扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
最近看vpn的东西比较多,发现现在很多厂家都在关注中小企业的基于动态ip地址的vpn的实现。
当然cisco也不例外,在他的 ios 12.3 (4) T 中开始支持动态的地址解析vpn peer 的方式。
来看个例子
现在Cisco IOS 12.3(4)T中新增了根据DNS名称来建立VPN peer 的命令,借助希网(3322.org)、
有一个动态地址Site-to-Site VPN的案例,你自己改一下配置就可以了
分部:cisco 2621 adsl动态ip ,内部ip地址168.98.1.0
要求,总部,分部,均VPN连接
可上网,分部168.98.1.0网段访问总部168.98.0.0网段时,自动建立
总部的防火墙配置:
: Saved
: Written by enable_
15 at 16:16:19.510 UTC Sun J
ul 25 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name localdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service http2 tcp
port-object eq www
port-object range 9080 9090
access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.d 255.255.255.128
ip address inside 168.98.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 168.98.0.250 255.255.255.255 inside
pdm location 168.98.1.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any object-group http2 any
route outside 0.0.0.0 0.0.0.0 电信网关1
timeout xlate 3:00:00
timeout conn 1:00:00
half-closed 0:10:00 udp 0:0
2:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 168.98.0.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set router-se
t esp-des esp-md5-hmac
crypto dynamic-map c
isco 1 set transform-set rou
ter-set
crypto map dyn-map 1
0 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key cisco123 address 0.0.0.0
netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 168.98.0.250
255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username pixuser pas
sword 70BnAnxaMBm181Wa encry
pted privilege 2
terminal width 80
Cryptochecksum:a44fafd4f70dd9e548cd5
fd61a6d20ff
: end
分部的路由器配置:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $s
PqPwW1GX.TXw8RGSHEvqa2.
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address a
.b.c.d
!
!
crypto ipsec transfo
rm-set pix-set esp-des esp-m
d5-hmac
!
crypto map pix 10 ipsec-isakmp
set peer a.b.c.d
set transform-set pix-set
match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 168.98.1.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1450
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username ddd password 0 ddd
crypto map pix
!
ip nat inside source
route-map nonat interface D
ialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 168.98.1.0
0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 deny
ip 168.98.1.0 0.0.0.255 168
.98.0.0 0.0.0.255
access-list 110 permit ip 168.98.1.0
0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
!
end
这是一个site to site 的vpn的实现,很多中国的企业,也在用软件的方式来实现这些功能,同时也支持移动用户的方式。
一般来讲,就是在中心点(总部,同样可以是动态ip地址)安装一个vpn软件的服务器版本,然后在远端的lan上安装一个vpn 网关,移动用户安装vpn 移动客户端。
但是感觉速度永远是一个瓶颈,大家自己衡量吧。
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者