Chinaunix首页 | 论坛 | 博客
  • 博客访问: 384053
  • 博文数量: 114
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 1219
  • 用 户 组: 普通用户
  • 注册时间: 2015-02-07 21:23
文章分类

全部博文(114)

文章存档

2018年(1)

2017年(5)

2016年(87)

2015年(21)

我的朋友

分类: 系统运维

2016-01-27 15:30:38

防火墙版本PIX/ASA 7.x,网络拓扑如下

route
  1. Router#show running-config
  2. Current configuration : 1354 bytes
  3. !
  4. version 12.4
  5. service timestamps debug datetime msec
  6. service timestamps log datetime msec
  7. no service password-encryption
  8. !
  9. hostname Router
  10. !
  11. boot-start-marker
  12. boot-end-marker
  13. !
  14. !
  15. no aaa new-model
  16. !
  17. resource policy
  18. !
  19. ip cef


  20. !--- Configuration for IKE policies. !--- Enables the IKE policy configuration (config-isakmp) !--- command mode, where you can specify the parameters that !--- are used during an IKE negotiation.


  21. crypto isakmp policy 1
  22.  encr 3des
  23.  hash md5
  24.  authentication pre-share
  25.  group 2


  26. !--- Specifies the preshared key "cisco123" which should !--- be identical at both peers. This is a global !--- configuration mode command.


  27. crypto isakmp key cisco123 address 192.168.1.2
  28. !
  29. !

  30. !--- Configuration for IPsec policies. !--- Enables the crypto transform configuration mode, !--- where you can specify the transform sets that are used !--- during an IPsec negotiation.


  31. crypto ipsec transform-set pix-set esp-3des esp-md5-hmac


  32. !--- Indicates that IKE is used to establish !--- the IPsec Security Association for protecting the !--- traffic specified by this crypto map entry.


  33. crypto map pix 10 ipsec-isakmp


  34. !--- Sets the IP address of the remote end.


  35.  set peer 192.168.1.2


  36. !--- Configures IPsec to use the transform-set !--- "pix-set" defined earlier in this configuration.


  37.  set transform-set pix-set


  38. !--- Specifies the interesting traffic to be encrypted.


  39.  match address 101
  40. !
  41. !
  42. !
  43. !
  44. interface Ethernet0/0

  45. !--- The interface dynamically learns its IP address !--- from the service provider.

  46.  
  47.  ip address DHCP

  48.  ip virtual-reassembly
  49.  half-duplex

  50. !--- Configures the interface to use the !--- crypto map "pix" for IPsec.

  51.  crypto map pix
  52. !
  53. interface FastEthernet1/0
  54.  no ip address
  55.  shutdown
  56.  duplex auto
  57.  speed auto
  58. !
  59. interface Serial2/0
  60.  ip address 10.1.1.2 255.255.255.0
  61.  ip nat inside
  62.  ip virtual-reassembly
  63.  no fair-queue
  64. !
  65. interface Serial2/1
  66.  no ip address
  67.  shutdown
  68. !
  69. interface Serial2/2
  70.  no ip address
  71.  shutdown
  72. !
  73. interface Serial2/3
  74.  no ip address
  75.  shutdown
  76. !
  77. ip http server
  78. no ip http secure-server
  79. !
  80. ip route 0.0.0.0 0.0.0.0 Ethernet0/0
  81. !
  82. ip nat inside source route-map nonat interface Ethernet0/0 overload
  83. !

  84. !--- This crypto ACL 101 -permit identifies the !--- matching traffic flows to be protected via encryption.


  85. access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255


  86. !--- This ACL 110 identifies the traffic flows using route map and !--- are PATed via outside interface (Ethernet0/0).


  87. access-list 110 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
  88. access-list 110 permit ip 10.1.1.0 0.0.0.255 any


  89. !
  90. route-map nonat permit 10
  91.  match ip address 110
  92. !
  93. !
  94. control-plane
  95. !

  96. !
  97. line con 0
  98. line aux 0
  99. line vty 0 4
  100. !
  101. !
  102. end
pix7.x

  1. pixfirewall#show running-config
  2.  PIX Version 7.2(1)
  3. !
  4. hostname pixfirewall
  5. enable password 8Ry2YjIyt7RRXU24 encrypted
  6. names
  7. !

  8. !--- Configure the outside and inside interfaces.

