
An example of implementing a dynamic-address VPN



I have been reading a lot about VPNs lately, and noticed that many vendors are now focusing on site-to-site VPNs for small and medium-sized businesses whose sites sit behind dynamic IP addresses.

Cisco is no exception: starting with IOS 12.3(4)T it can resolve a VPN peer's address dynamically instead of requiring a fixed peer IP.

Let's look at an example.

Cisco IOS 12.3(4)T added a command for establishing a VPN peer by DNS name, so that with a dynamic DNS service such as 希網 (3322.org),

Below is a site-to-site VPN case with one dynamic address; adapt the configuration to your own environment. In this case only the branch's address is dynamic: the branch points `set peer` at the head office's static address, while the head office accepts any peer through a dynamic crypto map with a wildcard pre-shared key, so the DNS-name peer feature is not actually used here. It would be needed if the head-office side were also on a dynamic address.

Head office: PIX 525, ADSL with a static IP, internal network 168.98.0.0/24
Branch: Cisco 2621, ADSL with a dynamic IP, internal network 168.98.1.0/24
Requirements: both head office and branch are connected by VPN and can still reach the Internet; when the branch's 168.98.1.0 segment accesses the head office's 168.98.0.0 segment, the tunnel is established automatically.
Note: 168.98.0.0/24 and 168.98.1.0/24 are not RFC 1918 private ranges; if you reuse this configuration, substitute your own internal addressing.

Head-office firewall configuration:
: Saved
: Written by enable_15 at 16:16:19.510 UTC Sun Jul 25 2004

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name localdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service http2 tcp
port-object eq www
port-object range 9080 9090
access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.d 255.255.255.128

ip address inside 168.98.0.254 255.255.255.0


ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 168.98.0.250 255.255.255.255 inside

pdm location 168.98.1.0 255.255.255.0 outside


pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any object-group http2 any


route outside 0.0.0.0 0.0.0.0 <telecom-gateway-1>
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 168.98.0.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco


crypto map dyn-map interface outside
isakmp enable outside
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 168.98.0.250 255.255.255.255 inside


telnet timeout 5
ssh timeout 5
console timeout 0
username pixuser password 70BnAnxaMBm181Wa encrypted privilege 2

terminal width 80
Cryptochecksum:a44fafd4f70dd9e548cd5fd61a6d20ff

: end

Two things to check on this side before relying on it. First, the dynamic crypto map carries no `match address`, so the PIX accepts whatever proxy identities the branch proposes; the `nonat` access list is the only hub-side statement of which subnets are protected, and it must mirror the branch's crypto ACL. Second, the only conduits permit ICMP and the `http2` TCP ports, and on PIX 6.x decrypted IPsec traffic is still subject to conduit/ACL checks unless `sysopt connection permit-ipsec` is configured; without it, most branch-to-head-office TCP traffic will be dropped after decryption.

Branch router configuration:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $sPqPwW1GX.TXw8RGSHEvqa2.


!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address a.b.c.d

!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac

!
crypto map pix 10 ipsec-isakmp
set peer a.b.c.d
set transform-set pix-set
match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 168.98.1.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1450
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username ddd password 0 ddd
crypto map pix
!
ip nat inside source route-map nonat interface Dialer1 overload

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 deny ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 permit ip 168.98.1.0 0.0.0.255 any

!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
!
end
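To cross-check the two configurations above before bringing the tunnel up, here is an added example in Python; it is not part of the original post and not Cisco code. It parses the crypto-relevant lines of both configs (reproduced inline as constructed samples), verifies that the ISAKMP policy, transform set, pre-shared key and interesting-traffic ACLs agree between head office and branch, and flags the weak choices the posted pair makes: DES, MD5, DH group 1 and the 0.0.0.0 wildcard key. The hardened hub fragment, the key string in it and the assumption that this PIX release accepts aes-256, sha and DH group 5 are mine, not the post's.

```python
"""Cross-check a PIX hub / IOS spoke IPsec pair: do phase 1, phase 2, the
pre-shared key and the interesting-traffic ACLs agree, and what is weak?
Example code; not from the post and not Cisco's."""
import ipaddress
import re

# Constructed samples: the crypto-relevant lines of the two configurations
# in the post (PIX 6.3 head office, IOS 12.3 branch), trimmed to essentials.
PIX_HUB = """\
access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

IOS_SPOKE = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address a.b.c.d
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
crypto map pix 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set pix-set
 match address 101
access-list 101 permit ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
"""

# Hypothetical hardened hub (assumption: this PIX release accepts aes-256, sha
# and DH group 5). The wildcard key stays: a dynamic-address peer cannot be
# keyed by address, and only certificates (rsa-sig) remove that finding.
PIX_HUB_HARDENED = """\
access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0
crypto ipsec transform-set router-set esp-aes-256 esp-sha-hmac
isakmp key Xk9-long-random-secret address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
"""

# Values a Cisco box applies to omitted ISAKMP policy attributes (the branch
# policy above leaves encryption and group at these defaults).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1"}
WEAK_POLICY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_acl(text, name):
    """[(src, dst)] networks from `access-list NAME permit ip S M D M`.
    ipaddress accepts a PIX netmask or an IOS wildcard mask after '/'."""
    pat = re.compile(rf"^access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(text)]


def acls_mirror(hub_acl, spoke_acl):
    """True when every spoke (src, dst) pair exists on the hub as (dst, src)."""
    hub = set(hub_acl)
    return bool(spoke_acl) and all((d, s) in hub for s, d in spoke_acl)


def parse_transform_sets(text):
    """{name: (transform, ...)} from `crypto ipsec transform-set` lines."""
    return {name: tuple(rest.split())
            for name, rest in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M)}


def parse_isakmp_policy(text):
    """First ISAKMP policy, in PIX flat form (`isakmp policy 10 hash md5`)
    or IOS block form (`crypto isakmp policy 1` followed by indented lines)."""
    policy = dict(ISAKMP_DEFAULTS)
    attrs = re.findall(r"^isakmp policy \d+ (encryption|hash|authentication|group) (\S+)", text, re.M)
    block = re.search(r"^crypto isakmp policy \d+\n((?: [^\n]*\n)+)", text, re.M)
    if block:
        attrs += [tuple(line.split(None, 1)) for line in block.group(1).splitlines() if line.strip()]
    for key, value in attrs:
        policy[key] = value.strip()
    return policy


def parse_psks(text):
    """[(key, address, mask)] from PIX `isakmp key` / IOS `crypto isakmp key`."""
    pat = re.compile(r"^(?:crypto )?isakmp key (\S+) address (\S+)(?: (?:netmask )?(\S+))?", re.M)
    return [(k, a, m or None) for k, a, m in pat.findall(text)]


def weak_settings(policy, transforms, psks):
    """Obsolete algorithms plus a wildcard PSK that any Internet host could use."""
    findings = [f"weak-{attr}:{policy[attr]}" for attr, bad in WEAK_POLICY.items() if policy[attr] in bad]
    findings += [f"weak-transform:{name}:{t}" for name, tset in transforms.items() for t in tset if t in WEAK_TRANSFORMS]
    findings += ["wildcard-psk" for _, addr, mask in psks if addr == "0.0.0.0" and mask in (None, "0.0.0.0")]
    return findings


def check_pair(hub_text, spoke_text, hub_acl="nonat", spoke_acl="101"):
    """The pre-flight checks you would run before bringing the tunnel up."""
    hub_pol, spoke_pol = parse_isakmp_policy(hub_text), parse_isakmp_policy(spoke_text)
    hub_ts, spoke_ts = parse_transform_sets(hub_text), parse_transform_sets(spoke_text)
    hub_psk, spoke_psk = parse_psks(hub_text), parse_psks(spoke_text)
    return {
        # Phase 1 fails unless every attribute agrees, defaults included.
        "phase1_match": all(hub_pol[k] == spoke_pol[k] for k in ISAKMP_DEFAULTS),
        # Phase 2 needs the spoke's proposal to equal one of the hub's transform sets.
        "phase2_match": any(set(s) == set(h) for s in spoke_ts.values() for h in hub_ts.values()),
        "psk_match": bool(hub_psk and spoke_psk) and hub_psk[0][0] == spoke_psk[0][0],
        # The hub's dynamic map has no `match address`, so its NAT-exemption
        # ACL is the only hub-side statement of the protected subnets.
        "acl_mirror": acls_mirror(parse_acl(hub_text, hub_acl), parse_acl(spoke_text, spoke_acl)),
        "findings": weak_settings(hub_pol, hub_ts, hub_psk) + weak_settings(spoke_pol, spoke_ts, spoke_psk),
    }


if __name__ == "__main__":
    for label, hub in (("as posted", PIX_HUB), ("hardened hub", PIX_HUB_HARDENED)):
        print(label, check_pair(hub, IOS_SPOKE))
```

Against the pair as posted every agreement check comes back true with eleven weakness findings; against the hardened hub the unchanged branch fails phase 1 and phase 2, which is the point: when you move the head office off DES/MD5/group 1, the branch policy and transform set must move with it, and the branch's implicit defaults (`encryption des`, `group 1`) count as much as the lines it spells out.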