VPN Remote Access
Revision as of 04:47, 21 May 2015; Moiseevvi (talk | contribs) (New page: «Cisco ASA/PIX <code> users------PIX-----------inet | | | | DMZ RemoteAccess VPN us…»)
Cisco ASA/PIX
users------PIX-----------inet
            |  |
            |  |
          DMZ  RemoteAccess VPN
users 10.0.0.0/24
dmz 10.11.12.13/24
inet 212.192.80.150
vpn = users via outside
users -> inet = NAT
users -> dmz = allow
vpn -> users = allow
vpn -> dmz = allow
vpn -> inet = NAT
inet -> dmz = port-forward 4321->22 static nat
pixfirewall# sh run
PIX Version 7.2(1)
!
domain-name psu.ru
!
interface Ethernet0
nameif outside
security-level 0
ip address 212.192.88.150 255.255.255.0
no shut
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shut
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.11.12.1 255.255.255.0
no shut
!
same-security-traffic permit intra-interface
!
object-group network LAN
network-object 10.0.0.0 255.255.255.0
!
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13
!
access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321
access-list LAN extended permit ip object-group LAN any
access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0
ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0
global (outside) 123 interface
nat (outside) 123 access-list LAN
nat (inside) 123 access-list LAN
nat (inside) 0 access-list NO-NAT
nat (dmz) 0 access-list NO-NAT-DMZ
static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255
access-group TO-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 212.192.64.2
vpn-tunnel-protocol IPSec l2tp-ipsec
username cisco password cisco mschap
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map CM 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM
crypto map OUTSIDE interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
address-pool net10
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
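The policy statements above (vpn -> users and vpn -> dmz without NAT, VPN clients drawn from the users' range) only hold if the `nat (inside) 0` exemption ACL covers every address of the `net10` pool toward both destinations. The following script is an added example, not part of the original page: it parses an embedded excerpt of the config shown above (the pool, the NO-NAT ACL and the crypto lines), checks pool coverage, and lists the legacy crypto settings (3DES, SHA-1, DH group 2) a reviewer would flag on this device.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config above: only the lines the check needs.
CONFIG = """
ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
encryption 3des
hash sha
group 2
"""

def _operand(toks):
    """Consume one ACL address operand: 'any', 'host X' or 'X MASK'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_pool(cfg):
    """First and last address of the 'ip local pool' range."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", cfg, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def parse_nat0_pairs(cfg):
    """(src_net, dst_net) pairs from every ACL bound with 'nat (iface) 0'."""
    pairs = []
    for name in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M):
        for rest in re.findall(rf"^access-list {name} extended permit ip (.+)$", cfg, re.M):
            src, toks = _operand(rest.split())
            dst, _ = _operand(toks)
            pairs.append((src, dst))
    return pairs

def pool_exempt_to(cfg, dst):
    """True if every VPN pool address reaches dst without translation."""
    lo, hi = parse_pool(cfg)
    pairs, dst = parse_nat0_pairs(cfg), ipaddress.ip_address(dst)
    return all(any(ipaddress.ip_address(i) in s and dst in d for s, d in pairs)
               for i in range(int(lo), int(hi) + 1))

def legacy_crypto(cfg):
    """Labels of legacy IKE/IPsec settings present in the config."""
    checks = ((r"esp-3des|^encryption 3des$", "3DES"),
              (r"esp-sha-hmac|^hash sha$", "SHA-1"),
              (r"^group 2$", "DH group 2"))
    return [label for pat, label in checks if re.search(pat, cfg, re.M)]
```

Running `pool_exempt_to(CONFIG, "10.11.12.14")` returns False, showing that the exemption is limited to the single DMZ host 10.11.12.13 rather than the whole DMZ subnet.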