PIX 515E-R firewall with ACS 3.0 for user authentication (2)

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.110 cisco123 timeout 10  // specify the RADIUS server IP and key
aaa-server parnerauth protocol tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication partnerauth  // authenticate users through RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10  // this line is what lets NAT users through the PIX; it is a feature new in 6.3, e.g. to solve VPN dial-in from behind NAT on a LAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool pccw  // I created two groups below; if each group has to be given a fixed IP, the only way is to build one Group per user. Sigh, customers who ask for this are sheer torment :(
vpngroup vpn3000 dns-server 202.96.134.133
vpngroup vpn3000 split-tunnel 102
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup link address-pool pccw02
vpngroup link split-tunnel 102
vpngroup link idle-time 1800
vpngroup link password ********
telnet 192.168.32.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:81630e6f8040b488f6c2e6c6ff872804
: end
[OK]
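A configuration like the one above is worth reviewing before it goes live. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses a PIX 6.x-style running-config and flags the points a reviewer would raise on this one, namely DES/MD5 in the ISAKMP policy and the IPsec transform set, the default SNMP community string, telnet permitted from the outside interface, and a `crypto map ... client authentication` group name that does not match any defined `aaa-server` group (a RADIUS-backed VPN silently fails to authenticate if that name is mistyped). The config text embedded in the script is a constructed excerpt modelled on the post's configuration; the RADIUS key is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the post's PIX 6.3 config (not the real
# running-config). RADIUS_KEY_PLACEHOLDER stands in for the shared secret.
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.110 RADIUS_KEY_PLACEHOLDER timeout 10
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap client authentication partnerauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
telnet 192.168.32.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 inside
vpngroup vpn3000 address-pool pccw
vpngroup vpn3000 idle-time 1800
"""

# Algorithms considered inadequate for a remote-access VPN today.
WEAK_CIPHERS = {"des", "esp-des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_config(text: str) -> List[str]:
    """Split a running-config into non-empty command lines, dropping
    '!' comment lines and ': end' style trailer lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(("!", ":"))]


def aaa_groups(lines: List[str]) -> Dict[str, str]:
    """Map each defined aaa-server group name to its protocol."""
    groups: Dict[str, str] = {}
    for ln in lines:
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", ln)
        if m:
            groups[m.group(1)] = m.group(2)
    return groups


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding-id, offending line) pairs, in config order."""
    findings: List[Tuple[str, str]] = []
    groups = aaa_groups(lines)
    for ln in lines:
        # Phase 1 (ISAKMP) policy: cipher and hash strength.
        m = re.match(r"isakmp policy \d+ encryption (\S+)", ln)
        if m and m.group(1) in WEAK_CIPHERS:
            findings.append(("weak-isakmp-cipher", ln))
        m = re.match(r"isakmp policy \d+ hash (\S+)", ln)
        if m and m.group(1) in WEAK_HASHES:
            findings.append(("weak-isakmp-hash", ln))
        # Phase 2 (IPsec) transform set: any weak ESP algorithm.
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", ln)
        if m and set(m.group(1).split()) & (WEAK_CIPHERS | WEAK_HASHES):
            findings.append(("weak-ipsec-transform", ln))
        # Well-known SNMP community string.
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-snmp-community", ln))
        # Clear-text management access reachable from the outside interface.
        if re.match(r"telnet \S+ \S+ outside$", ln):
            findings.append(("telnet-from-outside", ln))
        # VPN client authentication must point at a defined AAA group.
        m = re.match(r"crypto map \S+ client authentication (\S+)", ln)
        if m and m.group(1) not in groups:
            findings.append(("undefined-aaa-group", ln))
    return findings


if __name__ == "__main__":
    for fid, line in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{fid:24s} {line}")
```

Run it against the output of `show running-config` (or `write terminal`) saved to a file; replace `SAMPLE_CONFIG` with the file's contents. The group-name check is deliberately strict: the `aaa-server <name> protocol` line and the `crypto map ... client authentication <name>` line must match exactly, because the PIX does not validate that reference for you.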