Chinaunix首页 | 论坛 | 博客
  • 博客访问: 381805
  • 博文数量: 114
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 1219
  • 用 户 组: 普通用户
  • 注册时间: 2015-02-07 21:23
文章分类

全部博文(114)

文章存档

2018年(1)

2017年(5)

2016年(87)

2015年(21)

我的朋友

分类: 系统运维

2016-01-27 15:54:32

本文档使用这个网络设置:

pix7.x
  1. HQPIX(config)#show run
  2. PIX Version 7.0(0)102
  3. names
  4. !
  5. interface Ethernet0
  6. description WAN interface
  7. nameif outside
  8. security-level 0
  9. ip address 172.17.63.229 255.255.255.240
  10. !
  11. interface Ethernet1
  12. nameif inside
  13. security-level 100
  14. ip address 10.1.1.1 255.255.255.0
  15. !
  16. interface Ethernet2
  17. shutdown
  18. no nameif
  19. no security-level
  20. no ip address
  21. !
  22. interface Ethernet3
  23. shutdown
  24. no nameif
  25. no security-level
  26. no ip address
  27. !
  28. interface Ethernet4
  29. shutdown
  30. no nameif
  31. no security-level
  32. no ip address
  33. !
  34. interface Ethernet5
  35. shutdown
  36. no nameif
  37. no security-level
  38. no ip address
  39. !
  40. enable password 8Ry2YjIyt7RRXU24 encrypted
  41. passwd 2KFQnbNIdI.2KYOU encrypted
  42. hostname HQPIX
  43. domain-name cisco.com
  44. ftp mode passive
  45. clock timezone AEST 10

  46. access-list Ipsec-conn extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  47. access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  48. pager lines 24
  49. logging enable
  50. logging buffered debugging
  51. mtu inside 1500
  52. mtu outside 1500
  53. no failover
  54. monitor-interface inside
  55. monitor-interface outside
  56. asdm image flash:/asdmfile.50073
  57. no asdm history enable
  58. arp timeout 14400
  59. nat-control
  60. global (outside) 1 interface
  61. nat (inside) 0 access-list nonat
  62. nat (inside) 1 10.1.1.0 255.255.255.0
  63. access-group 100 in interface inside
  64. route outside 0.0.0.0 0.0.0.0 172.17.63.230 1
  65. timeout xlate 3:00:00
  66. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  67.  sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  68.  sip 0:30:00 sip_media 0:02:00
  69. timeout uauth 0:05:00 absolute
  70. aaa-server TACACS+ protocol tacacs+
  71. aaa-server RADIUS protocol radius
  72. aaa-server partner protocol tacacs+
  73. username cisco password 3USUcOPFUiMCO4Jk encrypted
  74. http server enable
  75. http 10.1.1.2 255.255.255.255 inside
  76. no snmp-server location
  77. no snmp-server contact
  78. snmp-server community public
  79. snmp-server enable traps snmp
  80. crypto ipsec transform-set avalanche esp-des esp-md5-hmac
  81. crypto ipsec security-association lifetime seconds 3600
  82. crypto ipsec df-bit clear-df outside
  83. crypto map forsberg 21 match address Ipsec-conn
  84. crypto map forsberg 21 set peer 172.17.63.230
  85. crypto map forsberg 21 set transform-set avalanche
  86. crypto map forsberg interface outside
  87. isakmp identity address
  88. isakmp enable outside
  89. isakmp policy 1 authentication pre-share
  90. isakmp policy 1 encryption 3des
  91. isakmp policy 1 hash sha
  92. isakmp policy 1 group 2
  93. isakmp policy 1 lifetime 86400
  94. isakmp policy 65535 authentication pre-share
  95. isakmp policy 65535 encryption 3des
  96. isakmp policy 65535 hash sha
  97. isakmp policy 65535 group 2
  98. isakmp policy 65535 lifetime 86400
  99. telnet timeout 5
  100. ssh timeout 5
  101. console timeout 0
  102. tunnel-group 172.17.63.230 type ipsec-l2l
  103. tunnel-group 172.17.63.230 ipsec-attributes
  104. pre-shared-key *
  105. !
  106. class-map inspection_default
  107. match default-inspection-traffic
  108. !
  109. !
  110. policy-map asa_global_fw_policy
  111. class inspection_default
  112. inspect dns maximum-length 512
  113. inspect ftp
  114. inspect h323 h225
  115. inspect h323 ras
  116. inspect netbios
  117. inspect rsh
  118. inspect rtsp
  119. inspect skinny
  120. inspect esmtp
  121. inspect sqlnet
  122. inspect sunrpc
  123. inspect tftp
  124. inspect sip
  125. inspect xdmcp
  126. inspect http
  127. !
  128. service-policy asa_global_fw_policy global
  129. Cryptochecksum:3a5851f7310d14e82bdf17e64d638738
  130. : end
  131. SV-2-8#
route

