Cisco PIX 525!

xiaoxiao  2021-03-06  72

I finally found time to write a blog post. It was not easy.

Recently our company finished a dedicated-line project; it lasted about a month. It was also my first time configuring a network device of this kind, so it was a bit awkward, and I am still not very familiar with it. Here I just want to talk about my experience with the configuration. There are plenty of articles online covering the rest, and they are all fine.

The plan was for the company to build its own VPN gateway, letting 27 locations around the country reach the company's internal LAN through the VPN Client software, with access limited to the internal network, so that they can log in to the internal OA server; the LAN and the office are thus extended outside, and video conferencing may follow later. I recommended the high-performance Cisco PIX 525 as the core device of the solution, and the proposal was approved. Finally the CCNP course I had just finished could be put into practice; I was so excited my face glowed red. Hoho, admire my colour? It's natural.

At last the PIX I had been waiting for arrived. I opened the big box and there he was: a strong physique, a handsome face ... ^ _ ^ got a bit sentimental there, heh! Sorry.

The cabling was fairly simple. With the extra 100M card I bought, the PIX now has three interfaces: E0, E1 and E2, where E2 is the 100M card, which looks just like a PC network card. I nameif'd it as DMZ; E0 is INSIDE and E1 is OUTSIDE. Outside connects to the RJ45 side of the fiber-to-Ethernet converter; inside connects to a new 10M 2620 router. On the DMZ I temporarily connected a Red Hat Linux 9 box directly as a test.

What followed was relatively simple. With the configuration examples from the manual and some real-world configurations from experts, I started my PIX journey. nameif, nat, global, ip address, route and so on gave no trouble. There was just a small episode when connecting the firewall to the router: I found that the router's 10M port facing the firewall's inside interface was running at half duplex, WTF, how can that be. I forced it by hand to full duplex. Then the line speed suddenly dropped from 4M (download speed 512K) to 56K (download speed 7K). I tried repeatedly, same result. I also changed the firewall's INSIDE interface from auto to full duplex. Damn, the symptom stayed. Then I restored both cards to auto-negotiation, and the speed, as if mocking me, very quickly climbed back to the 4M line rate. Depressing ~~ 555 ......

The next part was more interesting. The dynamic crypto map and vpngroup statements are boilerplate, basically all copied from the configuration examples. But defining the vpngroups was hard to get right. The leaders had two wishes: 1. could the VPN users be classified into groups; 2. could each dial-in user account be given a static IP address. I used the ACS 3.0 software. The leaders' first request was simple, because ACS provides for it: you define several vpngroups on the PIX, create the same group names one by one in ACS, assign the users to these groups, and then give each VPNGROUP its own address-pool. Damn, that solved it. But on the second question (a thorough defeat; I still have not solved it), I found an option in each user's attributes in the ACS software, in English "Assign IP Address". This should bind an IP address to a username. But I tried it and it did not work, because on the PIX you must configure vpngroup
address-pool
With that command the client can dial in successfully, but IPCONFIG shows the client still gets an unused address from the address pool, not the address specified in ACS. And if you do not use vpngroup address-pool
you cannot establish a VPN connection at all. Really annoying. Does anyone know?
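The working half of the above, as an added example rather than the blog's own configuration: two vpngroups, each with its own address pool, with user authentication handed to ACS 3.0 over RADIUS. All addresses, group names and the shared secrets are constructed placeholders, and the pools are placed outside the inside segment (`:` lines are comments in a PIX config).

```cisco
: Added example, not the blog's config. PIX 6.3 syntax.
ip address inside 10.1.1.254 255.255.0.0
: One pool per user class, outside the 10.1.0.0/16 LAN segment
ip local pool pool-sales 10.2.1.1-10.2.1.254
ip local pool pool-tech 10.2.2.1-10.2.2.254
: LAN <-> VPN pool traffic must not be NATed
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
: ACS 3.0 reached as a RADIUS server on the inside (secret is a placeholder)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 RADIUS-SECRET-PLACEHOLDER timeout 10
: IKE/IPsec for the VPN Client; the dynamic map accepts any client address
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
: every user is authenticated (XAUTH) against ACS before getting a pool address
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: The group name and group password are what the VPN Client is configured with;
: the same group names are created in ACS and users are assigned to them
vpngroup sales address-pool pool-sales
vpngroup sales dns-server 10.1.1.5
vpngroup sales idle-time 1800
vpngroup sales password GROUP-PASSWORD-PLACEHOLDER
vpngroup tech address-pool pool-tech
vpngroup tech dns-server 10.1.1.5
vpngroup tech idle-time 1800
vpngroup tech password GROUP-PASSWORD-PLACEHOLDER
```

Because the pools are outside the LAN segment, the 2620 and any inside host that does not default to the PIX need a route for 10.2.0.0/16 pointing at the PIX inside address 10.1.1.254.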

The rest went smoothly. After all, CCNA taught me the basics of routing. I used a class-B-sized address segment, 10.1.0.0 255.255.0.0, which has plenty of addresses ^ _ ^. Then I set the IP address of the PIX INSIDE interface within this segment, which ensures that VPN users can communicate with the internal network, and gave the router's interface facing the PIX an address in the same large segment. But a strange thing happened. The firewall's INSIDE interface is 10.1.1.254 255.255.0.0, and I set the address pool to 10.1.2.1 255.255.0.0. After VPN client authentication the client does get this address, but it cannot reach the intranet; with 10.1.1.1 255.255.0.0, however, it can. This is still unresolved.

Another episode: Time-Range. The current PIX does not seem to have this feature yet, so if you want an ACL that is restricted to a time period automatically, you still have to do it on the 2620 router. I was not happy about it, but there was no way; after all, the leaders want a time window.

PIX 6.3 is a relatively new version, and the PIX I bought runs it. The conduit command from the old version seems to be invalid on this PIX. Together with another NP friend I tested it remotely for a long time and finally proved that conduit is invalid on PIX 6.3; it has to be done with ACLs, as the documentation on Cisco's official website says (the original is in English, painful). Well, that is fine. It seems the manual I downloaded was out of date; not that I did not understand it, this world just moves fast. The conduit command was used when doing static IP mapping. Now the static command combined with an ACL implements the company's external web and mail servers in the DMZ, and this way you define which protocols may reach these servers from the public Internet.
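The static + access-list form described above, as an added example rather than the blog's configuration: the DMZ web and mail servers are published one-to-one and only their services are permitted inbound, with the old conduit lines shown for comparison. Interface names follow the post; all addresses are constructed and `:` lines are comments in a PIX config.

```cisco
: Added example, not the blog's config. PIX 6.3 syntax; 203.0.113.0/24
: stands in for the public block.
nameif ethernet0 inside security100
nameif ethernet1 outside security0
nameif ethernet2 dmz security50
: speed/duplex left on auto, as in the post
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.254 255.255.0.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: Old conduit form, which the post found not to work on this 6.3 unit:
:   conduit permit tcp host 203.0.113.10 eq www any
:   conduit permit tcp host 203.0.113.11 eq smtp any
: 1) one public address mapped to each DMZ server
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255 0 0
: 2) only the published services may enter from the Internet; everything
:    else hits the implicit deny at the end of the list
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-group outside_in in interface outside
: 3) inside and DMZ get out through PAT on the outside address; the DMZ
:    (security 50) cannot open connections to the inside (security 100)
:    because no static or ACL allows that direction
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.10.0 255.255.255.0 0 0
: 4) identity mapping so inside hosts can reach the DMZ servers untranslated
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
```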

A few other things: the PIX command line is not as convenient as the router's IOS; there is no TAB completion, and the "?" help is poor. Without the manual it is hard to get specific help from "?". Some commands also differ from the router. What struck me most is that wr t can be used inside conf t; it seems the config mode on the PIX allows this, whereas on the router you have to Ctrl-Z out first. Also the heat given off by the PIX is incomparable; the four powerful fans on the front panel run like mad. Even the cabinet it sits in still has its door open, because cooling cannot be guaranteed otherwise, and we dare not close it. There are also many features I have not used yet. I saw online that people use Linux syslog or Win2000/NT logs as log servers; I have not looked at the specific steps yet. And I have not had time for the ACS server software; I will continue studying it when there is time. I saw a command about accounting; it seems to be the accounting server in AAA authentication. I do not know whether it is meant to be used together with ACS.

Expectations

I hope the PIX will get an ACL command with Time-Range as soon as possible. Also, I don't know when the PIX will be able to support routing; at least then I could give VPN users a class-B-sized range without so much effort.

Please credit the original source when reposting: https://www.9cbs.com/read-94037.html
