#1、配置easy server启动aaa认证
7200B(config)#username fenghao privilege 15 password 0 cisco
7200B(config)#aaa new-model
7200B(config)#aaa authentication login  ***_xauth_list local  
7200B(config)#aaa authorization  exec  default local
7200B(config)#aaa authorization  network  ***_group_list local
7200B(config)#aaa session-id  common
#2、IKE阶段1.
7200B(config)#crypto  isakmp  policy  1
7200B(config-isakmp)#encryption  aes 128 
7200B(config-isakmp)#authentication pre-share
7200B(config-isakmp)#group 2
#注意,这里不需要用crypto isakmp key单独设置预共享密钥:Easy VPN客户端使用的预共享密钥就是下面第3步组策略里的key
#3、IKE阶段1.5
7200B(config)#crypto isakmp xauth timeout  15
7200B(config)#crypto isakmp client configuration group it   #注意:it是组名,与客户端Group Authentication里的Name一致
7200B(config-isakmp-group)#key cisco                        #组预共享密钥,即客户端Group Authentication里填的Password(不是用户的Xauth登录密码)
7200B(config-isakmp-group)#dns 192.168.1.103                #dns服务器IP
7200B(config-isakmp-group)#pool client_pool                 #client分配的IP地址池
7200B(config)#ip local  pool client_pool  172.16.1.100 172.16.1.200  #设置池范围
#4、IKE阶段2
7200B(config)#crypto  ipsec  transform-set fenghao esp-aes 128 esp-sha-hmac
#5、动态映射
7200B(config)#crypto dynamic-map  fenghao_dynmap 1
7200B(config-crypto-map)#set  transform-set  fenghao
7200B(config-crypto-map)#reverse-route
7200B(config)#crypto  map fenghao_map client  authentication list ***_xauth_list
7200B(config)#crypto  map fenghao_map isakmp authorization  list ***_group_list
7200B(config)#crypto map fenghao_map client configuration  address respond
7200B(config)#crypto map fenghao_map 10 ipsec-isakmp  dynamic fenghao_dynmap
#6、应用映射到接口
7200B(config-if)#crypto map  fenghao_map                #接口为VPN的入口
#OK,到此完毕!
Client端设置
Host:应用了crypto map的接口的地址,我的是192.168.1.101
Group Authentication
Name:it
Password:cisco
Confirm Password:cisco
暂时不支持切分通道(split tunneling):组策略里没有配置acl,客户端连接后所有流量都走隧道!
以下是我的show run
7200B#show run
Building configuration...
Current configuration : 1844 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off: every password and key in this listing is shown
! exactly as it was typed (user, enable, group key and vty all use "cisco").
no service password-encryption
!
hostname 7200B
!
boot-start-marker
boot-end-marker
!
! "enable password" keeps the value readable in the config;
! "enable secret" stores a hash instead.
enable password cisco
!
aaa new-model
!
!
! Xauth user logins (authentication login) and the group policy lookup
! (authorization network) are both resolved locally on this router.
! The list names only need to match the "crypto map ... list" lines further down.
! NOTE(review): the "***" in the names looks like masking applied by the
! publishing site - confirm the real list names before reusing this config.
aaa authentication login ***_xauth_list local
aaa authorization exec default local
aaa authorization network ***_group_list local
aaa session-id common
ip subnet-zero
!        
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
! Local account checked by the Xauth list; "password 0" marks the password as
! stored unencrypted. It is also a privilege-15 account, so with
! "aaa authorization exec default local" the VPN login doubles as a full admin login.
username fenghao privilege 15 password 0 cisco
!
!
!
! IKE phase 1 proposal: AES (entered as "aes 128" in the transcript above),
! pre-shared-key authentication, Diffie-Hellman group 2.
! No "hash" line is shown, so the release default applies (SHA-1 - TODO confirm).
! NOTE(review): group 2 is a 1024-bit group; prefer a larger group where the
! clients support one.
! The xauth timeout is the number of seconds the client has to answer the
! username/password prompt.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2 
crypto isakmp xauth timeout 15
!
! Easy VPN group policy for group "it". "key" is the group pre-shared key the
! client enters under Group Authentication; it is shared by every user of the
! group, so its strength bounds the strength of phase 1 for all of them.
! No "acl" line is present, which matches the author's remark that split
! tunneling is not set up.
crypto isakmp client configuration group it
 key cisco
 dns 192.168.1.103
 pool client_pool
!
!
! IPsec phase 2: ESP with AES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set fenghao esp-aes esp-sha-hmac
!
! Dynamic map entry for peers whose address is not known in advance.
! reverse-route makes the router install a route for each connected client.
crypto dynamic-map fenghao_dynmap 1
 set transform-set fenghao
 reverse-route
!
!
! Binds the map to the two AAA lists above, answers client address requests
! (mode config "respond"), and attaches the dynamic map at sequence 10.
crypto map fenghao_map client authentication list ***_xauth_list
crypto map fenghao_map isakmp authorization list ***_group_list
crypto map fenghao_map client configuration address respond
crypto map fenghao_map 10 ipsec-isakmp dynamic fenghao_dynmap
!
!
!        
!
! Interface that terminates the client tunnels.
! NOTE(review): the client section of this page gives the host as
! 192.168.1.101, while this interface is 192.168.10.101 - confirm which is right.
interface FastEthernet0/0
 ip address 192.168.10.101 255.255.255.0
 duplex half
 crypto map fenghao_map
!
interface Serial1/0
 ip address 192.168.100.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
! Address range handed to clients; referenced by "pool client_pool" in the group.
ip local pool client_pool 172.16.1.100 172.16.1.200
ip classless
! The HTTP management server is on and the HTTPS server is off, so any web
! management traffic is unencrypted. Nothing in the VPN setup above refers to
! it; NOTE(review): turn it off if it is not used.
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
! "exec-timeout 0 0" disables the idle timeout on every vty line, so an
! abandoned session never closes. No access-class or "transport input"
! restriction is shown on these lines.
! NOTE(review): with "aaa new-model" enabled, confirm whether the line
! password or the local user database is what actually gates vty login.
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
line vty 5 1869
 exec-timeout 0 0
 password cisco
 logging synchronous
!
!
end