Chinaunix首页 | 论坛 | 博客

w787815的ChinaUnix博客

首页 |  博文目录 |  关于我

w787815

  • 博客访问: 370704
  • 博文数量: 114
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 1219
  • 用 户 组: 普通用户
  • 注册时间: 2015-02-07 21:23
文章分类

全部博文(114)

文章存档

2018年(1)

2017年(5)

2016年(87)

2015年(21)

我的朋友
最近访客
推荐博文
相关博文
PIX/ASA 7.x与IOS路由器静态到静态IPSec配置示例

分类: 系统运维

2016-01-27 15:54:32

本文档使用这个网络设置:

pix7.x
  1. HQPIX(config)#show run
  2. PIX Version 7.0(0)102
  3. names
  4. !
  5. interface Ethernet0
  6. description WAN interface
  7. nameif outside
  8. security-level 0
  9. ip address 172.17.63.229 255.255.255.240
  10. !
  11. interface Ethernet1
  12. nameif inside
  13. security-level 100
  14. ip address 10.1.1.1 255.255.255.0
  15. !
  16. interface Ethernet2
  17. shutdown
  18. no nameif
  19. no security-level
  20. no ip address
  21. !
  22. interface Ethernet3
  23. shutdown
  24. no nameif
  25. no security-level
  26. no ip address
  27. !
  28. interface Ethernet4
  29. shutdown
  30. no nameif
  31. no security-level
  32. no ip address
  33. !
  34. interface Ethernet5
  35. shutdown
  36. no nameif
  37. no security-level
  38. no ip address
  39. !
  40. enable password 8Ry2YjIyt7RRXU24 encrypted
  41. passwd 2KFQnbNIdI.2KYOU encrypted
  42. hostname HQPIX
  43. domain-name cisco.com
  44. ftp mode passive
  45. clock timezone AEST 10

  47. access-list Ipsec-conn extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  48. access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  49. pager lines 24
  50. logging enable
  51. logging buffered debugging
  52. mtu inside 1500
  53. mtu outside 1500
  54. no failover
  55. monitor-interface inside
  56. monitor-interface outside
  57. asdm image flash:/asdmfile.50073
  58. no asdm history enable
  59. arp timeout 14400
  60. nat-control
  61. global (outside) 1 interface
  62. nat (inside) 0 access-list nonat
  63. nat (inside) 1 10.1.1.0 255.255.255.0
  64. access-group 100 in interface inside
  65. route outside 0.0.0.0 0.0.0.0 172.17.63.230 1
  66. timeout xlate 3:00:00
  67. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  68.  sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  69.  sip 0:30:00 sip_media 0:02:00
  70. timeout uauth 0:05:00 absolute
  71. aaa-server TACACS+ protocol tacacs+
  72. aaa-server RADIUS protocol radius
  73. aaa-server partner protocol tacacs+
  74. username cisco password 3USUcOPFUiMCO4Jk encrypted
  75. http server enable
  76. http 10.1.1.2 255.255.255.255 inside
  77. no snmp-server location
  78. no snmp-server contact
  79. snmp-server community public
  80. snmp-server enable traps snmp
  81. crypto ipsec transform-set avalanche esp-des esp-md5-hmac
  82. crypto ipsec security-association lifetime seconds 3600
  83. crypto ipsec df-bit clear-df outside
  84. crypto map forsberg 21 match address Ipsec-conn
  85. crypto map forsberg 21 set peer 172.17.63.230
  86. crypto map forsberg 21 set transform-set avalanche
  87. crypto map forsberg interface outside
  88. isakmp identity address
  89. isakmp enable outside
  90. isakmp policy 1 authentication pre-share
  91. isakmp policy 1 encryption 3des
  92. isakmp policy 1 hash sha
  93. isakmp policy 1 group 2
  94. isakmp policy 1 lifetime 86400
  95. isakmp policy 65535 authentication pre-share
  96. isakmp policy 65535 encryption 3des
  97. isakmp policy 65535 hash sha
  98. isakmp policy 65535 group 2
  99. isakmp policy 65535 lifetime 86400
  100. telnet timeout 5
  101. ssh timeout 5
  102. console timeout 0
  103. tunnel-group 172.17.63.230 type ipsec-l2l
  104. tunnel-group 172.17.63.230 ipsec-attributes
  105. pre-shared-key *
  106. !
  107. class-map inspection_default
  108. match default-inspection-traffic
  109. !
  110. !
  111. policy-map asa_global_fw_policy
  112. class inspection_default
  113. inspect dns maximum-length 512
  114. inspect ftp
  115. inspect h323 h225
  116. inspect h323 ras
  117. inspect netbios
  118. inspect rsh
  119. inspect rtsp
  120. inspect skinny
  121. inspect esmtp
  122. inspect sqlnet
  123. inspect sunrpc
  124. inspect tftp
  125. inspect sip
  126. inspect xdmcp
  127. inspect http
  128. !
  129. service-policy asa_global_fw_policy global
  130. Cryptochecksum:3a5851f7310d14e82bdf17e64d638738
  131. : end
  132. SV-2-8#
route

