
Cisco PIX 525 VPDN + ACS User Authentication

System environment:

  Cisco PIX 525

  Cisco ACS Server 3.2

  Functions implemented:

  Remote users dial in to the corporate network with the Cisco IPsec VPN Client, version 3.x or later;

  Remote users dial in to the corporate network with the Microsoft PPTP VPN client;

  All remote VPDN users are authenticated and accounted through the ACS server. This simplifies management and provides functions that the PIX's own authentication cannot, such as locking an account after too many failed login attempts and restricting the hours at which a user may log in;

  Configuration on the PIX 525:

  jtpixfirewall# sh run
  : Saved
  :
  PIX Version 6.3(3)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  interface ethernet3 auto
  interface ethernet4 auto
  interface ethernet5 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 perimter1 security20
  nameif ethernet3 perimter2 security30
  nameif ethernet4 perimter3 security40
  nameif ethernet5 perimter4 security50
  enable password pAvMEKYodlghdOOb7Y encrypted
  passwd 1ZowQT4VG2d3TbU69 encrypted
  hostname jtpixfirewall
  domain-name jt.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name 10.1.5.0 test
  name 10.1.8.50 netmang
  access-list inside_outbound_nat0_acl permit ip 10.1.8.0 255.255.255.0 10.1.58.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip test 255.255.255.0 10.1.58.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.252.0.0 10.1.58.0 255.255.255.0
  access-list jt1_splitTunnelAcl permit ip test 255.255.255.0 any
  access-list jt1_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
  access-list acl-out permit icmp any any
  pager lines 24
  logging on
  logging timestamp
  logging trap debugging
  logging history debugging
  logging facility 16
  logging host inside netmang
  mtu outside 1500
  mtu inside 1500
  mtu perimter1 1500
  mtu perimter2 1500
  mtu perimter3 1500
  mtu perimter4 1500
  ip address outside 222.121.48.75 255.255.255.224
  ip address inside 10.1.8.12 255.255.255.0
  ip address perimter1 127.0.0.1 255.255.255.255
  no ip address perimter2
  no ip address perimter3
  no ip address perimter4
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool local_pool 10.1.58.50-10.1.58.100
  no failover
  failover timeout 0:00:00
  failover poll 15
  no failover ip address outside
  no failover ip address inside
  no failover ip address perimter1
  no failover ip address perimter2
  no failover ip address perimter3
  no failover ip address perimter4
  pdm location 10.1.9.50 255.255.255.255 inside
  pdm location 10.1.9.0 255.255.255.0 inside
  pdm location 10.1.9.0 255.255.255.0 perimter1
  pdm location 10.1.1.253 255.255.255.255 inside
  pdm location 10.1.0.0 255.255.0.0 inside
  pdm location 10.1.1.253 255.255.255.255 perimter1
  pdm location test 255.255.255.0 inside
  pdm location 10.0.0.0 255.252.0.0 inside
  pdm location 10.1.58.0 255.255.255.0 outside
  pdm location netmang 255.255.255.255 inside
  pdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 10.1.8.0 255.255.255.0 0 0
  nat (inside) 0 10.0.0.0 255.252.0.0 0 0
  access-group acl-out in interface inside
  rip inside default version 2
  route outside 0.0.0.0 0.0.0.0 222.121.48.65 1
  route inside 10.1.0.0 255.255.0.0 10.1.8.253 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server jtacs protocol radius
  # the aaa group jtacs uses RADIUS
  aaa-server jtacs (inside) host netmang ddjt2008 timeout 5
  # the RADIUS server's IP address (netmang) and shared key (ddjt2008)
  aaa proxy-limit disable
  aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 jtacs
  # RADIUS accounting through aaa group jtacs
  http server enable
  http 10.1.9.50 255.255.255.255 inside
  snmp-server host inside netmang
  no snmp-server location
  no snmp-server contact
  snmp-server community en9fk5*37
  snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  sysopt radius ignore-secret
  service resetinbound
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication jtacs
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp nat-traversal 20
  # lets IPsec traverse NAT
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup test1 address-pool local_pool
  vpngroup test1 dns-server 10.1.2.1
  vpngroup test1 wins-server 10.1.2.1
  vpngroup test1 default-domain jt
  vpngroup test1 split-tunnel jt1_splitTunnelAcl
  vpngroup test1 idle-time 1800
  vpngroup test1 secure-unit-authentication
  vpngroup test1 user-idle-timeout 18
  vpngroup test1 device-pass-through
  vpngroup test1 password ********
  telnet 10.1.8.0 255.255.255.0 inside
  telnet 10.1.9.0 255.255.255.0 inside
  telnet 10.1.1.253 255.255.255.255 inside
  telnet 10.1.1.253 255.255.255.255 perimter1
  telnet 10.1.1.253 255.255.255.255 perimter2
  telnet 10.1.1.253 255.255.255.255 perimter3
  telnet 10.1.1.253 255.255.255.255 perimter4
  telnet timeout 10
  ssh 10.1.9.0 255.255.255.0 inside
  ssh 10.1.9.0 255.255.255.0 perimter1
  ssh 10.1.9.0 255.255.255.0 perimter2
  ssh 10.1.9.0 255.255.255.0 perimter
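A review pass over the VPDN and AAA settings above, as an added example that is not the article's own code nor Cisco's: a small Python linter run over a constructed excerpt of the configuration (the RADIUS key and SNMP community string replaced by placeholders), flagging the secrets that a shared dump exposes, `sysopt radius ignore-secret`, Telnet management access and the 3DES/MD5 algorithms, and checking that the XAUTH `client authentication` group really has a RADIUS host defined.

```python
"""Lint a PIX 6.3 'show run' excerpt for the VPDN/AAA settings a reviewer
would question. Added example, not code from the article or from Cisco."""
import re

# Constructed excerpt of the article's configuration; the RADIUS shared key
# and the SNMP community string are replaced by obvious placeholders.
PIX_EXCERPT = """\
aaa-server jtacs protocol radius
aaa-server jtacs (inside) host netmang RADIUS_KEY_PLACEHOLDER timeout 5
snmp-server community COMMUNITY_PLACEHOLDER
sysopt radius ignore-secret
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map client authentication jtacs
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
telnet 10.1.8.0 255.255.255.0 inside
ssh 10.1.9.0 255.255.255.0 inside
"""

AAA_HOST = re.compile(r"aaa-server (\S+) \(\S+\) host \S+ (\S+)")
XAUTH = re.compile(r"crypto map \S+ client authentication (\S+)")
WEAK_ALG = re.compile(r"\b(3des|md5)\b")


def lint_pix_config(text):
    """Return a list of (severity, message) findings for a PIX config text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    aaa_hosts = {}  # aaa-server tag -> number of 'host' entries seen
    for ln in lines:
        m = AAA_HOST.match(ln)
        if m:
            aaa_hosts[m.group(1)] = aaa_hosts.get(m.group(1), 0) + 1
            findings.append(("info", f"RADIUS key for aaa group '{m.group(1)}' is in cleartext; scrub it before the dump is shared"))
        if ln.startswith("snmp-server community"):
            findings.append(("info", "SNMP community string is in cleartext; scrub it before the dump is shared"))
        if ln == "sysopt radius ignore-secret":
            findings.append(("medium", "shared-secret check on RADIUS replies is disabled; keep only if the ACS server needs it"))
        if ln.startswith("telnet ") and not ln.startswith("telnet timeout"):
            findings.append(("medium", f"Telnet management allowed: '{ln}'; prefer the ssh entries"))
        if WEAK_ALG.search(ln):
            findings.append(("low", f"3DES/MD5 in '{ln}'; PIX 6.3 also offers aes and sha"))
    # XAUTH must point at an aaa group that actually has a host to query.
    for ln in lines:
        m = XAUTH.match(ln)
        if m and not aaa_hosts.get(m.group(1)):
            findings.append(("high", f"client authentication uses aaa group '{m.group(1)}' but no host is defined for it"))
    return findings
```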
