Building a VPN across four Cisco firewalls is really not much different from building one between two firewalls; the one thing to watch is the routing configuration (that is where I spent a long time: I had either one route too many or one too few, and either way the tunnel would not pass traffic). With four Cisco PIXes doing VPN there are two approaches: one uses a central hub, the other is distributed (a name of my own coining).
Below are the network diagram and the detailed configuration of the four Cisco PIXes:
The detailed configuration is as follows:
Central pix1:
: Saved
: Written by enable_15 at 23:10:31.763 UTC Thu Apr 24 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NHvIO9dsDwOK8b/k encrypted
passwd NHvIO9dsDwOK8b/k encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list 101 permit ip 172.17.10.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list 101 permit ip 172.17.10.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list hyzc permit icmp any any
access-list hyzc permit tcp any any
access-list hyzc permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.240
ip address inside 172.17.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group hyzc in interface outside
route outside 0.0.0.0 0.0.0.0 218.7.16.49 1
route inside 172.17.0.0 255.255.0.0 172.17.5.20 1
route outside 172.17.17.0 255.255.255.0 192.168.0.4 1
route outside 172.17.16.0 255.255.255.0 192.168.0.1 1
route outside 172.16.0.0 255.255.255.0 192.168.0.3 1
route outside 172.17.18.0 255.255.255.0 218.7.16.52 1
route outside 172.17.18.64 255.255.255.0 218.7.16.49 1
route outside 218.7.248.100 255.255.255.252 218.7.16.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyjt 20 ipsec-isakmp
crypto map tohyjt 20 match address 101
crypto map tohyjt 20 set peer 192.168.0.3
crypto map tohyjt 20 set peer 192.168.0.4
crypto map tohyjt 20 set peer 192.168.0.1
crypto map tohyjt 20 set transform-set strong
crypto map tohyjt interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.3 netmask 255.255.255.255
isakmp key cisco address 192.168.0.4 netmask 255.255.255.255
isakmp key cisco address 192.168.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 218.7.16.49 255.255.255.255 inside
telnet 172.17.5.20 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:8982919a8bfa10ba09cddee3f2da0e6a
: end
pix2 configuration:
: Saved
: Written by enable_15 at 00:00:48.042 UTC Fri Apr 25 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N.swjdczcTdUzgrS encrypted
passwd N.swjdczcTdUzgrS encrypted
hostname HYZCrc
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.17.17.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list 101 permit ip 172.17.17.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list hyzc permit icmp any any
access-list hyzc permit tcp any any
access-list hyzc permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.4 255.255.255.252
ip address inside 172.17.17.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 218.7.37.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 192.168.0.2
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 172.17.17.253 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f63109daf8abcaf74a4f3b30ab01b48a
: end
pix3 configuration:
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X8QPBTnOSyX6X9Y9 encrypted
passwd X8QPBTnOSyX6X9Y9 encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list hy_in permit tcp any host 218.7.24.163 eq 8080
access-list hy_in permit tcp any host 218.7.24.162 eq pop3
access-list hy_in permit tcp any host 218.7.24.162 eq smtp
access-list hy_in permit icmp any any
access-list hy_in permit tcp any host 218.7.24.169
access-list hy_in permit tcp any host 218.7.24.171
access-list hy_in permit tcp any host 218.7.24.172
access-list hy_in permit tcp any host 218.7.24.173 eq 500
access-list hy_in permit udp any host 218.7.24.173 eq isakmp
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.3 255.255.255.252
ip address inside 172.16.16.5 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group hy_in in interface outside
route outside 0.0.0.0 0.0.0.0 218.7.248.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 218.7.248.134
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 218.7.248.134 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:e4784293ff665fc559df92cb2d1d430e
: end
pix4 configuration:
: Saved
: Written by enable_15 at 00:00:48.042 UTC Fri Apr 25 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N.swjdczcTdUzgrS encrypted
passwd N.swjdczcTdUzgrS encrypted
hostname HYZCrc
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list 101 permit ip 172.17.10.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list hi permit icmp any any
access-list hi permit tcp any any
access-list hi permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.252
ip address inside 172.17.16.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 218.7.37.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 192.168.0.2
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 172.17.16.253 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f63109daf8abcaf74a4f3b30ab01b48a
: end
In the configuration above, the main thing to watch is the routing at the central site. When I started configuring, sh isakmp sa showed that the tunnel was established, yet pings still failed; the cause was that there was no route for the remote site. Also, when I turned on the debug commands (debug crypto isakmp ; debug crypto ipsec ;), running ping from a machine on the inside network produced no output at all; it turned out the command that activates the extended access list was missing, namely: nat (inside) 0 access-list 101.
Another issue: on pix3 I had added two extra static routes on the inside toward the center, and from inside pix3 nothing would ping out; once I removed them, traffic went through. So writing too many routes does not work either. Overall, a VPN between two PIXes is not much different from one among several machines: you mainly write a few more peer entries, i.e. crypto map tohyjt 20 set peer 192.168.0.2 (the name in the middle, tohyjt, is not governed by any real rule, you can write whatever you like, but it is best kept consistent) and isakmp key cisco address ; and then there is the routing mentioned earlier (visible in the central site's configuration; I have hidden the real IPs here for the customer's security and used a private IP range instead).
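The pitfalls described above (a spoke crypto ACL entry the hub does not mirror, a missing nat (inside) 0 line, a set peer with no isakmp key, inconsistent crypto map names) can be caught before deployment with a small consistency check. The script below is an added example, not part of this article or any Cisco tool; it parses constructed PIX 6.x config excerpts modelled on the hub (pix1) and one spoke, and reports what is missing.

```python
# Constructed excerpts modelled on the article's hub (pix1) and one spoke; not its full configs.
HUB = """
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.17.0 255.255.255.0
crypto map tohyjt 20 match address 101
crypto map tohyjt 20 set peer 192.168.0.4
crypto map tohyjt 20 set peer 192.168.0.1
isakmp key cisco address 192.168.0.4 netmask 255.255.255.255
"""
# Constructed spoke with two of the pitfalls: no nat 0 line, and an ACL entry the hub does not mirror.
SPOKE = """
access-list 101 permit ip 172.17.17.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list 101 permit ip 172.17.17.0 255.255.255.0 172.17.16.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 192.168.0.2
isakmp key cisco address 192.168.0.2 netmask 255.255.255.255
"""

def parse_pix(text):
    """Pull the VPN-relevant statements out of a PIX 6.x config (hypothetical helper)."""
    cfg = {"maps": set(), "peers": set(), "keys": set(), "acl": {}, "match": None, "nat0": None}
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["crypto", "map"]:
            cfg["maps"].add(t[2])
            if "peer" in t:
                cfg["peers"].add(t[-1])          # crypto map <name> <seq> set peer <ip>
            if "match" in t:
                cfg["match"] = t[-1]             # crypto map <name> <seq> match address <acl>
        elif t[:2] == ["isakmp", "key"]:
            cfg["keys"].add(t[t.index("address") + 1])
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(t[1], set()).add(tuple(t[4:8]))  # (src, mask, dst, mask)
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = t[4]                   # ACL exempted from NAT (the line the author missed)
    return cfg

def check_vpn(hub, spokes):
    """Return findings for a hub-and-spoke PIX VPN; an empty list means nothing obvious is missing."""
    found = []
    for name, cfg in [("hub", hub), *spokes.items()]:
        if len(cfg["maps"]) != 1:
            found.append(f"{name}: inconsistent crypto map names {sorted(cfg['maps'])}")
        for peer in sorted(cfg["peers"] - cfg["keys"]):
            found.append(f"{name}: set peer {peer} has no matching isakmp key")
    hub_acl = hub["acl"].get(hub["match"], set())
    for name, cfg in spokes.items():
        if cfg["nat0"] != cfg["match"]:
            found.append(f"{name}: nat (inside) 0 does not reference crypto ACL {cfg['match']}")
        for src, smask, dst, dmask in sorted(cfg["acl"].get(cfg["match"], set())):
            if (dst, dmask, src, smask) not in hub_acl:   # hub must hold the reverse entry
                found.append(f"{name}: hub ACL has no mirror of {src} -> {dst}")
    return found
```

Run on the constructed excerpts, check_vpn reports three findings: the hub has no isakmp key for peer 192.168.0.1, the spoke lacks nat (inside) 0 for ACL 101, and the hub does not mirror the spoke's 172.17.17.0 -> 172.17.16.0 entry.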