VPN Remote Access

Материал из wiki
Версия от 04:47, 21 мая 2015; Moiseevvi (обсуждение | вклад) (Новая страница: «Cisco ASA/PIX <code> users------PIX-----------inet | | | | DMZ RemoteAccess VPN us…»)
(разн.) ← Предыдущая | Текущая версия (разн.) | Следующая → (разн.)
Перейти к: навигация, поиск

Cisco ASA/PIX

  users------PIX-----------inet
              |              |
              |              |
             DMZ          RemoteAccess VPN

users 10.0.0.0/24
dmz   10.11.12.13/24
inet  212.192.80.150
vpn = users via outside

users -> inet = NAT
users -> dmz = allow
vpn   -> users = allow
vpn   -> dmz = allow
vpn   -> inet = NAT
inet  -> dmz = port-forward 4321->22 static nat 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

pixfirewall# sh run
PIX Version 7.2(1) 
!
domain-name psu.ru
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 212.192.88.150 255.255.255.0 
 no shut
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 no shut
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.11.12.1 255.255.255.0 
 no shut
!
same-security-traffic permit intra-interface
!
object-group network LAN
 network-object 10.0.0.0 255.255.255.0
!
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13 
!
access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321 
access-list LAN extended permit ip object-group LAN any 
access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0 

ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0

global (outside) 123 interface
nat (outside) 123 access-list LAN
nat (inside) 123 access-list LAN

nat (inside) 0 access-list NO-NAT
nat (dmz) 0 access-list NO-NAT-DMZ

static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255 

access-group TO-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 212.192.64.2
 vpn-tunnel-protocol IPSec l2tp-ipsec 

username cisco password cisco mschap

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map CM 65535 set transform-set TRANS_ESP_3DES_SHA

crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM
crypto map OUTSIDE interface outside

crypto isakmp identity address 
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

tunnel-group DefaultRAGroup general-attributes
 address-pool net10
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

policy-map global_policy
 class inspection_default
  inspect icmp 
!
service-policy global_policy global