w787815

w787815

关注
发信
关注(28)粉丝(399)

PIX/ASA 8.x与IOS路由器静态到静态IPSec配置示例

网络图
PIX/ASA 8.x与IOS路由器静态到静态IPSec配置示例-LMLPHP
本文档使用以下网络设置:
ASA 8.2版本
  1. ASA# show run
  2. : Saved
  3. ASA Version 8.2
  4. !
  5. hostname ASA
  6. enable password 8Ry2YjIyt7RRXU24 encrypted
  7. names
  8. !

  10. !--- Configure the outside interface.
  11. !

  13. interface Ethernet0/1
  14.  nameif outside
  15.  security-level 0
  16.  ip address 172.16.1.1 255.255.255.0

  18. !--- Configure the inside interface.
  19. !

  21. interface Ethernet0/2
  22.  nameif inside
  23.  security-level 100
  24.  ip address 10.10.10.1 255.255.255.0




  29. !-- Output suppressed
  30. !

  32. passwd 2KFQnbNIdI.2KYOU encrypted
  33. ftp mode passive
  34. dns server-group DefaultDNS
  35.  domain-name default.domain.invalid

  37. access-list 100 extended permit ip any any
  38. access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0
  39. 10.20.10.0 255.255.255.0


  42. !--- This access list (inside_nat0_outbound) is used
  43. !--- with the nat zero command. This prevents traffic which
  44. !--- matches the access list from undergoing network address translation (NAT).
  45. !--- The traffic specified by this ACL is traffic that is to be encrypted and
  46. !--- sent across the VPN tunnel. This ACL is intentionally
  47. !--- the same as (outside_1_cryptomap).
  48. !--- Two separate access lists should always be used in this configuration.

  50. access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0
  51. 10.20.10.0 255.255.255.0

  53. !--- This access list (outside_cryptomap) is used
  54. !--- with the crypto map outside_map
  55. !--- to determine which traffic should be encrypted and sent
  56. !--- across the tunnel.
  57. !--- This ACL is intentionally the same as (inside_nat0_outbound).
  58. !--- Two separate access lists should always be used in this configuration.

  60. pager lines 24
  61. mtu inside 1500
  62. mtu outside 1500
  63. no failover
  64. asdm image disk0:/asdm-613.bin
  65. asdm history enable
  66. arp timeout 14400
  67. global (outside) 1 interface
  68. nat (inside) 1 10.10.10.0 255.255.255.0

  70. nat (inside) 0 access-list inside_nat0_outbound

  72. !--- NAT 0 prevents NAT for networks specified in
  73. !--- the ACL inside_nat0_outbound.


  76. access-group 100 in interface outside
  77. route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

  79. timeout xlate 3:00:00
  80. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  81. timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
  82. timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  83. timeout uauth 0:05:00 absolute
  84. http server enable
  85. http 0.0.0.0 0.0.0.0 dmz
  86. no snmp-server location
  87. no snmp-server contact


  90. !--- PHASE 2 CONFIGURATION ---!
  91. !--- The encryption types for Phase 2 are defined here.

  93. crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

  95. !--- Define the transform set for Phase 2.



  99. crypto map outside_map 1 match address outside_1_cryptomap

  101. !--- Define which traffic should be sent to the IPsec peer.


  104. crypto map outside_map 1 set peer 172.17.1.1

  106. !--- Sets the IPsec peer


  109. crypto map outside_map 1 set transform-set ESP-DES-SHA

  111. !--- Sets the IPsec transform set "ESP-AES-256-SHA"
  112. !--- to be used with the crypto map entry "outside_map".


  115. crypto map outside_map interface outside

  117. !--- Specifies the interface to be used with
  118. !--- the settings defined in this configuration.


  121. !--- PHASE 1 CONFIGURATION ---!

  123. !--- This configuration uses isakmp policy 10.
  124. !--- The configuration commands here define the Phase
  125. !--- 1 policy parameters that are used.


  128. crypto isakmp enable outside
  129. crypto isakmp policy 10
  130.  authentication pre-share
  131.  encryption des
  132.  hash sha
  133.  group 1
  134.  lifetime 86400
  135. telnet timeout 5
  136. ssh timeout 5
  137. console timeout 0
  138. threat-detection basic-threat
  139. threat-detection statistics access-list
  140. !

  142.  

  144. tunnel-group 172.17.1.1 type ipsec-l2l

  146. !--- In order to create and manage the database of connection-specific
  147. !--- records for ipsec-l2l—IPsec (LAN-to-LAN) tunnels, use the command
  148. !--- tunnel-group in global configuration mode.
  149. !--- For L2L connections the name of the tunnel group MUST be the IP
  150. !--- address of the IPsec peer.



  154. tunnel-group 172.17.1.1 ipsec-attributes
  155.  pre-shared-key *

  157. !--- Enter the pre-shared-key in order to configure the
  158. !--- authentication method.


