
PIX Configuration Lab 1: Enhanced Spoke-to-Client VPN

Source: Internet  Author: west263.com  Date: 2008-02-23

I. Requirements

1. The hub PIX runs software version 7.0

2. The following devices are used in this lab:

PIX - 515 version 7.0.1 (PIX1)

VPN Client version 4.6.02.0011

PIX - 515 version 6.3.4 (PIX3)

II. Network Topology
The network is laid out as follows:

[Figure: pix70-enh-spk-client-vpn-1.gif (network topology diagram)]

III. Configuration:

1. PIX1 configuration

PIX Version 7.0(1)
no names
!
interface Ethernet0
nameif outside
security-level 0
ip address 172.18.124.170 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
interface Ethernet3
shutdown
nameif intf3
security-level 6
no ip address
!
interface Ethernet4
shutdown
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
shutdown
nameif intf5
security-level 10
no ip address
!
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname PIX1
domain-name cisco.com
boot system flash:/image.bin
ftp mode passive

!--- Allow IPsec traffic to enter and leave on the same interface (needed for client-to-spoke hairpinning)

same-security-traffic permit intra-interface


!--- Define the traffic to be encrypted between the hub (PIX1) and the spoke (PIX3)
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0


!--- Define the traffic to be encrypted between the VPN Client network and the spoke (PIX3)

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 30.30.30.0 255.255.255.0


!--- Define the traffic that is exempt from NAT translation (referenced by the nat 0 statement below)

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0


!--- Build the standard access list of networks that the VPN clients reach through the tunnel (split tunneling)

access-list splittunnel standard permit 10.10.10.0 255.255.255.0
access-list splittunnel standard permit 30.30.30.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500


!--- Define the address pool for the VPN clients

ip local pool vpnpool 192.168.10.1-192.168.10.254
no failover
monitor-interface outside
monitor-interface inside
monitor-interface intf2
monitor-interface intf3
monitor-interface intf4
monitor-interface intf5
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface


!--- Exempt the IPsec traffic from NAT

nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS protocol tacacs
aaa-server RADIUS protocol radius


!--- Configure the VPN Clients group policy

group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20

!--- See Note 2.

!--- Enable split tunneling and bind its parameters to the group policy

split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp


!--- Configure IPsec Phase 2.

crypto ipsec transform-set myset esp-3des esp-sha-hmac


!--- Configure the dynamic crypto map for the VPN clients

crypto dynamic-map rtpdynmap 20 set transform-set myset
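The comments above describe three relationships that have to hold for the spoke-to-client design to work: the NAT-exemption list must cover every hub-sourced pair in the crypto ACL, client-to-spoke traffic needs the intra-interface permit because it enters and leaves on outside, and the split-tunnel list must name every network the clients are expected to reach through the tunnel. The following Python audit script is an added example and is not part of the article or of any Cisco tool. It parses the PIX1 lines shown above (copied verbatim) and applies those three checks; the ACL, pool and interface names it defaults to (100, nonat, splittunnel, vpnpool, inside) come from this configuration, and the PIX1_WEAK variant is constructed here, not taken from the page, so that each check has a failing case to report.

```python
import ipaddress
import re

# Lines copied from the article's PIX1 configuration (only those the checks
# need). PIX1_WEAK is a constructed variant, not from the article: it drops the
# hub-to-spoke NAT exemption, the intra-interface permit and the spoke entry of
# the split-tunnel list so that every check has something to report.
PIX1_CONFIG = """
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list splittunnel standard permit 10.10.10.0 255.255.255.0
access-list splittunnel standard permit 30.30.30.0 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.254
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
"""
DROPPED = {
    "same-security-traffic permit intra-interface",
    "access-list nonat extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0",
    "access-list splittunnel standard permit 30.30.30.0 255.255.255.0",
}
PIX1_WEAK = "\n".join(l for l in PIX1_CONFIG.splitlines() if l not in DROPPED)

ACL_EXT = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ACL_STD = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")  # nat (ifname) id net mask


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config, iface="inside"):
    """Extended ACLs as (src, dst) network pairs, standard ACLs as network lists,
    pools as (first, last), networks translated by a non-zero 'nat (iface) N',
    and every other line verbatim so keyword settings can be matched exactly."""
    cfg = {"ext": {}, "std": {}, "pools": {}, "natted": [], "lines": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_EXT.match(line):
            cfg["ext"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := ACL_STD.match(line):
            cfg["std"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := POOL.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif (m := NAT.match(line)) and m[1] == iface and m[2] != "0":
            cfg["natted"].append(net(m[3], m[4]))
        else:
            cfg["lines"].add(line)
    return cfg


def covers_pool(network, pool):
    first, last = pool
    return first in network and last in network


def crypto_pairs_missing_nat_exemption(config, crypto="100", nonat="nonat", iface="inside"):
    """Crypto-ACL pairs whose source 'nat (inside) N' translates and no nonat
    entry exempts: the source is rewritten before encryption, never matches the
    crypto ACL, and the tunnel carries nothing."""
    cfg = parse(config, iface)
    exempt = cfg["ext"].get(nonat, [])
    if f"nat ({iface}) 0 access-list {nonat}" not in cfg["lines"]:
        exempt = []  # the list exists but no nat 0 statement applies it
    missing = []
    for src, dst in cfg["ext"].get(crypto, []):
        if not any(src.subnet_of(n) for n in cfg["natted"]):
            continue  # not translated on the way out, nothing to exempt
        if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
            missing.append(f"{src} -> {dst}")
    return missing


def hairpin_permitted(config, crypto="100", pool="vpnpool"):
    """Client-to-spoke packets enter and leave on the outside interface; PIX 7.0
    forwards them only with intra-interface traffic permitted. True when that
    permit exists or no client-sourced crypto pair needs it."""
    cfg = parse(config)
    pool_range = cfg["pools"][pool]
    needs = any(covers_pool(src, pool_range) for src, _ in cfg["ext"].get(crypto, []))
    return (not needs) or "same-security-traffic permit intra-interface" in cfg["lines"]


def split_tunnel_missing(config, crypto="100", nonat="nonat", pool="vpnpool", stl="splittunnel"):
    """Networks a client must reach through the tunnel (spoke networks in the
    crypto ACL plus inside networks NAT-exempted towards the pool) that the
    split-tunnel list omits; traffic to those would leave the client in clear."""
    cfg = parse(config)
    pool_range = cfg["pools"][pool]
    required = {dst for src, dst in cfg["ext"].get(crypto, []) if covers_pool(src, pool_range)}
    required |= {src for src, dst in cfg["ext"].get(nonat, []) if covers_pool(dst, pool_range)}
    allowed = cfg["std"].get(stl, [])
    return sorted(str(n) for n in required if not any(n.subnet_of(a) for a in allowed))
```

On the configuration shown above all three checks come back clean; on the weakened copy they report the missing 10.10.10.0/24 to 30.30.30.0/24 exemption, the absent intra-interface permit, and 30.30.30.0/24 missing from the split-tunnel list. The checks deliberately test only what this page configures (nat 0 on the inside interface, a tunnelspecified split-tunnel policy); a production audit would also have to account for the crypto map binding and tunnel-group settings that continue on the article's second page.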


This article has 2 pages; this is page 1.
