Chinaunix首页 | 论坛 | 博客
  • 博客访问: 380867
  • 博文数量: 114
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 1219
  • 用 户 组: 普通用户
  • 注册时间: 2015-02-07 21:23
文章分类

全部博文(114)

文章存档

2018年(1)

2017年(5)

2016年(87)

2015年(21)

我的朋友

分类: 系统运维

2016-01-27 15:41:01

网络图

本文档使用以下网络设置:

ASA 8.2版本
  1. ASA# show run
  2. : Saved
  3. ASA Version 8.2
  4. !
  5. hostname ASA
  6. enable password 8Ry2YjIyt7RRXU24 encrypted
  7. names
  8. !

  9. !--- Configure the outside interface.
  10. !

  11. interface Ethernet0/1
  12.  nameif outside
  13.  security-level 0
  14.  ip address 172.16.1.1 255.255.255.0

  15. !--- Configure the inside interface.
  16. !

  17. interface Ethernet0/2
  18.  nameif inside
  19.  security-level 100
  20.  ip address 10.10.10.1 255.255.255.0




  21. !-- Output suppressed
  22. !

  23. passwd 2KFQnbNIdI.2KYOU encrypted
  24. ftp mode passive
  25. dns server-group DefaultDNS
  26.  domain-name default.domain.invalid

  27. access-list 100 extended permit ip any any
  28. access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0
  29. 10.20.10.0 255.255.255.0


  30. !--- This access list (inside_nat0_outbound) is used
  31. !--- with the nat zero command. This prevents traffic which
  32. !--- matches the access list from undergoing network address translation (NAT).
  33. !--- The traffic specified by this ACL is traffic that is to be encrypted and
  34. !--- sent across the VPN tunnel. This ACL is intentionally
  35. !--- the same as (outside_1_cryptomap).
  36. !--- Two separate access lists should always be used in this configuration.

  37. access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0
  38. 10.20.10.0 255.255.255.0

  39. !--- This access list (outside_cryptomap) is used
  40. !--- with the crypto map outside_map
  41. !--- to determine which traffic should be encrypted and sent
  42. !--- across the tunnel.
  43. !--- This ACL is intentionally the same as (inside_nat0_outbound).
  44. !--- Two separate access lists should always be used in this configuration.

  45. pager lines 24
  46. mtu inside 1500
  47. mtu outside 1500
  48. no failover
  49. asdm image disk0:/asdm-613.bin
  50. asdm history enable
  51. arp timeout 14400
  52. global (outside) 1 interface
  53. nat (inside) 1 10.10.10.0 255.255.255.0

  54. nat (inside) 0 access-list inside_nat0_outbound

  55. !--- NAT 0 prevents NAT for networks specified in
  56. !--- the ACL inside_nat0_outbound.


  57. access-group 100 in interface outside
  58. route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

  59. timeout xlate 3:00:00
  60. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  61. timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
  62. timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  63. timeout uauth 0:05:00 absolute
  64. http server enable
  65. http 0.0.0.0 0.0.0.0 dmz
  66. no snmp-server location
  67. no snmp-server contact


  68. !--- PHASE 2 CONFIGURATION ---!
  69. !--- The encryption types for Phase 2 are defined here.

  70. crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

  71. !--- Define the transform set for Phase 2.



  72. crypto map outside_map 1 match address outside_1_cryptomap

  73. !--- Define which traffic should be sent to the IPsec peer.


  74. crypto map outside_map 1 set peer 172.17.1.1

  75. !--- Sets the IPsec peer


  76. crypto map outside_map 1 set transform-set ESP-DES-SHA

  77. !--- Sets the IPsec transform set "ESP-AES-256-SHA"
  78. !--- to be used with the crypto map entry "outside_map".


  79. crypto map outside_map interface outside

  80. !--- Specifies the interface to be used with
  81. !--- the settings defined in this configuration.


  82. !--- PHASE 1 CONFIGURATION ---!

  83. !--- This configuration uses isakmp policy 10.
  84. !--- The configuration commands here define the Phase
  85. !--- 1 policy parameters that are used.


  86. crypto isakmp enable outside
  87. crypto isakmp policy 10
  88.  authentication pre-share
  89.  encryption des
  90.  hash sha
  91.  group 1
  92.  lifetime 86400
  93. telnet timeout 5
  94. ssh timeout 5
  95. console timeout 0
  96. threat-detection basic-threat
  97. threat-detection statistics access-list
  98. !

  99.  

  100. tunnel-group 172.17.1.1 type ipsec-l2l

  101. !--- In order to create and manage the database of connection-specific
  102. !--- records for ipsec-l2l—IPsec (LAN-to-LAN) tunnels, use the command
  103. !--- tunnel-group in global configuration mode.
  104. !--- For L2L connections the name of the tunnel group MUST be the IP
  105. !--- address of the IPsec peer.



  106. tunnel-group 172.17.1.1 ipsec-attributes
  107.  pre-shared-key *

  108. !--- Enter the pre-shared-key in order to configure the
  109. !--- authentication method.


