本文档使用这个网络设置:

pix7.x

1. HQPIX(config)#show run
   
2. PIX Version 7.0(0)102
   
3. names
   
4. !
   
5. interface Ethernet0
   
6. description WAN interface
   
7. nameif outside
   
8. security-level 0
   
9. ip address 172.17.63.229 255.255.255.240
   
10. !
    
11. interface Ethernet1
    
12. nameif inside
    
13. security-level 100
    
14. ip address 10.1.1.1 255.255.255.0
    
15. !
    
16. interface Ethernet2
    
17. shutdown
    
18. no nameif
    
19. no security-level
    
20. no ip address
    
21. !
    
22. interface Ethernet3
    
23. shutdown
    
24. no nameif
    
25. no security-level
    
26. no ip address
    
27. !
    
28. interface Ethernet4
    
29. shutdown
    
30. no nameif
    
31. no security-level
    
32. no ip address
    
33. !
    
34. interface Ethernet5
    
35. shutdown
    
36. no nameif
    
37. no security-level
    
38. no ip address
    
39. !
    
40. enable password 8Ry2YjIyt7RRXU24 encrypted
    
41. passwd 2KFQnbNIdI.2KYOU encrypted
    
42. hostname HQPIX
    
43. domain-name cisco.com
    
44. ftp mode passive
    
45. clock timezone AEST 10
    
46. 
    
47. access-list Ipsec-conn extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    
48. access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    
49. pager lines 24
    
50. logging enable
    
51. logging buffered debugging
    
52. mtu inside 1500
    
53. mtu outside 1500
    
54. no failover
    
55. monitor-interface inside
    
56. monitor-interface outside
    
57. asdm image flash:/asdmfile.50073
    
58. no asdm history enable
    
59. arp timeout 14400
    
60. nat-control
    
61. global (outside) 1 interface
    
62. nat (inside) 0 access-list nonat
    
63. nat (inside) 1 10.1.1.0 255.255.255.0
    
64. access-group 100 in interface inside
    
65. route outside 0.0.0.0 0.0.0.0 172.17.63.230 1
    
66. timeout xlate 3:00:00
    
67. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    
68.  sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    
69.  sip 0:30:00 sip_media 0:02:00
    
70. timeout uauth 0:05:00 absolute
    
71. aaa-server TACACS+ protocol tacacs+
    
72. aaa-server RADIUS protocol radius
    
73. aaa-server partner protocol tacacs+
    
74. username cisco password 3USUcOPFUiMCO4Jk encrypted
    
75. http server enable
    
76. http 10.1.1.2 255.255.255.255 inside
    
77. no snmp-server location
    
78. no snmp-server contact
    
79. snmp-server community public
    
80. snmp-server enable traps snmp
    
81. crypto ipsec transform-set avalanche esp-des esp-md5-hmac
    
82. crypto ipsec security-association lifetime seconds 3600
    
83. crypto ipsec df-bit clear-df outside
    
84. crypto map forsberg 21 match address Ipsec-conn
    
85. crypto map forsberg 21 set peer 172.17.63.230
    
86. crypto map forsberg 21 set transform-set avalanche
    
87. crypto map forsberg interface outside
    
88. isakmp identity address
    
89. isakmp enable outside
    
90. isakmp policy 1 authentication pre-share
    
91. isakmp policy 1 encryption 3des
    
92. isakmp policy 1 hash sha
    
93. isakmp policy 1 group 2
    
94. isakmp policy 1 lifetime 86400
    
95. isakmp policy 65535 authentication pre-share
    
96. isakmp policy 65535 encryption 3des
    
97. isakmp policy 65535 hash sha
    
98. isakmp policy 65535 group 2
    
99. isakmp policy 65535 lifetime 86400
    
100. telnet timeout 5
     
101. ssh timeout 5
     
102. console timeout 0
     
103. tunnel-group 172.17.63.230 type ipsec-l2l
     
104. tunnel-group 172.17.63.230 ipsec-attributes
     
105. pre-shared-key *
     
106. !
     
107. class-map inspection_default
     
108. match default-inspection-traffic
     
109. !
     
110. !
     
111. policy-map asa_global_fw_policy
     
112. class inspection_default
     
113. inspect dns maximum-length 512
     
114. inspect ftp
     
115. inspect h323 h225
     
116. inspect h323 ras
     
117. inspect netbios
     
118. inspect rsh
     
119. inspect rtsp
     
120. inspect skinny
     
121. inspect esmtp
     
122. inspect sqlnet
     
123. inspect sunrpc
     
124. inspect tftp
     
125. inspect sip
     
126. inspect xdmcp
     
127. inspect http
     
128. !
     
