Cisco ASA L2TP with RADIUS, gateway mode (Cisco ASA 5506-X configuration)

Reader submission, 2022-10-07



Topology notes: after the L2TP VPN dial-up to the Cisco ASA succeeds, the remote user edits the local routing table so that Internet access keeps working: company intranet destinations (here 10.0.0.0/8) get the tunnel gateway as next hop, while the default route keeps pointing at the local gateway.

ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password ajgvZKkj9OFA/xdm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
--------------IP address configuration--------------------------
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.104.203.13 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.28.192.249 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
-----------Object-group configuration-------------------
object-group network dhcp
 network-object X.118.139.0 255.255.255.0
object-group network home
 network-object 10.0.0.0 255.0.0.0

access-list ingate extended permit ip any any
access-list outgate extended permit ip any any

-----------ACL configuration: traffic exempt from NAT--------------
access-list 101 extended permit ip object-group home object-group dhcp
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool l2tp X.118.139.1-X.118.139.100 mask 255.255.255.0
---- address pool
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
--------------NAT configuration-------------------
global (outside) 1 interface
nat (inside) 0 access-list 101
-------- traffic that is not NATed ----------------
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outgate in interface outside
access-group ingate in interface inside

--------------Routing configuration----------------------
route outside 0.0.0.0 0.0.0.0 X.104.203.9 1
route inside 10.0.0.0 255.0.0.0 172.28.192.254 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
------------------RADIUS authentication server-------------------------
aaa-server l2tp protocol radius
aaa-server l2tp (inside) host 172.28.2.101
 key cisco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
---------------IPsec configuration---------------------------------
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto ipsec transform-set cisco mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 10 set transform-set cisco
crypto map cisco 10 ipsec-isakmp dynamic cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

---------------NAT-T-----------------------
crypto isakmp nat-traversal 10

telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.28.5.98
--------------L2TP group policy--------------------------
group-policy cisco internal
group-policy cisco attributes
 dns-server value X.118.145.252 X.118.144.252
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username vxiadmin password /1ganKF8WKayiiD0 encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp
 authentication-server-group l2tp
 default-group-policy cisco
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:144accded4034c4321147106fc666840
: end
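As an added example (not part of the original post), the following Python script parses a running config of the kind shown above and flags the settings a reviewer would question in it: the esp-3des/esp-md5-hmac transform set, the ISAKMP policy's 3DES, MD5 and DH group 2, telnet permitted from any inside host, and any mismatch between the nat 0 ACL and the split-tunnel ACL (both are 101 here, so that check passes). The config excerpt and the weak-algorithm thresholds are constructed for this example.

```python
import re

# Constructed excerpt of the running config shown above (same placeholder
# addresses as on the page), embedded so the audit runs offline.
SAMPLE_CONFIG = """\
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
nat (inside) 0 access-list 101
telnet 0.0.0.0 0.0.0.0 inside
group-policy cisco attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
"""

# Assumed policy thresholds: legacy algorithms and 1024-bit DH are flagged.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def audit_asa_config(text):
    """Return a list of findings for an ASA 8.x running-config excerpt."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m and set(m.group(2).split()) & WEAK_ESP:
            findings.append(f"transform-set {m.group(1)}: legacy ESP algorithms")
        # 'encryption', 'hash' and 'group' lines only occur under 'crypto isakmp policy'
        m = re.match(r"(encryption|hash|group) (\S+)$", line)
        if m and m.group(2) in WEAK_IKE[m.group(1)]:
            findings.append(f"isakmp policy: weak {m.group(1)} {m.group(2)}")
        if re.match(r"telnet 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            findings.append(f"telnet: management from any host on {line.split()[-1]}")
    # The NAT-exempt ACL (nat 0) and the split-tunnel ACL must be the same
    # list, otherwise tunnelled client traffic and NAT-exempt traffic diverge.
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", text, re.M)
    split = re.search(r"^\s*split-tunnel-network-list value (\S+)", text, re.M)
    if nat0 and split and nat0.group(1) != split.group(1):
        findings.append(f"nat 0 uses ACL {nat0.group(1)} but split tunnel uses {split.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```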