  110. telnet timeout 5
  111. ssh timeout 5
  112. console timeout 0
  113. threat-detection basic-threat
  114. threat-detection statistics access-list
  115. !
  116. class-map inspection_default
  117.  match default-inspection-traffic
  118. !
  119. !



  120. !-- Output

  121. username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 15
  122. Cryptochecksum:be38dfaef777a339b9e1c89202572a7d
  123. : end
cisco路由器:

  1. Building configuration...

  2. Current configuration : 2403 bytes
  3. !
  4. version 12.4
  5. service timestamps debug datetime msec
  6. service timestamps log datetime msec
  7. service password-encryption
  8. !
  9. hostname R3
  10. !
  11. boot-start-marker
  12. boot-end-marker
  13. !
  14. no logging buffered
  15. !
  16. username cisco123 privilege 15 password 7 1511021F07257A767B
  17. no aaa new-model
  18. ip subnet-zero
  19. !
  20. !
  21. ip cef
  22. !
  23. !
  24. ip ips po max-events 100
  25. no ftp-server write-enable
  26. !


  27. !--- Configuration for IKE policies.
  28. !--- Enables the IKE policy configuration (config-isakmp)
  29. !--- command mode, where you can specify the parameters that
  30. !--- are used during an IKE negotiation. Encryption and Policy details are hidden
  31. !---as the default values are chosen.


  32. crypto isakmp policy 2
  33.  authentication pre-share


  34. !--- Specifies the pre-shared key "cisco123" which should
  35. !--- be identical at both peers. This is a global
  36. !--- configuration mode command.

  37. crypto isakmp key cisco123 address 172.16.1.1
  38. !
  39. !

  40. !--- Configuration for IPsec policies.
  41. !--- Enables the crypto transform configuration mode,
  42. !--- where you can specify the transform sets that are used
  43. !--- during an IPsec negotiation.

  44. crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
  45. !


  46. !--- Indicates that IKE is used to establish
  47. !--- the IPsec Security Association for protecting the
  48. !--- traffic specified by this crypto map entry.

  49. crypto map SDM_CMAP_1 1 ipsec-isakmp
  50.  description Tunnel to172.16.1.1
  51.  

  52. !--- Sets the IP address of the remote end.

  53.  set peer 172.16.1.1
  54.  

  55. !--- Configures IPsec to use the transform-set
  56. !--- "ASA-IPSEC" defined earlier in this configuration.
  57.  
  58.  set transform-set ASA-IPSEC
  59.  

  60. !--- !--- Specifies the interesting traffic to be encrypted.

  61.  match address 100
  62. !
  63. !
  64. !

  65. !--- Configures the interface to use the
  66. !--- crypto map "SDM_CMAP_1" for IPsec.

  67. interface FastEthernet0
  68.  ip address 172.17.1.1 255.255.255.0
  69.  duplex auto
  70.  speed auto
  71.  crypto map SDM_CMAP_1
  72. !
  73. interface FastEthernet1
  74.  ip address 10.20.10.2 255.255.255.0
  75.  duplex auto
  76.  speed auto
  77. !
  78. interface FastEthernet2
  79.  no ip address
  80. !
  81. interface Vlan1
  82.  ip address 10.77.241.109 255.255.255.192
  83. !
  84. ip classless
  85. ip route 10.10.10.0 255.255.255.0 172.17.1.2
  86. ip route 10.77.233.0 255.255.255.0 10.77.241.65
  87. ip route 172.16.1.0 255.255.255.0 172.17.1.2
  88. !
  89. !
  90. ip nat inside source route-map nonat interface FastEthernet0 overload
  91. !
  92. ip http server
  93. ip http authentication local
  94. ip http secure-server
  95. !

  96. !--- Configure the access-lists and map them to the Crypto map configured.

  97. access-list 100 remark SDM_ACL Category=4
  98. access-list 100 remark IPSec Rule
  99. access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  100. !
  101. !
  102. !

  103. !--- This ACL 110 identifies the traffic flows using route map

  104. access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  105. access-list 110 permit ip 10.20.10.0 0.0.0.255 any
  106. route-map nonat permit 10
  107.  match ip address 110
  108. !
  109. control-plane
  110. !
  111. !
  112. line con 0
  113.  login local
  114. line aux 0
  115. line vty 0 4
  116.  privilege level 15
  117.  login local
  118.  transport input telnet ssh
  119. !
  120. end

点击(此处)折叠或打开

  1. 清除安全关联 (SA)

  2. 在 PIX 的特权模式下使用以下这些命令:

  3. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  4. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  5. show crypto isakmp sa
  6. show crypto ipsec sa
  7. show crypto engine connections active - 显示有关加密和解密数据包(仅限路由器)的当前连接和信息。

  8. PIX 安全设备 - debug 输出

  9. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  10. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  11. 远程 IOS 路由器 - debug 输出

  12. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  13. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。


阅读(1383) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~