w787815

w787815

关注
发信
关注(28)粉丝(399)

静态IOS路由器和动态PIX之间的动态IPSec配置示例

在静态寻址IOS路由器和动态地寻址PIX之间的动态IPSec与NAT的配置示例
Cisco ASA 5500 系列版本 7.x 运行类似 PIX 版本 7.x 的软件版本。本文档中的配置适用于这两个产品系列。
在 PIX 上,access-list 和 nat 0 命令协同工作。当 10.1.1.0 网络上的用户访问 10.2.1.0 网络时,将使用访问列表允许 10.1.1.0 网络数据流在没有 NAT 的情况下进行加密。在路由器上,将使用 access-list 命令允许 10.2.1.0 网络数据流在没有 NAT 的情况下进行加密。然而,当同样用户去别处(类似互联网)时,他们翻译对外部接口IP地址通过端口地址转换(PAT)。
要使通过隧道的数据流不经过 PAT,而使到达 Internet 的数据流经过 PAT,则必须在 PIX 安全设备上使用以下配置命令。
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
静态IOS路由器和动态PIX之间的动态IPSec配置示例-LMLPHP
pix 7.0以上版本
  1. pixfirewall#show running-config
  2.  PIX Version 7.2(2)
  3. !
  4. hostname pixfirewall
  5. enable password 8Ry2YjIyt7RRXU24 encrypted
  6. names
  7. !

  9. !--- The interface dynamically learns its IP address
  10. !--- from the service provider.

  12. interface Ethernet0
  13.  nameif outside
  14.  security-level 0
  15.  ip address dhcp
  16. !
  17. interface Ethernet1
  18.  nameif inside
  19.  security-level 100
  20.  ip address 10.1.1.2 255.255.255.0
  21. !
  22. !


  25. !-- Output is suppressed.

  27. !
  28. passwd 2KFQnbNIdI.2KYOU encrypted
  29. ftp mode passive



  33. !--- This is the access list (IPsec-traffic) used for the VPN interesting traffic
  34. !--- to be encrypted.



  38. access-list IPSec-traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0


  41. !--- This access list (nonat) is used for a nat zero command that prevents
  42. !--- traffic which matches the access list from undergoing NAT.


  45. access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0


  48. pager lines 24
  49. mtu inside 1500
  50. mtu outside 1500
  51. no failover
  52. icmp unreachable rate-limit 1 burst-size 1
  53. no asdm history enable
  54. arp timeout 14400


  57.   
  58. !--- NAT 0 prevents NAT for networks specified in the ACL - nonat.
  59. !--- The nat 1 command specifies PAT using the
  60. !--- outside interface for all other traffic.


  63. global (outside) 1 interface
  64. nat (inside) 0 access-list NO-NAT
  65. nat (inside) 1 0.0.0.0 0.0.0.0

  67. route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

  69. timeout xlate 3:00:00
  70. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  71. timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  72. timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  73. timeout uauth 0:05:00 absolute
  74. no snmp-server location
  75. no snmp-server contact
  76. snmp-server enable traps snmp authentication linkup linkdown coldstart


  79. !--- PHASE 2 CONFIGURATION ---!
  80. !--- The encryption types for Phase 2 are defined here.
  81. !--- A triple single DES encryption with
  82. !--- the md5 hash algorithm is used.


  85. crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac


  88. !--- Define which traffic should be sent to the IPsec peer.



  92. crypto map IPSEC 10 match address IPSec-traffic


  95. !--- Sets the IPsec peer.


  98. crypto map IPSEC 10 set peer 192.168.1.2


  101. !--- Sets the IPsec transform set "DYN-TS"
  102. !--- to be used with the crypto map entry "IPSEC".


  105. crypto map IPSEC 10 set transform-set DYN-TS


  108. !--- Specifies the interface to be used with
  109. !--- the settings defined in this configuration.


  112. crypto map IPSEC interface outside


  115. !--- Enables IPsec on the outside interface.

  117. crypto isakmp enable outside


  120. !--- PHASE 1 CONFIGURATION ---!

  122. !--- This configuration uses isakmp policy 10.
  123. !--- Policy 65535 is included in the configuration by default.
  124. !--- The configuration commands here define the Phase
  125. !--- 1 policy parameters that are used.

  127. crypto isakmp policy 10
  128.  authentication pre-share
  129.  encryption des
  130.  hash md5
  131.  group 1
  132.  lifetime 86400


  135. crypto isakmp policy 65535
  136.  authentication pre-share
  137.  encryption 3des
  138.  hash sha
  139.  group 2
  140.  lifetime 86400

  142. !--- In order to create and manage the database of connection-specific records
  143. !--- for IPsec-L2L—IPsec tunnels, use the tunnel-group
  144. !--- command in global configuration mode.
  145. !--- For L2L connections the name of the tunnel group MUST be the IP
  146. !--- address of the IPsec peer.


