FTTB+NAT+DHCP+pppoe+CBAC+vpn client+Authentication AAA
成功配置,已经调试成功的说!
hongyi#show run
Building configuration...
Current configuration : 4655 bytes
!
! Last configuration change at 04:47:29 UTC Sun Apr 25 2004 by tonyxue
! NVRAM config last updated at 04:47:50 UTC Sun Apr 25 2004 by tonyxue
!
!
! --- Purpose (review notes) -------------------------------------------
! Small-office edge router: PPPoE (FTTB) uplink on Dialer1, LAN on
! FastEthernet0 with DHCP and PAT overload, CBAC stateful inspection on the
! uplink, and an IPsec remote-access VPN (dynamic crypto map, Xauth via
! TACACS+, group attributes from the local database).  "!" lines are
! ignored by IOS.
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 "encryption" is reversible obfuscation, not a hash: every
! "password 7" / "key 7" string in this listing (username, PPP PAP,
! TACACS+ key) should be treated as disclosed once the config is published
! and rotated.
service password-encryption
!
hostname hongyi
!
boot-start-marker
boot-end-marker
!
no logging console
! Type-5 (MD5-based) enable secret; the hash itself is public here.
enable secret 5 $1$nyjl$3Q7avJNhGMGg9h8S3TxL01
!
! Local account used by the line_vty method list below.
username tonyxue password 7 110B0B0C101A1F010524
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
! hongyi_authen: Xauth list for VPN clients (see crypto map clientmap).
! It has a single method and no fallback, so if 172.16.0.100 is
! unreachable VPN user authentication fails closed.
aaa authentication login hongyi_authen group tacacs+
! NOTE(review): "no_tacasc" (typo for no_tacacs) is defined but referenced
! nowhere in this configuration.
aaa authentication login no_tacasc enable
! Console/VTY logins use the local username database only.
aaa authentication login line_vty local
! Group/network authorization for VPN clients comes from the local
! "crypto isakmp client configuration group" entry.
aaa authorization network hongyi_author local
aaa session-id common
ip subnet-zero
! Disables processing of packets carrying IP source-route options.
no ip source-route
!
!
no ip domain lookup
! .1-.220 are kept for static hosts; DHCP clients lease .221-.254.
ip dhcp excluded-address 172.16.0.1 172.16.0.220
!
ip dhcp pool hongyi
! NOTE(review): the pool is a /24 while FastEthernet0 and ACL 101 use a
! /16 (255.255.0.0 / 0.0.255.255) -- confirm which mask is intended.
network 172.16.0.0 255.255.255.0
dns-server 202.96.209.5 202.96.209.133
default-router 172.16.0.10
! Lease time is in days.
lease 30
!
no ip bootp server
ip cef
! CBAC: log session open/close events (delivered to the syslog host below).
ip inspect audit-trail
! Inspection rule "firewall"; applied outbound on Dialer1 so that return
! traffic is admitted through the inbound ACL Outbound_Ruler dynamically.
ip inspect name firewall cuseeme
! Fragment state: track at most 256 unassembled datagrams, each state
! expiring after 1 second.
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
! Generic TCP/UDP inspection covers what the application-specific
! entries above do not match.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall http
! IOS IDS event cap only; no "ip audit name" rule is applied to an
! interface in this configuration.
ip audit po max-events 100
vpdn enable
!
! PPPoE client: Ethernet0 dials into dialer pool 1 (see interface Dialer1).
vpdn-group FTTB
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
! IKE phase 1: 3DES / pre-shared key / DH group 2.  Typical for a 2004
! image; prefer AES and a stronger DH group where the platform supports it.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
! Remote-access group "hongyi": pre-shared key (masked in this listing)
! and the client address pool defined by "ip local pool hongyi_pool".
crypto isakmp client configuration group hongyi
key *********
pool hongyi_pool
!
!
! IPsec phase 2: 3DES with SHA-1 HMAC.
crypto ipsec transform-set hongyi_set esp-3des esp-sha-hmac
!
! Dynamic map: peer address and proxy identities are learned per client.
crypto dynamic-map hongyi_dynamic_map 10
set transform-set hongyi_set
!
!
! Xauth user authentication via TACACS+ (method list hongyi_authen).
crypto map clientmap client authentication list hongyi_authen
! Group authorization (key, pool) from the local database (hongyi_author).
crypto map clientmap isakmp authorization list hongyi_author
! Mode-config: addresses are assigned when the client requests one.
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic hongyi_dynamic_map
!
