Headquarters-to-branch PIX VPN configuration (Pixvpn配置.doc)

Posted 2007-8-21 12:24:22
Pixvpn配置.doc

Municipal bureau: one hub and 7 branches. The hub is a PIX 515, the 7 branches are PIX 501s; 5 of the 7 branches have fixed IP addresses and 2 use ADSL dial-up (PPPoE).
PIX Version 6.3(4)
interface ethernet0 auto   enable the interface
interface ethernet1 auto   enable the interface
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password enO4Olec9w1AmAwd encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname pixfirewall
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 103 permit ip 10.32.10.0 255.255.255.0 172.16.103.0 255.255.255.0   traffic to branch XX (crypto ACL)
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.103.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.102.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.101.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.104.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.105.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.106.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.107.0 255.255.255.0   traffic to branch XX that is exempt from NAT
access-list 102 permit ip 10.32.10.0 255.255.255.0 172.16.102.0 255.255.255.0   traffic to branch XX (crypto ACL)
access-list 101 permit ip 10.32.10.0 255.255.255.0 172.16.101.0 255.255.255.0   traffic to branch XX (crypto ACL)
access-list 104 permit ip 10.32.10.0 255.255.255.0 172.16.104.0 255.255.255.0   traffic to branch XX (crypto ACL)
access-list 105 permit ip 10.32.10.0 255.255.255.0 172.16.105.0 255.255.255.0   traffic to branch XX (crypto ACL)
access-list 106 permit ip 10.32.10.0 255.255.255.0 172.16.106.0 255.255.255.0   traffic to branch XX (crypto ACL)
access-list 107 permit ip 10.32.10.0 255.255.255.0 172.16.107.0 255.255.255.0   traffic to branch XX (crypto ACL)
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500

ip address outside X.X.X.X 255.255.255.248   outside interface address
ip address inside 172.16.100.2 255.255.255.0   inside interface address
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface   NAT (PAT) onto the outside interface address
nat (inside) 0 access-list 150   traffic matching access-list 150 is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0   all other traffic is NATed out
conduit permit ip any any   permit all IP traffic
conduit permit icmp any any   permit all ICMP traffic
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1   default route to the outside gateway
route inside 10.32.10.0 255.255.255.0 172.16.100.1 1   route to the internal 3550 switch
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local   authentication against the local user database
aaa authentication ssh console LOCAL   SSH logins authenticate against the local database
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec   permit IPsec traffic
crypto ipsec transform-set shiju esp-3des esp-sha-hmac   configure the transform set
crypto dynamic-map cisco 10 match address 106   dynamic crypto map entry matches access-list 106
crypto dynamic-map cisco 10 set transform-set shiju   dynamic crypto map entry uses transform set shiju
crypto dynamic-map cisco 20 match address 107   dynamic crypto map entry matches access-list 107
crypto dynamic-map cisco 20 set transform-set shiju   dynamic crypto map entry uses transform set shiju
crypto map shiju 10 ipsec-isakmp   crypto map shiju, sequence 10, keyed by IKE
crypto map shiju 10 match address 101   crypto map shiju, sequence 10, matches access-list 101
crypto map shiju 10 set peer X.X.X.X   crypto map shiju, sequence 10, peer is the branch's outside interface address
crypto map shiju 10 set transform-set shiju   crypto map shiju, sequence 10, uses transform set shiju
crypto map shiju 20 ipsec-isakmp   crypto map shiju, sequence 20, keyed by IKE
crypto map shiju 20 match address 102   crypto map shiju, sequence 20, matches access-list 102
crypto map shiju 20 set peer X.X.X.X   crypto map shiju, sequence 20, peer is the branch's outside interface address
crypto map shiju 20 set transform-set shiju   crypto map shiju, sequence 20, uses transform set shiju
crypto map shiju 30 ipsec-isakmp   crypto map shiju, sequence 30, keyed by IKE
crypto map shiju 30 match address 103   crypto map shiju, sequence 30, matches access-list 103
crypto map shiju 30 set peer X.X.X.X   crypto map shiju, sequence 30, peer is the branch's outside interface address
crypto map shiju 30 set transform-set shiju   crypto map shiju, sequence 30, uses transform set shiju
crypto map shiju 40 ipsec-isakmp   crypto map shiju, sequence 40, keyed by IKE
crypto map shiju 40 match address 104   crypto map shiju, sequence 40, matches access-list 104
crypto map shiju 40 set peer X.X.X.X   crypto map shiju, sequence 40, peer is the branch's outside interface address
crypto map shiju 40 set transform-set shiju   crypto map shiju, sequence 40, uses transform set shiju
crypto map shiju 50 ipsec-isakmp   crypto map shiju, sequence 50, keyed by IKE
crypto map shiju 50 match address 105   crypto map shiju, sequence 50, matches access-list 105
crypto map shiju 50 set peer X.X.X.X   crypto map shiju, sequence 50, peer is the branch's outside interface address
crypto map shiju 50 set transform-set shiju   crypto map shiju, sequence 50, uses transform set shiju
crypto map shiju 60 ipsec-isakmp dynamic cisco   crypto map shiju, sequence 60, references dynamic crypto map cisco (for the ADSL branches)
crypto map shiju interface outside   apply crypto map shiju on the outside interface
isakmp enable outside   enable IKE on the outside interface
isakmp key ******** address X.X.X.X netmask 255.255.255.255   pre-shared key for this fixed-IP peer
isakmp key ******** address X.X.X.X netmask 255.255.255.255   pre-shared key for this fixed-IP peer
isakmp key ******** address X.X.X.X netmask 255.255.255.255   pre-shared key for this fixed-IP peer
isakmp key ******** address X.X.X.X netmask 255.255.255.255   pre-shared key for this fixed-IP peer
isakmp key ******** address X.X.X.X netmask 255.255.255.255   pre-shared key for this fixed-IP peer
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0   wildcard pre-shared key matching any address, for the dynamic (ADSL) peers
isakmp identity address
isakmp policy 1 authentication pre-share   IKE policy uses pre-shared keys
isakmp policy 1 encryption 3des   encryption 3DES
isakmp policy 1 hash md5   hash MD5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 10.32.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
username shiju password U2dTboE86KuyqaoW encrypted privilege 2
terminal width 80
Cryptochecksum:0b135a2788353924c6877b93087ae944
: end




Fixed-IP branch 1:
PIX Version 6.3(4)
interface ethernet0 auto   enable the interface
interface ethernet1 100full   enable the interface
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password enO4Olec9w1AmAwd encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname Baoying
domain-name baoying.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 172.16.101.0 255.255.255.0 10.32.10.0 255.255.255.0   VPN traffic (crypto ACL, mirror of the hub's ACL 101)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248   outside interface address
ip address inside 172.16.101.1 255.255.255.0   inside interface address
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface   NAT (PAT) onto the outside interface address
nat (inside) 0 access-list 101   traffic exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0   all other traffic is NATed
conduit permit icmp any any
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set yzhb2005 esp-3des esp-sha-hmac
crypto map toshiju 1 ipsec-isakmp
crypto map toshiju 1 match address 101
crypto map toshiju 1 set peer X.X.X.X
crypto map toshiju 1 set transform-set yzhb2005
crypto map toshiju interface outside
isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.101.10-172.16.101.254 inside
dhcpd dns
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd enable inside
username baoying password guZhMT2eUCdthgag encrypted privilege 2
terminal width 80
Cryptochecksum:ae91e6ee9abe910553da7eb20cb86d73
: end


ADSL branch (dynamic IP, PPPoE):
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password enO4Olec9w1AmAwd encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname weiyang
domain-name baoying.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 172.16.106.0 255.255.255.0 10.32.10.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 172.16.106.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit ip any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set yzhb2005 esp-3des esp-sha-hmac
crypto map toshiju 1 ipsec-isakmp
crypto map toshiju 1 match address 101
crypto map toshiju 1 set peer 218.106.100.11
crypto map toshiju 1 set transform-set yzhb2005
crypto map toshiju interface outside
isakmp enable outside
isakmp key yzhb2005 address X.X.X.X netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxx
vpdn group pppoex ppp authentication pap
vpdn username xxxxx password *********
terminal width 80
Cryptochecksum:ae91e6ee9abe910553da7eb20cb86d73
: end
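As an added example (not part of the original post), a small Python audit of the hub-and-spoke pattern above: it parses the access-list, nat 0 and crypto map lines of a PIX 6.3 config and checks that every crypto-map ACL is also covered by the nat 0 exemption ACL (otherwise the traffic is PATed before it reaches the tunnel selector) and that a spoke's crypto ACL is the exact mirror of the hub's. The excerpts are constructed from the post, with the hub's nat 0 entry for ACL 102 deliberately left out so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed excerpt of the hub config: ACL 102 is intentionally missing from ACL 150.
HUB = """
access-list 103 permit ip 10.32.10.0 255.255.255.0 172.16.103.0 255.255.255.0
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.103.0 255.255.255.0
access-list 150 permit ip 10.32.10.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 101 permit ip 10.32.10.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 102 permit ip 10.32.10.0 255.255.255.0 172.16.102.0 255.255.255.0
nat (inside) 0 access-list 150
crypto map shiju 10 match address 101
crypto map shiju 20 match address 102
crypto map shiju 30 match address 103
"""
# Constructed excerpt of fixed-IP branch 1.
SPOKE = """
access-list 101 permit ip 172.16.101.0 255.255.255.0 10.32.10.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map toshiju 1 match address 101
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")

def parse(cfg):
    """Return (acl id -> set of (src, smask, dst, dmask)), (map, seq) -> acl, nat0 acl."""
    acls, crypto_acls, nat0 = defaultdict(set), {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := ACL_RE.match(line):
            acls[m.group(1)].add(m.groups()[1:])
        elif m := MAP_RE.match(line):
            crypto_acls[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
    return acls, crypto_acls, nat0

def audit(cfg):
    """List crypto-map entries whose ACL is empty or not fully exempted from NAT."""
    acls, crypto_acls, nat0 = parse(cfg)
    findings = []
    for (name, seq), acl in crypto_acls.items():
        if acl not in acls:
            findings.append(f"{name} {seq}: ACL {acl} has no entries")
            continue
        for src, _, dst, _ in sorted(acls[acl] - acls.get(nat0, set())):
            findings.append(f"{name} {seq}: {src}->{dst} not exempted from NAT by ACL {nat0}")
    return findings

def mirrors(hub_cfg, hub_acl, spoke_cfg, spoke_acl):
    """True if the spoke's crypto ACL equals the hub's with source and destination swapped."""
    hub, spoke = parse(hub_cfg)[0][hub_acl], parse(spoke_cfg)[0][spoke_acl]
    return {(d, dm, s, sm) for s, sm, d, dm in hub} == spoke
```

Running `audit(HUB)` reports only `shiju 20`, and `mirrors(HUB, "101", SPOKE, "101")` confirms the branch-1 selector matches the hub's; the same parse can be pointed at ACLs 104 to 107 of the full config in the post.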