Cisco 5505 PPTP Passthru 配置帮助

网络工程 思科-ASA
2022-02-19 00:29:49

我是 5505 的新手,正在配置它们。我有几本书和网络作为研究工具,但还没有完全理解整个事情。我更擅长逆向工程,而不是初始配置。我正在尝试把远程访问 PPTP VPN 连接终止在我内部的 Win 2012 RRAS 服务器上。我知道我需要允许 GRE 和 PPTP 1723 直通,并把 1723 端口转发到 Win 2012 的内部 IP。遗憾的是,具体如何在配置中实现这一点,正是我卡住的地方。以下是我的配置,如果有人能为我详细写出来,我将不胜感激。提前致谢。请注意,我已经通过 ASDM 跑过了 IPSec 和 AnyConnect 向导,配置也在那里,但它不起作用;而且我更愿意把 Win 2012 RRAS 服务器用于 PPTP,因为客户端工作站已经为其配置好了。此外,ISP 只给了我一个公共 IP。

! NOTE(review): this is a running-config pasted into a public forum. The
! `enable password`, `passwd` and `username` lines below still carry the
! device's real credential hashes; treat those credentials as disclosed,
! change them, and redact such lines before sharing a config. Public and
! DC addresses were hand-replaced with placeholders (1.outside.ip.1 etc.);
! the same discipline should be applied to secrets.
! NOTE(review): on the question itself -- PPTP (MS-CHAPv2 / MPPE) is widely
! regarded as broken and is not worth adding new exposure for. RRAS also
! terminates L2TP/IPsec and SSTP, and this ASA already has an IKEv1
! remote-access tunnel-group configured; prefer one of those. If PPTP
! pass-through is still wanted on 8.2, it is not present anywhere in this
! config: there is no `static` PAT for tcp/1723 to the RRAS host, no
! outside ACL / `access-group` permitting tcp/1723 and gre inbound, and no
! `inspect pptp` in the global policy (needed so the GRE data channel is
! tracked through the single-IP PAT). See the notes at `global (outside)`
! and at `policy-map global_policy`.
ASA Version 8.2(5)

hostname ciscoasa

! Credential hashes exposed by this post -- rotate them (see note above).
enable password uXZJvr7TNDFcspD4 encrypted

passwd uXZJvr7TNDFcspD4 encrypted

names

! Physical ports: 0/0 is placed in VLAN 2 (outside), 0/7 in VLAN 5 (dmz).
! The remaining ports are not shown with an access VLAN; presumably they sit
! in the default VLAN 1 (inside) -- confirm with `show switch vlan`.
interface Ethernet0/0

 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/7

 switchport access vlan 5

! inside: 192.168.1.0/24, highest security level.
interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

! outside: static public address (placeholder). Because it is static, the
! `dhcpd auto_config outside` line further down has nothing to import.
interface Vlan2

 nameif outside

 security-level 0

 ip address 1.outside.ip.1 255.255.255.0

! dmz: 192.168.2.0/24. Nothing else in this config references it yet.
interface Vlan5

 nameif dmz

 security-level 50

 ip address 192.168.2.1 255.255.255.0

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

! Split-tunnel list for the domainVPN group: only 192.168.1.0/24 is sent
! through the tunnel; all other client traffic goes direct.
access-list domainVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

! NAT exemption for traffic from the inside subnet to the VPN client pool
! (192.168.1.224/29 covers the pool 192.168.1.225-230 defined below).
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.224 
255.255.255.248

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

! NOTE(review): the VPN pool is carved out of the inside subnet itself.
! The inside DHCP scope below (192.168.1.5-192.168.1.254) overlaps this
! range, so a LAN host and a VPN client can be handed the same address.
! Either shrink the DHCP scope to stop below .225 or move the pool to a
! separate subnet.
ip local pool VPN_IP_Pool 192.168.1.225-192.168.1.230 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