129. service-policy asa_global_fw_policy global
     
130. Cryptochecksum:3a5851f7310d14e82bdf17e64d638738
     
131. : end
     
132. SV-2-8#

route

1. BranchRouter#show run
   
2. Building configuration...
   
3.  
   
4. Current configuration : 1719 bytes
   
5. !
   
6. ! Last configuration change at 13:03:25 AEST Tue Apr 5 2005
   
7. ! NVRAM config last updated at 13:03:44 AEST Tue Apr 5 2005
   
8. !
   
9. version 12.2
   
10. service timestamps debug datetime msec
    
11. service timestamps log uptime
    
12. no service password-encryption
    
13. !
    
14. hostname BranchRouter
    
15. !
    
16. logging queue-limit 100
    
17. logging buffered 4096 debugging
    
18. !
    
19. username cisco privilege 15 password 0 cisco
    
20. memory-size iomem 15
    
21. clock timezone AEST 10
    
22. ip subnet-zero
    
23. !
    
24. !
    
25. !
    
26. ip audit notify log
    
27. ip audit po max-events 100
    
28. !
    
29. !
    
30. !
    
31. crypto isakmp policy 11
    
32. encr 3des
    
33. authentication pre-share
    
34. group 2
    
35. crypto isakmp key cisco123 address 172.17.63.229
    
36. !
    
37. !
    
38. crypto ipsec transform-set sharks esp-des esp-md5-hmac
    
39. !
    
40. crypto map nolan 11 ipsec-isakmp
    
41. set peer 172.17.63.229
    
42. set transform-set sharks
    
43. match address 120
    
44. !
    
45. !
    
46. !
    
47. !
    
48. !
    
49. !
    
50. !
    
51. !
    
52. !
    
53. !
    
54. no voice hpi capture buffer
    
55. no voice hpi capture destination
    
56. !
    
57. !
    
58. mta receive maximum-recipients 0
    
59. !
    
60. !
    
61. !
    
62. !
    
63. interface Ethernet0/0
    
64. ip address 172.17.63.230 255.255.255.240
    
65. ip nat outside
    
66. no ip route-cache
    
67. no ip mroute-cache
    
68. half-duplex
    
69. crypto map nolan
    
70. !
    
71. interface Ethernet0/1
    
72. ip address 10.2.2.1 255.255.255.0
    
73. ip nat inside
    
74. half-duplex
    
75. !
    
76. ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.0
    
77. ip nat inside source route-map nonat pool branch overload
    
78. no ip http server
    
79. no ip http secure-server
    
80. ip classless
    
81. ip route 10.1.1.0 255.255.255.0 172.17.63.229
    
82. !
    
83. !
    
84. !
    
85. access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    
86. access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    
87. access-list 130 permit ip 10.2.2.0 0.0.0.255 any
    
88. !
    
89. route-map nonat permit 10
    
90. match ip address 130
    
91. !
    
92. call rsvp-sync
    
93. !
    
94. !
    
95. mgcp profile default
    
96. !
    
97. dial-peer cor custom
    
98. !
    
99. !
    
100. !
     
101. !
     
102. !
     
103. line con 0
     
104. line aux 0
     
105. line vty 0 4
     
106. login
     
107. !
     
108. !
     
109. end

1. 清除安全关联 (SA)
   
2. 
   
3. 在 PIX 的特权模式下使用以下这些命令：
   
4. 
   
5. clear [crypto] ipsec sa - 删除活动 IPsec SA。关键字 crypto 是可选的。
   
6. 
   
7. clear [crypto] isakmp sa - 删除活动 IKE SA。关键字 crypto 是可选的。
   
8. show crypto isakmp sa
   
9. show crypto ipsec sa
   
10. show crypto engine connections active - 显示有关加密和解密数据包（仅限路由器）的当前连接和信息。
    
11. 
    
12. PIX 安全设备 - debug 输出
    
13. 
    
14. debug crypto ipsec 7 - 显示第 2 阶段的 IPsec 协商。
    
15. 
    
16. debug crypto isakmp 7 - 显示第 1 阶段的 ISAKMP 协商。
    
17. 
    
18. 远程 IOS 路由器 - debug 输出
    
19. 
    
20. debug crypto ipsec - 显示第 2 阶段的 IPsec 协商。
    
21. 
    
22. debug crypto isakmp - 显示第 1 阶段的 ISAKMP 协商。