  1. BranchRouter#show run
  2. Building configuration...
  3.  
  4. Current configuration : 1719 bytes
  5. !
  6. ! Last configuration change at 13:03:25 AEST Tue Apr 5 2005
  7. ! NVRAM config last updated at 13:03:44 AEST Tue Apr 5 2005
  8. !
  9. version 12.2
  10. service timestamps debug datetime msec
  11. service timestamps log uptime
  12. no service password-encryption
  13. !
  14. hostname BranchRouter
  15. !
  16. logging queue-limit 100
  17. logging buffered 4096 debugging
  18. !
  19. username cisco privilege 15 password 0 cisco
  20. memory-size iomem 15
  21. clock timezone AEST 10
  22. ip subnet-zero
  23. !
  24. !
  25. !
  26. ip audit notify log
  27. ip audit po max-events 100
  28. !
  29. !
  30. !
  31. crypto isakmp policy 11
  32. encr 3des
  33. authentication pre-share
  34. group 2
  35. crypto isakmp key cisco123 address 172.17.63.229
  36. !
  37. !
  38. crypto ipsec transform-set sharks esp-des esp-md5-hmac
  39. !
  40. crypto map nolan 11 ipsec-isakmp
  41. set peer 172.17.63.229
  42. set transform-set sharks
  43. match address 120
  44. !
  45. !
  46. !
  47. !
  48. !
  49. !
  50. !
  51. !
  52. !
  53. !
  54. no voice hpi capture buffer
  55. no voice hpi capture destination
  56. !
  57. !
  58. mta receive maximum-recipients 0
  59. !
  60. !
  61. !
  62. !
  63. interface Ethernet0/0
  64. ip address 172.17.63.230 255.255.255.240
  65. ip nat outside
  66. no ip route-cache
  67. no ip mroute-cache
  68. half-duplex
  69. crypto map nolan
  70. !
  71. interface Ethernet0/1
  72. ip address 10.2.2.1 255.255.255.0
  73. ip nat inside
  74. half-duplex
  75. !
  76. ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.0
  77. ip nat inside source route-map nonat pool branch overload
  78. no ip http server
  79. no ip http secure-server
  80. ip classless
  81. ip route 10.1.1.0 255.255.255.0 172.17.63.229
  82. !
  83. !
  84. !
  85. access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  86. access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  87. access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  88. !
  89. route-map nonat permit 10
  90. match ip address 130
  91. !
  92. call rsvp-sync
  93. !
  94. !
  95. mgcp profile default
  96. !
  97. dial-peer cor custom
  98. !
  99. !
  100. !
  101. !
  102. !
  103. line con 0
  104. line aux 0
  105. line vty 0 4
  106. login
  107. !
  108. !
  109. end

  1. 清除安全关联 (SA)

  2. 在 PIX 的特权模式下使用以下这些命令:

  3. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  4. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  5. show crypto isakmp sa
  6. show crypto ipsec sa
  7. show crypto engine connections active - 显示有关加密和解密数据包(仅限路由器)的当前连接和信息。

  8. PIX 安全设备 - debug 输出

  9. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  10. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  11. 远程 IOS 路由器 - debug 输出

  12. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  13. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。


阅读(1388) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~