8. Remote dial-in ×××

The related ASA configuration commands are as follows:

access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remote***_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list ***client_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0

group-policy remote*** attributes
 dns-server value 202.96.128.68 192.168.40.16
 default-domain value test.com.cn
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

tunnel-group remote*** type ipsec-ra
tunnel-group remote*** general-attributes
 address-pool dialuserIP
 default-group-policy remote***
tunnel-group remote*** ipsec-attributes
 pre-shared-key *


The client settings are as follows:

9. Syslog server configuration

logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown
 ***-simultaneous-logins 3


10. SNMP network management configuration

snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart

Note: 192.168.40.47 can only manage the device after it has been specified as an SNMP host.
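As an added example (not part of the original post), the following Python script audits an ASA excerpt assembled from the transform-set, dynamic-map and SNMP lines in sections 8 and 10 above: it flags transform sets that use DES, 3DES or MD5, dynamic-map entries without PFS, and SNMPv1/v2c community strings, which cross the network in cleartext. The WEAK_ALGS set and the audit_asa_config function are this example's own, not a Cisco tool or anything from the page.

```python
# Added example (not from the original post): audit an ASA configuration
# excerpt for weak transform sets, cleartext SNMP communities and missing PFS.
# Algorithms that should no longer appear in IPsec transform sets.
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample, assembled from the snippets on this page.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
snmp-server host inside 192.168.40.47 community testsnmp
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""

def audit_asa_config(text):
    """Return a list of findings (strings) for an ASA configuration excerpt."""
    findings = []
    transform_sets = {}  # name -> list of algorithms
    dyn_maps = {}        # (map name, seq) -> {"pfs": bool, "ts": [set names]}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) > 4:
            transform_sets[parts[3]] = parts[4:]
        elif parts[:2] == ["crypto", "dynamic-map"] and len(parts) > 5 and parts[4] == "set":
            entry = dyn_maps.setdefault((parts[2], parts[3]), {"pfs": False, "ts": []})
            if parts[5] == "pfs":
                entry["pfs"] = True
            elif parts[5] == "transform-set":
                entry["ts"].extend(parts[6:])
        elif parts[:1] == ["snmp-server"] and "community" in parts[:-1]:
            community = parts[parts.index("community") + 1]
            findings.append(f"SNMPv1/v2c community string '{community}' travels in cleartext; "
                            "prefer SNMPv3 with authentication and privacy")
    # Weak sets bound to a map affect live tunnels; unused ones are still reported
    # because a later map entry can select them.
    referenced = {name for entry in dyn_maps.values() for name in entry["ts"]}
    for name, algs in transform_sets.items():
        weak = sorted(set(algs) & WEAK_ALGS)
        if weak:
            use = "in use" if name in referenced else "defined but unused"
            findings.append(f"transform-set {name} ({use}) uses weak algorithm(s): {', '.join(weak)}")
    for (map_name, seq), entry in dyn_maps.items():
        if not entry["pfs"]:
            findings.append(f"dynamic-map {map_name} {seq} has no PFS; add 'set pfs'")
    return findings
```

Running audit_asa_config(SAMPLE_CONFIG) reports five findings for the page's own lines: two cleartext community strings and three weak transform sets (only ESP-3DES-SHA is actually bound to the dynamic map).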

 

11. ACS configuration

Post-install management: http://ip:2002. Through ACS, authorization, authentication and many other functions can be configured.

Omitted for now because there is too much content.
12. AAA configuration

AAA server configuration:

aaa-server radius_dg host dc03.xxxx.com
 key dfdfdfdf146**U
 authentication-port 1812
 accounting-port 1813
 radius-common-pw dfdfdfdf146**U

Configuration for dial-in ***:

tunnel-group vg_testerp general-attributes
 address-pool cisco***user
 authentication-server-group radius_dg
 default-group-policy vg_testerp


13. Upgrading the IOS

copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin (used when there are multiple images)


14. Miscellaneous problems

1) The peer's gateway cannot be pinged from the remote subnet, e.g. 192.168.40.251 cannot be pinged from Wuxi Gelan.
Enter the command: management-access inside (this item cannot be set through ASDM)

2) NAT sometimes does not take effect promptly.
Use the command: clear xlate