!
!
! Physical uplink: no IP of its own, PPPoE session bound to dialer pool 1.
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
! LAN side: NAT inside; ingress ACL Local_Ruler filters host traffic.
interface FastEthernet0
ip address 172.16.0.10 255.255.0.0
ip access-group Local_Ruler in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
! 1492 (PPPoE MTU on Dialer1) minus 40 bytes of IP+TCP header.
ip tcp adjust-mss 1452
no ip mroute-cache
speed auto
no cdp enable
!
! Logical uplink: negotiated address, NAT outside, crypto map and CBAC.
interface Dialer1
mtu 1492
ip address negotiated
! Despite its name, Outbound_Ruler is applied to *inbound* traffic here.
ip access-group Outbound_Ruler in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
! Outbound inspection opens return paths through the inbound ACL.
ip inspect firewall out
encapsulation ppp
no ip mroute-cache
dialer pool 1
no cdp enable
! "callin": the router authenticates to the ISP but does not require the
! ISP to authenticate back.  PAP carries the credential in clear text on
! the PPPoE link (an ISP requirement rather than a choice made here).
ppp authentication pap callin
ppp pap sent-username ad********* @shtel password 7 046B08133D255F7908
crypto map clientmap
!
! Address pool handed to VPN clients (192.168.0.0/24).
ip local pool hongyi_pool 192.168.0.1 192.168.0.254
! PAT everything selected by route-map nat_map to Dialer1's address.
ip nat inside source route-map nat_map interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
! Management web UI disabled on both HTTP and HTTPS.
no ip http server
no ip http secure-server
!
!
!
! LAN ingress filter.  Blocks IP protocols 53 and 55 (protocol numbers,
! not ports) and PIM, the small TCP services, the Windows RPC/NetBIOS/SMB
! ports that network worms of the period abused, TFTP and SNMP; everything
! else is permitted.  Every entry logs, and logged matches are handled in
! software -- expect CPU load and syslog volume if a LAN host starts
! scanning.
ip access-list extended Local_Ruler
deny 53 any any log
deny 55 any any log
deny pim any any log
deny tcp any any eq echo log
deny tcp any any eq chargen log
deny tcp any any eq 135 log
deny tcp any any eq 136 log
deny tcp any any eq 137 log
deny tcp any any eq 138 log
deny tcp any any eq 139 log
deny tcp any any eq 445 log
deny tcp any any eq 4444 log
deny udp any any eq tftp log
deny udp any any eq 135 log
deny udp any any eq 136 log
deny udp any any eq netbios-ns log
deny udp any any eq netbios-dgm log
deny udp any any eq netbios-ss log
deny udp any any eq snmp log
deny udp any any eq 445 log
permit ip any any
! Internet ingress filter (applied "in" on Dialer1): only IKE (UDP 500),
! ESP, NAT-T (UDP 4500, "non500-isakmp") and decrypted VPN-pool -> LAN
! traffic are accepted statically; CBAC adds return-traffic entries
! dynamically.  The final "deny ip any any log" records every unsolicited
! packet from the Internet, which can flood the syslog host.
ip access-list extended Outbound_Ruler
permit udp any any eq isakmp log
permit esp any any log
permit udp any any eq non500-isakmp log
permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 log
deny ip any any log
! Syslog over UDP to the same host that runs TACACS+; the transport is
! unauthenticated, so the host and the LAN path to it must be trusted.
logging source-interface FastEthernet0
logging 172.16.0.100
! NOTE(review): access-list 1 is not referenced anywhere in this config.
access-list 1 deny any
! NAT selector: LAN -> VPN pool is excluded from translation so VPN
! clients see real LAN addresses; all other LAN traffic is translated.
access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
no cdp run
!
route-map nat_map permit 10
match ip address 101
!
! TACACS+ server; the shared key is type-7 encoded (see note at the top).
tacacs-server host 172.16.0.100 key 7 0459190F082958430817
tacacs-server directed-request
!
line con 0
logging synchronous
login authentication line_vty
! NOTE(review): aux 0 has no "login authentication" and no default list
! is defined in this config; confirm how the port authenticates, or add
! "login authentication line_vty" (or "no exec") to it.
line aux 0
logging synchronous
! VTY: local authentication.  No access-class or "transport input"
! restriction is set, so reachability is bounded only by the interface
! ACLs (LAN and VPN pool).  NOTE(review): consider "transport input ssh"
! if the image supports it.
line vty 0 4
logging synchronous
login authentication line_vty
end