  9. interface Ethernet0
  10.  nameif outside
  11.  security-level 0
  12.  ip address 192.168.1.2 255.255.255.0
  13. !
  14. interface Ethernet1
  15.  nameif inside
  16.  security-level 100
  17.  ip address 10.2.2.1 255.255.255.0
  18. !
  19. !

  20.  !--- Output is suppressed.

  21. !
  22. passwd 2KFQnbNIdI.2KYOU encrypted
  23. ftp mode passive


  24. !--- This access list is used for a nat zero command that prevents !--- traffic which matches the access list from undergoing NAT.


  25. access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

  26. pager lines 24
  27. mtu outside 1500
  28. mtu inside 1500
  29. no failover
  30. no asdm history enable
  31. arp timeout 14400


  32.  !--- NAT 0 prevents NAT for networks specified in the ACL - nonat. !--- The nat 1 command specifies PAT using !--- the outside interface for all other traffic.


  33. global (outside) 1 interface
  34. nat (inside) 0 access-list nonat
  35. nat (inside) 1 0.0.0.0 0.0.0.0

  36. route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

  37. timeout xlate 3:00:00
  38. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  39. timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  40. timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  41. timeout uauth 0:05:00 absolute
  42. no snmp-server location
  43. no snmp-server contact
  44. snmp-server enable traps snmp authentication linkup linkdown coldstart


  45. !--- PHASE 2 CONFIGURATION ---! !--- The encryption types for Phase 2 are defined here. !--- A triple single 3DES encryption with !--- the md5 hash algorithm is used.


  46. crypto ipsec transform-set router-set esp-3des esp-md5-hmac


  47. !--- Defines a dynamic crypto map with !--- the specified encryption settings.


  48. crypto dynamic-map cisco 1 set transform-set router-set


  49. !--- Enable Reverse Route Injection (RRI), which allows the Security Appliance !--- to learn routing information for connected clients.


  50. crypto dynamic-map cisco 1 set reverse-route


  51. !--- Binds the dynamic map to the IPsec/ISAKMP process.


  52. crypto map dyn-map 10 ipsec-isakmp dynamic cisco


  53. !--- Specifies the interface to be used with !--- the settings defined in this configuration.


  54. crypto map dyn-map interface outside


  55. !--- PHASE 1 CONFIGURATION ---! !--- This configuration uses isakmp policy 10. !--- Policy 65535 is included in the config by default. !--- The configuration commands here define the Phase !--- 1 policy parameters that are used.

  56. crypto isakmp policy 10
  57.  authentication pre-share
  58.  encryption 3des
  59.  hash md5
  60.  group 2
  61.  lifetime 86400

  62. crypto isakmp policy 65535
  63.  authentication pre-share
  64.  encryption 3des
  65.  hash sha
  66.  group 2
  67.  lifetime 86400

  68. !--- The security appliance provides the default tunnel groups !--- for Lan to Lan access (DefaultL2LGroup) and configure the preshared key !--- (cisco123) to authenticate the remote router.


  69. tunnel-group DefaultL2LGroup ipsec-attributes
  70.  pre-shared-key *

  71. telnet timeout 5
  72. ssh timeout 5
  73. console timeout 0
  74. !
  75. class-map inspection_default
  76.  match default-inspection-traffic
  77. !
  78. !
  79. policy-map type inspect dns preset_dns_map
  80.  parameters
  81.   message-length maximum 512
  82. policy-map global_policy
  83.  class inspection_default
  84.   inspect dns preset_dns_map
  85.   inspect ftp
  86.   inspect h323 h225
  87.   inspect h323 ras
  88.   inspect netbios
  89.   inspect rsh
  90.   inspect rtsp
  91.   inspect skinny
  92.   inspect esmtp
  93.   inspect sqlnet
  94.   inspect sunrpc
  95.   inspect tftp
  96.   inspect sip
  97.   inspect xdmcp
  98. !
  99. service-policy global_policy global
  100. prompt hostname context
  101. Cryptochecksum:6ed4a7bce392a439d0a16e86743e2663

  1. 清除安全关联 (SA)

  2. 在 PIX 的特权模式下使用以下这些命令:

  3. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  4. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  5. show crypto isakmp sa
  6. show crypto ipsec sa
  7. PIX 安全设备 - debug 输出

  8. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  9. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  10. 远程 IOS 路由器 - debug 输出

  11. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  12. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。


阅读(1647) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~