Huawei 100F firewall NAT + S-TO-C VPN typical configuration
This is an instance I configured myself, posted here for everyone's reference!
[Quidway]dis cu
#
sysname Quidway
#
super password level 3 cipher 5W97B'/VOV+Q=^Q`MAF4<1!!
#
l2tp enable
l2tpmoreexam enable
#
ike local-name 12
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
nat address-group 30 X.X.X.X X.X.X.X (defines the NAT address pool)
#
firewall statistic system enable
#
dns resolve
dns server 202.103.X.X
#
radius scheme system
#
domain system
accounting optional
ip pool 1 192.168.1.2 192.168.1.254 (defines the VPN address pool)
#
local-user admin
password cipher 5W97B'/VOV+Q=^Q`MAF4<1!!
service-type telnet
level 3
local-user text (creates the VPN user)
password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
level 3
service-type ppp
#
acl number 3001
description bingduliebiao
rule 0 deny tcp source-port eq 3127
rule 1 deny tcp source-port eq 1025
rule 2 deny tcp source-port eq 5554
rule 3 deny tcp source-port eq 9996
rule 4 deny tcp source-port eq 1068
rule 5 deny tcp source-port eq 135
rule 6 deny udp source-port eq 135
rule 8 deny udp source-port eq netbios-ns
rule 9 deny tcp source-port eq 138
rule 10 deny udp source-port eq netbios-dgm
rule 11 deny tcp source-port eq 139
rule 13 deny tcp source-port eq 593
rule 14 deny tcp source-port eq 4444
rule 15 deny tcp source-port eq 5800
rule 16 deny tcp source-port eq 5900
rule 19 deny tcp source-port eq 445
rule 20 deny udp source-port eq 445
rule 30 deny tcp destination-port eq 3127
rule 32 deny tcp destination-port eq 5554
rule 33 deny tcp destination-port eq 9996
rule 34 deny tcp destination-port eq 1068
rule 35 deny tcp destination-port eq 135
rule 36 deny udp destination-port eq 135
rule 37 deny tcp destination-port eq 137
rule 38 deny udp destination-port eq netbios-ns
rule 39 deny tcp destination-port eq 138
rule 40 deny udp destination-port eq netbios-dgm
rule 41 deny tcp destination-port eq 139
rule 43 deny tcp destination-port eq 593
rule 44 deny tcp destination-port eq 4444
rule 45 deny tcp destination-port eq 5800
rule 46 deny tcp destination-port eq 5900
rule 48 deny tcp destination-port eq 8998
rule 49 deny tcp destination-port eq 445
rule 51 deny udp destination-port eq 1434
acl number 3333 (traffic between the VPN user subnet and the intranet subnet bypasses NAT)
rule 0 deny ip source 172.16.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 172.16.188.0 0.0.0.255
#
interface Virtual-Template1 (the access interface for VPN users)
ppp authentication-mode pap
ip address 192.168.1.1 255.255.255.0
remote address pool 1
#
interface Aux0
undo detect dsr-dtr
async mode flow
#
interface Ethernet0/0
flow-control
ip address 172.16.188.1 255.255.255.0
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
#
interface Ethernet0/1
flow-control
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
#
interface Ethernet0/2
flow-control
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
#
interface Ethernet0/3
flow-control
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
#
interface Ethernet1/0
flow-control
ip address X.X.X.X 255.255.255.0
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
nat outbound 3333 address-group 30
nat server protocol tcp global X.X.X.X www inside 172.16.188.254 www (server mappings)
nat server protocol tcp global X.X.X.X ftp inside 172.16.188.253 ftp
#
interface Ethernet1/1
flow-control
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
#
interface Ethernet1/2
flow-control
firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
add interface Ethernet1/1
add interface Ethernet1/2
add interface Virtual-Template1
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
l2tp-group 1
undo tunnel authentication
mandatory-lcp
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 X.X.X.X preference 60 (configures the default route)
#
user-interface con 0
authentication-mode password
set authentication password cipher 5W97B'/VOV+Q=^Q`MAF4<1!!
user-interface aux 0
user-interface vty 0 4
set authentication password cipher 5W97B'/VOV+Q=^Q`MAF4<1!!
idle-timeout 3600 0
#
return
[Quidway]
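The effect of ACL 3333 bound by "nat outbound 3333 address-group 30" is easiest to see by evaluating it against sample flows. The following is an added example, not part of the original post or any Huawei tool: it parses the two rule lines from the configuration above, applies Huawei/H3C wildcard-mask semantics with first match wins, and reports whether a flow is translated. The sample addresses are constructed; note that, as written, rule 0 exempts intranet-sourced (172.16.188.x) traffic to the VPN pool, and packets sourced from the pool itself match no rule and are therefore not translated.

```python
import ipaddress

# Constructed example: the two rules of ACL 3333 copied from the configuration
# above. Wildcard masks: a 0 bit must match, a 1 bit is "don't care".
ACL_3333 = """
rule 0 deny ip source 172.16.188.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 172.16.188.0 0.0.0.255
"""

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit that is 0 in the wildcard."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)

def parse_acl(text):
    """Parse 'rule N deny|permit ip [source A W] [destination B W]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rule = {"id": int(tok[1]), "action": tok[2],
                "source": None, "destination": None}
        i = 4                      # tokens after "rule N action ip"
        while i + 2 < len(tok):
            rule[tok[i]] = (tok[i + 1], tok[i + 2])   # (base, wildcard)
            i += 3
        rules.append(rule)
    return rules

def nat_decision(rules, src, dst):
    """'nat' if 'nat outbound 3333' translates the flow, else 'no-nat'.
    First matching rule wins; only a permit match is translated, a deny
    match or no match at all leaves the packet untranslated."""
    for r in rules:
        if r["source"] and not wildcard_match(src, *r["source"]):
            continue
        if r["destination"] and not wildcard_match(dst, *r["destination"]):
            continue
        return "nat" if r["action"] == "permit" else "no-nat"
    return "no-nat"

if __name__ == "__main__":
    rules = parse_acl(ACL_3333)
    for src, dst in [("172.16.188.10", "192.168.1.20"),   # LAN host to VPN client
                     ("172.16.188.10", "202.103.1.1"),    # LAN host to Internet
                     ("192.168.1.20", "202.103.1.1")]:    # VPN client to Internet
        print(src, "->", dst, nat_decision(rules, src, dst))
```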
Configuration on the PC client (the system is Windows XP)
1. Create a new connection, choose "Connect to the network at my workplace", then "Virtual Private Network connection", enter a name, preferably choose "Do not dial the initial connection", and enter the LNS address. This completes the new connection.
2. Open the properties of the new connection.
Under Security, choose Advanced. In the "Data encryption" box choose "Optional encryption (connect even if no encryption)"; under "Allow these protocols" select "PAP" and "CHAP".
3. Double-click the connection, enter the user name and password, and dial.
4. After the dial-up succeeds, "ipconfig" shows the IP address that was obtained.
Notes:
The L2TP function in Windows enables certificate-based IPsec by default; this must first be disabled in the registry.
Procedure:
Run the regedit command and locate the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Add the following registry entry:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
Note: a ready-made file is provided as an attachment.
[ This post was last edited by 等爱的波斯猫 on 2007-6-12 16:38 ]