! Outbound PAT: everything from inside is translated to the outside
! interface address (the single ISP-provided IP). NAT exemption (nat 0)
! takes precedence for inside<->VPN-pool traffic.
! NOTE(review): this is where the requested PPTP forward is missing. With
! one public IP the RRAS server can only be reached via a port-level
! `static (inside,outside) tcp interface 1723 <RRAS-INSIDE-IP> 1723 netmask
! 255.255.255.255` (RRAS address is not given in this post -- placeholder),
! an outside ACL permitting tcp/1723 and gre to the outside interface,
! applied with `access-group <acl> in interface outside`, and `inspect pptp`
! in the global policy. No `access-group` exists at all right now, so all
! unsolicited inbound traffic is dropped by default.
global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

! Default route via the ISP gateway (placeholder address).
route outside 0.0.0.0 0.0.0.0 1.outside.gateway.ip.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

! ASDM/HTTPS management: enabled, but only reachable from the inside
! subnet. Keep it that way; do not add an `http ... outside` line.
http server enable

http 192.168.1.0 255.255.255.0 inside

! SNMP traps are enabled but no community or trap host is shown in this
! paste; presumably not actually in use -- confirm.
no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

! NOTE(review): ASDM-wizard default transform sets. DES, 3DES and MD5 are
! legacy algorithms; once the client set is known, keep only the AES/SHA
! sets and drop the rest so a downgrade cannot be negotiated.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

! Dynamic crypto map for remote-access clients. PFS uses group1 (768-bit
! DH) -- the weakest option; group2 or higher is preferable. The
! transform-set list below was wrapped by the forum, it is one command.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-
AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA 
ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

! Smart Call Home CA trustpoint. The certificate hex blob was truncated to
! its first line in this paste; the full chain is not needed for the
! question.
crypto ca trustpoint _SmartCallHome_ServerCA

 crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

! IKEv1 phase 1: pre-shared key, 3DES/SHA1, DH group 2. Works with legacy
! clients but 3DES and group 2 are legacy choices; prefer AES and a larger
! DH group where the client supports them.
crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

! NOTE(review): telnet is cleartext management. SSH from the same inside
! subnet is enabled just below, so `no telnet 192.168.1.0 255.255.255.0
! inside` loses nothing.
telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 10

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

! Console sessions never time out (0 = disabled).
console timeout 0

! Inside DHCP scope. NOTE(review): overlaps VPN_IP_Pool (.225-.230), see
! the note at `ip local pool`.
dhcpd auto_config outside

dhcpd address 192.168.1.5-192.168.1.254 inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

! Clientless/AnyConnect portal is listening on the outside interface.
webvpn

 enable outside

 svc enable

! Group policy for the IPsec remote-access users: WINS/DNS placeholders,
! IPsec only, split tunnel limited to the inside subnet.
group-policy domainVPN internal

group-policy domainVPN attributes

 wins-server value 1.inside.dc.ip.1 1.inside.dc2.1

 dns-server value 1.inside.dc.ip.1 1.inside.dc2.1

 vpn-tunnel-protocol IPSec

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value domainVPN_splitTunnelAcl

 default-domain value domain.local

! Default group policy permits every tunnel type, including l2tp-ipsec --
! relevant if RRAS is replaced by the ASA for remote access.
group-policy DfltGrpPolicy attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

! Local VPN user (name is literally "username", possibly redacted).
! Password hash exposed by this post -- rotate it. privilege 0 keeps it
! out of the CLI.
username username password 6phXKPxOcSDjp7J7 encrypted privilege 0

username username attributes

 vpn-group-policy domainVPN

! IKEv1 remote-access tunnel-group; PSK is masked in the output.
tunnel-group domainVPN type remote-access

tunnel-group domainVPN general-attributes

 address-pool VPN_IP_Pool

 default-group-policy domainVPN

tunnel-group domainVPN ipsec-attributes

 pre-shared-key *****

! AnyConnect tunnel-group: no `default-group-policy`, so it presumably
! inherits DfltGrpPolicy (all tunnel protocols, no split tunnel) -- confirm.
tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

 address-pool VPN_IP_Pool

class-map inspection_default

 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

! Default inspection set. NOTE(review): `inspect pptp` is absent; without
! it the GRE data channel of a PPTP session is not associated with the
! tcp/1723 control connection and will not pass through the interface PAT.
! It belongs under `class inspection_default` alongside the lines below.
policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context