Remote-access VPN between a firewall and a PC
I. Equipment
1. Two Cisco routers, IOS version 12.3 with K9
II. Topology diagram
III. Configuration
1. Basic configuration without split tunneling
! Interfaces: outside (untrusted, security level 0) and inside (trusted, level 100)
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
! Permit ICMP inbound on outside (connectivity testing only)
access-list per-icmp extended permit icmp any any
access-group per-icmp in interface outside
! PAT the inside LAN to the outside interface address
nat (inside) 1 10.10.1.0 255.255.255.0
global (outside) 1 interface
! Default route: the next hop must be the upstream gateway on the outside subnet,
! not the firewall's own address (1.1.1.2 is an assumed value; use the real gateway)
route outside 0.0.0.0 0.0.0.0 1.1.1.2
! NAT exemption: inside LAN to VPN client pool must not be translated
access-list go- extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list go-
! IKE phase 1 policy
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 800
! Address pool handed out to VPN clients
ip local pool pool 192.168.1.1-192.168.1.254
! Remote-access tunnel group; the same group name must be used in every tunnel-group line
tunnel-group ez type ipsec-ra
tunnel-group ez general-attributes
authentication-server-group (outside) LOCAL
address-pool pool
tunnel-group ez ipsec-attributes
pre-shared-key *
! Local user for client authentication ("encrypted" belongs only on an already-hashed value pasted from show run)
username cisco password cisco
! IPsec phase 2: transform set, dynamic crypto map (client addresses are unknown), bound to outside
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto dynamic-map ez-dynamic-map 10 set transform-set ccsp
crypto dynamic-map ez-dynamic-map 10 set reverse-route
crypto map cisco 10 ipsec-isakmp dynamic ez-dynamic-map
crypto map cisco interface outside
2. Split-tunneling configuration
! Networks reached through the tunnel; all other client traffic leaves unencrypted
access-list 888 extended permit ip 10.10.1.0 255.255.255.0 any
group-policy policy internal
group-policy policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 888
! Attach the policy to the tunnel group from section 1
tunnel-group ez general-attributes
default-group-policy policy
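As an added example (not part of the original page), the following Python script parses an ASA-style configuration like the two sections above and reports dangling references: tunnel-group attributes applied to a group name that was never declared with "type ipsec-ra", a remote-access group left without a pre-shared key, and a split-tunnel ACL or default group-policy that does not exist. The sample configuration is constructed for this example and deliberately keeps an "ez"/"myez" name mismatch so the check has something to find.

```python
# Constructed sample mirroring the page's config; the "ez"/"myez" mismatch is kept on purpose
SAMPLE = """\
ip local pool pool 192.168.1.1-192.168.1.254
tunnel-group ez type ipsec-ra
tunnel-group ez general-attributes
 default-group-policy policy
tunnel-group myez ipsec-attributes
 pre-shared-key *
access-list 888 extended permit ip 10.10.1.0 255.255.255.0 any
group-policy policy internal
group-policy policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 888
"""

def parse_blocks(config):
    """Group indented sub-commands under the unindented command above them."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def check_ra_vpn(config):
    """Return dangling-reference findings for an ASA IPsec remote-access VPN config."""
    blocks = parse_blocks(config)
    heads = [h for h, _ in blocks]
    ra_groups = {h.split()[1] for h in heads if h.startswith("tunnel-group ") and h.endswith(" type ipsec-ra")}
    acls = {h.split()[1] for h in heads if h.startswith("access-list ")}
    policies = {h.split()[1] for h in heads if h.startswith("group-policy ") and h.endswith(" internal")}
    findings, psk_groups = [], set()
    for head, subs in blocks:
        w = head.split()
        if w[0] == "tunnel-group" and w[-1] in ("general-attributes", "ipsec-attributes"):
            if w[1] not in ra_groups:  # attributes applied to a group that was never created
                findings.append(f"tunnel-group {w[1]}: not declared with 'type ipsec-ra'")
            if any(s.startswith("pre-shared-key ") for s in subs):
                psk_groups.add(w[1])
        for s in (sub.split() for sub in subs):
            if s[0] == "default-group-policy" and s[1] not in policies:
                findings.append(f"group-policy {s[1]} is not defined")
            if s[:2] == ["split-tunnel-network-list", "value"] and s[2] not in acls:
                findings.append(f"split-tunnel ACL {s[2]} is not defined")
    for g in sorted(ra_groups - psk_groups):  # the typo leaves the real group without a key
        findings.append(f"tunnel-group {g}: no pre-shared-key under ipsec-attributes")
    return findings
```

Running check_ra_vpn on the sample reports both consequences of the name mismatch; once "myez" is corrected to "ez" the list is empty.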