通信人家园


Rank: Corporal
Registered: 2003-11-3

1# Posted 2006-6-23 12:47:00
I currently have a PIX 525 firewall configured as follows.
I now want to add several more egress links so that overseas users can dial in over VPN. How should I configure that on top of this?


PIX Version 6.3(3)
interface ethernet0 auto               
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0     
nameif ethernet1 inside security100   
nameif ethernet2 dmz security50      
enable password BSbnH22kNKtK22Dm encrypted
passwd BSbnH22kNKtK22Dm encrypted
hostname aaa
domain-name aaa.com.cn
clock timezone HKST 8
fixup protocol dns maximum-length 512           
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.13.183.19 mailserver
name 192.13.183.24 webserver
name 192.13.183.26 videoserver
name 192.13.183.21 proxyserver
access-list 101 permit ip any 172.17.1.0 255.255.255.0
access-list 101 permit ip any 172.17.64.0 255.255.192.0
access-list outside2dmz permit icmp any any echo
access-list outside2dmz permit icmp any any echo-reply
access-list outside2dmz permit tcp any host 18.13.83.19 eq www
access-list outside2dmz permit tcp any host 18.13.83.19 eq smtp
access-list outside2dmz permit tcp any host 18.13.83.19 eq pop3
access-list outside2dmz permit tcp any host 18.13.83.26 eq 1800
access-list outside2dmz permit tcp any host 18.13.83.26 eq 2000
access-list outside2dmz permit udp any host 18.13.83.26 eq 2001
access-list outside2dmz permit tcp any host 18.13.83.24 eq 1018
access-list outside2dmz permit tcp any host 18.13.83.26 eq ftp
access-list outside2dmz permit tcp any host 18.13.83.21 eq 6666
access-list outside2dmz permit tcp any host 18.13.83.19 eq telnet
access-list outside2dmz compiled
access-list dmz2inside permit icmp any any echo
access-list dmz2inside permit icmp any any echo-reply
access-list dmz2inside permit ip 192.13.183.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list dmz2inside permit ip 192.13.183.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz2inside permit ip 192.13.183.0 255.255.255.0 any
pager lines 24
logging history errors
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 18.13.83.162 255.255.255.252  
ip address inside 172.17.1.1 255.255.0.0         
ip address dmz 192.13.183.254 255.255.255.0      
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.17.64.1-172.17.127.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 172.17.1.0 255.255.255.0 inside
pdm location 10.1.18.66 255.255.255.255 inside
pdm location 10.44.44.44 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 172.17.1.2 255.255.255.255 inside
pdm location 172.17.1.251 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location mailserver 255.255.255.255 dmz
pdm location proxyserver 255.255.255.255 dmz
pdm location webserver 255.255.255.255 dmz
pdm location videoserver 255.255.255.255 dmz
pdm location 172.17.64.1 255.255.255.255 outside
pdm logging errors 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
static (dmz,outside) 18.13.83.24 webserver netmask 255.255.255.255 0 0
static (dmz,outside) 18.13.83.19 mailserver netmask 255.255.255.255 0 0
static (dmz,outside) 18.13.83.26 videoserver netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 18.13.83.21 proxyserver netmask 255.255.255.255 0 0
access-group outside2dmz in interface outside
access-group dmz2inside in interface dmz
route outside 0.0.0.0 0.0.0.0 218.13.183.161 1
route inside 10.0.0.0 255.0.0.0 172.17.1.2 1
route inside 172.16.0.0 255.255.0.0 172.17.1.2 1
route inside 192.168.0.0 255.255.255.0 172.17.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.17.1.251 aaa040416 timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console TACACS+
http server enable
http 172.17.64.1 255.255.255.255 outside
http 172.17.1.2 255.255.255.255 inside
http 172.17.1.0 255.255.255.0 inside
http 10.44.44.44 255.255.255.255 inside
snmp-server host inside 172.17.1.2
no snmp-server location
no snmp-server contact
snmp-server community aaa040416
snmp-server enable traps
tftp-server inside 172.17.1.2 aaapixcfg
floodguard enable
fragment chain 1 outside
sysopt connection permit-ipsec
auth-prompt prompt welcome to aaa
auth-prompt accept you have been accepted
auth-prompt reject Sorry,Don't Try!
crypto ipsec transform-set aaa esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set aaa
crypto map aaa 10 ipsec-isakmp dynamic dynmap
crypto map aaa client configuration address initiate
crypto map aaa client configuration address respond
crypto map aaa client authentication TACACS+
crypto map aaa interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 30 20
isakmp client configuration address-pool local vpn outside
isakmp nat-traversal 120
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup aaavpn address-pool vpn
vpngroup aaavpn idle-time 1800
vpngroup aaavpn password ********
vpngroup aaawcgl address-pool vpn
vpngroup aaawcgl idle-time 1800
vpngroup aaawcgl password ********
telnet 10.1.18.66 255.255.255.255 inside
telnet 10.44.44.44 255.255.255.255 inside
telnet 172.17.1.251 255.255.255.255 inside
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 inside
ssh 10.44.44.44 255.255.255.255 inside
ssh timeout 5
console timeout 10
username test3 password K9D3OPDBzNrja1kw encrypted privilege 1
username jybwcgl1 password gp6rtaJDUPZR.UOn encrypted privilege 1
username admin password sHAADKcKq4geB3IE encrypted privilege 15
terminal width 80
Cryptochecksum:0f981552863c79e4d5890c31c01dc0f8
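As an added example (not part of the original post, and not Cisco's own code): a small Python audit that tokenises a PIX 6.3 configuration and flags the settings a reviewer would raise before opening this box to more VPN users. The weak excerpt is constructed from lines of the posted config; the hardened excerpt is a constructed counterpart, and its aes-256 / sha / group 5 keywords assume PIX 6.3 syntax. The finding names are this script's own labels.

```python
"""Static audit of a Cisco PIX 6.3 config for weak IKE/IPsec and management settings.
Added example, not code from the original post or from Cisco.
SAMPLE_WEAK: constructed excerpt reproducing lines of the posted config.
SAMPLE_HARDENED: constructed counterpart (PIX 6.3 AES/SHA/group-5 syntax assumed)."""
from typing import Dict, List

SAMPLE_WEAK = """\
PIX Version 6.3(3)
access-list dmz2inside permit ip 192.13.183.0 255.255.255.0 any
aaa-server TACACS+ (inside) host 172.17.1.251 aaa040416 timeout 10
http server enable
http 172.17.64.1 255.255.255.255 outside
snmp-server community aaa040416
sysopt connection permit-ipsec
crypto ipsec transform-set aaa esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
telnet 10.1.18.66 255.255.255.255 inside
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 inside
"""

SAMPLE_HARDENED = """\
crypto ipsec transform-set aaa esp-aes-256 esp-sha-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
ssh 172.17.1.0 255.255.255.0 inside
"""

WEAK_CIPHERS = {"des", "esp-des", "3des", "esp-3des"}   # 56-bit key / 64-bit block
WEAK_HASHES = {"md5", "esp-md5-hmac"}                   # MD5-based integrity
WEAK_DH_GROUPS = {"1", "2"}                             # 768- and 1024-bit MODP
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_config(text: str) -> List[List[str]]:
    """Tokenise a config; blank lines and '!' comment lines are dropped."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit(text: str) -> Dict[str, List[str]]:
    """Return {finding_name: [offending config lines]} for the given config text."""
    lines = parse_config(text)
    findings: Dict[str, List[str]] = {}

    def add(name: str, ln: List[str]) -> None:
        findings.setdefault(name, []).append(" ".join(ln))

    # Collect AAA server shared keys so the same secret can be spotted elsewhere.
    aaa_keys = set()
    for ln in lines:
        if ln[0] == "aaa-server" and "host" in ln:
            i = ln.index("host")
            if len(ln) > i + 2:
                aaa_keys.add(ln[i + 2])

    for ln in lines:
        head = ln[0]
        if head == "isakmp" and ln[1:2] == ["policy"] and len(ln) >= 5:
            attr, val = ln[3], ln[4]
            if attr == "encryption" and val in WEAK_CIPHERS:
                add("weak_ike_encryption", ln)
            elif attr == "hash" and val in WEAK_HASHES:
                add("weak_ike_hash", ln)
            elif attr == "group" and val in WEAK_DH_GROUPS:
                add("weak_dh_group", ln)
        elif head == "isakmp" and ln[1:2] == ["key"] and \
                ln[-4:] == ["address", "0.0.0.0", "netmask", "0.0.0.0"]:
            add("wildcard_preshared_key", ln)   # any peer holding the PSK may negotiate
        elif ln[:3] == ["crypto", "ipsec", "transform-set"]:
            if any(t in WEAK_CIPHERS or t in WEAK_HASHES for t in ln[4:]):
                add("weak_ipsec_transform", ln)
        elif head == "telnet" and len(ln) == 4:          # skips 'telnet timeout N'
            add("cleartext_telnet_management", ln)
        elif head == "http" and len(ln) == 4 and ln[3] == "outside":
            add("management_http_from_outside", ln)      # PDM reachable via outside
        elif ln[:2] == ["snmp-server", "community"] and len(ln) >= 3:
            if ln[2] in aaa_keys:
                add("shared_secret_reuse", ln)           # community == AAA server key
            if ln[2].lower() in DEFAULT_COMMUNITIES:
                add("default_snmp_community", ln)
        elif head == "access-list" and ln[2:4] == ["permit", "ip"] and ln[-1] == "any":
            add("permit_ip_to_any", ln)
        elif ln == ["sysopt", "connection", "permit-ipsec"]:
            add("ipsec_bypasses_interface_acls", ln)     # decrypted IPsec skips ACLs
    return findings


if __name__ == "__main__":
    for name, hits in sorted(audit(SAMPLE_WEAK).items()):
        print(f"{name}:")
        for h in hits:
            print(f"    {h}")
```

Run against the posted lines it reports DES and MD5 in both the IKE policy and the transform set, DH group 2, the wildcard pre-shared key, telnet management, PDM access permitted on the outside interface (the address is from the VPN pool), an SNMP community that is the same string as the TACACS+ server key, the dmz2inside "permit ip ... any" rule, and sysopt connection permit-ipsec, under which decrypted IPsec traffic bypasses the interface access-lists. Against the hardened excerpt it reports nothing, which is the check worth rerunning after each change.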

Copyright © 1999-2025 C114 All Rights Reserved