成功配置，已经调试成功的说！ hongyi#show run Building configuration... Current configuration : 4655 bytes ! ! Last configuration change at 04:47:29 UTC Sun Apr 25 2004 by tonyxue ! NVRAM config last updated at 04:47:50 UTC Sun Apr 25 2004 by tonyxue ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname hongyi ! boot-start-marker boot-end-marker ! no logging console enable secret 5 $1$nyjl$3Q7avJNhGMGg9h8S3TxL01 ! username tonyxue password 7 110B0B0C101A1F010524 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 aaa new-model ! ! aaa authentication login hongyi_authen group tacacs+ aaa authentication login no_tacasc enable aaa authentication login line_vty local aaa authorization network hongyi_author local aaa session-id common ip subnet-zero no ip source-route ! ! no ip domain lookup ip dhcp excluded-address 172.16.0.1 172.16.0.220 ! ip dhcp pool hongyi network 172.16.0.0 255.255.255.0 dns-server 202.96.209.5 202.96.209.133 default-router 172.16.0.10 lease 30 ! no ip bootp server ip cef ip inspect audit-trail ip inspect name firewall cuseeme ip inspect name firewall fragment maximum 256 timeout 1 ip inspect name firewall ftp ip inspect name firewall h323 ip inspect name firewall icmp ip inspect name firewall netshow ip inspect name firewall rcmd ip inspect name firewall realaudio ip inspect name firewall rtsp ip inspect name firewall sqlnet ip inspect name firewall streamworks ip inspect name firewall tcp ip inspect name firewall udp ip inspect name firewall vdolive ip inspect name firewall http ip audit po max-events 100 vpdn enable ! vpdn-group FTTB request-dialin protocol pppoe ! no ftp-server write-enable ! ! ! ! ! crypto isakmp policy 3 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group hongyi key ********* pool hongyi_pool ! ! crypto ipsec transform-set hongyi_set esp-3des esp-sha-hmac ! crypto dynamic-map hongyi_dynamic_map 10 set transform-set hongyi_set ! ! crypto map clientmap client authentication list hongyi_authen crypto map clientmap isakmp authorization list hongyi_author crypto map clientmap client configuration address respond crypto map clientmap 10 ipsec-isakmp dynamic hongyi_dynamic_map ! ! ! interface Ethernet0 no ip address no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache half-duplex pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! interface FastEthernet0 ip address 172.16.0.10 255.255.0.0 ip access-group Local_Ruler in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip tcp adjust-mss 1452 no ip mroute-cache speed auto no cdp enable ! interface Dialer1 mtu 1492 ip address negotiated ip access-group Outbound_Ruler in no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip inspect firewall out encapsulation ppp no ip mroute-cache dialer pool 1 no cdp enable ppp authentication pap callin ppp pap sent-username ad********* @shtel password 7 046B08133D255F7908 crypto map clientmap ! ip local pool hongyi_pool 192.168.0.1 192.168.0.254 ip nat inside source route-map nat_map interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 no ip http server no ip http secure-server ! ! ! ip access-list extended Local_Ruler deny 53 any any log deny 55 any any log deny pim any any log deny tcp any any eq echo log deny tcp any any eq chargen log deny tcp any any eq 135 log deny tcp any any eq 136 log deny tcp any any eq 137 log deny tcp any any eq 138 log deny tcp any any eq 139 log deny tcp any any eq 445 log deny tcp any any eq 4444 log deny udp any any eq tftp log deny udp any any eq 135 log deny udp any any eq 136 log deny udp any any eq netbios-ns log deny udp any any eq netbios-dgm log deny udp any any eq netbios-ss log deny udp any any eq snmp log deny udp any any eq 445 log permit ip any any ip access-list extended Outbound_Ruler permit udp any any eq isakmp log permit esp any any log permit udp any any eq non500-isakmp log permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 log deny ip any any log logging source-interface FastEthernet0 logging 172.16.0.100 access-list 1 deny any access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255 access-list 101 permit ip 172.16.0.0 0.0.255.255 any no cdp run ! route-map nat_map permit 10 match ip address 101 ! tacacs-server host 172.16.0.100 key 7 0459190F082958430817 tacacs-server directed-request ! line con 0 logging synchronous login authentication line_vty line aux 0 logging synchronous line vty 0 4 logging synchronous login authentication line_vty ! ! end 文章录入：aaadxmmm    责任编辑：aaadxmmm