
FTTB+NAT+DHCP+pppoe+CBAC+*** client+Authentication AAA

Time: 2018-07-21 03:33:49


Configured successfully; it has already been debugged and is working!

hongyi#show run
Building configuration...

Current configuration : 4655 bytes
!
! Last configuration change at 04:47:29 UTC Sun Apr 25 by tonyxue
! NVRAM config last updated at 04:47:50 UTC Sun Apr 25 by tonyxue
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hongyi
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$nyjl$3Q7avJNhGMGg9h8S3TxL01
!
username tonyxue password 7 110B0B0C101A1F010524
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login hongyi_authen group tacacs+
aaa authentication login no_tacasc enable
aaa authentication login line_vty local
aaa authorization network hongyi_author local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip dhcp excluded-address 172.16.0.1 172.16.0.220
!
ip dhcp pool hongyi
 network 172.16.0.0 255.255.255.0
 dns-server 202.96.209.5 202.96.209.133
 default-router 172.16.0.10
 lease 30
!
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect name firewall cuseeme
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall http
ip audit po max-events 100
vpdn enable
!
vpdn-group FTTB
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group hongyi
 key *********
 pool hongyi_pool
!
!
crypto ipsec transform-set hongyi_set esp-3des esp-sha-hmac
!
crypto dynamic-map hongyi_dynamic_map 10
 set transform-set hongyi_set
!
!
crypto map clientmap client authentication list hongyi_authen
crypto map clientmap isakmp authorization list hongyi_author
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic hongyi_dynamic_map
!
!
!
interface Ethernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0
 ip address 172.16.0.10 255.255.0.0
 ip access-group Local_Ruler in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 speed auto
 no cdp enable
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group Outbound_Ruler in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ad********* @shtel password 7 046B08133D255F7908
 crypto map clientmap
!
ip local pool hongyi_pool 192.168.0.1 192.168.0.254
ip nat inside source route-map nat_map interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended Local_Ruler
 deny 53 any any log
 deny 55 any any log
 deny pim any any log
 deny tcp any any eq echo log
 deny tcp any any eq chargen log
 deny tcp any any eq 135 log
 deny tcp any any eq 136 log
 deny tcp any any eq 137 log
 deny tcp any any eq 138 log
 deny tcp any any eq 139 log
 deny tcp any any eq 445 log
 deny tcp any any eq 4444 log
 deny udp any any eq tftp log
 deny udp any any eq 135 log
 deny udp any any eq 136 log
 deny udp any any eq netbios-ns log
 deny udp any any eq netbios-dgm log
 deny udp any any eq netbios-ss log
 deny udp any any eq snmp log
 deny udp any any eq 445 log
 permit ip any any
ip access-list extended Outbound_Ruler
 permit udp any any eq isakmp log
 permit esp any any log
 permit udp any any eq non500-isakmp log
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 log
 deny ip any any log
logging source-interface FastEthernet0
logging 172.16.0.100
access-list 1 deny any
access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
no cdp run
!
route-map nat_map permit 10
 match ip address 101
!
tacacs-server host 172.16.0.100 key 7 0459190F082958430817
tacacs-server directed-request
!
line con 0
 logging synchronous
 login authentication line_vty
line aux 0
 logging synchronous
line vty 0 4
 logging synchronous
 login authentication line_vty
!
!
end
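As an added example (not part of the original post), a small Python check that flags settings in a configuration like the one above that deserve review before reuse: reversible type 7 strings, 3DES and small Diffie-Hellman groups in the IPsec policy, PAP, an ACL that falls through to permit-any, and vty lines with no `transport input` statement. The `audit` function and the rule wording are this example's own, and it assumes the indented layout that `show running-config` normally prints.

```python
import re

# Constructed sample: lines from the configuration above, indented the way
# `show running-config` prints them, with secrets replaced by placeholders.
SAMPLE = """\
username tonyxue password 7 <REDACTED>
crypto isakmp policy 3
 encr 3des
 group 2
crypto ipsec transform-set hongyi_set esp-3des esp-sha-hmac
interface Dialer1
 ppp pap sent-username <USER> password 7 <REDACTED>
ip access-list extended Local_Ruler
 permit ip any any
line vty 0 4
 login authentication line_vty
"""

# (pattern, finding) pairs checked against every line; wording is this example's own.
LINE_RULES = [
    (r"\b(password|key) 7 \S+", "type 7 string is reversible obfuscation, not a hash"),
    (r"^\s*encr 3des$|\besp-3des\b", "3DES is a legacy cipher; prefer AES"),
    (r"^\s*group [125]$", "IKE Diffie-Hellman group of 1536 bits or less"),
    (r"\bppp pap sent-username\b", "PAP sends the password to the peer in cleartext"),
    (r"^\s*permit ip any any$", "ACL falls through to permit-any (blocklist design)"),
]

def audit(config):
    """Return (line_number, config_line, finding) tuples for review."""
    findings, section, section_no, children = [], None, 0, []
    def close_section():
        # Section-level check: a vty block with no `transport input` statement.
        if section and section.startswith("line vty") and not any(
                c.startswith("transport input") for c in children):
            findings.append((section_no, section, "vty has no 'transport input' restriction"))
    for no, raw in enumerate(config.splitlines(), 1):
        if raw.strip() in ("", "!"):
            continue
        if not raw.startswith(" "):        # an unindented line opens a new section
            close_section()
            section, section_no, children = raw.strip(), no, []
        else:
            children.append(raw.strip())
        findings += [(no, raw.strip(), f) for p, f in LINE_RULES if re.search(p, raw)]
    close_section()
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```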
