Cisco PIX 525 VPDN + ACS user authentication


Author: forum compilation   Source: zdnet network security   31 March 2008

Keywords: firewall, firewall technology, hardware firewall


  System environment:

  Cisco PIX 525
  Cisco ACS Server 3.2

  Functions implemented:

  Remote users dial into the corporate network with the Cisco IPsec VPN Client (version 3.x or later);
  Remote users dial into the corporate network with the Microsoft PPTP VPN client;
  All remote VPDN users are authenticated and accounted by the ACS server. This centralises management and provides functions that PIX local authentication cannot, such as locking an account after repeated failed logins and restricting login hours.

  Configuration on the PIX 525:

  jtpixfirewall# sh run
  : Saved
  :
  PIX Version 6.3(3)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  interface ethernet3 auto
  interface ethernet4 auto
  interface ethernet5 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 perimter1 security20
  nameif ethernet3 perimter2 security30
  nameif ethernet4 perimter3 security40
  nameif ethernet5 perimter4 security50
  enable password pAvMEKYodlghdOOb7Y encrypted
  passwd 1ZowQT4VG2d3TbU69 encrypted
  hostname jtpixfirewall
  domain-name jt.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name 10.1.5.0 test
  name 10.1.8.50 netmang
  access-list inside_outbound_nat0_acl permit ip 10.1.8.0 255.255.255.0 10.1.58.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip test 255.255.255.0 10.1.58.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.252.0.0 10.1.58.0 255.255.255.0
  access-list jt1_splitTunnelAcl permit ip test 255.255.255.0 any
  access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
  access-list acl-out permit icmp any any
  pager lines 24
  logging on
  logging timestamp
  logging trap debugging
  logging history debugging
  logging facility 16
  logging host inside netmang
  mtu outside 1500
  mtu inside 1500
  mtu perimter1 1500
  mtu perimter2 1500
  mtu perimter3 1500
  mtu perimter4 1500
  ip address outside 222.121.48.75 255.255.255.224
  ip address inside 10.1.8.12 255.255.255.0
  ip address perimter1 127.0.0.1 255.255.255.255
  no ip address perimter2
  no ip address perimter3
  no ip address perimter4
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool local_pool 10.1.58.50-10.1.58.100
  no failover
  failover timeout 0:00:00
  failover poll 15
  no failover ip address outside
  no failover ip address inside
  no failover ip address perimter1
  no failover ip address perimter2
  no failover ip address perimter3
  no failover ip address perimter4
  pdm location 10.1.9.50 255.255.255.255 inside
  pdm location 10.1.9.0 255.255.255.0 inside
  pdm location 10.1.9.0 255.255.255.0 perimter1
  pdm location 10.1.1.253 255.255.255.255 inside
  pdm location 10.1.0.0 255.255.0.0 inside
  pdm location 10.1.1.253 255.255.255.255 perimter1
  pdm location test 255.255.255.0 inside
  pdm location 10.0.0.0 255.252.0.0 inside
  pdm location 10.1.58.0 255.255.255.0 outside
  pdm location netmang 255.255.255.255 inside
  pdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 10.1.8.0 255.255.255.0 0 0
  nat (inside) 0 10.0.0.0 255.252.0.0 0
  access-group acl-out in interface inside
  rip inside default version 2
  route outside 0.0.0.0 0.0.0.0 222.121.48.65 1
  route inside 10.1.0.0 255.255.0.0 10.1.8.253 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server jtacs protocol radius
  # the AAA group jtacs uses RADIUS
  aaa-server jtacs (inside) host netmang ddjt2008 timeout 5
  # address of the RADIUS server and its shared secret (ddjt2008)
  aaa proxy-limit disable
  aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 jtacs
  # RADIUS accounting through AAA group jtacs
  http server enable
  http 10.1.9.50 255.255.255.255 inside
  snmp-server host inside netmang
  no snmp-server location
  no snmp-server contact
  snmp-server community en9fk5*37
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  sysopt radius ignore-secret
  service resetinbound
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication jtacs
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp nat-traversal 20
  # lets IPsec clients connect from behind NAT
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup test1 address-pool local_pool
  vpngroup test1 dns-server 10.1.2.1
  vpngroup test1 wins-server 10.1.2.1
  vpngroup test1 default-domain jt
  vpngroup test1 split-tunnel jt1_splitTunnelAcl
  vpngroup test1 idle-time 1800
  vpngroup test1 secure-unit-authentication
  vpngroup test1 user-idle-timeout 18
  vpngroup test1 device-pass-through
  vpngroup test1 password ********
  telnet 10.1.8.0 255.255.255.0 inside
  telnet 10.1.9.0 255.255.255.0 inside
  telnet 10.1.1.253 255.255.255.255 inside
  telnet 10.1.1.253 255.255.255.255 perimter1
  telnet 10.1.1.253 255.255.255.255 perimter2
  telnet 10.1.1.253 255.255.255.255 perimter3
  telnet 10.1.1.253 255.255.255.255 perimter4
  telnet timeout 10
  ssh 10.1.9.0 255.255.255.0 inside
  ssh 10.1.9.0 255.255.255.0 perimter1
  ssh 10.1.9.0 255.255.255.0 perimter2
  ssh 10.1.9.0 255.255.255.0 perimter3
  ssh 10.1.9.0 255.255.255.0 perimter4
  ssh timeout 10
  console timeout 0
  vpdn group jtpptp accept dialin pptp
  vpdn group jtpptp ppp authentication pap
  vpdn group jtpptp ppp authentication chap
  vpdn group jtpptp ppp authentication mschap
  vpdn group jtpptp ppp encryption mppe 40
  vpdn group jtpptp client configuration address local local_pool
  vpdn group jtpptp client configuration dns 10.1.2.1 10.1.2.2
  vpdn group jtpptp client configuration wins 10.1.2.1
  vpdn group jtpptp client authentication aaa jtacs
  vpdn group jtpptp client accounting jtacs
  vpdn group jtpptp pptp echo 60
  vpdn enable outside
  vpdn enable inside
  vpdn enable perimter1
  terminal width 80
  Cryptochecksum:a11527433cfa5f41c672abd0dd1923ae
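As an added check (example code written for this page, not part of the article or of any Cisco tool), a short Python audit of a running-config like the one above: it resolves the cross-references the VPDN setup depends on (the RADIUS host name, the aaa-server group named by the PPTP group and the crypto map, the address pool, the split-tunnel ACL), flags a vpngroup that never receives an address pool (how a misspelled group name such as "tset1" surfaces), and points out the weak PPTP choices the listing makes (PAP and 40-bit MPPE). The embedded config is a constructed excerpt of the listing, including the "tset1" slip.

```python
import re
# Constructed excerpt of the running-config above (same object names, same
# "tset1" slip), reduced to the lines the checks below look at.
PIX_CONFIG = """\
name 10.1.8.50 netmang
access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
ip local pool local_pool 10.1.58.50-10.1.58.100
aaa-server jtacs protocol radius
aaa-server jtacs (inside) host netmang ddjt2008 timeout 5
crypto map outside_map client authentication jtacs
vpngroup test1 address-pool local_pool
vpngroup test1 split-tunnel jt1_splitTunnelAcl
vpngroup tset1 user-idle-timeout 18
vpdn group jtpptp ppp authentication pap
vpdn group jtpptp ppp encryption mppe 40
vpdn group jtpptp client configuration address local local_pool
vpdn group jtpptp client authentication aaa jtacs
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Lines that define an object other lines may refer to: (regex, kind).
DEFS = [(r"aaa-server (\S+) protocol", "aaa"), (r"ip local pool (\S+)", "pool"),
        (r"access-list (\S+)", "acl"), (r"name \S+ (\S+)", "name")]
# Lines that reference such an object: (regex capturing the reference, kind).
REFS = [(r"aaa-server \S+ \(\S+\) host (\S+)", "name"),
        (r"(?:vpdn group \S+ client authentication aaa|crypto map \S+ client authentication) (\S+)", "aaa"),
        (r"(?:vpngroup \S+ address-pool|vpdn group \S+ client configuration address local) (\S+)", "pool"),
        (r"vpngroup \S+ split-tunnel (\S+)", "acl")]
WEAK = {r"ppp authentication pap$": "PAP carries the user password to the PIX in cleartext",
        r"ppp encryption mppe 40$": "40-bit MPPE is trivially recoverable; use mppe 128"}

def audit_pix_vpdn(config):
    """Findings: dangling references, vpngroups with no address-pool (typo), weak PPTP settings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = {kind: set() for _, kind in DEFS}
    for l in lines:                                   # pass 1: what exists
        for pat, kind in DEFS:
            if m := re.match(pat, l): defined[kind].add(m[1])
    findings, groups, pooled = [], set(), set()
    for l in lines:                                   # pass 2: what is used, and how
        for pat, kind in REFS:
            m = re.match(pat, l)                      # a bare IP needs no 'name' entry
            if m and m[1] not in defined[kind] and not (kind == "name" and IPV4.match(m[1])):
                findings.append(f"{l}: {kind} '{m[1]}' is not defined")
        for pat, why in WEAK.items():
            if re.search(pat, l): findings.append(f"{l}: {why}")
        if m := re.match(r"vpngroup (\S+) (\S+)", l):
            groups.add(m[1])
            if m[2] == "address-pool": pooled.add(m[1])
    findings += [f"vpngroup '{g}' has no address-pool (misspelled group name?)" for g in sorted(groups - pooled)]
    return findings
```

Run it as `audit_pix_vpdn(PIX_CONFIG)`; on the excerpt it reports the PAP and MPPE-40 lines and the orphan "tset1" group, and dropping the `name` line makes the RADIUS host reference show up as unresolved.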
