防火墙版本PIX/ASA 7.x，网络拓扑如下

route

1. Router#show running-config
   
2. Current configuration : 1354 bytes
   
3. !
   
4. version 12.4
   
5. service timestamps debug datetime msec
   
6. service timestamps log datetime msec
   
7. no service password-encryption
   
8. !
   
9. hostname Router
   
10. !
    
11. boot-start-marker
    
12. boot-end-marker
    
13. !
    
14. !
    
15. no aaa new-model
    
16. !
    
17. resource policy
    
18. !
    
19. ip cef
    
20. 
    
21. 
    
22. !--- Configuration for IKE policies. !--- Enables the IKE policy configuration (config-isakmp) !--- command mode, where you can specify the parameters that !--- are used during an IKE negotiation.
    
23. 
    
24. 
    
25. crypto isakmp policy 1
    
26.  encr 3des
    
27.  hash md5
    
28.  authentication pre-share
    
29.  group 2
    
30. 
    
31. 
    
32. !--- Specifies the preshared key "cisco123" which should !--- be identical at both peers. This is a global !--- configuration mode command.
    
33. 
    
34. 
    
35. crypto isakmp key cisco123 address 192.168.1.2
    
36. !
    
37. !
    
38. 
    
39. !--- Configuration for IPsec policies. !--- Enables the crypto transform configuration mode, !--- where you can specify the transform sets that are used !--- during an IPsec negotiation.
    
40. 
    
41. 
    
42. crypto ipsec transform-set pix-set esp-3des esp-md5-hmac
    
43. 
    
44. 
    
45. !--- Indicates that IKE is used to establish !--- the IPsec Security Association for protecting the !--- traffic specified by this crypto map entry.
    
46. 
    
47. 
    
48. crypto map pix 10 ipsec-isakmp
    
49. 
    
50. 
    
51. !--- Sets the IP address of the remote end.
    
52. 
    
53. 
    
54.  set peer 192.168.1.2
    
55. 
    
56. 
    
57. !--- Configures IPsec to use the transform-set !--- "pix-set" defined earlier in this configuration.
    
58. 
    
59. 
    
60.  set transform-set pix-set
    
61. 
    
62. 
    
63. !--- Specifies the interesting traffic to be encrypted.
    
64. 
    
65. 
    
66.  match address 101
    
67. !
    
68. !
    
69. !
    
70. !
    
71. interface Ethernet0/0
    
72. 
    
73. !--- The interface dynamically learns its IP address !--- from the service provider.
    
74. 
    
75.  
    
76.  ip address DHCP
    
77. 
    
78.  ip virtual-reassembly
    
79.  half-duplex
    
80. 
    
81. !--- Configures the interface to use the !--- crypto map "pix" for IPsec.
    
82. 
    
83.  crypto map pix
    
84. !
    
85. interface FastEthernet1/0
    
86.  no ip address
    
87.  shutdown
    
88.  duplex auto
    
89.  speed auto
    
90. !
    
91. interface Serial2/0
    
92.  ip address 10.1.1.2 255.255.255.0
    
93.  ip nat inside
    
94.  ip virtual-reassembly
    
95.  no fair-queue
    
96. !
    
97. interface Serial2/1
    
98.  no ip address
    
99.  shutdown
    
100. !
     
101. interface Serial2/2
     
102.  no ip address
     
103.  shutdown
     
104. !
     
105. interface Serial2/3
     
106.  no ip address
     
107.  shutdown
     
108. !
     
109. ip http server
     
110. no ip http secure-server
     
111. !
     
112. ip route 0.0.0.0 0.0.0.0 Ethernet0/0
     
113. !
     
114. ip nat inside source route-map nonat interface Ethernet0/0 overload
     
115. !
     
116. 
     
117. !--- This crypto ACL 101 -permit identifies the !--- matching traffic flows to be protected via encryption.
     
118. 
     
119. 
     
120. access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
     
121. 
     
122. 
     
123. !--- This ACL 110 identifies the traffic flows using route map and !--- are PATed via outside interface (Ethernet0/0).
     
124. 
     
125. 
     
126. access-list 110 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
     
127. access-list 110 permit ip 10.1.1.0 0.0.0.255 any
     
128. 
     
129. 
     
130. !
     
131. route-map nonat permit 10
     
132.  match ip address 110
     
133. !
     
134. !
     
135. control-plane
     
136. !
     
137. 
     
138. !
     
139. line con 0
     
140. line aux 0
     
141. line vty 0 4
     
142. !
     
143. !
     
144. end

pix7.x

1. pixfirewall#show running-config
   
2.  PIX Version 7.2(1)
   
3. !
   
4. hostname pixfirewall
   
5. enable password 8Ry2YjIyt7RRXU24 encrypted
   
6. names
   
7. !
   
8. 
   
9. !--- Configure the outside and inside interfaces.
   
10. 
    
11. interface Ethernet0
    
12.  nameif outside
    
13.  security-level 0
    
14.  ip address 192.168.1.2 255.255.255.0
    
15. !
    
16. interface Ethernet1
    
17.  nameif inside
    
18.  security-level 100
    
19.  ip address 10.2.2.1 255.255.255.0
    
20. !
    
