1. Configure the management IP address and gateway
interface Vlanif1
ip address 10.20.69.1 255.255.255.0
2. Upload the web management file web.zip over FTP
ftp server enable
aaa
local-user user1 password cipher user1
local-user user1 service-type ftp
local-user user1 ftp-directory flash:/
Upload web.zip from the PC:
ftp> binary    (transfer in binary mode)
ftp> put web.zip
3. Enable web management and create the web management user
http server enable
http server load web.zip    (load the web management file)
aaa
local-user user2 password cipher user2
local-user user2 service-type http
local-user user2 privilege level 3
II. Configure the DHCP service:
1. Enable DHCP globally
dhcp enable
#
ip pool lan
gateway-list 10.20.69.1
network 10.20.69.0 mask 255.255.255.0
excluded-ip-address 10.20.69.2 10.20.69.100
excluded-ip-address 10.20.69.200 10.20.69.254
dns-list 172.16.10.25 172.16.10.21
#
dns resolve
dns proxy enable
#
interface Vlanif1
dhcp select global
2. Enable DHCP on the interface only
interface Vlanif1
ip address 10.20.69.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.10.25 172.16.10.21
#
III. PPPoE client configuration:
1. Configure NAT:
acl number 3000
rule 10 deny ip source 10.20.69.0 0.0.0.255 destination 172.16.0.0 0.7.255.255
rule 20 deny ip source 10.20.69.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 30 permit ip source 192.168.254.0 0.0.0.255
rule 40 permit ip source 10.20.69.0 0.0.0.255
2. Configure the physical interface that runs PPPoE
interface Ethernet0/0/8
pppoe-client dial-bundle-number 1 on-demand
undo shutdown
3. Configure PPPoE
dialer-rule
dialer-rule 1 ip permit
#
interface Dialer1
link-protocol ppp
ppp chap user 2100771@xmadsl
ppp chap password cipher xmgov123
ppp pap local-user 2100771@xmadsl password cipher xmgov123
tcp adjust-mss 1400
ip address ppp-negotiate
dialer user 2100771@xmadsl
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
nat outbound 3000    (enable NAT)
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
4. Check the PPPoE status
display pppoe-client session summary
IV. Configure the IKE VPN
1. Define the interesting traffic
acl number 3002
rule 10 permit ip source 10.20.69.0 0.0.0.255 destination 172.16.0.0 0.7.255.255
rule 20 permit ip source 10.20.69.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
2. On the router, configure the local ID and the IKE peer required for IKE negotiation.
ike peer jfgf v1
pre-shared-key simple XMgovVPNPS
ike-proposal 10
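remote-address 28.5.6.29
In aggressive mode, if local-id-type is set to name, the side that initiates the negotiation must also be configured with remote-address x.x.x.x. [ To display the configuration: display ike peer name jfgf verbose ]
3. Create the security proposal: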
ipsec proposal xmjf
ike peer 10 v2    (this is probably not needed, because ike peer jfgf v1 is already defined above)
ike proposal 10
authentication-algorithm md5
Run display ipsec proposal to show the configured settings.
4. Configure the security policy
ipsec policy map 10 isakmp
security acl 3002
ike-peer jfgf
proposal xmjf
Run display ipsec policy to show the configured settings.
5. Apply the security policy
interface Dialer1
ipsec policy map
display ipsec sa shows the configured settings.
display ike sa shows the configured settings.
V. Router management configuration:
clock timezone utc add 08:00:00
aaa
local-user xmjf password cipher xmjf
local-user xmjf privilege level 3
local-user xmjf service-type telnet ssh http
local-user admin password cipher admin
local-user admin service-type telnet http
user-interface con 0
authentication-mode password
set authentication password cipher admin
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
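
An added example, not part of the original page: a small Python check that scans a VRP-style configuration like the one above for settings that weaken it (FTP and Telnet access, a password equal to the user name, a pre-shared key kept in plaintext, MD5). The sample text is constructed and its key is a placeholder; RULES and audit() are names chosen here, and the check assumes the commands are as typed, with the cleartext password following the cipher keyword.

```python
import re

# Constructed sample in the style of the configuration above; the key is a placeholder.
SAMPLE = """\
ftp server enable
aaa
 local-user user1 password cipher user1
 local-user user1 service-type ftp
 local-user xmjf service-type telnet ssh http
ike peer jfgf v1
 pre-shared-key simple EXAMPLE-PSK
ipsec proposal xmjf
 authentication-algorithm md5
user-interface vty 0 4
 authentication-mode aaa
"""

# (pattern, finding) pairs; each pattern is tried against one stripped config line.
RULES = [
    (r"^ftp server enable$",
     "FTP server enabled: logins and files cross the network in cleartext"),
    (r"^local-user \S+ service-type .*\b(telnet|ftp)\b",
     "account may log in over a cleartext protocol (telnet/ftp)"),
    (r"^pre-shared-key simple ",
     "IKE pre-shared key is kept in plaintext in the configuration"),
    (r"authentication-algorithm md5$",
     "MD5 selected as the authentication algorithm"),
]

def audit(config: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) for every weak setting found."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((n, finding))
        # A password identical to the account name is the first guess anyone makes.
        m = re.match(r"local-user (\S+) password cipher (\S+)$", line)
        if m and m.group(1) == m.group(2):
            findings.append((n, f"password of '{m.group(1)}' equals the user name"))
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```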