  1. BranchRouter#show run
  2. Building configuration...
  3.  
  4. Current configuration : 1719 bytes
  5. !
  6. ! Last configuration change at 13:03:25 AEST Tue Apr 5 2005
  7. ! NVRAM config last updated at 13:03:44 AEST Tue Apr 5 2005
  8. !
  9. version 12.2
  10. service timestamps debug datetime msec
  11. service timestamps log uptime
  12. no service password-encryption
  13. !
  14. hostname BranchRouter
  15. !
  16. logging queue-limit 100
  17. logging buffered 4096 debugging
  18. !
  19. username cisco privilege 15 password 0 cisco
  20. memory-size iomem 15
  21. clock timezone AEST 10
  22. ip subnet-zero
  23. !
  24. !
  25. !
  26. ip audit notify log
  27. ip audit po max-events 100
  28. !
  29. !
  30. !
  31. crypto isakmp policy 11
  32. encr 3des
  33. authentication pre-share
  34. group 2
  35. crypto isakmp key cisco123 address 172.17.63.229
  36. !
  37. !
  38. crypto ipsec transform-set sharks esp-des esp-md5-hmac
  39. !
  40. crypto map nolan 11 ipsec-isakmp
  41. set peer 172.17.63.229
  42. set transform-set sharks
  43. match address 120
  44. !
  45. !
  46. !
  47. !
  48. !
  49. !
  50. !
  51. !
  52. !
  53. !
  54. no voice hpi capture buffer
  55. no voice hpi capture destination
  56. !
  57. !
  58. mta receive maximum-recipients 0
  59. !
  60. !
  61. !
  62. !
  63. interface Ethernet0/0
  64. ip address 172.17.63.230 255.255.255.240
  65. ip nat outside
  66. no ip route-cache
  67. no ip mroute-cache
  68. half-duplex
  69. crypto map nolan
  70. !
  71. interface Ethernet0/1
  72. ip address 10.2.2.1 255.255.255.0
  73. ip nat inside
  74. half-duplex
  75. !
  76. ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.0
  77. ip nat inside source route-map nonat pool branch overload
  78. no ip http server
  79. no ip http secure-server
  80. ip classless
  81. ip route 10.1.1.0 255.255.255.0 172.17.63.229
  82. !
  83. !
  84. !
  85. access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  86. access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  87. access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  88. !
  89. route-map nonat permit 10
  90. match ip address 130
  91. !
  92. call rsvp-sync
  93. !
  94. !
  95. mgcp profile default
  96. !
  97. dial-peer cor custom
  98. !
  99. !
  100. !
  101. !
  102. !
  103. line con 0
  104. line aux 0
  105. line vty 0 4
  106. login
  107. !
  108. !
  109. end

  1. 清除安全关联 (SA)

  3. 在 PIX 的特权模式下使用以下这些命令:

  5. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  7. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  8. show crypto isakmp sa
  9. show crypto ipsec sa
  10. show crypto engine connections active - 显示有关加密和解密数据包(仅限路由器)的当前连接和信息。

  12. PIX 安全设备 - debug 输出

  14. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  16. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  18. 远程 IOS 路由器 - debug 输出

  20. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  22. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。


阅读(1334) | 评论(0) | 转发(0) |
0

上一篇:PIX/ASA 8.x与IOS路由器静态到静态IPSec配置示例

下一篇:centos根分区大小增加

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6