Configuring EZVPN on a Cisco 851


Author: h3cisco  Published: 2010-6-11  Category: Network Technology


The previous post covered the wireless configuration on this network. This one walks through the configuration of the Cisco 851.

Technologies used in the configuration: NAT, DHCP, EZVPN, and others.

SHMCM#show run
Building configuration...

Current configuration : 2296 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SHMCM
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 096B4B0C110A45425A5C
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ezvpn-authentication local
aaa authorization network ezvpn-authorization local
!        
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp excluded-address 192.168.11.200 192.168.11.254
!
ip dhcp pool SHMCM
   network 192.168.11.0 255.255.255.0             
   default-router 192.168.11.254
   dns-server 8.8.8.8
!
!
ip cef
no ip domain lookup
!
!
!
username cisco password 7 132212170303567A7A74
username ezvpn password 7 105E290A1600421908567A7A74
!        
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group myezvpn
 key cisco1234
 dns 8.8.8.8
 domain mcm.com
 pool ezvpn-pool
 acl 101
 save-password
!
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dynamic-map 10
 set transform-set ccsp
 reverse-route
!
!        
crypto map cisco client authentication list ezvpn-authentication
crypto map cisco isakmp authorization list ezvpn-authorization
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 180.18.33.22 255.255.255.252    (for security, this IP is fake)
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cisco
!        
interface Vlan1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool ezvpn-pool 172.16.1.1 172.16.1.50
ip classless
ip route 0.0.0.0 0.0.0.0 180.18.33.21
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet4 overload    (a bit embarrassing here: when I first configured this I did not type "inside" and could not get online; sigh, I was sweating buckets)
!
access-list 101 deny   ip 192.168.11.0 0.0.0.255 172.16.1.0 0.0.0.255    (configured here with the ip access-list 101 command)
access-list 101 permit ip 192.168.11.0 0.0.0.255 any  
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 112E1C001F1D595C557A
!
scheduler max-task-time 5000
end

SHMCM#

OK, the network is up. Next, connect with the EZVPN client; the client software is configured as follows.

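Once connected, the client is assigned a 172.16.1.x IP address. Although the connection is established, the internal network cannot reach the VPN client, and the VPN client cannot reach the internal network.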

To fix this, the ACL used for NAT must not translate traffic destined for the 172.16.1.0 network. The commands are:

ip access-list extended 101
 deny   ip 192.168.11.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any

Then apply it to NAT, and the internal network and the VPN clients can reach each other.
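
How ACL 101 is evaluated when it serves as the NAT list, shown as an added example that is not part of the original post: a small Python model of first-match, wildcard-mask matching in which permit means "translate" and deny means "leave untranslated". The sample flows and the names `nat_decision`, `ACL_WITHOUT_EXEMPTION` and `ACL_WRONG_ORDER` are constructed for illustration.

```python
import ipaddress

# ACL 101 from the configuration above: (action, src, src wildcard, dst, dst wildcard)
ACL_101 = [
    ("deny",   "192.168.11.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("permit", "192.168.11.0", "0.0.0.255", "any", None),
]
# Constructed variants: the exemption entry missing, and the two entries swapped.
ACL_WITHOUT_EXEMPTION = [ACL_101[1]]
ACL_WRONG_ORDER = [ACL_101[1], ACL_101[0]]

# Constructed sample flows: a LAN host answering a VPN client, then browsing the Internet.
FLOWS = [("192.168.11.120", "172.16.1.5"), ("192.168.11.120", "8.8.8.8")]


def _matches(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def nat_decision(acl, src, dst):
    """Return 'translate' or 'no-nat' for a packet checked against a NAT source list."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if _matches(src, s_base, s_wc) and _matches(dst, d_base, d_wc):
            # The first matching entry decides: permit = translate, deny = exempt from NAT.
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"  # implicit deny at the end of every ACL


def explain(acl, flows=FLOWS):
    """Decision for each flow, in order."""
    return [(src, dst, nat_decision(acl, src, dst)) for src, dst in flows]


if __name__ == "__main__":
    for name, acl in [("ACL 101", ACL_101),
                      ("without exemption", ACL_WITHOUT_EXEMPTION),
                      ("wrong order", ACL_WRONG_ORDER)]:
        print(name)
        for src, dst, decision in explain(acl):
            print(f"  {src} -> {dst}: {decision}")
```

With the entries swapped, the permit line matches first and traffic to the VPN pool is translated just as if the deny line were absent, so the deny must come before the permit.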

 

This article is original to www.h3cisco.cn; please credit the source when reposting.

Article URL: http://www.h3cisco.cn/post/69.html (source: 旋风网络家园)