  149. tunnel-group 192.168.1.2 type ipsec-l2l


  152. !--- Enter the pre-shared-key in IPsec-attribute parameters
  153. !--- in order to configure the authentication method.


  156. tunnel-group 192.168.1.2 ipsec-attributes
  157.  pre-shared-key *

  159. telnet timeout 5
  160. ssh timeout 5
  161. console timeout 0
  162. !
  163. class-map inspection_default
  164.  match default-inspection-traffic
  165. !
  166. !
  167. policy-map type inspect dns preset_dns_map
  168.  parameters
  169.   message-length maximum 512
  170. policy-map global_policy
  171.  class inspection_default
  172.   inspect dns preset_dns_map
  173.   inspect ftp
  174.   inspect h323 h225
  175.   inspect h323 ras
  176.   inspect netbios
  177.   inspect rsh
  178.   inspect rtsp
  179.   inspect skinny
  180.   inspect esmtp
  181.   inspect sqlnet
  182.   inspect sunrpc
  183.   inspect tftp
  184.   inspect sip
  185.   inspect xdmcp
  186. !
  187. service-policy global_policy global
  188. prompt hostname context
  189. Cryptochecksum:d609c9eaf51c154f147b3b4ba3c834e0
  190. : end
  191. pixfirewall#
route配置
  1. Router#show running-config
  2. Current configuration : 1354 bytes
  3. !
  4. version 12.4
  5. service timestamps debug datetime msec
  6. service timestamps log datetime msec
  7. no service password-encryption
  8. !
  9. hostname Router
  10. !
  11. boot-start-marker
  12. boot-end-marker
  13. !
  14. !
  15. no aaa new-model
  16. !
  17. resource policy
  18. !
  19. !
  20. !
  21. ip cef
  22. !


  25. !--- Configuration for IKE policies.
  26. !--- Enables the IKE policy configuration (config-isakmp)
  27. !--- command mode, where you can specify the parameters that
  28. !--- are used during an IKE negotiation.


  31. crypto isakmp policy 10
  32.  hash md5
  33.  authentication pre-share


  36. !--- Specifies the preshared key "cisco123" which should
  37. !--- be identical at both peers. This is a global
  38. !--- configuration mode command. It accepts any peer which matches
  39. !--- the pre-shared key.

  41. crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
  42. !

  44. !--- Configuration for IPsec policies.
  45. !--- Enables the crypto transform configuration mode,
  46. !--- where you can specify the transform sets that are used
  47. !--- during an IPsec negotiation.


  50. crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac


  53. !--- IPsec policy, Phase 2.


  56. crypto dynamic-map DYN 10



  60. !--- Configures IPsec to use the transform-set
  61. !--- "DYN-TS" defined earlier in this configuration.


  64.  set transform-set DYN-TS



  68. crypto map IPSEC 10 ipsec-isakmp dynamic DYN
  69. !
  70. interface Ethernet0/0
  71.  ip address 192.168.1.2 255.255.255.0
  72.  ip nat outside
  73.  ip virtual-reassembly
  74.  half-duplex

  76. !--- Configures the interface to use the
  77. !--- crypto map "IPSEC" for IPsec.

  79.  crypto map IPSEC
  80. !
  81. interface FastEthernet1/0
  82.  ip address 10.2.1.1 255.255.255.0
  83.  ip nat inside
  84.  ip virtual-reassembly
  85.  duplex auto
  86.  speed auto
  87. !
  88. interface Serial2/0
  89.  no ip address
  90.  shutdown
  91.  no fair-queue
  92. !
  93. interface Serial2/1
  94.  no ip address
  95.  shutdown
  96. !
  97. interface Serial2/2
  98.  no ip address
  99.  shutdown
  100. !
  101. interface Serial2/3
  102.  no ip address
  103.  shutdown
  104. !
  105. ip http server
  106. no ip http secure-server
  107. !
  108. ip route 0.0.0.0 0.0.0.0 192.168.1.1
  109. !
  110. ip nat inside source list 100 interface Ethernet0/0 overload
  111. !

  113. !--- This ACL 100 identifies the traffic flows and be PATed
  114. !--- via the outside interface( Ethernet0/0).


  117. access-list 100 deny ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  118. access-list 100 permit ip 10.2.1.0 0.0.0.255 any



  122. control-plane
  123. !

  125. !
  126. line con 0
  127. line aux 0
  128. line vty 0 4
  129. !
  130. !
  131. end

  1. 清除安全关联 (SA)

  3. 在 PIX 的特权模式下使用以下这些命令:

  5. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  7. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  8. show crypto isakmp sa
  9. show crypto ipsec sa
  10. PIX 安全设备 - debug 输出

  12. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  14. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  16. 远程 IOS 路由器 - debug 输出

  18. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  20. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。




10-11 08:35
Powered by LMLPHP ©2025 w787815 0.076598