YLY Studio: The World of the Moon Rain Group (月亮雨小组)

SSL VPN Configuration on Cisco 2811 and Other Routers (Dynamic IP Address)

  Step 1: Upload the software

   R1#copy tftp flash
   Address or name of remote host []? 192.168.10.100
   Source filename []? sslclient-win-1.1.2.169.pkg
   Destination filename [sslclient-win-1.1.2.169.pkg]?
   Accessing tftp://192.168.10.100/sslclient-win-1.1.2.169.pkg...
   Loading sslclient-win-1.1.2.169.pkg from 192.168.10.100 (via FastEthernet0/0): !!
   [OK - 415090 bytes]

Author: mysy2001 | Category: Networking | Views: 525 | Comments: 0

ASA IPsec VPN 1

Reference steps for the lab configuration:
1. Device initialization
2. Configure routing
3. Configure NAT
4. Configure ISAKMP/IKE phase 1
5. Configure ISAKMP/IKE phase 2
6. Test
-----------------------------------------------------------------------------------------
1. Device initialization
ciscoasa(config)#hostname ASA5520
ASA5520(config)#int e0/0
ASA5520(config-if)#nameif outside
ASA5520(config-if)#security-level 0
ASA5520(config-if)#ip add 172.16.2.1 255.255.255.0
ASA5520(config-if)#no sh
ASA5520(config)#int e0/1
ASA5520(config-if)#nameif inside
ASA5520(config-if)#security-level 100
ASA5520(config-if)#ip add 192.168.20.254 255.255.255.0
ASA5520(config-if)#no sh
2811-R1(config)#hostname 2811-R1
2811-R1(config)#int e0/0
2811-R1(config-if)#ip add 172.16.1.1 255.255.255.0
2811-R1(config-if)#no sh
2811-R1(config)#int e0/1
2811-R1(config-if)#ip add 192.168.10.254 255.255.255.0
2811-R1(config-if)#no sh
internet(config)#int e0/0
internet(config-if)#ip add 172.16.1.254 255.255.255.0
internet(config-if)#no sh
internet(config)#int e0/1
internet(config-if)#ip add 172.16.2.254 255.255.255.0
internet(config-if)#no sh
2. Configure routing (purpose: ensure the VPN encryption/decryption endpoints can reach each other)
ASA5520(config)#route outside 0.0.0.0 0.0.0.0 172.16.2.254
2811-R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.254
3. Configure NAT
ASA5520(config)#access-list NONAT permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0    --- traffic that must not be NAT-translated
ASA5520(config)#nat (inside) 0 access-list NONAT    --- NAT exemption (nat 0)
ASA5520(config)#nat (inside) 1 192.168.20.0 255.255.255.0
ASA5520(config)#global (outside) 1 interface
2811-R1(config)#ip access-list extended NAT    --- define which traffic is NAT-translated
2811-R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255    --- this is the VPN traffic, so it is excluded from NAT
2811-R1(config-ext-nacl)#permit ip any any    --- all other traffic is NAT-translated
2811-R1(config)#ip nat inside source list NAT interface e0/0 overload
2811-R1(config)#int e0/0
2811-R1(config-if)#ip nat outside
2811-R1(config)#int e0/1
2811-R1(config-if)#ip nat inside
--------------------------------------------------------------------------------------------------------------------
4. Configure ISAKMP/IKE phase 1 (purpose: establish the VPN management connection)
1) Configure the ISAKMP/IKE policy
ASA5520(config)#crypto isakmp enable outside    --- enable ISAKMP on the outside interface
ASA5520(config)#crypto isakmp policy 1    --- define the phase 1 ISAKMP/IKE policy
ASA5520(config-isakmp)#hash md5    --- hash algorithm MD5
ASA5520(config-isakmp)#encryption des    --- encryption algorithm DES (symmetric)
ASA5520(config-isakmp)#group 2    --- Diffie-Hellman group (key exchange strength)
ASA5520(config-isakmp)#authentication pre-share    --- authenticate with a pre-shared key
2811-R1(config)#crypto isakmp policy 1    --- define the phase 1 ISAKMP/IKE policy
2811-R1(config-isakmp)#hash md5    --- hash algorithm MD5
2811-R1(config-isakmp)#encryption des    --- encryption algorithm DES (symmetric)
2811-R1(config-isakmp)#group 2    --- Diffie-Hellman group (key exchange strength)
2811-R1(config-isakmp)#authentication pre-share    --- authenticate with a pre-shared key
2) Configure the pre-shared key
ASA5520(config)#crypto isakmp key cisco address 172.16.1.1
2811-R1(config)#crypto isakmp key 0 cisco address 172.16.2.1
5. Configure ISAKMP/IKE phase 2 (purpose: establish the VPN data connection)
1) Configure an ACL defining the traffic the VPN protects
ASA5520(config)#access-list VPN permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
2811-R1(config)#ip access-list extended VPN    --- define the VPN interesting traffic
2811-R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
2) Define the IPsec transform set
ASA5520(config)#crypto ipsec transform-set ESP-T esp-des esp-md5-hmac
2811-R1(config)#crypto ipsec transform-set ESP-T esp-des esp-md5-hmac
3) Configure the crypto map (purpose: tie the ACL to the IPsec transform set)
ASA5520(config)#crypto map VPN-MAP 1 ipsec-isakmp    --- crypto map entry whose IPsec SAs are negotiated by ISAKMP
ASA5520(config)#crypto map VPN-MAP 1 match address VPN
ASA5520(config)#crypto map VPN-MAP 1 set peer 172.16.1.1    --- specify the remote encryption/decryption peer
ASA5520(config)#crypto map VPN-MAP 1 set transform-set ESP-T
2811-R1(config)#crypto map VPN-MAP 1 ipsec-isakmp    --- ISAKMP negotiation is enabled by default
2811-R1(config-crypto-map)#set transform-set ESP-T    --- apply the transform set
2811-R1(config-crypto-map)#match address VPN    --- match the traffic to be encrypted
2811-R1(config-crypto-map)#set peer 172.16.2.1    --- specify the remote encryption/decryption peer
4) Apply the crypto map to the interface
ASA5520(config)#crypto map VPN-MAP interface outside
2811-R1(config)#int e0/0
2811-R1(config-if)#crypto map VPN-MAP    --- apply the crypto map on the interface
6. Test
1) Router VPN show and troubleshooting commands:
show crypto isakmp policy    --- shows all configured policies and the default policy settings
clear crypto session    --- clears the VPN sessions
show crypto ipsec transform-set    --- shows the IPsec transform sets
show crypto map    --- shows the crypto map configuration
show crypto isakmp sa    --- shows the ISAKMP/IKE phase 1 security associations (SAs), i.e. the VPN connection
show crypto ipsec sa    --- shows the ISAKMP/IKE phase 2 security associations (SAs)
show crypto engine connections active    --- shows the number of packets encrypted/decrypted on the VPN connection
2) ASA firewall VPN show and troubleshooting commands:
show vpn-sessiondb l2l    --- shows the connection status of LAN-to-LAN (L2L) VPN sessions
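The phase 1 policy and transform set above negotiate DES, MD5 and DH group 2, and the pre-shared key is entered as a type 0 (cleartext) key. As an added example that is not part of the original post, the following Python script reads an IOS/ASA-style configuration dump and flags those weak IKE/IPsec settings; the sample configuration is constructed to mirror the commands on this page, and the set of algorithms treated as weak is this example's own assumption.

```python
import re

# Algorithms this example treats as weak (an assumption of the example, following the
# general retirement of DES/3DES, MD5/SHA-1 and small DH groups from IPsec deployments).
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LENGTH = 16  # constructed policy threshold for pre-shared key length

# Constructed sample that mirrors the phase 1 policy, pre-shared key and transform set
# on this page, written as they appear in 'show running-config' (prompts removed).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 encryption des
 group 2
 authentication pre-share
crypto isakmp key 0 cisco address 172.16.2.1
crypto ipsec transform-set ESP-T esp-des esp-md5-hmac
crypto map VPN-MAP 1 ipsec-isakmp
"""

def audit_crypto_config(config_text):
    """Return a list of (line_number, finding) tuples for weak IKE/IPsec settings."""
    findings = []
    policy = None  # number of the 'crypto isakmp policy' block being parsed, if any
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        line = " ".join(tokens)
        if line.startswith("crypto isakmp policy "):
            policy = tokens[3]
            continue
        if policy is not None and raw.startswith(" "):
            # Indented sub-commands belong to the current isakmp policy.
            if tokens[0] == "encryption" and tokens[1] in WEAK_ENCRYPTION:
                findings.append((lineno, f"policy {policy}: weak encryption {tokens[1]}"))
            elif tokens[0] == "hash" and tokens[1] in WEAK_HASH:
                findings.append((lineno, f"policy {policy}: weak hash {tokens[1]}"))
            elif tokens[0] == "group" and tokens[1] in WEAK_DH_GROUPS:
                findings.append((lineno, f"policy {policy}: weak DH group {tokens[1]}"))
            continue
        policy = None  # a non-indented line ends the policy sub-mode
        if line.startswith("crypto ipsec transform-set "):
            name = tokens[3]
            for alg in tokens[4:]:
                if alg in WEAK_ENCRYPTION or alg in WEAK_HASH:
                    findings.append((lineno, f"transform-set {name}: weak algorithm {alg}"))
            continue
        # A key given with no type or with type 0 is stored in cleartext; type 6 is not matched.
        m = re.match(r"crypto isakmp key (?:0 )?(\S+) address ", line)
        if m:
            findings.append((lineno, "pre-shared key stored in cleartext (type 0)"))
            if len(m.group(1)) < MIN_PSK_LENGTH:
                findings.append((lineno, f"pre-shared key shorter than {MIN_PSK_LENGTH} characters"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_crypto_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```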

Author: mysy2001 | Category: Networking | Views: 1292 | Comments: 0

Cisco 2800 L2TP VPN Basic Configuration

User Access Verification                                                       
                                                                               
Username: zqshuiku                                                             
Password:                                                                      
                                                                               
Router#show run                                                                
Building configuration...                                                      
                                                                               
Current configuration : 3190 bytes                                             
!                                                                              
! Last configuration change at 13:58:58 UTC Tue Nov 19 2013 by l2tp            
version 15.1                                                                   
service timestamps debug datetime msec                                         
service timestamps log datetime msec                                           
no service password-encryption                                                 
!                                                                              
hostname Router                                                                
!                                                                              
boot-start-marker                                                              
boot system flash flash:c2800nm-advsecurityk9-mz.151-4.M4.bin                  
boot-end-marker                                                                
!                                                                              
!                                                                              
enable password zqshuiku                                                       
!                                                                              
aaa new-model                                                                  
!                                                                              
!                                                                              
aaa authentication ppp default local                                           
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
aaa session-id common                                                          
!                                                                              
!                                                                              
dot11 syslog                                                                   
ip source-route                                                                
!                                                                              
!                                                                              
ip cef                                                                         
!                                                                              
!                                                                              
!                                                                              
!                                                                              
multilink bundle-name authenticated                                            
!                                                                              
vpdn enable                                                                    
!                                                                              
vpdn-group l2tp                                                                
 ! Default L2TP VPDN group                                                     
 accept-dialin                                                                 
  protocol l2tp                                                                
  virtual-template 1                                                           
 no l2tp tunnel authentication                                                 
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
license udi pid CISCO2811 sn FHK1453F27K                                       
username zqshuiku password 0 123456                                            
username daiming password 0 daiming                                            
username l2tp password 0 cisco                                                 
!                                                                              
redundancy                                                                     
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
interface FastEthernet0/0                                                      
 ip address 122.228.121.10 255.255.255.252                                     
 ip nat outside                                                                
 ip virtual-reassembly in                                                      
 duplex auto                                                                   
 speed auto                                                                    
!                                                                              
interface FastEthernet0/1                                                      
 ip address 192.168.1.1 255.255.255.0                                          
 ip nat inside                                                                 
 ip virtual-reassembly in                                                      
 duplex auto                                                                   
 speed auto                                                                    
!                                                                              
interface Virtual-Template1                                                    
 ip address 192.168.100.1 255.255.255.0                                        
 ip nat inside                                                                 
 ip virtual-reassembly in                                                      
 peer default ip address pool l2tp                                             
 ppp authentication chap                                                       
!                                                                              
ip local pool l2tp 192.168.100.2 192.168.100.200                               
ip forward-protocol nd                                                         
no ip http server                                                              
no ip http secure-server                                                       
!                                                                              
!                                                                              
ip nat inside source list 1 interface FastEthernet0/0 overload                 
ip nat inside source static tcp 192.168.1.88 80 122.228.121.10 80 extendable   
ip nat inside source static udp 192.168.1.88 80 122.228.121.10 80 extendable   
ip nat inside source static tcp 192.168.1.88 3389 122.228.121.10 3389 extendable
ip nat inside source static udp 192.168.1.88 3389 122.228.121.10 3389 extendable
ip nat inside source static tcp 192.168.1.88 5002 122.228.121.10 5002 extendable
ip nat inside source static udp 192.168.1.88 5002 122.228.121.10 5002 extendable
ip nat inside source static tcp 192.168.1.88 8081 122.228.121.10 8081 extendable
ip nat inside source static udp 192.168.1.88 8081 122.228.121.10 8081 extendable
ip nat inside source static tcp 192.168.1.88 8082 122.228.121.10 8082 extendable
ip nat inside source static udp 192.168.1.88 8082 122.228.121.10 8082 extendable
ip nat inside source static tcp 192.168.1.88 8085 122.228.121.10 8085 extendable
ip nat inside source static udp 192.168.1.88 8085 122.228.121.10 8085 extendable
ip nat inside source static tcp 192.168.1.88 8086 122.228.121.10 8086 extendable
ip nat inside source static udp 192.168.1.88 8086 122.228.121.10 8086 extendable
ip nat inside source static tcp 192.168.1.88 8087 122.228.121.10 8087 extendable
ip nat inside source static udp 192.168.1.88 8087 122.228.121.10 8087 extendable
ip nat inside source static tcp 192.168.1.88 8088 122.228.121.10 8088 extendable
ip nat inside source static udp 192.168.1.88 8088 122.228.121.10 8088 extendable
ip route 0.0.0.0 0.0.0.0 122.228.121.9                                         
!                                                                              
access-list 1 permit any                                                       
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
!                                                                              
control-plane                                                                  
!                                                                              
!                                                                              
!                                                                              
line con 0                                                                     
line aux 0                                                                     
line vty 0 4                                                                   
 privilege level 15                                                            
 password zqshuiku                                                             
 transport input all                                                           
line vty 5 15                                                                  
 transport input all                                                           
!                                                                              
scheduler allocate 20000 1000                                                  
end                                                                            
                                                                               
Router#                            

Author: mysy2001 | Category: Networking | Views: 751 | Comments: 0

How to Configure a VPN on a Cisco 2811 Router

IPsec VPN configuration:
crypto isakmp policy 1
encryption aes
authentication pre-share
group 1
exit

crypto isakmp key PASSWORD address 61.139.2.69
crypto ipsec transform-set VPN1 esp-sha-hmac esp-3des

exit

crypto map VPN1 10 ipsec-isakmp
set transform-set VPN1
set peer 61.139.2.69
match address 110
exit

access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

int g0/1
crypto map VPN1

Author: mysy2001 | Category: Networking | Views: 458 | Comments: 0

Cisco 2811 Router EasyVPN Configuration Example

interface FastEthernet0/1
 description ToInternet
 ip address 20.165.8.73 255.255.255.192
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable

Author: mysy2001 | Category: Networking | Views: 490 | Comments: 0

Cisco 2811 PPPoE Dial-up Point-to-Point IPsec VPN: A Working Configuration Case

Nine days of effort are all in here!!

Feeling my way forward!!

Using 2109 out of 196600 bytes
!
! Last configuration change at 10:23:00 UTC Fri May 3 2013
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec

Author: mysy2001 | Category: Networking | Views: 700 | Comments: 0

US Weather Anchor's Forecast Interrupted by a Dog "Passing By", to Viewers' Delight

According to foreign media reports, a weather anchor in Manchester, New Hampshire (NH), USA was recently caught off guard during a live broadcast when a dog suddenly walked into the shot and ambled past without any hurry. Reportedly, the arrival of this "uninvited guest" was actually welcomed by viewers. As the dog passed the anchor, the anchor paused for a moment and then said with a laugh, "... there is a dog behind me."

Author: mysy2001 | Category: Travel Notes | Views: 450 | Comments: 0

Huawei's Sixteen Requirements for Employees

Huawei's sixteen requirements for employees:

1. Participation matters; dare to challenge yourself

Ren Zhengfei admonishes employees: whether or not something you do succeeds, you must find your own sense of it. As long as you took part and fought for it, you have already succeeded; "victory and defeat are never certain, but daring to fight gets you seven parts in ten."

2. Value learning from others; make up for your weaknesses with their strengths

Ren Zhengfei says: as a person, actively absorb others' strengths, and actively point out your partners' shortcomings. When others point out and criticize your shortcomings, they are actually helping you and hoping you improve; if you give up even that help, you lose out badly.

Author: mysy2001 | Category: Telecommunications | Views: 541 | Comments: 0

IP Phone 7945, 7965, 7975 Factory Reset Procedure, SCCP Firmware Upgrade & CME DHCP Server Setup


This article explains how to reset your Cisco 7945, 7965 and 7975 IP phone to factory defaults, and how to upgrade the firmware to the latest available version. We also provide the necessary information on how to set up a DHCP server on a CME router or Cisco Catalyst switch to support Cisco IP Phones and provide them with DHCP Option 150, so they know where to find and register with the CallManager or CallManager Express server.

Author: mysy2001 | Category: Networking | Views: 443 | Comments: 0