
Cisco PIX Firewall VPN Configuration Example

PIX Central Configuration

  Building configuration...

  : Saved

  :

  PIX Version 6.3(3)

  interface ethernet0 auto

  interface ethernet1 auto

  nameif ethernet0 outside security0

  nameif ethernet1 inside security100

  enable password 8Ry2YjIyt7RRXU24 encrypted

  passwd 2KFQnbNIdI.2KYOU encrypted

  hostname pix-central

  fixup protocol dns maximum-length 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol skinny 2000

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names

  !--- This is traffic to PIX 2.

  access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

  !--- This is traffic to PIX 3.

  access-list 130 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

  !--- Do not do Network Address Translation (NAT) on traffic to other PIXes.

  access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

  access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

  pager lines 24

  logging on

  mtu outside 1500

  mtu inside 1500

  ip address outside 172.18.124.153 255.255.255.0

  ip address inside 10.1.1.1 255.255.255.0

  ip audit info action alarm

  ip audit attack action alarm

  pdm history enable

  arp timeout 14400

  !--- Do not do NAT on traffic to other PIXes.

  nat (inside) 0 access-list 100

  route outside 0.0.0.0 0.0.0.0 172.18.124.1 1

  timeout xlate 3:00:00

  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

  timeout uauth 0:05:00 absolute

  aaa-server TACACS+ protocol tacacs+

  aaa-server RADIUS protocol radius

  aaa-server LOCAL protocol local

  no snmp-server location

  no snmp-server contact

  snmp-server community public

  snmp-server enable traps

  floodguard enable

  sysopt connection permit-ipsec

  crypto ipsec transform-set myset esp-des esp-md5-hmac

  !--- This is traffic to PIX 2.

  crypto map newmap 20 ipsec-isakmp

  crypto map newmap 20 match address 120

  crypto map newmap 20 set peer 172.18.124.154

  crypto map newmap 20 set transform-set myset

  !--- This is traffic to PIX 3.

  crypto map newmap 30 ipsec-isakmp

  crypto map newmap 30 match address 130

  crypto map newmap 30 set peer 172.18.124.157

  crypto map newmap 30 set transform-set myset

  crypto map newmap interface outside

  isakmp enable outside

  isakmp key ******** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode

  isakmp key ******** address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode

  isakmp identity address

  isakmp policy 10 authentication pre-share

  isakmp policy 10 encryption des

  isakmp policy 10 hash md5

  isakmp policy 10 group 1

  isakmp policy 10 lifetime 1000

  telnet timeout 5

  ssh timeout 5

  console timeout 0

  terminal width 80

  Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

  : end

  PIX 2 Configuration

  Building configuration...

  : Saved

  :

  PIX Version 6.3(3)

  interface ethernet0 auto

  interface ethernet1 auto

  nameif ethernet0 outside security0

  nameif ethernet1 inside security100

  enable password 8Ry2YjIyt7RRXU24 encrypted

  passwd 2KFQnbNIdI.2KYOU encrypted

  hostname pix2

  fixup protocol dns maximum-length 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol skinny 2000

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names

  !--- This is traffic to PIX Central.

  access-list 110 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

  !--- Do not do NAT on traffic to PIX Central.

  access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

  pager lines 24

  logging on

  mtu outside 1500

  mtu inside 1500

  ip address outside 172.18.124.154 255.255.255.0

  ip address inside 10.2.2.1 255.255.255.0

  ip audit info action alarm

  ip audit attack action alarm

  no failover

  failover timeout 0:00:00

  failover poll 15

  no failover ip address outside

  no failover ip address inside

  pdm history enable

  arp timeout 14400

  !--- Do not do NAT on traffic to PIX Central.

  nat (inside) 0 access-list 100

  route outside 0.0.0.0 0.0.0.0 172.18.124.1 1

  timeout xlate 3:00:00

  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

  timeout uauth 0:05:00 absolute

  aaa-server TACACS+ protocol tacacs+

  aaa-server RADIUS protocol radius

  aaa-server LOCAL protocol local

  no snmp-server location

  no snmp-server contact

  snmp-server community public

  no snmp-server enable traps

  floodguard enable

  sysopt connection permit-ipsec

  crypto ipsec transform-set myset esp-des esp-md5-hmac

  !--- This is traffic to PIX Central.

  crypto map newmap 10 ipsec-isakmp

  crypto map newmap 10 match address 110

  crypto map newmap 10 set peer 172.18.124.153

  crypto map newmap 10 set transform-set myset

  crypto map newmap interface outside

  isakmp enable outside

  isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode

  isakmp identity address

  isakmp policy 10 authentication pre-share

  isakmp policy 10 encryption des

  isakmp policy 10 hash md5

  isakmp policy 10 group 1

  isakmp policy 10 lifetime 1000

  telnet timeout 5

  ssh timeout 5

  console timeout 0

  terminal width 80

  Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

  : end

  PIX 3 Configuration

  Building configuration...

  : Saved

  :

  PIX Version 6.3(3)

  interface ethernet0 auto

  interface ethernet1 auto

  nameif ethernet0 outside security0

  nameif ethernet1 inside security100

  enable password 8Ry2YjIyt7RRXU24 encrypted

  passwd 2KFQnbNIdI.2KYOU encrypted

  hostname pix3

  fixup protocol dns maximum-length 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol skinny 2000

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names

  !--- This is traffic to PIX Central.

  access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

  !--- Do not do NAT on traffic to PIX Central.

  access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

  pager lines 24

  logging on

  mtu outside 1500

  mtu inside 1500

  ip address outside 172.18.124.157 255.255.255.0

  ip address inside 10.3.3.1 255.255.255.0

  ip audit info action alarm

  ip audit attack action alarm

  no failover

  failover timeout 0:00:00

  failover poll 15

  no failover ip address outside

  no failover ip address inside

  pdm history enable

  arp timeout 14400

  !--- Do not do NAT on traffic to PIX Central.

  nat (inside) 0 access-list 100

  route outside 0.0.0.0 0.0.0.0 172.18.124.1 1

  timeout xlate 3:00:00

  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

  timeout uauth 0:05:00 absolute

  aaa-server TACACS+ protocol tacacs+

  aaa-server RADIUS protocol radius

  aaa-server LOCAL protocol local

  no snmp-server location

  no snmp-server contact

  snmp-server community public

  no snmp-server enable traps

  floodguard enable

  sysopt connection permit-ipsec

  crypto ipsec transform-set myset esp-des esp-md5-hmac

  !--- This is traffic to PIX Central.

  crypto map newmap 10 ipsec-isakmp

  crypto map newmap 10 match address 110

  crypto map newmap 10 set peer 172.18.124.153

  crypto map newmap 10 set transform-set myset

  crypto map newmap interface outside

  isakmp enable outside

  isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode

  isakmp identity address

  isakmp policy 10 authentication pre-share

  isakmp policy 10 encryption des

  isakmp policy 10 hash md5

  isakmp policy 10 group 1

  isakmp policy 10 lifetime 1000

  telnet timeout 5

  ssh timeout 5

  console timeout 0

  terminal width 80

  Cryptochecksum:aa3bbd8c6275d214b153e1e0bc0173e4

  : end
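The three configurations above only build working tunnels if each hub-and-spoke pair agrees on peer address, transform set and mirror-image crypto ACLs. As an added example that is not part of the original article, the following Python script parses constructed excerpts of the PIX Central and PIX 2 configs shown above, verifies those three points for the tunnel between them, and flags the esp-des / esp-md5-hmac algorithms, which are deprecated and should be replaced in any current deployment.

```python
# Constructed excerpts of the PIX Central and PIX 2 configs listed on this page
PIX_CENTRAL = """\
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.18.124.153 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154
crypto map newmap 20 set transform-set myset
"""
PIX2 = """\
access-list 110 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 172.18.124.154 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
"""
WEAK = {"esp-des", "esp-md5-hmac", "esp-null"}  # deprecated IPsec algorithms

def parse(cfg):
    """Collect the pieces of a PIX config that must agree between two peers."""
    acls, tsets, maps, outside = {}, {}, {}, None
    for f in (line.split() for line in cfg.splitlines()):
        if f[:1] == ["access-list"] and f[2] == "permit":
            acls.setdefault(f[1], []).append((f[4], f[5], f[6], f[7]))
        elif f[:3] == ["ip", "address", "outside"]:
            outside = f[3]
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[f[3]] = tuple(f[4:])
        elif f[:2] == ["crypto", "map"] and len(f) == 7:
            entry = maps.setdefault((f[2], f[3]), {})
            key = {"address": "acl", "peer": "peer", "transform-set": "tset"}[f[5]]
            entry[key] = f[6]
    return {"acls": acls, "tsets": tsets, "maps": maps, "outside": outside}

def check_pair(a, b):
    """Findings for the tunnel between a and b; an empty list means consistent."""
    mine = [e for e in a["maps"].values() if e.get("peer") == b["outside"]]
    theirs = [e for e in b["maps"].values() if e.get("peer") == a["outside"]]
    if not mine or not theirs:
        return ["no crypto map entry for this peer on one side"]
    ea, eb = mine[0], theirs[0]
    ta, tb = a["tsets"][ea["tset"]], b["tsets"][eb["tset"]]
    findings = [f"transform-set mismatch: {ta} vs {tb}"] if set(ta) != set(tb) else []
    findings += [f"weak algorithm {alg}" for alg in ta if alg in WEAK]
    # the remote crypto ACL must be the mirror image (src/dst swapped) of ours
    mirror = {(d, dm, s, sm) for s, sm, d, dm in a["acls"][ea["acl"]]}
    if mirror != set(b["acls"][eb["acl"]]):
        findings.append("crypto ACLs are not mirror images")
    return findings
```

Running `check_pair(parse(PIX_CENTRAL), parse(PIX2))` on the page's configs reports only the two weak-algorithm findings; the same check applied to PIX Central and PIX 3 works identically because the spoke configs are built the same way.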
