Chinaunix首页 | 论坛 | 博客

w787815的ChinaUnix博客

首页 |  博文目录 |  关于我

w787815

  • 博客访问: 381802
  • 博文数量: 114
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 1219
  • 用 户 组: 普通用户
  • 注册时间: 2015-02-07 21:23
文章分类

全部博文(114)

文章存档

2018年(1)

2017年(5)

2016年(87)

2015年(21)

我的朋友
最近访客
推荐博文
相关博文
PIX/ASA 7.x动态IOS路由器和静态PIX之间的动态IPSec配置示例

分类: 系统运维

2016-01-27 15:30:38

防火墙版本PIX/ASA 7.x,网络拓扑如下

route
  1. Router#show running-config
  2. Current configuration : 1354 bytes
  3. !
  4. version 12.4
  5. service timestamps debug datetime msec
  6. service timestamps log datetime msec
  7. no service password-encryption
  8. !
  9. hostname Router
  10. !
  11. boot-start-marker
  12. boot-end-marker
  13. !
  14. !
  15. no aaa new-model
  16. !
  17. resource policy
  18. !
  19. ip cef


  22. !--- Configuration for IKE policies. !--- Enables the IKE policy configuration (config-isakmp) !--- command mode, where you can specify the parameters that !--- are used during an IKE negotiation.


  25. crypto isakmp policy 1
  26.  encr 3des
  27.  hash md5
  28.  authentication pre-share
  29.  group 2


  32. !--- Specifies the preshared key "cisco123" which should !--- be identical at both peers. This is a global !--- configuration mode command.


  35. crypto isakmp key cisco123 address 192.168.1.2
  36. !
  37. !

  39. !--- Configuration for IPsec policies. !--- Enables the crypto transform configuration mode, !--- where you can specify the transform sets that are used !--- during an IPsec negotiation.


  42. crypto ipsec transform-set pix-set esp-3des esp-md5-hmac


  45. !--- Indicates that IKE is used to establish !--- the IPsec Security Association for protecting the !--- traffic specified by this crypto map entry.


  48. crypto map pix 10 ipsec-isakmp


  51. !--- Sets the IP address of the remote end.


  54.  set peer 192.168.1.2


  57. !--- Configures IPsec to use the transform-set !--- "pix-set" defined earlier in this configuration.


  60.  set transform-set pix-set


  63. !--- Specifies the interesting traffic to be encrypted.


  66.  match address 101
  67. !
  68. !
  69. !
  70. !
  71. interface Ethernet0/0

  73. !--- The interface dynamically learns its IP address !--- from the service provider.

  75.  
  76.  ip address DHCP

  78.  ip virtual-reassembly
  79.  half-duplex

  81. !--- Configures the interface to use the !--- crypto map "pix" for IPsec.

  83.  crypto map pix
  84. !
  85. interface FastEthernet1/0
  86.  no ip address
  87.  shutdown
  88.  duplex auto
  89.  speed auto
  90. !
  91. interface Serial2/0
  92.  ip address 10.1.1.2 255.255.255.0
  93.  ip nat inside
  94.  ip virtual-reassembly
  95.  no fair-queue
  96. !
  97. interface Serial2/1
  98.  no ip address
  99.  shutdown
  100. !
  101. interface Serial2/2
  102.  no ip address
  103.  shutdown
  104. !
  105. interface Serial2/3
  106.  no ip address
  107.  shutdown
  108. !
  109. ip http server
  110. no ip http secure-server
  111. !
  112. ip route 0.0.0.0 0.0.0.0 Ethernet0/0
  113. !
  114. ip nat inside source route-map nonat interface Ethernet0/0 overload
  115. !

  117. !--- This crypto ACL 101 -permit identifies the !--- matching traffic flows to be protected via encryption.


  120. access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255


  123. !--- This ACL 110 identifies the traffic flows using route map and !--- are PATed via outside interface (Ethernet0/0).


  126. access-list 110 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
  127. access-list 110 permit ip 10.1.1.0 0.0.0.255 any


  130. !
  131. route-map nonat permit 10
  132.  match ip address 110
  133. !
  134. !
  135. control-plane
  136. !

  138. !
  139. line con 0
  140. line aux 0
  141. line vty 0 4
  142. !
  143. !
  144. end
pix7.x

  1. pixfirewall#show running-config
  2.  PIX Version 7.2(1)
  3. !
  4. hostname pixfirewall
  5. enable password 8Ry2YjIyt7RRXU24 encrypted
  6. names
  7. !

  9. !--- Configure the outside and inside interfaces.

