两个点的VPN配置实例

来源： 作者： 出处：Vlan9.com 2007-07-30 进入论坛

• 关 键 词：
• telnet
• ipsec
• snmp
• http

　　一个两个点的VPN配置，Router Cisco 2610XM．
　　
　　version 12.2
　　service timestamps debug datetime localtime
　　service timestamps log datetime localtime
　　no service password-encryption
　　!
　　hostname Router
　　!
　　no logging buffered
　　enable secret 5 $1$gxXJ$xJJKhbeYZS4PTDrZNG8nJ0
　　!
　　ip subnet-zero
　　!
　　!
　　no ip domain-lookup
　　!
　　ip audit notify log
　　ip audit po max-events 100
　　!
　　crypto isakmp policy 1
　　encr 3des
　　hash md5
　　authentication pre-share
　　group 2
　　crypto isakmp key kc#14C11320/yhm-guiyang address 202.232.88.132
　　crypto isakmp key kc#14C11320/beijing-guiyang address 218.247.171.165
　　crypto isakmp keepalive 10
　　!
　　!
　　crypto ipsec transform-set RTPSET esp-3des esp-md5-hmac
　　!
　　crypto map RTP 10 ipsec-isakmp
　　set peer 202.232.88.132
　　set transform-set RTPSET
　　match address 100
　　crypto map RTP 20 ipsec-isakmp
　　set peer 218.247.171.165
　　set transform-set RTPSET
　　match address 102
　　!
　　!
　　!
　　!
　　!
　　!
　　!
　　!
　　fax interface-type fax-mail
　　mta receive maximum-recipients 0
　　!
　　!
　　!
　　!
　　interface FastEthernet0/0
　　ip address xxx.xxx.46.2 255.255.255.224
　　ip access-group 101 in
　　ip nat outside
　　duplex auto
　　speed auto
　　crypto map RTP
　　!
　　interface FastEthernet0/1
　　ip address 10.78.10.1 255.255.248.0 secondary
　　ip address 10.78.9.1 255.255.248.0
　　ip nat inside
　　duplex auto
　　speed auto
　　!
　　ip nat pool internet 61.243.46.3 61.243.46.3 netmask 255.255.255.224
　　ip nat inside source route-map nonat pool internet overload
　　ip classless
　　ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
　　no ip http server
　　ip pim bidir-enable
　　!
　　!
　　logging trap debugging
　　access-list 10 permit any
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.18.0.0 0.0.255.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.11.8.0 0.0.7.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.11.72.0 0.0.7.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.13.16.0 0.0.7.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.32.8.0 0.0.7.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.32.16.0 0.0.7.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.32.40.0 0.0.7.255
　　access-list 100 permit ip 10.78.0.0 0.0.255.255 10.33.16.0 0.0.7.255
　　access-list 101 deny 53 any any
　　access-list 101 deny 55 any any
　　access-list 101 deny 77 any any
　　access-list 101 deny pim any any
　　access-list 101 permit udp 10.18.100.0 0.0.0.255 any eq snmp
　　access-list 101 deny udp any any eq snmp
　　access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
　　access-list 101 permit tcp 202.232.88.128 0.0.0.63 any eq telnet
　　access-list 101 deny tcp any any eq telnet
　　access-list 101 permit ip any any
　　access-list 101 permit esp any any
　　access-list 102 permit ip 10.78.0.0 0.0.255.255 10.79.8.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.18.0.0 0.0.255.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.11.8.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.11.72.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.13.16.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.32.8.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.32.16.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.32.40.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.33.16.0 0.0.7.255
　　access-list 110 deny ip 10.78.0.0 0.0.255.255 10.79.8.0 0.0.7.255
　　access-list 110 permit ip 10.78.0.0 0.0.255.255 any
　　!
　　route-map nonat permit 10
　　match ip address 110
　　!
　　snmp-server community public RO
　　call rsvp-sync
　　!
　　!
　　mgcp profile default
　　!
　　mgcp profile defaullogin
　　!
　　dial-peer cor custom
　　!
　　!
　　!
　　!
　　banner motd C
　　S/N:JMX0636L32C
　　
　　!
　　line con 0
　　line aux 0
　　password
　　login
　　modem InOut
　　modem autoconfigure type default
　　transport input all
　　stopbits 1
　　speed 115200
　　flowcontrol hardware
　　line vty 0 4
　　password
　　login
　　!
　　!
　　end 更多请看Cisco与华为技术网（Vlan9.com）VPN技术、SSL VPN详细知识介绍专题专题，或进入论坛讨论。