  161. telnet timeout 5
  162. ssh timeout 5
  163. console timeout 0
  164. threat-detection basic-threat
  165. threat-detection statistics access-list
  166. !
  167. class-map inspection_default
  168.  match default-inspection-traffic
  169. !
  170. !



  174. !-- Output

  176. username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 15
  177. Cryptochecksum:be38dfaef777a339b9e1c89202572a7d
  178. : end
cisco路由器:

  1. Building configuration...

  3. Current configuration : 2403 bytes
  4. !
  5. version 12.4
  6. service timestamps debug datetime msec
  7. service timestamps log datetime msec
  8. service password-encryption
  9. !
  10. hostname R3
  11. !
  12. boot-start-marker
  13. boot-end-marker
  14. !
  15. no logging buffered
  16. !
  17. username cisco123 privilege 15 password 7 1511021F07257A767B
  18. no aaa new-model
  19. ip subnet-zero
  20. !
  21. !
  22. ip cef
  23. !
  24. !
  25. ip ips po max-events 100
  26. no ftp-server write-enable
  27. !


  30. !--- Configuration for IKE policies.
  31. !--- Enables the IKE policy configuration (config-isakmp)
  32. !--- command mode, where you can specify the parameters that
  33. !--- are used during an IKE negotiation. Encryption and Policy details are hidden
  34. !---as the default values are chosen.


  37. crypto isakmp policy 2
  38.  authentication pre-share


  41. !--- Specifies the pre-shared key "cisco123" which should
  42. !--- be identical at both peers. This is a global
  43. !--- configuration mode command.

  45. crypto isakmp key cisco123 address 172.16.1.1
  46. !
  47. !

  49. !--- Configuration for IPsec policies.
  50. !--- Enables the crypto transform configuration mode,
  51. !--- where you can specify the transform sets that are used
  52. !--- during an IPsec negotiation.

  54. crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
  55. !


  58. !--- Indicates that IKE is used to establish
  59. !--- the IPsec Security Association for protecting the
  60. !--- traffic specified by this crypto map entry.

  62. crypto map SDM_CMAP_1 1 ipsec-isakmp
  63.  description Tunnel to172.16.1.1
  64.  

  66. !--- Sets the IP address of the remote end.

  68.  set peer 172.16.1.1
  69.  

  71. !--- Configures IPsec to use the transform-set
  72. !--- "ASA-IPSEC" defined earlier in this configuration.
  73.  
  74.  set transform-set ASA-IPSEC
  75.  

  77. !--- !--- Specifies the interesting traffic to be encrypted.

  79.  match address 100
  80. !
  81. !
  82. !

  84. !--- Configures the interface to use the
  85. !--- crypto map "SDM_CMAP_1" for IPsec.

  87. interface FastEthernet0
  88.  ip address 172.17.1.1 255.255.255.0
  89.  duplex auto
  90.  speed auto
  91.  crypto map SDM_CMAP_1
  92. !
  93. interface FastEthernet1
  94.  ip address 10.20.10.2 255.255.255.0
  95.  duplex auto
  96.  speed auto
  97. !
  98. interface FastEthernet2
  99.  no ip address
  100. !
  101. interface Vlan1
  102.  ip address 10.77.241.109 255.255.255.192
  103. !
  104. ip classless
  105. ip route 10.10.10.0 255.255.255.0 172.17.1.2
  106. ip route 10.77.233.0 255.255.255.0 10.77.241.65
  107. ip route 172.16.1.0 255.255.255.0 172.17.1.2
  108. !
  109. !
  110. ip nat inside source route-map nonat interface FastEthernet0 overload
  111. !
  112. ip http server
  113. ip http authentication local
  114. ip http secure-server
  115. !

  117. !--- Configure the access-lists and map them to the Crypto map configured.

  119. access-list 100 remark SDM_ACL Category=4
  120. access-list 100 remark IPSec Rule
  121. access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  122. !
  123. !
  124. !

  126. !--- This ACL 110 identifies the traffic flows using route map

  128. access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  129. access-list 110 permit ip 10.20.10.0 0.0.0.255 any
  130. route-map nonat permit 10
  131.  match ip address 110
  132. !
  133. control-plane
  134. !
  135. !
  136. line con 0
  137.  login local
  138. line aux 0
  139. line vty 0 4
  140.  privilege level 15
  141.  login local
  142.  transport input telnet ssh
  143. !
  144. end

点击(此处)折叠或打开

  1. 清除安全关联 (SA)

  3. 在 PIX 的特权模式下使用以下这些命令:

  5. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。

  7. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
  8. show crypto isakmp sa
  9. show crypto ipsec sa
  10. show crypto engine connections active - 显示有关加密和解密数据包(仅限路由器)的当前连接和信息。

  12. PIX 安全设备 - debug 输出

  14. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。

  16. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。

  18. 远程 IOS 路由器 - debug 输出

  20. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。

  22. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。


10-11 08:40
Powered by LMLPHP ©2025 w787815 0.072824