Cisco PIX VPN Site-to-Site 配置文档
Diagram: [img=554,249]http://eraple.blog.ccidnet.com/attachment/70536_f787ff4869e5049.jpg[/img]
PIX1 configuration and notes
interface Ethernet0
description inside
speed 100
duplex full
nameif inside // define the PIX inside zone
security-level 100
ip address 10.10.10.2 255.255.255.0 // inside zone (internal network) address
interface Ethernet1
description ISP
speed 100
duplex full
nameif outside // define the PIX outside zone
security-level 0
ip address 124.254.1.1 255.255.255.248 // public (ISP) address on the outside interface
passwd 2KFQnbNIdI.2KYOU encrypted
[color=#ff0000]access-list 103 extended permit icmp any any // PIX does not allow ICMP through by default
access-list 103 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 // traffic from the outside permitted into the inside zone[/color]
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 // interesting traffic to be sent through the VPN tunnel
access-list ip-nat extended permit ip 192.168.1.0 255.255.255.0 any // traffic to be matched for PAT
global (outside) 1 interface // use the outside interface address as the PAT address
nat (inside) 0 access-list 101 // NAT exemption for the VPN access-list (tunnel traffic keeps its addresses)
nat (inside) 1 access-list ip-nat // PAT the traffic matching ip-nat
[color=#ff0000]access-group 103 in interface outside // apply access-list 103 inbound on the outside interface[/color]
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1 // internal route
route outside 0.0.0.0 0.0.0.0 124.254.1.2 1 // default route to the outside
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac // transform set: 3DES encryption, SHA authentication
crypto map CISCO 10 match address 101 // the crypto map matches the traffic in ACL 101
crypto map CISCO 10 set peer 124.254.1.2 // VPN peer IP
crypto map CISCO 10 set transform-set ccsp // use transform set ccsp
crypto map CISCO interface outside // apply the crypto map on the outside interface
crypto isakmp identity address
crypto isakmp enable outside // enable ISAKMP on outside
crypto isakmp policy 10 // ISAKMP policy
authentication pre-share // authentication method: pre-shared key
encryption 3des // encryption: 3DES
hash sha // hash: SHA
group 2 // Diffie-Hellman group 2 (1024-bit modulus)
lifetime 86400 // SA lifetime (seconds)
crypto isakmp nat-traversal 10 // enable NAT traversal (NAT-T), keepalive interval 10 seconds
tunnel-group 124.254.1.2 type ipsec-l2l // tunnel group of type IPsec LAN-to-LAN (site-to-site), named after the peer address
tunnel-group 124.254.1.2 ipsec-attributes // IPsec attributes for the tunnel group
pre-shared-key * // the pre-shared key is cisco 123 (shown as * in the running config)
-----------------------------------------------------------------------------------------------------------
PIX2 configuration and notes
interface Ethernet0
description ISP
speed 100
duplex full
nameif outside // define the outside zone
security-level 0 // security level 0 (the default for outside)
ip address 124.254.1.2 255.255.255.248 // public address on the outside interface
interface Ethernet1
description inside
speed 100
duplex full
nameif inside // define the inside zone
security-level 100 // security level 100 (the default for inside)
ip address 10.20.20.2 255.255.255.0 // internal address
passwd 2KFQnbNIdI.2KYOU encrypted
[color=#ff0000]access-list 103 extended permit icmp any any // PIX 7.0 does not allow ICMP traffic by default
access-list 103 extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq telnet // traffic from the outside permitted into the inside zone
access-list 103 extended permit tcp any host 124.254.1.3 eq telnet // any IP may telnet to 124.254.1.3[/color]
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 // interesting traffic to be sent through the VPN tunnel
access-list ip-nat extended permit ip 192.168.2.0 255.255.255.0 any // traffic to be matched for PAT
global (outside) 1 interface // enable PAT on outside using the interface address
nat (inside) 0 access-list 101 // traffic matching ACL 101 (VPN) is exempt from NAT
nat (inside) 1 access-list ip-nat // PAT the traffic matching ip-nat
static (inside,outside) 124.254.1.3 10.20.20.1 netmask 255.255.255.255 // static mapping of the public IP 124.254.1.3 to the internal IP 10.20.20.1
[color=#ff0000]access-group 103 in interface outside // apply access-list 103 inbound on outside so the matched outside traffic can reach the inside zone[/color]
route outside 0.0.0.0 0.0.0.0 124.254.1.1 1 // default route to the outside
route inside 192.168.2.0 255.255.255.0 10.20.20.1 1 // internal route
[color=#ff0000]// the following is not annotated; same as PIX1[/color]
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map CISCO 10 match address 101
crypto map CISCO 10 set peer 124.254.1.1
crypto map CISCO 10 set transform-set ccsp
crypto map CISCO interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
tunnel-group 124.254.1.1 type ipsec-l2l
tunnel-group 124.254.1.1 ipsec-attributes
pre-shared-key *
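The two peer configurations above have to agree on a handful of things (mirror-image crypto ACLs, each side's `set peer` pointing at the other's outside address, a tunnel-group named after the peer because `crypto isakmp identity address` is used, and a common transform set). The following added example, which is not part of the original post, cross-checks abridged copies of the PIX1 and PIX2 configs for those mismatches and then shows it catching a constructed error (a wrong remote subnet on PIX2):

```python
"""Cross-check two PIX site-to-site peers for the mismatches that most often
keep a tunnel from coming up. Added example, not from the original post; the
two configs are abridged copies of the PIX1/PIX2 configs above."""
import re

PIX1 = """
interface Ethernet1
nameif outside
ip address 124.254.1.1 255.255.255.248
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map CISCO 10 match address 101
crypto map CISCO 10 set peer 124.254.1.2
crypto map CISCO 10 set transform-set ccsp
tunnel-group 124.254.1.2 type ipsec-l2l
"""

PIX2 = """
interface Ethernet0
nameif outside
ip address 124.254.1.2 255.255.255.248
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map CISCO 10 match address 101
crypto map CISCO 10 set peer 124.254.1.1
crypto map CISCO 10 set transform-set ccsp
tunnel-group 124.254.1.1 type ipsec-l2l
"""

# Constructed broken variant: PIX2's crypto ACL names the wrong remote subnet.
PIX2_BAD = PIX2.replace("permit ip 192.168.2.0 255.255.255.0 192.168.1.0",
                        "permit ip 192.168.2.0 255.255.255.0 192.168.3.0")

RULES = {
    "acl": r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$",
    "transform": r"crypto ipsec transform-set (\S+) (.+)$",
    "map_acl": r"crypto map \S+ \d+ match address (\S+)$",
    "peer": r"crypto map \S+ \d+ set peer (\S+)$",
    "map_ts": r"crypto map \S+ \d+ set transform-set (\S+)$",
    "tunnel_group": r"tunnel-group (\S+) type ipsec-l2l$",
    "nat0_acl": r"nat \(inside\) 0 access-list (\S+)$",
}

def parse_pix(text):
    """Pull out only the lines that matter for peer agreement."""
    cfg = {"acl": {}, "transform": {}, "tunnel_groups": set(), "outside_ip": None}
    nameif = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "outside":
            cfg["outside_ip"] = line.split()[2]
        for key, pattern in RULES.items():
            m = re.match(pattern, line)
            if not m:
                continue
            if key == "acl":
                cfg["acl"].setdefault(m[1], []).append(m.groups()[1:])  # (src, smask, dst, dmask)
            elif key == "transform":
                cfg["transform"][m[1]] = tuple(m[2].split())
            elif key == "tunnel_group":
                cfg["tunnel_groups"].add(m[1])
            else:
                cfg[key] = m[1]
    return cfg

def check_peers(a, b):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    acl_a = a["acl"].get(a.get("map_acl"), [])
    acl_b = b["acl"].get(b.get("map_acl"), [])
    mirrored = sorted((d, dm, s, sm) for s, sm, d, dm in acl_a)
    if mirrored != sorted(acl_b):
        problems.append("crypto ACLs are not mirror images of each other")
    for name, cfg, other in (("A", a, b), ("B", b, a)):
        if cfg.get("nat0_acl") != cfg.get("map_acl"):
            problems.append(f"{name}: nat 0 exemption ACL differs from the crypto ACL")
        if cfg.get("peer") != other["outside_ip"]:
            problems.append(f"{name}: 'set peer' is not the other side's outside address")
        if cfg.get("peer") not in cfg["tunnel_groups"]:
            problems.append(f"{name}: no ipsec-l2l tunnel-group named after the peer")
    ts_a = a["transform"].get(a.get("map_ts"))
    ts_b = b["transform"].get(b.get("map_ts"))
    if ts_a is None or ts_a != ts_b:
        problems.append("transform sets referenced by the crypto maps are missing or differ")
    return problems

if __name__ == "__main__":
    print(check_peers(parse_pix(PIX1), parse_pix(PIX2)))      # []
    print(check_peers(parse_pix(PIX1), parse_pix(PIX2_BAD)))  # ACL mismatch reported
```

The pre-shared key is deliberately not compared here: it is masked as `*` in the running config, so a PSK mismatch only shows up as a phase-1 failure on the device itself.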
-----------------------------------------------------------------------------------------------------------
RTA configuration and notes
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0 // internal IP of the uplink interface
no ip unreachables
speed 100
full-duplex
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0 // internal IP of the downlink interface
no ip redirects
no ip unreachables
speed 100
full-duplex
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.2 // default route
-----------------------------------------------------------------------------------------------------------
RTB configuration and notes
username cisco pri 15 password ccie // local user cisco, privilege level 15, password ccie
interface FastEthernet0/0
ip address 10.20.20.1 255.255.255.0 // internal IP of the uplink interface
no ip redirects
no ip unreachables
speed 100
full-duplex
interface FastEthernet1/0
ip address 192.168.2.1 255.255.255.0 // internal IP of the downlink interface
no ip redirects
no ip unreachables
speed 100
full-duplex
ip classless
ip route 0.0.0.0 0.0.0.0 10.20.20.2 // default route
ip http server // enable the web (port 80) service
line vty 0 4
exec-timeout 0 0
logging synchronous
login local // telnet logins use local authentication
-----------------------------------------------------------------------------------------------------------
Test results:
IP address of the test host: 192.168.1.100 255.255.255.0
C:\Documents and Settings\Administrator>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=178ms TTL=254
Reply from 192.168.2.1: bytes=32 time=299ms TTL=254
Reply from 192.168.2.1: bytes=32 time=220ms TTL=254
Reply from 192.168.2.1: bytes=32 time=382ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 178ms, Maximum = 382ms, Average = 269ms
-------------------------------------------------------------------------------------------------------------------
PIX1# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.1
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 124.254.1.2
[color=#ff0000]#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4[/color]
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 124.254.1.1, remote crypto endpt.: 124.254.1.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B32B15FE
inbound esp sas:
spi: 0x250BEDC1 (621538753)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: CISCO
sa timing: remaining key lifetime (kB/sec): (3824998/28703)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB32B15FE (3005945342)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: CISCO
sa timing: remaining key lifetime (kB/sec): (3824998/28703)
IV size: 8 bytes
replay detection support: Y
---------------------------------------------------------------------------------------------------------
PIX2# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.2
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 124.254.1.1
[color=#ff0000]#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
[/color]#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 124.254.1.2, remote crypto endpt.: 124.254.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 250BEDC1
inbound esp sas:
spi: 0xB32B15FE (3005945342)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: CISCO
sa timing: remaining key lifetime (kB/sec): (4274998/28681)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x250BEDC1 (621538753)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: CISCO
sa timing: remaining key lifetime (kB/sec): (4274998/28681)
IV size: 8 bytes
replay detection support: Y
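The two `sh crypto ipsec sa` outputs above are the evidence that the tunnel is actually carrying the pings: PIX1's outbound SPI is PIX2's inbound SPI and vice versa, and PIX1's encaps count equals PIX2's decaps count. The following added example, not part of the original post, parses abridged copies of those two outputs and performs that cross-check, plus the "zero counters" check that matters later in the post when traffic bypasses the tunnel:

```python
"""Parse 'show crypto ipsec sa' from both ends of a tunnel and cross-check them.
Added example, not from the original post; the two samples are abridged from the
PIX1/PIX2 output above (BBCode colour tags removed)."""
import re

PIX1_SA = """
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.1
current_peer: 124.254.1.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
current outbound spi: B32B15FE
inbound esp sas:
spi: 0x250BEDC1 (621538753)
transform: esp-3des esp-sha-hmac
outbound esp sas:
spi: 0xB32B15FE (3005945342)
transform: esp-3des esp-sha-hmac
"""

PIX2_SA = """
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.2
current_peer: 124.254.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
current outbound spi: 250BEDC1
inbound esp sas:
spi: 0xB32B15FE (3005945342)
transform: esp-3des esp-sha-hmac
outbound esp sas:
spi: 0x250BEDC1 (621538753)
transform: esp-3des esp-sha-hmac
"""

def parse_ipsec_sa(text):
    """Extract peer, packet counters, error counters and the per-direction SPI/transform."""
    sa = {"inbound": {}, "outbound": {}}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("current_peer:"):
            sa["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("#pkts encaps:"):
            sa["encaps"] = int(re.search(r"encaps: (\d+)", line)[1])
        elif line.startswith("#pkts decaps:"):
            sa["decaps"] = int(re.search(r"decaps: (\d+)", line)[1])
        elif line.startswith("#send errors:"):
            m = re.search(r"#send errors: (\d+), #recv errors: (\d+)", line)
            sa["send_errors"], sa["recv_errors"] = int(m[1]), int(m[2])
        elif line in ("inbound esp sas:", "outbound esp sas:"):
            section = line.split()[0]            # "inbound" / "outbound"
        elif section and line.startswith("spi:"):
            sa[section]["spi"] = int(line.split()[1], 16)
        elif section and line.startswith("transform:"):
            sa[section]["transform"] = line.split(":", 1)[1].strip()
    return sa

def check_tunnel(a, b):
    """Compare the two ends of one SA pair; returns a list of findings (empty = healthy)."""
    findings = []
    if a["outbound"]["spi"] != b["inbound"]["spi"] or b["outbound"]["spi"] != a["inbound"]["spi"]:
        findings.append("SPIs do not pair up: the two ends are not describing the same SA")
    if a["outbound"]["transform"] != b["inbound"]["transform"]:
        findings.append("transform mismatch between the two ends")
    if a["encaps"] == 0 and a["decaps"] == 0:
        findings.append("no packets have used the SA: check the interesting-traffic ACL and nat 0")
    elif a["encaps"] != b["decaps"] or b["encaps"] != a["decaps"]:
        findings.append(f"counter mismatch: A encaps/decaps {a['encaps']}/{a['decaps']}, "
                        f"B encaps/decaps {b['encaps']}/{b['decaps']}")
    for name, sa in (("A", a), ("B", b)):
        if sa["send_errors"] or sa["recv_errors"]:
            findings.append(f"{name}: send/recv errors {sa['send_errors']}/{sa['recv_errors']}")
    return findings

if __name__ == "__main__":
    print(check_tunnel(parse_ipsec_sa(PIX1_SA), parse_ipsec_sa(PIX2_SA)))  # []
```

The counter comparison only holds on a quiet tunnel captured at the same moment on both ends; on a busy link the two snapshots will differ by whatever was in flight, so treat a small gap as noise and a large or growing one as loss.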
------------------------------------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator>ping 124.254.1.3 -t
Pinging 124.254.1.3 with 32 bytes of data:
Reply from 124.254.1.3: bytes=32 time=235ms TTL=254
Reply from 124.254.1.3: bytes=32 time=356ms TTL=254
Reply from 124.254.1.3: bytes=32 time=209ms TTL=254
Reply from 124.254.1.3: bytes=32 time=209ms TTL=254
Reply from 124.254.1.3: bytes=32 time=207ms TTL=254
Ping statistics for 124.254.1.3:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 207ms, Maximum = 356ms, Average = 243ms
[color=#ff0000]PIX1# sh xlate
1 in use, 1 most used
PAT Global 124.254.1.1(2) Local 192.168.1.100 ICMP id 512
PIX2# sh xlate
1 in use, 1 most used
Global 124.254.1.3 Local 10.20.20.1
[/color]-------------------------------------------------------------------------------------------------------------
Telnet traffic:
[color=#ff0000]RTB#sh user
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
66 vty 0 idle 00:00:06 124.254.1.1
[/color]
PIX1# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.1
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 124.254.1.2
[color=#0000ff]#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0[/color]
PIX2# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.2
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 124.254.1.1
[color=#0000ff]#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
[/color]
[color=#ff0000]RTB#sh user
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
66 vty 0 cisco idle 00:00:01 192.168.1.100 [/color]
Interface User Mode Idle Peer Address
PIX1# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.1
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 124.254.1.2
[color=#ff0000]#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15[/color]
PIX2# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.2
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 124.254.1.1
[color=#ff0000]#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17[/color]
----------------------------------------------------------------------------------------------------------------------
www service
Accessing [url=http://124.254.1.3/][color=#3d7db3]http://124.254.1.3[/color][/url]
Cisco Systems
Accessing Cisco 3620 "RTB"
Telnet - to the router.
Show interfaces - display the status of the interfaces.
Show diagnostic log - display the diagnostic log.
Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
Connectivity test - ping the nameserver.
Show tech-support - display information commonly needed by tech support.
QoS Device Manager - Configure and monitor QoS through the web interface.
PIX1# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.1
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 124.254.1.2
[color=#0000ff]#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15[/color]
PIX2# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.2
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 124.254.1.1
[color=#0000ff]#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17[/color]
Accessing [url=http://192.168.2.1/][color=#3d7db3]http://192.168.2.1[/color][/url]
Cisco Systems
Accessing Cisco 3620 "RTB"
Telnet - to the router.
Show interfaces - display the status of the interfaces.
Show diagnostic log - display the diagnostic log.
Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
Connectivity test - ping the nameserver.
Show tech-support - display information commonly needed by tech support.
QoS Device Manager - Configure and monitor QoS through the web interface
PIX1# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.1
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 124.254.1.2
[color=#ff0000]#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
[/color]#pkts compressed: 0, #pkts decompressed: 0
PIX2# sh crypto ipsec sa
interface: outside
Crypto map tag: CISCO, seq num: 10, local addr: 124.254.1.2
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 124.254.1.1
[color=#ff0000]#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
[/color]--------------------------------------------------------------------------------------------------------------------
[color=#ff0000]Note:[/color]
PIX2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 103; 4 elements
access-list 103 line 1 extended permit icmp any any (hitcnt=11) 0x48254972
access-list 103 line 2 extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq telnet (hitcnt=1) 0xa2c41d69
access-list 103 line 3 extended permit tcp any host 124.254.1.3 eq telnet (hitcnt=4) 0x6aecf52d
access-list 103 line 4 extended permit tcp any host 124.254.1.3 eq www (hitcnt=1) 0x2573aa31
[color=#0000ff]When access-list 103 line 4 is changed to: access-list 103 line 4 extended permit tcp any host 10.20.20.1 eq www (hitcnt=0) 0xf0eb2052
[/color]and the 124.254.1.3 www service is accessed:
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
--------------------------------------------------------------------------------
When the 10.20.20.1 www service is accessed:
access-list 103 line 4 extended permit tcp any host 10.20.20.1 eq www (hitcnt=2) 0xf0eb2052
When the 124.254.1.3 www service is accessed:
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
You can see that access-list 103 line 4 shows[color=#ff0000] hitcnt=2[/color] matches, yet the service still cannot be reached.
Access-list 103 line 4 has to permit anyone to reach the www service on 124.254.1.3 rather than on 10.20.20.1, because when a user with source address 192.168.1.100 accesses 10.20.20.1 the traffic does not match the interesting-traffic ACL 101, so it triggers PIX1's PAT translation; when that HTTP traffic arrives at PIX2 there is no NAT translation entry for 10.20.20.1, so the HTTP (port 80) traffic is dropped. With
[color=#ff0000]access-list 103 line 4 extended permit tcp any host 124.254.1.3 eq www (hitcnt=1) 0x2573aa31[/color]
access works normally:
Cisco Systems
Accessing Cisco 3620 "RTB"
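The note above describes the forwarding decision that decides whether a flow from the 192.168.1.0 site is encrypted or PATed, and why a PATed flow can hit an ACL line on PIX2 and still be dropped. The following added example, which is not part of the original post, models that decision with the ACLs, static and addresses from the configs above: on PIX1, traffic matching ACL 101 goes through the tunnel untranslated, everything else is PATed to 124.254.1.1; on PIX2, cleartext traffic must both pass access-list 103 and have a translation for its destination. It assumes decrypted tunnel traffic bypasses the outside ACL (the PIX 7.x default `sysopt connection permit-ipsec`), which is also why the www test over the tunnel succeeds although ACL 103 has no www line for 192.168.2.0:

```python
"""Model of the PIX1 -> PIX2 forwarding decision described in the post.
Added example, not from the original post; the ACL, static and addresses are
copied from the configs above, the second ACL variant is constructed from the
note's text, and the tunnel path is assumed to bypass the outside ACL
(the PIX 7.x default 'sysopt connection permit-ipsec')."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}")

# PIX1: access-list 101 (crypto map match + nat 0) and the outside PAT address
PIX1_CRYPTO_ACL = [(net("192.168.1.0", "255.255.255.0"), net("192.168.2.0", "255.255.255.0"))]
PIX1_OUTSIDE_ADDR = "124.254.1.1"

# PIX2: static (inside,outside) and access-list 103 as (proto, src, dst, dst port; None = any)
PIX2_STATIC = {"124.254.1.3": "10.20.20.1"}
PIX2_ACL_103 = [
    ("icmp", ANY, ANY, None),
    ("tcp", net("192.168.1.0", "255.255.255.0"), net("192.168.2.0", "255.255.255.0"), 23),
    ("tcp", ANY, net("124.254.1.3"), 23),
    ("tcp", ANY, net("124.254.1.3"), 80),
]
# The note's second attempt: line 4 rewritten to the inside address (constructed from the text)
PIX2_ACL_103_LINE4_INSIDE = PIX2_ACL_103[:3] + [("tcp", ANY, net("10.20.20.1"), 80)]

def pix1_egress(src, dst):
    """Return (path, source as seen on the wire, destination)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in PIX1_CRYPTO_ACL:
        if s in src_net and d in dst_net:
            return "tunnel", src, dst           # nat 0: addresses unchanged, ESP-encapsulated
    return "clear", PIX1_OUTSIDE_ADDR, dst      # nat 1 / global: PATed, sent in the clear

def pix2_ingress(path, src, dst, proto, dport, acl=PIX2_ACL_103):
    """Return (verdict, inside destination or None, ACL line hit or None)."""
    if path == "tunnel":
        return "delivered", dst, None           # decrypted, nat 0, outside ACL bypassed
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (p, src_net, dst_net, port) in enumerate(acl, start=1):
        if p == proto and s in src_net and d in dst_net and port in (None, dport):
            break                               # this line's hitcnt increments
    else:
        return "denied by access-list 103", None, None
    if dst in PIX2_STATIC:
        return "delivered", PIX2_STATIC[dst], idx
    # permitted by the ACL, but with no xlate for the destination the packet is dropped
    return "dropped: no translation for destination", None, idx

def trace(src, dst, proto, dport, acl=PIX2_ACL_103):
    """Follow one flow from the 192.168.1.0 site through PIX1 and into PIX2."""
    path, wire_src, wire_dst = pix1_egress(src, dst)
    verdict, inside, line = pix2_ingress(path, wire_src, wire_dst, proto, dport, acl)
    return path, verdict, inside, line

if __name__ == "__main__":
    for dst in ("192.168.2.1", "124.254.1.3", "10.20.20.1"):
        print(dst, "original ACL:", trace("192.168.1.100", dst, "tcp", 80))
        print(dst, "line 4 -> 10.20.20.1:", trace("192.168.1.100", dst, "tcp", 80, PIX2_ACL_103_LINE4_INSIDE))
```

Running it reproduces the post's observations: www to 192.168.2.1 rides the tunnel, www to 124.254.1.3 is PATed and delivered through the static, and www to 10.20.20.1 with the rewritten line 4 hits the ACL (the `hitcnt=2` in the note) but is dropped for lack of a translation.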