21. !
    
22. 
    
23.  !--- Output is suppressed.
    
24. 
    
25. !
    
26. passwd 2KFQnbNIdI.2KYOU encrypted
    
27. ftp mode passive
    
28. 
    
29. 
    
30. !--- This access list is used for a nat zero command that prevents !--- traffic which matches the access list from undergoing NAT.
    
31. 
    
32. 
    
33. access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    
34. 
    
35. pager lines 24
    
36. mtu outside 1500
    
37. mtu inside 1500
    
38. no failover
    
39. no asdm history enable
    
40. arp timeout 14400
    
41. 
    
42. 
    
43.  !--- NAT 0 prevents NAT for networks specified in the ACL - nonat. !--- The nat 1 command specifies PAT using !--- the outside interface for all other traffic.
    
44. 
    
45. 
    
46. global (outside) 1 interface
    
47. nat (inside) 0 access-list nonat
    
48. nat (inside) 1 0.0.0.0 0.0.0.0
    
49. 
    
50. route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    
51. 
    
52. timeout xlate 3:00:00
    
53. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    
54. timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    
55. timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    
56. timeout uauth 0:05:00 absolute
    
57. no snmp-server location
    
58. no snmp-server contact
    
59. snmp-server enable traps snmp authentication linkup linkdown coldstart
    
60. 
    
61. 
    
62. !--- PHASE 2 CONFIGURATION ---! !--- The encryption types for Phase 2 are defined here. !--- A triple single 3DES encryption with !--- the md5 hash algorithm is used.
    
63. 
    
64. 
    
65. crypto ipsec transform-set router-set esp-3des esp-md5-hmac
    
66. 
    
67. 
    
68. !--- Defines a dynamic crypto map with !--- the specified encryption settings.
    
69. 
    
70. 
    
71. crypto dynamic-map cisco 1 set transform-set router-set
    
72. 
    
73. 
    
74. !--- Enable Reverse Route Injection (RRI), which allows the Security Appliance !--- to learn routing information for connected clients.
    
75. 
    
76. 
    
77. crypto dynamic-map cisco 1 set reverse-route
    
78. 
    
79. 
    
80. !--- Binds the dynamic map to the IPsec/ISAKMP process.
    
81. 
    
82. 
    
83. crypto map dyn-map 10 ipsec-isakmp dynamic cisco
    
84. 
    
85. 
    
86. !--- Specifies the interface to be used with !--- the settings defined in this configuration.
    
87. 
    
88. 
    
89. crypto map dyn-map interface outside
    
90. 
    
91. 
    
92. !--- PHASE 1 CONFIGURATION ---! !--- This configuration uses isakmp policy 10. !--- Policy 65535 is included in the config by default. !--- The configuration commands here define the Phase !--- 1 policy parameters that are used.
    
93. 
    
94. crypto isakmp policy 10
    
95.  authentication pre-share
    
96.  encryption 3des
    
97.  hash md5
    
98.  group 2
    
99.  lifetime 86400
    
100. 
     
101. crypto isakmp policy 65535
     
102.  authentication pre-share
     
103.  encryption 3des
     
104.  hash sha
     
105.  group 2
     
106.  lifetime 86400
     
107. 
     
108. !--- The security appliance provides the default tunnel groups !--- for Lan to Lan access (DefaultL2LGroup) and configure the preshared key !--- (cisco123) to authenticate the remote router.
     
109. 
     
110. 
     
111. tunnel-group DefaultL2LGroup ipsec-attributes
     
112.  pre-shared-key *
     
113. 
     
114. telnet timeout 5
     
115. ssh timeout 5
     
116. console timeout 0
     
117. !
     
118. class-map inspection_default
     
119.  match default-inspection-traffic
     
120. !
     
121. !
     
122. policy-map type inspect dns preset_dns_map
     
123.  parameters
     
124.   message-length maximum 512
     
125. policy-map global_policy
     
126.  class inspection_default
     
127.   inspect dns preset_dns_map
     
128.   inspect ftp
     
129.   inspect h323 h225
     
130.   inspect h323 ras
     
131.   inspect netbios
     
132.   inspect rsh
     
133.   inspect rtsp
     
134.   inspect skinny
     
135.   inspect esmtp
     
136.   inspect sqlnet
     
137.   inspect sunrpc
     
138.   inspect tftp
     
139.   inspect sip
     
140.   inspect xdmcp
     
141. !
     
142. service-policy global_policy global
     
143. prompt hostname context
     
144. Cryptochecksum:6ed4a7bce392a439d0a16e86743e2663

1. 清除安全关联 (SA)
   
2. 
   
3. 在 PIX 的特权模式下使用以下这些命令：
   
4. 
   
5. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。
   
6. 
   
7. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
   
8. show crypto isakmp sa
   
9. show crypto ipsec sa
   
10. PIX 安全设备 - debug 输出
    
11. 
    
12. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。
    
13. 
    
14. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。
    
15. 
    
16. 远程 IOS 路由器 - debug 输出
    
17. 
    
18. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。
    
19. 
    
20. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。