享密钥tunnel-group vpnclient type ipsec-ra //设置连接类型为远程访问。
tunnel-group vpnclient general-attributes //配置这个通道组的认证方法address-pool vpnclient //定义所用的地址池default-group-policy vpnclient //定义默认组策略-----设置认证方式和共享密钥-------------tunnel-group vpnclient ipsec-attributes //配置认证方法为IPSECpre-shared-key * //提供IKE连接的预共享密钥telnet timeout 5 //telnet 超时设置ssh timeout 60 //SSH连接超时设置console timeout 0 //控制台超时设置dhcp-client update dns server both!的地址池dhcpd enable inside //启动DHCP服务。
!!class-map inspection_defaultmatch default-inspection-traffic!!policy-map type inspect dns migrated_dns_map_1 parametersmessage-length maximum 512policy-map global_policyclass inspection_defaultinspect dns migrated_dns_map_1inspect ftpinspect h323 h225inspect h323 rasinspect netbiosinspect rshinspect rtspinspect skinnyinspect esmtpinspect sqlnetinspect sunrpcinspect tftpinspect sipinspect xdmcp!service-policy global_policy globalprompt hostname context: end。