
Two-Site VPN Configuration Example


A VPN configuration for two sites; the router is a Cisco 2610XM.
  
  version 12.2
  service timestamps debug datetime localtime
  service timestamps log datetime localtime
  no service password-encryption
  !
  hostname Router
  !
  no logging buffered
  enable secret 5 $1$gxXJ$xJJKhbeYZS4PTDrZNG8nJ0
  !
  ip subnet-zero
  !
  !
  no ip domain-lookup
  !
  ip audit notify log
  ip audit po max-events 100
  !
  crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key kc#14C11320/yhm-guiyang address 202.232.88.132
  crypto isakmp key kc#14C11320/beijing-guiyang address 218.247.171.165
  crypto isakmp keepalive 10
  !
  !
  crypto ipsec transform-set RTPSET esp-3des esp-md5-hmac
  !
  crypto map RTP 10 ipsec-isakmp
  set peer 202.232.88.132
  set transform-set RTPSET
  match address 100
  crypto map RTP 20 ipsec-isakmp
  set peer 218.247.171.165
  set transform-set RTPSET
  match address 102
  !
  fax interface-type fax-mail
  mta receive maximum-recipients 0
  !
  !
  !
  interface FastEthernet0/0
  ip address xxx.xxx.46.2 255.255.255.224
  ip access-group 101 in
  ip nat outside
  duplex auto
  speed auto
  crypto map RTP
  !
  interface FastEthernet0/1
  ip address 10.78.10.1 255.255.248.0 secondary
  ip address 10.78.9.1 255.255.248.0
  ip nat inside
  duplex auto
  speed auto
  !
  ip nat pool internet 61.243.46.3 61.243.46.3 netmask 255.255.255.224
  ip nat inside source route-map nonat pool internet overload
  ip classless
  ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
  no ip http server
  ip pim bidir-enable
  !
  !
  logging trap debugging
  access-list 10 permit any
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.18.0.0 0.0.255.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.11.8.0 0.0.7.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.11.72.0 0.0.7.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.13.16.0 0.0.7.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.32.8.0 0.0.7.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.32.16.0 0.0.7.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.32.40.0 0.0.7.255
  access-list 100 permit ip 10.78.0.0 0.0.255.255 10.33.16.0 0.0.7.255
  access-list 101 deny 53 any any
  access-list 101 deny 55 any any
  access-list 101 deny 77 any any
  access-list 101 deny pim any any
  access-list 101 permit udp 10.18.100.0 0.0.0.255 any eq snmp
  access-list 101 deny udp any any eq snmp
  access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
  access-list 101 permit tcp 202.232.88.128 0.0.0.63 any eq telnet
  access-list 101 deny tcp any any eq telnet
  access-list 101 permit ip any any
  access-list 101 permit esp any any
  access-list 102 permit ip 10.78.0.0 0.0.255.255 10.79.8.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.18.0.0 0.0.255.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.11.8.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.11.72.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.13.16.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.32.8.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.32.16.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.32.40.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.33.16.0 0.0.7.255
  access-list 110 deny ip 10.78.0.0 0.0.255.255 10.79.8.0 0.0.7.255
  access-list 110 permit ip 10.78.0.0 0.0.255.255 any
  !
  route-map nonat permit 10
  match ip address 110
  !
  snmp-server community public RO
  call rsvp-sync
  !
  !
  mgcp profile default
  !
  mgcp profile defaullogin
  !
  dial-peer cor custom
  !
  !
  !
  !
  banner motd C
  S/N:JMX0636L32C
  
  !
  line con 0
  line aux 0
  password
  login
  modem InOut
  modem autoconfigure type default
  transport input all
  stopbits 1
  speed 115200
  flowcontrol hardware
  line vty 0 4
  password
  login
  !
  !
  end
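
Added example, not part of the original article: on IOS, inside-to-outside NAT is applied before the crypto map check, so every flow permitted by the crypto ACLs (100 and 102) must be denied in the route-map ACL (110) ahead of its permit, otherwise the packet is translated and no longer matches the tunnel. The Python check below runs on an abbreviated copy of the configuration above; it assumes ACL entries are compared textually (no subnet containment) and that every `match ip address` line belongs to the NAT route-map.

```python
import re

# Abbreviated from the page's configuration: two of the eight ACL 100 entries.
SAMPLE = """\
crypto map RTP 10 ipsec-isakmp
 match address 100
crypto map RTP 20 ipsec-isakmp
 match address 102
route-map nonat permit 10
 match ip address 110
access-list 100 permit ip 10.78.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 100 permit ip 10.78.0.0 0.0.255.255 10.11.8.0 0.0.7.255
access-list 102 permit ip 10.78.0.0 0.0.255.255 10.79.8.0 0.0.7.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.18.0.0 0.0.255.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.11.8.0 0.0.7.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.79.8.0 0.0.7.255
access-list 110 permit ip 10.78.0.0 0.0.255.255 any
"""

ACL_RE = re.compile(r"\s*access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)\s*$")

def parse(config):
    """Return (crypto ACL ids, NAT route-map ACL ids, {id: [(action, src, dst)]})."""
    crypto, nat, acls = [], [], {}
    for line in config.splitlines():
        if m := re.match(r"\s*match address (\d+)", line):
            crypto.append(m.group(1))       # crypto map entry
        elif m := re.match(r"\s*match ip address (\d+)", line):
            nat.append(m.group(1))          # route-map entry (assumed: the NAT one)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return crypto, nat, acls

def unexempted_flows(config):
    """Crypto-ACL permits lacking an identical deny before the NAT ACL's first permit."""
    crypto, nat, acls = parse(config)
    exempt = set()
    for acl in nat:
        for action, src, dst in acls.get(acl, []):
            if action == "permit":
                break   # simplification: denies after a permit are treated as ineffective
            exempt.add((src, dst))
    return [(acl, src, dst) for acl in crypto
            for action, src, dst in acls.get(acl, [])
            if action == "permit" and (src, dst) not in exempt]

if __name__ == "__main__":
    print(unexempted_flows(SAMPLE) or "every tunnel flow is exempt from NAT")
```

An empty result means each tunnel flow has its NAT exemption; any tuple returned names the crypto ACL and the source/destination pair that would be translated before encryption.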
Original source: http://blog.chinaunix.net/u/5591/showart_243878.html
Collected and compiled by Linux联盟
