Cisco PIX 515E-R IKE configuration example
2006-04-03 12:37:44 Source: WEB开发网
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
access-group 104 in interface outside
route outside 0.0.0.0 0.0.0.0 202.108.48.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.110 cisco123 timeout 10 // specify the RADIUS server IP and key
aaa-server parnerauth protocol tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication partnerauth // authenticate VPN users through RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10 // this line lets users behind NAT pass through the PIX; a feature new in 6.3, e.g. it solves VPN dial-in from a NATed LAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool pccw // below I created two groups; if each group needs a fixed IP assigned, the only way is to create a Group per user. Sigh, customers who ask for this are a torment :(
vpngroup vpn3000 dns-server 202.96.134.133
vpngroup vpn3000 split-tunnel 102
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup link address-pool pccw02
vpngroup link split-tunnel 102
vpngroup link idle-time 1800
vpngroup link password ********
telnet 192.168.32.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:81630e6f8040b488f6c2e6c6ff872804
: end
[OK]
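As an added example (not from the original page), the following Python script reads a PIX 6.x dump like the one above and flags the settings a reviewer would want changed: single DES and MD5 in the IKE policy and the IPsec transform set, DH group 2, the default SNMP community, Telnet management permitted from the outside interface, the RADIUS shared secret sitting in cleartext, and an AAA group that is defined but never given a host, which is exactly what a misspelled group name produces. The sample config embedded in the script is a constructed excerpt modeled on the dump; the severity labels, the weak-algorithm sets and the `audit_pix_config` function name are this example's own assumptions.

```python
"""Audit a Cisco PIX 6.x configuration dump for weak crypto and risky
management-plane settings.  Added example, not code from the original page."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weak/legacy choices (example's own lists, not from the page).
WEAK_ENCRYPTION = {"des", "3des"}           # single DES is brute-forceable; 3DES is deprecated
WEAK_HASH = {"md5"}
WEAK_DH_GROUP = {"1", "2"}                  # 768- and 1024-bit MODP groups
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
DEFAULT_COMMUNITIES = {"public", "private"}
BUILTIN_AAA_GROUPS = {"TACACS+", "RADIUS", "LOCAL"}   # predefined on PIX, no host expected

# Constructed sample, modeled on the page's dump (not a verbatim copy).
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.110 cisco123 timeout 10
aaa-server parnerauth protocol tacacs+
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap client authentication partnerauth
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.32.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 inside
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium", "low" or "info"
    lineno: int
    message: str


def audit_pix_config(text: str) -> List[Finding]:
    """Return the findings for one config dump, in the order they are detected."""
    findings: List[Finding] = []
    aaa_groups: Dict[str, Tuple[int, bool]] = {}   # group name -> (line defined, has a host)
    auth_refs: List[Tuple[int, str]] = []          # "crypto map ... client authentication X"

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()       # drop trailing "//" annotations like the page's
        if not line:
            continue
        tok = line.split()

        if tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            policy, attr, value = tok[2], tok[3], tok[4].lower()
            if attr == "encryption" and value in WEAK_ENCRYPTION:
                findings.append(Finding("high", lineno, f"isakmp policy {policy}: weak encryption '{value}'"))
            elif attr == "hash" and value in WEAK_HASH:
                findings.append(Finding("high", lineno, f"isakmp policy {policy}: weak hash '{value}'"))
            elif attr == "group" and value in WEAK_DH_GROUP:
                findings.append(Finding("medium", lineno, f"isakmp policy {policy}: weak DH group {value}"))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            weak = [t for t in tok[4:] if t.lower() in WEAK_TRANSFORMS]
            if weak:
                findings.append(Finding("high", lineno, f"transform-set {tok[3]}: weak transforms {', '.join(weak)}"))
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            if tok[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", lineno, f"SNMP community '{tok[2]}' is a well-known default"))
        elif tok[0] == "telnet" and len(tok) >= 4 and tok[3] == "outside":
            findings.append(Finding("high", lineno, f"telnet management permitted from outside ({tok[1]} {tok[2]})"))
        elif tok[0] == "aaa-server" and len(tok) >= 3:
            name = tok[1]
            if tok[2] == "protocol":
                aaa_groups.setdefault(name, (lineno, False))
            elif tok[2].startswith("(") and "host" in tok:
                first_line = aaa_groups.get(name, (lineno, False))[0]
                aaa_groups[name] = (first_line, True)
                findings.append(Finding("info", lineno, f"aaa-server {name}: shared secret is stored in cleartext"))
        elif tok[:2] == ["crypto", "map"] and tok[3:5] == ["client", "authentication"] and len(tok) >= 6:
            auth_refs.append((lineno, tok[5]))

    # Cross-line consistency: a referenced AAA group must exist and have a host,
    # and a custom group with no host that nothing references is probably a typo.
    referenced = {name for _, name in auth_refs}
    for lineno, name in auth_refs:
        if name not in aaa_groups:
            findings.append(Finding("high", lineno, f"crypto map references undefined aaa-server group '{name}'"))
        elif not aaa_groups[name][1]:
            findings.append(Finding("high", lineno, f"aaa-server group '{name}' has no host; VPN authentication would fail"))
    for name, (lineno, has_host) in aaa_groups.items():
        if not has_host and name not in referenced and name not in BUILTIN_AAA_GROUPS:
            findings.append(Finding("low", lineno, f"aaa-server group '{name}' has no host and is never used (possible typo)"))
    return findings


if __name__ == "__main__":
    for f in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{f.severity:<6}] line {f.lineno}: {f.message}")
```

Run it as-is to see the findings for the sample; point `audit_pix_config` at the text of a `show config` to audit a real dump. The checks are deliberately line-oriented, since PIX 6.x config is flat and each statement is self-contained, with the AAA cross-reference done in a second pass because the group definition, its host and the crypto map reference can appear anywhere in the dump.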