蓝森林 http://www.lslnet.com, 26 July 2006, 13:28

Waiting online! PIX 525 VPN: the connection is established, but ping fails....


Below is my PIX 525 configuration. The client is Cisco Systems VPN Client Version 4.0.1 (Rel). Right now my client can dial in to the firewall and obtains the address 192.168.8.1. It can also ping 192.168.2.1, the Layer 3 switch connected below the firewall, and some of the PCs below that Layer 3 switch, but it just cannot ping the PIX 525's inside interface (192.168.2.2). I want to dial in over the VPN from outside and telnet to the PIX 525 to manage it, but right now that does not work, and I don't know what is missing.
Experts, please give me some pointers!!


pixfirewall# show ru
: Saved
:
PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .0Og..3I24sT2LBf encrypted
passwd .0Og..3I24sT2LBf encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq netbios-ssn
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 6667
access-list 101 deny udp any any eq 1025
access-list 101 permit ip any any
access-list no-nat permit ip 192.168.0.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging on
logging trap errors
logging host inside 192.168.0.14
mtu outside 1500
mtu inside 1500
ip address outside 238.52.38.139 255.255.255.248
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dialer 192.168.8.1-192.168.8.200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 238.52.38.141 192.168.15.14 netmask 255.255.255.255 0 0
static (inside,outside) 238.52.38.138 192.168.15.11 netmask 255.255.255.255 0 0
static (inside,outside) 238.52.38.140 192.168.15.52 netmask 255.255.255.255 0 0
access-group 101 in interface inside
conduit permit tcp host 238.52.38.141 eq 8001 any
conduit permit tcp host 238.52.38.141 eq 8014 any
conduit permit tcp host 238.52.38.141 eq 8002 any
conduit permit tcp host 238.52.38.141 eq 9731 any
conduit permit tcp host 238.52.38.141 eq 9732 any
conduit permit tcp host 238.52.38.141 eq 2332 any
conduit permit tcp host 238.52.38.141 eq 9933 any
conduit permit tcp host 238.52.38.141 eq 9934 any
conduit permit icmp any any
conduit permit tcp host 238.52.38.138 eq 4899 any
conduit permit tcp host 238.52.38.141 eq 4899 any
conduit permit tcp host 238.52.38.140 eq 4899 any
conduit permit tcp host 238.52.38.138 eq www any
conduit permit tcp host 238.52.38.138 eq 1433 any
route outside 0.0.0.0 0.0.0.0 238.52.38.137 1
route inside 192.168.0.0 255.255.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.14 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer client configuration address initiate
crypto map vpnpeer client configuration address respond
crypto map vpnpeer client authentication LOCAL
crypto map vpnpeer interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dialer outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup student0 address-pool dialer
vpngroup student0 split-tunnel no-nat
vpngroup student0 idle-time 1800
vpngroup student0 password ********
telnet 192.168.0.14 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 238.52.38.208 255.255.255.248 inside
ssh timeout 5
console timeout 0
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 2
terminal width 80
Cryptochecksum:bd2e43aaf0f68e0aacc921157fdeccf8
: end
pixfirewall#

Below is part of the Layer 3 switch's configuration:
vlan 1
#
vlan 2
#
vlan 3
#
vlan 4
#
vlan 5
#
vlan 6
#
vlan 7
#
vlan 8
#
vlan 9
#
vlan 10
#
vlan 11
#
vlan 12
#
vlan 100
#
interface Vlan-interface2
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface3
ip address 192.168.2.1 255.255.255.0
#
interface Vlan-interface4
ip address 192.168.3.1 255.255.255.0
#
interface Vlan-interface5
ip address 192.168.0.1 255.255.255.0
#
interface Vlan-interface6
ip address 192.168.6.1 255.255.255.0
#
interface Vlan-interface7
ip address 192.168.7.1 255.255.255.0
#
interface Vlan-interface8
ip address 192.168.15.1 255.255.255.0
#
interface Vlan-interface9
ip address 192.168.9.1 255.255.255.0
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface11
ip address 192.168.11.1 255.255.255.0
#
interface Vlan-interface12
ip address 192.168.12.1 255.255.255.0
---- More ----

Bump

BUMP AGAIN

Telnet to the switch first, then telnet to the PIX from inside the switch.

Originally posted by 麦客属马
Telnet to the switch first, then telnet to the PIX from inside the switch.
Thanks, moderator, heh. That is exactly what I did, and it does work, but I just want to understand why I can't ping it directly.
How can I get ping to work?

It looks like your PIX configuration has nothing that allows IPs in the 192.168.8.0 network to telnet in.

Originally posted by blueflying
It looks like your PIX configuration has nothing that allows IPs in the 192.168.8.0 network to telnet in.
access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.8.0 255.255.255.0: this line should do it, shouldn't it? If not, how should it be written? Thanks in advance.
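Added here as an editor's example, not code from the thread: a small Python checker that parses the relevant lines of the PIX 6.3 config pasted above and reports, for one VPN pool address, whether the telnet and ssh lines admit it on the inside interface, whether the nat 0 exemption covers traffic from an inside host back to it, and whether a management-access line is present. The management-access command (PIX 6.3, for managing an interface other than the one a tunnel terminates on) comes from my own knowledge, not from the thread, and the 192.168.15.14 check is my own addition to show a network the no-nat list does not cover.

```python
import ipaddress
import re
# Constructed excerpt of the PIX 6.3 config pasted in the thread (only the lines checked).
PIX_CONFIG = """\
ip address inside 192.168.2.2 255.255.255.0
ip local pool dialer 192.168.8.1-192.168.8.200
access-list no-nat permit ip 192.168.0.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list no-nat
telnet 192.168.0.14 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
ssh 238.52.38.208 255.255.255.248 inside
"""

def net(addr, mask):
    """Network from PIX 'address mask' notation; host bits in addr are tolerated."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def mgmt_allowed(config, proto, client_ip, interface):
    """True if some '<proto> <addr> <mask> <if>' line admits client_ip on that interface."""
    pat = re.compile(rf"^{proto} (\S+) (\S+) (\S+)$", re.M)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net(a, m) and ifc == interface for a, m, ifc in pat.findall(config))

def pool_contains(config, client_ip):
    """True if client_ip lies in the 'ip local pool' range handed out to VPN clients."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+)$", config, re.M).groups()
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(client_ip) <= ipaddress.ip_address(hi)

def nat_exempt(config, inside_ip, client_ip):
    """True if a no-nat line matches inside_ip -> client_ip, so 'nat (inside) 0' skips translation."""
    pat = re.compile(r"^access-list no-nat permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    src, dst = ipaddress.ip_address(inside_ip), ipaddress.ip_address(client_ip)
    return any(src in net(a, m) and dst in net(b, n) for a, m, b, n in pat.findall(config))

def has_management_access(config, interface):
    """True if 'management-access <if>' is present (it is not in the thread's config)."""
    return re.search(rf"^management-access {interface}$", config, re.M) is not None

def report(config, client_ip="192.168.8.1"):
    """What the config permits for one VPN client address, for a quick read."""
    return {
        "in_pool": pool_contains(config, client_ip),
        "telnet_inside": mgmt_allowed(config, "telnet", client_ip, "inside"),
        "ssh_inside": mgmt_allowed(config, "ssh", client_ip, "inside"),
        "nat_exempt_from_l3_switch": nat_exempt(config, "192.168.2.1", client_ip),
        "nat_exempt_from_192.168.15.14": nat_exempt(config, "192.168.15.14", client_ip),
        "management_access_inside": has_management_access(config, "inside"),
    }
```

Run against the pasted lines, the checker shows the pool address 192.168.8.1 is already covered by the telnet 192.168.0.0 255.255.0.0 inside line, while the no-nat list covers 192.168.0.0/24 and 192.168.2.0/24 but not 192.168.15.0/24.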

Bump

Is there a topology diagram? I'd like to learn from it. Thanks!