  11. interface Ethernet0
  12.  nameif outside
  13.  security-level 0
  14.  ip address 192.168.1.2 255.255.255.0
  15. !
  16. interface Ethernet1
  17.  nameif inside
  18.  security-level 100
  19.  ip address 10.2.2.1 255.255.255.0
  20. !
  21. !

  23.  !--- Output is suppressed.

  25. !
  26. passwd 2KFQnbNIdI.2KYOU encrypted
  27. ftp mode passive


  30. !--- This access list is used for a nat zero command that prevents !--- traffic which matches the access list from undergoing NAT.


  33. access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

  35. pager lines 24
  36. mtu outside 1500
  37. mtu inside 1500
  38. no failover
  39. no asdm history enable
  40. arp timeout 14400


  43.  !--- NAT 0 prevents NAT for networks specified in the ACL - nonat. !--- The nat 1 command specifies PAT using !--- the outside interface for all other traffic.


  46. global (outside) 1 interface
  47. nat (inside) 0 access-list nonat
  48. nat (inside) 1 0.0.0.0 0.0.0.0

  50. route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

  52. timeout xlate 3:00:00
  53. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  54. timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  55. timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  56. timeout uauth 0:05:00 absolute
  57. no snmp-server location
  58. no snmp-server contact
  59. snmp-server enable traps snmp authentication linkup linkdown coldstart


  62. !--- PHASE 2 CONFIGURATION ---! !--- The encryption types for Phase 2 are defined here. !--- A triple single 3DES encryption with !--- the md5 hash algorithm is used.


  65. crypto ipsec transform-set router-set esp-3des esp-md5-hmac


  68. !--- Defines a dynamic crypto map with !--- the specified encryption settings.


  71. crypto dynamic-map cisco 1 set transform-set router-set


  74. !--- Enable Reverse Route Injection (RRI), which allows the Security Appliance !--- to learn routing information for connected clients.


  77. crypto dynamic-map cisco 1 set reverse-route


  80. !--- Binds the dynamic map to the IPsec/ISAKMP process.


  83. crypto map dyn-map 10 ipsec-isakmp dynamic cisco


  86. !--- Specifies the interface to be used with !--- the settings defined in this configuration.


  89. crypto map dyn-map interface outside


  92. !--- PHASE 1 CONFIGURATION ---! !--- This configuration uses isakmp policy 10. !--- Policy 65535 is included in the config by default. !--- The configuration commands here define the Phase !--- 1 policy parameters that are used.

  94. crypto isakmp policy 10
  95.  authentication pre-share
  96.  encryption 3des
  97.  hash md5
  98.  group 2
  99.  lifetime 86400

  101. crypto isakmp policy 65535
  102.  authentication pre-share
  103.  encryption 3des
  104.  hash sha
  105.  group 2
  106.  lifetime 86400

  108. !--- The security appliance provides the default tunnel groups !--- for Lan to Lan access (DefaultL2LGroup) and configure the preshared key !--- (cisco123) to authenticate the remote router.


  111. tunnel-group DefaultL2LGroup ipsec-attributes
  112.  pre-shared-key *

  114. telnet timeout 5
  115. ssh timeout 5
  116. console timeout 0
  117. !
  118. class-map inspection_default
  119.  match default-inspection-traffic
  120. !
  121. !
  122. policy-map type inspect dns preset_dns_map
  123.  parameters
  124.   message-length maximum 512
  125. policy-map global_policy
  126.  class inspection_default
  127.   inspect dns preset_dns_map
  128.   inspect ftp
  129.   inspect h323 h225
  130.   inspect h323 ras
  131.   inspect netbios
  132.   inspect rsh
  133.   inspect rtsp
  134.   inspect skinny
  135.   inspect esmtp
  136.   inspect sqlnet
  137.   inspect sunrpc
  138.   inspect tftp
  139.   inspect sip
  140.   inspect xdmcp
  141. !
  142. service-policy global_policy global
  143. prompt hostname context
  144. Cryptochecksum:6ed4a7bce392a439d0a16e86743e2663

  1. 清除安全关联 (SA)

  3. 在 PIX 的特权模式下使用以下这些命令:

  5. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  7. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  8. show crypto isakmp sa
  9. show crypto ipsec sa
  10. PIX 安全设备 - debug 输出

  12. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  14. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  16. 远程 IOS 路由器 - debug 输出

  18. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  20. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。


阅读(1598) | 评论(0) | 转发(0) |
0

上一篇:静态IOS路由器和动态PIX之间的动态IPSec配置示例

下一篇:PIX/ASA 8.x与IOS路由器静态到静态IPSec配置示例

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6