2022-10-07
Cisco ASA L2TP with RADIUS and local authentication in one-arm mode (ciscoasa 5520, Active LED lit red)
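Topology: a public IP is mapped to the IP of the ASA's inside interface. All traffic is sent to the core, and Internet-bound traffic is controlled by the egress firewall.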
ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password ajgvZKkj9OFA/xdm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
! ------------- Address configuration -------------
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address X.118.138.253 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
! ------------- One-arm mode: traffic enters and leaves through the same port -------------
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! ------------- Address group configuration -------------
object-group network dhcp
 network-object X.118.139.0 255.255.255.0
object-group network home
 network-object X.0.0.0 255.0.0.0
 network-object 192.168.150.0 255.255.255.0
 network-object 172.28.0.0 255.255.0.0
access-list ingate extended permit ip any any
access-list 101 extended permit ip object-group home object-group dhcp
pager lines 24
mtu inside 1500
! Configure the VPN address pool
ip local pool l2tp X.118.139.1-X.118.139.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group ingate in interface inside
! Default route points to the core
route inside 0.0.0.0 0.0.0.0 X.118.138.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! ------------- RADIUS authentication -------------
aaa-server l2tp protocol radius
aaa-server l2tp (inside) host 172.28.2.101
 key cisco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! ------------- IPsec configuration -------------
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto ipsec transform-set cisco mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 10 set transform-set cisco
crypto map cisco 10 ipsec-isakmp dynamic cisco
crypto map cisco interface inside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.28.5.98
! ------------- L2TP configuration -------------
group-policy cisco internal
group-policy cisco attributes
 dns-server value X.118.145.252
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username cisco password XIAPE6POhu0lQN1OczHpog== nt-encrypted
username vxiadmin password /1ganKF8WKayiiD0 encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp
! Domain account authentication
 authentication-server-group l2tp
 default-group-policy cisco
! Local authentication:
!  authentication-server-group (inside) LOCAL
! Command for local account authentication:
!  username cisco password cisco mschap
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:82282849a585a23d4f6f9d0e1a034527
: end
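An added example, not part of the original post: a Python check that walks an ASA configuration like the one above, tracks which parent command each indented sub-command belongs to, and reports the settings a reviewer would question (3DES/MD5, DH group 2, Telnet from any source, the permit-any ACL, a short RADIUS key). The rule list, the function name `audit` and the 16-character key threshold are assumptions of this example; the sample lines are constructed from the configuration above.

```python
import re

# Constructed sample: a subset of the lines from the configuration above.
SAMPLE = """\
access-list ingate extended permit ip any any
aaa-server l2tp (inside) host 172.28.2.101
 key cisco
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
telnet 0.0.0.0 0.0.0.0 inside
ssh timeout 5
"""

# (parent prefix, or None for top-level commands; regex for the whole line; finding)
# The 16-character minimum for the RADIUS key is an assumed threshold.
RULES = [
    (None, r"access-list \S+ extended permit ip any any", "ACL permits all IP traffic"),
    (None, r"telnet 0\.0\.0\.0 0\.0\.0\.0 \S+", "Telnet (cleartext) management from any source"),
    (None, r"crypto ipsec transform-set \S+ .*\besp-3?des\b.*", "IPsec transform set uses DES/3DES"),
    (None, r"crypto ipsec transform-set \S+ .*\besp-md5-hmac\b.*", "IPsec transform set uses HMAC-MD5"),
    ("crypto isakmp policy", r"encryption 3?des", "IKE policy uses DES/3DES"),
    ("crypto isakmp policy", r"hash md5", "IKE policy uses MD5"),
    ("crypto isakmp policy", r"group [12]", "IKE policy uses a DH group of 1024 bits or less"),
    ("aaa-server", r"key \S{1,15}", "RADIUS shared secret shorter than 16 characters"),
]

def audit(config):
    """Return (line_number, finding) for every rule hit, tracking the parent command."""
    findings, parent = [], ""
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and ASA comment lines
        indented = raw[0].isspace()
        if not indented:
            parent = line  # a top-level command opens a new block
        for scope, pattern, finding in RULES:
            in_scope = (not indented) if scope is None else (indented and parent.startswith(scope))
            if in_scope and re.fullmatch(pattern, line):
                findings.append((number, finding))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```

Sub-command rules fire only inside their parent block, so a stray `hash md5` outside `crypto isakmp policy` is not reported.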