西安网站设计制作一般多少钱新媒体营销的发展趋势

二.实验需求

​ 让FW1（PPPoE Client）模拟拨号用户，向内部服务器发送建立拨号连接的请求，并保证连通。

三.实验配置

接口配置

[PPPoE Client]int g 0/0/0
[PPPoE Client-GigabitEthernet0/0/0]service-manage all permit #LAC
[USG6000V1-GigabitEthernet0/0/0]ip address  192.168.0.2 24
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit 
[USG6000V1-GigabitEthernet0/0/0]int g 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 20.1.1.1 24[LNS-GigabitEthernet0/0/0]ip address 192.168.0.3 24
[LNS-GigabitEthernet0/0/0]service-manage all permit 
[LNS-GigabitEthernet0/0/0]int g 1/0/0
[LNS-GigabitEthernet1/0/0]ip address 20.1.1.2 24
[LNS-GigabitEthernet1/0/0]int g 1/0/1
[LNS-GigabitEthernet1/0/1]ip add 192.168.1.254 24

区域划分

[PPPoE Client]firewall zone trust 
[PPPoE Client-zone-trust]add int g 1/0/0[LNS]firewall zone untrust 
[LNS-zone-untrust]add int g 1/0/0	
[LNS]firewall zone trust 
[LNS-zone-trust]add int g 1/0/1[nas]firewall zone untrust 
[nas-zone-untrust]add int g 1/0/1
[nas]firewall zone trust 
[nas-zone-trust]add int g  1/0/0

L2TP配置

1、建立PPPoE连接，设定拨号接口VT接口

Client（PPPoE Client）

[PPPoE Client]interface Dialer 1
[PPPoE Client-Dialer1]dialer user user1     ----- 设定拨号用户名
[PPPoE Client-Dialer1]dialer-group 1     ---- 创建拨号组
[PPPoE Client-Dialer1]dialer bundle 1     ------ 设定拨号程序捆绑包
[PPPoE Client-Dialer1]ip address ppp-negotiate      ------ 设定IP地址获取方式为PPP邻居分配，PPP邻居通过IPCP协议进行分配，即PPP的NCP协商过程所用协议
[PPPoE Client-Dialer1]ppp chap user user1
[PPPoE Client-Dialer1]ppp chap password cipher Password123[PPPoE Client]dialer-rule 1 ip permit       ------ 配置拨号访问控制列表，允许所有IPv4报文通过拨号口，数字1必须与拨号组编号相同。[PPPoE Client]int g 1/0/0
[PPPoE Client-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1 ---在物理接口上启动PPPoE Client程序，绑定拨号程序包，编号为1

server

[NAS]interface Virtual-Template 1
[NAS-Virtual-Template1]ppp authentication-mode chap      ----- 修改认证模式
[NAS-Virtual-Template1]ip address 2.2.2.2 24      ---- （配置的IP地址仅是为了激活该接口）[NAS]firewall zone dmz
[NAS-zone-dmz]add interface Virtual-Template 1[NAS]interface GigabitEthernet 1/0/0	
[NAS-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1     ----- 将VT接口绑定在物理接口[NAS]aaa	
[NAS-aaa]domain default 
[NAS-aaa-domain-default]service-type l2tp       ----- 设定认证域的服务类型为L2TP设定用户名和密码信息：
[NAS]user-manage user user1 domain default 
[NAS-localuser-user1]password Password123

2.建立L2TP隧道

NAS(LAC)配置

[NAS]l2tp enable        ----- 启动L2TP协议
[NAS]l2tp-group 1       ----- 设置L2TP组名
[NAS-l2tp-1]tunnel authentication       ----- 开启隧道认证
[NAS-l2tp-1]tunnel password cipher Hello123      ---- 配置隧道密码信息
[NAS-l2tp-1]tunnel name lac     ----- 设置隧道名称
[NAS-l2tp-1]start l2tp ip 20.1.1.2 fullusername user1      ---- 设定LAC模式和LNS地址，以及设置认证用户的方式为“完全用户认证”，并指定用户名

LNS配置

[LNS]ip pool l2tp     --- 创建地址池
[LNS-ip-pool-l2tp]section 0 172.16.1.2 172.16.1.100[LNS]aaa
[LNS-aaa]service-scheme l2tp
[LNS-aaa-service-l2tp]ip-pool l2tp
[LNS-aaa]domain default 	
[LNS-aaa-domain-default]service-type l2tp [LNS]user-manage user user1 domain default 
[LNS-localuser-user1]password Password123[LNS]interface Virtual-Template 1
[LNS-Virtual-Template1]ppp authentication-mode chap
[LNS-Virtual-Template1]ip address 172.16.0.1 24
[LNS-Virtual-Template1]remote service-scheme l2tp[LNS]firewall zone dmz 	
[LNS-zone-dmz]add interface Virtual-Template 1[LNS]l2tp enable 
[LNS]l2tp-group 1
[LNS-l2tp-1]allow l2tp virtual-template 1 remote lac domain default
[LNS-l2tp-1]tunnel authentication 
[LNS-l2tp-1]tunnel password cipher Hello123

3.路由补充

[PPPoE Client]ip route-static 0.0.0.0 0 Dialer 1       ---- 出接口方式
# 将Dialer 1接口划分到dmz区域，方便发包：
[PPPoE Client]firewall zone dmz 
[PPPoE Client-zone-dmz]add interface Dialer 1

安全配置

sdfvfgs

[PPPoE Client]security-policy
[PPPoE Client-policy-security]default action permit[NAS]security-policy
[NAS-policy-security]default action permit[LNS]security-policy
[LNS-policy-security]default action permit [PPPoE Client]ping 192.168.1.1PING 192.168.1.1: 56  data bytes, press CTRL_C to breakRequest time outReply from 192.168.1.1: bytes=56 Sequence=2 ttl=254 time=3 msReply from 192.168.1.1: bytes=56 Sequence=3 ttl=254 time=2 msReply from 192.168.1.1: bytes=56 Sequence=4 ttl=254 time=2 msReply from 192.168.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms

NAS

[NAS]security-policy 
[NAS-policy-security]default action deny     ----- 先恢复默认策略为拒绝
[NAS-policy-security]rule name local_to_untrustsource-zone localdestination-zone untrustsource-address 20.1.1.1 mask 255.255.255.255destination-address 20.1.1.2 mask 255.255.255.255service l2tpservice protocol udp source-port 0 to 65535 destination-port 1701action permit

LNS

[LNS]security-policy 	
[LNS-policy-security]default action deny 
[LNS-policy-security]dis this
security-policyrule name untrust_to_localsource-zone untrustdestination-zone localsource-address 20.1.1.1 mask 255.255.255.255destination-address 20.1.1.2 mask 255.255.255.255service l2tpservice protocol udp destination-port 1701action permitrule name dmz_to_trustsource-zone dmzdestination-zone trustsource-address 172.16.1.0 mask 255.255.255.0destination-address 192.168.1.0 mask 255.255.255.0action permit