防火墙的×××配置
??? 前段時間完成了防火墻的×××配置,辛苦了好長一段時間,總算是功德圓滿。下面的完成的筆記,以記錄。
ip local pool testpool 172.19.100.1-172.19.100.254 mask 255.255.255.0??? (第一步)// 建立一個地址池名為testpool
crypto isakmp policy 10? / * 建立isakmp策略 ?authentication pre-share??? /*預(yù)共享密鑰驗證 ?encryption 3des???????? /*加密 ?hash sha???????? /*使用sha1 hash校驗 ?group 2?? /*使用DH group2 ?lifetime 86400? /*有效期1天(默認(rèn))
ip local pool testpool 172.19.100.1-172.19.100.254 mask 255.255.255.0??? (第一步)// 建立一個地址池名為testpool
?
access-list inside_nat0_outbound extended permit ip 172.19.74.0 255.255.255.0 172.19.100.0 255.255.255.0 ????(第二步)?? 建立一個用于標(biāo)記流量分割的acl? ? (只允許訪問74的網(wǎng)段)?
nat (inside) 0 access-list inside_nat0_outbound? ???(第三步)?
access-list tunnellist standard permit 172.19.100.0 255.255.255.0 access-list tunnellist standard permit 172.19.74.0 255.255.255.0 ???????(第四步) (只允許訪問74的網(wǎng)段)?
group-policy ra-group internal??? ???(第五步) group-policy test_group internal?? /*內(nèi)部組策略 group-policy test_group attributes? /*組策略 ***-idle-timeout 30 ?dns-server value 172.19.74.1 ?***-tunnel-protocol IPSec ??/*使用IPSec作為隧道協(xié)議 ?split-tunnel-policy tunnelspecified??? /*表示分割流量是acl明確標(biāo)記出來的 ?split-tunnel-network-list value tunnellist?? /*acl名為tunnellist的流量需要使用加密隧道傳輸 ?default-domain value cisco.com username test password aaaa username test attributes service-type remote-access (允許用戶remote-access) ?***-group-policy test_group tunnel-group test_group type ipsec-ra ?/*(remote-access)組test_group是ipsec remote access類型的 tunnel-group test_group general-attributes?? /*針對該組的一般屬性(地址、dns等) ?address-pool testpool??? /*地址池使用名為testpool的 ?default-group-policy test_group?? /*該組使用的策略名叫做test_group tunnel-group test_group ipsec-attributes?? /*針對該組的ipsec屬性 ?pre-shared-key ?bbb?? /*共享密鑰為" bbb ",配置好之后show run看到的共享密鑰應(yīng)該顯示為"*"?
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ?????(第六步) crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs?
// 建立一個動態(tài)map SYSTEM_DEFAULT_CRYPTO_MAP調(diào)用該轉(zhuǎn)換集?
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5?
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP?
// 建立一個靜態(tài)map outside_map調(diào)用動態(tài)map SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside? /*在接口上應(yīng)用靜態(tài)map outside_map crypto isakmp enable outside? //在outside接口上啟用isakmp,默認(rèn)isakmp是不啟用的,這點與路由器不一樣crypto isakmp policy 10? / * 建立isakmp策略 ?authentication pre-share??? /*預(yù)共享密鑰驗證 ?encryption 3des???????? /*加密 ?hash sha???????? /*使用sha1 hash校驗 ?group 2?? /*使用DH group2 ?lifetime 86400? /*有效期1天(默認(rèn))
?
?
轉(zhuǎn)載于:https://blog.51cto.com/379136/125375
總結(jié)
- 上一篇: 如何避免被网络暴力 避免自己被网络暴力有
- 下一篇: 发布乐维Webgis平台1.0 Demo