Cisco PIX Firewall: A Collection of Questions
Added: 2008-2-24 13:02:33 Author: Cisco Guide Views: 52 Source: http://www.d9soft.com
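It works without any problem on the 515E, which is really strange??
icmp permit any outside
The PIX VPN is set up and works over DDN, so why doesn't it work over my home ADSL?
The configuration is as follows: pix520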
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
nameif ethernet2 Outside-DMZ security50
enable password GyBjREM5Y/fIjrzB encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname PIX-yinhetech
domain-name test.cn
clock timezone CST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 notebookpoolIP
access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any
access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any
access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0
access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap notifications
icmp deny any Outside
mtu Outside 1500
mtu inside 1500
mtu Outside-DMZ 1500
ip address Outside ***.***.***.** 255.255.255.240
ip address inside 10.127.1.253 255.255.255.0
ip address Outside-DMZ 172.18.3.254 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool notebookpool 10.128.1.1-10.128.1.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address Outside
no failover ip address inside
no failover ip address Outside-DMZ
pdm history enable
arp timeout 14400
global (Outside) 1 ***.***.***.** netmask 255.255.255.240
global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.128.0.0 0 0
access-group 101 in interface inside
route Outside 0.0.0.0 0.0.0.0 ***.***.***.** 1
route inside 10.0.0.0 255.128.0.0 10.127.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.74 255.255.255.255 inside
http 10.10.10.88 255.255.255.255 inside
snmp-server host inside 10.10.10.10
snmp-server host inside 10.10.10.74
snmp-server location soft_yuan_internet
snmp-server contact bill
snmp-server community public
snmp-server enable traps
tftp-server inside 10.10.10.74 /
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp identity address
isakmp keepalive 60 5
isakmp nat-traversal 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup notebookpc address-pool notebookpool
vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68
vpngroup notebookpc default-domain yhgroup.cn
vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl
vpngroup notebookpc idle-time 1800
vpngroup notebookpc password ********
telnet 10.0.0.0 255.128.0.0 inside
telnet 10.10.10.110 255.255.255.255 inside
telnet 10.10.10.110 255.255.255.255 Outside-DMZ
telnet timeout 31
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35
surf_qj (regular user)
By the way, I log in with Cisco Systems VPN Client 4.01. From my home ADSL I can connect to the VPN but cannot access anything, while over DDN it works.

