L2TP Lab Assignment
Topology diagram (image not reproduced here). From the configuration below: FW1 (the PPPoE client) connects on its GE1/0/0 to the NAS's GE1/0/0; NAS GE1/0/1 (20.1.1.1/24) connects to LNS GE1/0/0 (20.1.1.2/24); the LNS's GE1/0/1 (192.168.1.254/24) faces the internal server network 192.168.1.0/24.
Lab requirements
Have FW1 (the PPPoE client) act as a dial-up user, send a request to the internal server to set up a dial-up connection (PPPoE to the NAS, which carries the PPP session over L2TP to the LNS), and make sure the connection works end to end.
Lab steps
Security zones (FW1, the PPPoE client)
firewall zone trust
add int g1/0/0
Security policy (FW1)
security-policy
default action permit
NAS (PPPoE server and L2TP LAC)
int g1/0/1
ip address 20.1.1.1 24
firewall zone trust
add int g1/0/0
firewall zone untrust
add int g1/0/1
LNS
int g1/0/0
ip add 20.1.1.2 24
int g 1/0/1
ip address 192.168.1.254 24
firewall zone trust
add int g1/0/1
firewall zone untrust
add int g1/0/0
Client (FW1: PPPoE dial-up on GE1/0/0, CHAP credentials user1 / Password123)
interface Dialer 1
dialer user user1
dialer-group 1
dialer bundle 1
ip address ppp-negotiate
ppp chap user user1
ppp chap password cipher Password123
dialer-rule 1 ip permit
int g1/0/0
pppoe-client dial-bundle-number 1
Server (NAS: PPPoE server terminating the PPP session on a virtual template)
interface Virtual-Template 1
ppp authentication-mode chap
The command is used to configure the PPP authentication mode on the local end. Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/N]:y
ip address 2.2.2.2 24
firewall zone dmz
add interface Virtual-Template 1
Bind the virtual template on the interface facing the PPPoE client:
int g1/0/0
pppoe-server bind virtual-template 1
aaa
domain default
Info: The domain default is for common users.
service-type l2tp
user-manage user user1 domain default
password Password123
Create the tunnel (NAS acting as LAC; the tunnel password must match the one on the LNS)
l2tp enable
l2tp-group 1
tunnel authentication
tunnel password cipher Hello123
start l2tp ip 20.1.1.2 fullusername user1
LNS (terminates the tunnel, hands out addresses from the pool and authenticates the user)
ip pool l2tp
Info: It is successful to create an IP address pool.
section 0 172.16.0.2 172.16.0.100
aaa
service-scheme l2tp
Info: Create a new service scheme.
ip-pool l2tp
domain default
Info: The domain default is for common users.
service-type l2tp
q
user-manage user user1 domain default
password Password123
interface Virtual-Template 1
ppp authentication-mode chap
ip add 172.16.0.1 24
remote service-scheme l2tp
q
firewall zone dmz
add int Virtual-Template 1
l2tp enable
l2tp-group 1
allow l2tp virtual-template 1 remote lac domain default
tunnel authentication
tunnel password cipher Hello123
Authentication (LNS: force a fresh LCP negotiation and a CHAP challenge of its own instead of trusting the LAC's result)
l2tp-group 1
mandatory-chap
mandatory-lcp
On FW1, send all traffic into the dial-up connection with a default route via the dialer interface:
ip route-static 0.0.0.0 0.0.0.0 Dialer1
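The two secrets configured above, the tunnel password Hello123 (tunnel authentication on LAC and LNS) and the CHAP password Password123 (client dialer and user-manage on the LNS, re-checked by mandatory-chap), are both used in MD5 challenge/response exchanges. The following is an added Python simulation of those exchanges, not code from the lab or from the devices: it assumes 16-byte random challenges, a constructed user table standing in for domain default, and the RFC 2661 / RFC 1994 hash layouts; message names (SCCRQ, SCCRP, SCCCN) are the L2TP control messages of tunnel setup.

```python
import hashlib
import hmac
import os

# Shared secrets taken from the lab configuration above.
TUNNEL_PASSWORD = b"Hello123"    # tunnel password cipher Hello123 (LAC and LNS)
CHAP_USER = b"user1"             # ppp chap user user1 / user-manage user user1
CHAP_PASSWORD = b"Password123"   # ppp chap password cipher Password123 / password Password123

# L2TP control message types used during tunnel setup (RFC 2661, section 3.2).
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def tunnel_auth_response(message_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value (RFC 2661, section 5.1.1): MD5 over the
    one-octet Message Type of the message carrying the response, the shared
    tunnel secret, and the challenge received from the peer."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """PPP CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def tunnel_setup(lac_secret: bytes, lns_secret: bytes, rng=os.urandom) -> bool:
    """Simulate SCCRQ / SCCRP / SCCCN with 'tunnel authentication' on both ends.
    Each side hashes with its own copy of the tunnel password; the tunnel only
    comes up if the two copies agree."""
    lac_challenge = rng(16)                                   # Challenge AVP in SCCRQ (LAC -> LNS)
    lns_challenge = rng(16)                                   # Challenge AVP in SCCRP (LNS -> LAC)
    lns_proof = tunnel_auth_response(SCCRP, lns_secret, lac_challenge)  # Challenge Response AVP in SCCRP
    if not hmac.compare_digest(lns_proof, tunnel_auth_response(SCCRP, lac_secret, lac_challenge)):
        return False                                          # LAC rejects the LNS (StopCCN)
    lac_proof = tunnel_auth_response(SCCCN, lac_secret, lns_challenge)  # Challenge Response AVP in SCCCN
    return hmac.compare_digest(lac_proof, tunnel_auth_response(SCCCN, lns_secret, lns_challenge))


def lns_chap_check(user: bytes, client_secret: bytes, user_db: dict,
                   identifier: int = 1, rng=os.urandom) -> bool:
    """What 'mandatory-chap' makes the LNS do for the PPP session carried over
    the tunnel: issue its own CHAP challenge, take the client's response and
    verify it against the password stored for that user (domain default)."""
    challenge = rng(16)
    client_answer = chap_response(identifier, client_secret, challenge)  # computed by FW1
    expected_secret = user_db.get(user)
    if expected_secret is None:
        return False                                          # unknown user: reject
    return hmac.compare_digest(client_answer, chap_response(identifier, expected_secret, challenge))


# Constructed user table standing in for 'user-manage user user1 domain default'.
DOMAIN_DEFAULT_USERS = {CHAP_USER: CHAP_PASSWORD}

if __name__ == "__main__":
    print("tunnel up:", tunnel_setup(TUNNEL_PASSWORD, TUNNEL_PASSWORD))
    print("tunnel up with mismatched password:", tunnel_setup(TUNNEL_PASSWORD, b"Hello124"))
    print("user1 CHAP ok:", lns_chap_check(CHAP_USER, CHAP_PASSWORD, DOMAIN_DEFAULT_USERS))
    print("user1 wrong password:", lns_chap_check(CHAP_USER, b"guess", DOMAIN_DEFAULT_USERS))
```

Two things the simulation makes visible. Tunnel authentication only proves that both ends know Hello123; it does not encrypt anything, and neither does CHAP, so the PPP session (and everything the dial-up user sends) crosses the 20.1.1.0/24 link in the clear unless the tunnel is additionally protected with IPsec. And both proofs are plain MD5 over a shared secret, so an observer who captures the challenge and response can run an offline dictionary attack against the password; keep tunnel and user passwords long and random rather than Hello123 / Password123 outside the lab.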
Security policy (LNS; with the default action set to deny, every flow needs an explicit rule)
security-policy
default action deny
Warning: Setting the default interzone packet filtering to deny may affect actual data traffic. You are advised to configure the security policy based on the actual services. Are you sure you want to continue? [Y/N]y
rule name l_un
source-zone local
destination-zone untrust
source-address 20.1.1.2 32
destination-address 20.1.1.1 32
service l2tp
service protocol udp source-port 0 to 65535 destination-port 1701
action permit
Note: this is the LNS's own traffic towards the LAC, so the source is the LNS address 20.1.1.2 and the destination is the LAC address 20.1.1.1 (the reverse of the untrust-to-local rule below), and because the default action is deny the rule needs an explicit action permit.
rule name l2tp
source-zone untrust
destination-zone local
source-address 20.1.1.1 32
destination-address 20.1.1.2 32
service l2tp
service protocol udp destination-port 1701
action permit
rule name icmp
source-zone dmz
destination-zone trust
source-address 172.16.0.0 24
destination-address 192.168.1.0 24
action permit
Note: this rule carries no service line, so despite its name it permits every protocol from the L2TP address pool into the server network, not only ping. If the dial-up users are meant to ping only, add service icmp to the rule.
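To check what the LNS policy above actually lets through, here is an added Python model of zone-based first-match evaluation; it is not the firewall's own code and is stateless (it does not model the session table that lets reply packets back). The rules are the three from this section with l_un in the LNS-to-LAC direction; the sample packets, the tightened variant of rule icmp (service icmp added) and the pool address 172.16.0.5 / server 192.168.1.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str            # "udp", "tcp" or "icmp"
    dst_port: int = 0     # unused for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None: no service line, any protocol matches
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if (self.src_zone, self.dst_zone) != (p.src_zone, p.dst_zone):
            return False
        if ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def evaluate(policy: List[Rule], packet: Packet, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; otherwise the policy's default action applies.
    Returns (action, name of the rule that decided)."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "default"


# The LNS policy of this lab (l_un written in the LNS-to-LAC direction).
LAB_POLICY = [
    Rule("l_un", "local", "untrust", "20.1.1.2/32", "20.1.1.1/32", "permit", "udp", 1701),
    Rule("l2tp", "untrust", "local", "20.1.1.1/32", "20.1.1.2/32", "permit", "udp", 1701),
    Rule("icmp", "dmz", "trust", "172.16.0.0/24", "192.168.1.0/24", "permit"),   # no service line
]

# Same policy with 'service icmp' added to the rule named icmp.
TIGHT_POLICY = LAB_POLICY[:2] + [
    Rule("icmp", "dmz", "trust", "172.16.0.0/24", "192.168.1.0/24", "permit", "icmp"),
]

# Constructed sample traffic as seen by the LNS.
SCCRQ = Packet("untrust", "local", "20.1.1.1", "20.1.1.2", "udp", 1701)   # LAC opens the tunnel
PING = Packet("dmz", "trust", "172.16.0.5", "192.168.1.10", "icmp")       # dial-up user pings a server
SSH = Packet("dmz", "trust", "172.16.0.5", "192.168.1.10", "tcp", 22)     # dial-up user tries SSH
IKE = Packet("untrust", "local", "20.1.1.1", "20.1.1.2", "udp", 500)      # anything else to the LNS

if __name__ == "__main__":
    for label, pkt in [("SCCRQ", SCCRQ), ("PING", PING), ("SSH", SSH), ("IKE", IKE)]:
        print(label, "lab policy:", evaluate(LAB_POLICY, pkt), "tightened:", evaluate(TIGHT_POLICY, pkt))
```

Running it shows the L2TP control traffic from the LAC and the user's ping hitting their intended rules, but also that SSH from the pool into the server network is permitted by the rule named icmp as written in the lab, and is only dropped by the default deny once the rule carries a service line.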