China Cisco / Huawei / 3Com / Microsoft Network Technology Community
Views: 10662 | Replies: 1

[Repost] How to configure a Cisco PIX for VPN access

56CTO.com administrator
Posted on 2007-5-16 19:41:29
PIX-Shanghai> en
Password: **********
PIX-Shanghai# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password S2MnpAQ0MxnL encrypted
passwd pAQ0MxOQLJnL encrypted
hostname PIX-Shanghai
domain-name ciscofan.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 218.242.194.97 www.ciscofan.com
object-group network LAN_Interne_ICE
network-object 128.1.0.0 255.255.0.0
network-object 10.101.0.0 255.255.0.0
network-object 10.102.0.0 255.254.0.0
network-object 10.104.0.0 255.248.0.0
network-object 10.112.0.0 255.252.0.0
network-object 10.116.0.0 255.254.0.0
network-object 192.168.10.0 255.255.254.0
network-object 192.168.12.0 255.255.252.0
network-object 192.168.16.0 255.255.240.0
network-object 192.168.32.0 255.255.240.0
network-object 192.168.48.0 255.255.254.0
network-object 192.168.50.0 255.255.255.0
object-group network LAN_Remota
network-object 10.200.62.0 255.255.255.0
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-list acl_nat0 permit ip object-group LAN_Remota object-group LAN_Interne_ICE
access-list cryptomap permit ip object-group LAN_Remota object-group LAN_Interne_ICE
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host outside 212.17.199.170
icmp permit host 212.17.199.170 outside
icmp permit host 212.17.199.198 outside
icmp permit host 217.56.45.123 outside
icmp permit host 217.56.45.122 outside
icmp permit host 80.23.50.226 outside
icmp permit host 212.17.199.167 outside
icmp permit host 217.17.199.198 outside
icmp permit host 80.20.218.100 outside
icmp permit host 80.20.218.108 outside
icmp permit host 211.152.x.x outside
mtu outside 1500
mtu inside 1500
ip address outside 211.152.x.x 255.255.255.240
ip address inside 10.200.62.1 255.255.255.0
ip audit name ids_attack attack action drop reset
ip audit interface outside ids_attack
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 211.152.x.x
nat (inside) 0 access-list acl_nat0
nat (inside) 1 10.200.62.0 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 211.152.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 193.204.114.232 source outside
http server enable
http 212.17.199.170 255.255.255.255 outside
http 212.17.199.198 255.255.255.255 outside
http 217.56.45.123 255.255.255.255 outside
http 217.56.45.122 255.255.255.255 outside
snmp-server host outside 212.17.199.170
snmp-server host outside 212.17.199.198
no snmp-server location
no snmp-server contact
snmp-server community ciscofanvpn
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address cryptomap
crypto map outside_map 20 set peer 213.215.136.251
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 120
ca identity ca1 www.ciscofan.com:/certsrv/mscep/mscep.dll
ca configure ca1 ra 1 20 crloptional
telnet timeout 5
ssh 212.17.199.170 255.255.255.255 outside
ssh 212.17.199.198 255.255.255.255 outside
ssh 217.56.45.123 255.255.255.255 outside
ssh 217.56.45.122 255.255.255.255 outside
ssh 80.23.50.226 255.255.255.255 outside
ssh 212.17.199.167 255.255.255.255 outside
ssh 80.20.218.100 255.255.255.255 outside
ssh 80.20.218.108 255.255.255.255 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:e99eb892f5c2b5d02540352ad9d72cce
: end
PIX-Shanghai#
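The running config above shows the pieces a PIX 6.x L2L tunnel needs to agree on: the `nat (inside) 0` exemption ACL, the crypto map's `match address` ACL, the transform-set it references, and the ISAKMP policy. As an added example (not from the post and not Cisco tooling), the Python script below parses the VPN-relevant lines of such a `show run` into a small model and reports what a reviewer would flag: the DES/MD5 transform-set and ISAKMP algorithms, `permit ip any any` access-groups, the plaintext SNMP community, a crypto map that references an undefined transform-set or ACL, and a crypto-map ACL that does not mirror the `nat 0` ACL (the usual cause of VPN traffic being NATed before encryption). The embedded config excerpt is constructed to mirror the posted one; the peer address is replaced by a documentation placeholder, while the ACL, object-group and map names are the post's own.

```python
"""Audit the VPN-relevant parts of a Cisco PIX 6.x running-config.

Added example, not from the forum post. SAMPLE_CONFIG is a constructed
excerpt modelled on the posted PIX-Shanghai config (peer address is a
documentation placeholder).
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit ip any any
access-list acl_in permit ip any any
access-list acl_nat0 permit ip object-group LAN_Remota object-group LAN_Interne_ICE
access-list cryptomap permit ip object-group LAN_Remota object-group LAN_Interne_ICE
nat (inside) 0 access-list acl_nat0
access-group acl_out in interface outside
access-group acl_in in interface inside
snmp-server community ciscofanvpn
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address cryptomap
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Algorithms no longer acceptable for IPsec / IKE phase 1.
WEAK_ESP = {"esp-des", "esp-md5-hmac", "esp-null"}
WEAK_IKE = {("encryption", "des"), ("hash", "md5"), ("group", "1"), ("group", "2")}


def parse_pix(text):
    """Collect ACLs, transform-sets, crypto-map entries, ISAKMP policies,
    the nat 0 ACL, access-group bindings and the SNMP community."""
    cfg = {"acl": defaultdict(list), "transform": {}, "cmap": defaultdict(dict),
           "isakmp": defaultdict(dict), "nat0_acl": None, "access_group": {},
           "snmp_community": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acl"][t[1]].append(" ".join(t[2:]))          # name -> entries
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][t[3]] = set(t[4:])               # name -> algorithms
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry = cfg["cmap"][(t[2], int(t[3]))]            # (map, seq) -> settings
            if t[4:6] == ["match", "address"]:
                entry["match"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[:2] == ["isakmp", "policy"]:
            cfg["isakmp"][int(t[2])][t[3]] = t[4]             # seq -> {attr: value}
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]                            # NAT-exempt ACL
        elif t[0] == "access-group":
            cfg["access_group"][t[4]] = t[1]                  # interface -> ACL
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp_community"] = t[2]
    return cfg


def audit(cfg):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    for name, algs in cfg["transform"].items():
        weak = algs & WEAK_ESP
        if weak:
            findings.append(f"transform-set {name}: weak IPsec algorithms {sorted(weak)}")
    for seq, pol in cfg["isakmp"].items():
        for attr, val in pol.items():
            if (attr, val) in WEAK_IKE:
                findings.append(f"isakmp policy {seq}: weak setting {attr} {val}")
    for (mapname, seq), entry in cfg["cmap"].items():
        ts = entry.get("transform")
        if ts not in cfg["transform"]:
            findings.append(f"crypto map {mapname} {seq}: transform-set {ts!r} is not defined")
        acl = entry.get("match")
        if acl not in cfg["acl"]:
            findings.append(f"crypto map {mapname} {seq}: match-address ACL {acl!r} is not defined")
        elif cfg["nat0_acl"] and cfg["acl"][acl] != cfg["acl"][cfg["nat0_acl"]]:
            # Interesting traffic that is not NAT-exempt gets translated before
            # it reaches the crypto map and never matches the tunnel.
            findings.append(f"crypto map {mapname} {seq}: ACL {acl} does not mirror "
                            f"nat 0 ACL {cfg['nat0_acl']}")
    for iface, acl in cfg["access_group"].items():
        if any(e.startswith("permit ip any any") for e in cfg["acl"].get(acl, [])):
            findings.append(f"access-group {acl} on {iface}: permit ip any any")
    if cfg["snmp_community"]:
        findings.append("snmp-server community string is present in plaintext")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix(SAMPLE_CONFIG)):
        print(finding)
```

Run against the excerpt it reports seven findings (the DES/MD5 transform-set, three ISAKMP settings, two wide-open access-groups and the SNMP community) and no ACL mismatch, because the posted `acl_nat0` and `cryptomap` ACLs are identical; edit either ACL and the mirror check fires.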

Posted on 2007-7-7 18:02:26
OP?
When running RA-VPN and L2L-VPN on the same interface at the same time,
what should I watch out for?
Please advise?
