Huawei and PIX Firewall VPN Connection Configuration (Example)

Posted on 2007-5-16 06:06:41
Topology: PC (10.0.2.0/24) -- PIX525 --- Internet --- Huawei firewall --- PC (10.0.8.0/24)

PIX525:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname GLGLJ-FW
domain-name GLGLJ.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.0.2.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 100 permit ip any 10.0.6.192 255.255.255.192
access-list 100 permit ip 10.0.2.0 255.255.255.0 10.0.8.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.6.192 255.255.255.192
access-list 130 permit ip 10.0.2.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 219.151.XXX.XXX 255.255.255.192
ip address inside 10.0.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool glgljvpn 10.0.6.200-10.0.6.230
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 192.168.1.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 inside
pdm location 10.0.2.2 255.255.255.255 inside
pdm location 10.0.6.128 255.255.255.128 outside
pdm location 10.0.28.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.0.36.0 255.255.255.0 outside
pdm location 10.0.8.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 219.151.36.65 1
route outside 10.0.8.0 255.255.255.0 202.98.252.191 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 202.98.***.***
crypto map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 202.98.252.XXX netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
vpngroup glgljvpn address-pool glgljvpn
vpngroup glgljvpn idle-time 1800
vpngroup glgljvpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8963b7a70ebf7a8f852948f13ffd6a2b
: end

Huawei configuration:
<Eudemon>dis cu
#
sysname Eudemon
#
l2tp enable
#
info-center console channel 1
#
ike local-name snjtj
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat address-group 0 202.98.XXX.XXX 202.98.252.191
nat alg enable ftp
nat alg enable dns
undo nat alg enable icmp
nat alg enable netbios
undo nat alg enable h323
undo nat alg enable hwcc
undo nat alg enable ils
undo nat alg enable pptp
undo nat alg enable qq
undo nat alg enable msn
undo nat alg enable user-define
undo nat alg enable sip
#
ike proposal 10
dh group2
authentication-algorithm md5
sa duration 1000
#
ike peer peer
pre-shared-key ********
remote-address 219.151.***.***
#
ipsec proposal vpn
#
ipsec policy vpnmap 10 isakmp
security acl 3005
pfs dh-group2
ike-peer peer
proposal vpn
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
ip address 10.0.8.254 255.255.255.0
undo ip fast-forwarding qff
undo ip fast-forwarding output
#
interface Ethernet1/0
ip address 202.98.***.*** 255.255.255.0
undo ip fast-forwarding qff
undo ip fast-forwarding output
ipsec policy vpnmap
#
interface Virtual-Template1
ppp authentication-mode pap
ip address 192.168.0.1 255.255.255.0
remote address pool 1
qos reserved-bandwidth pct 20
#
interface NULL0
#
interface LoopBack1
ip address 10.0.8.44 255.255.255.255
#
acl number 3000
rule 1 deny tcp destination-port eq 135
rule 2 deny udp destination-port eq 135
rule 3 deny tcp destination-port eq 136
rule 4 deny udp destination-port eq 136
rule 6 deny tcp source-port eq 5554 destination-port eq 9995
rule 7 deny tcp source-port eq 5554 destination-port eq 9996
rule 8 deny tcp destination-port eq 138
rule 9 deny udp destination-port eq netbios-dgm
rule 10 deny tcp destination-port eq 139
rule 11 deny tcp destination-port eq 4444
rule 12 deny udp destination-port eq tftp
rule 13 deny tcp destination-port eq 593
rule 14 deny udp destination-port eq 593
rule 15 deny udp destination-port eq 389 time-range bt
rule 16 deny udp destination-port eq 445 time-range bt
rule 17 deny tcp destination-port eq 4899
rule 18 deny tcp destination-port eq sunrpc
rule 19 deny tcp destination-port eq 6588
rule 20 deny tcp destination-port eq 1978
rule 21 deny udp destination-port eq 9995
rule 22 deny tcp destination-port eq 3389
rule 23 deny tcp destination-port eq 137
rule 24 deny udp destination-port eq snmp
rule 25 deny tcp destination-port eq 139 time-range bt
rule 26 deny tcp destination-port eq 445
rule 27 deny tcp destination-port eq 2745
rule 28 deny tcp destination-port eq 1080
rule 29 deny tcp destination-port eq 6129
rule 30 deny tcp destination-port eq 3127 time-range bt
rule 31 deny tcp destination-port eq 3128
rule 33 deny udp destination-port eq netbios-ns
rule 34 deny tcp destination-port eq 5800
rule 35 deny tcp destination-port eq 6667
rule 36 deny tcp destination-port eq 1025
rule 37 deny tcp destination-port eq 5554
rule 38 deny tcp destination-port eq 1068
rule 39 deny tcp destination-port eq 9995
rule 40 deny udp destination-port eq netbios-ssn
rule 41 deny tcp destination-port eq 539
rule 42 deny udp destination-port eq 539
rule 43 deny udp destination-port eq 1434
rule 50 permit ip
acl number 3001
rule 1 deny tcp destination-port eq 23616 time-range bt
rule 5 deny udp destination-port eq 23616 time-range bt
acl number 3002
rule 1 deny ip
acl number 3005
rule 0 deny ip source 10.0.8.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
rule 4 permit ip source 10.0.8.0 0.0.0.255
rule 5 deny ip
acl number 3008
rule 5 permit ip source 10.0.8.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
rule 10 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.8.0 0.0.0.255
#
time-range bt 09:00 to 18:00 working-day
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
add interface Virtual-Template1
set priority 5
#
firewall zone dmz
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local dmz
#
firewall interzone trust untrust
packet-filter 3008 inbound
packet-filter 3008 outbound
nat outbound 3005 interface Ethernet1/0
firewall permit local ip
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
ip route-static 0.0.0.0 0.0.0.0 202.98.***.***
#
acl accelerate enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher ELCB[*X^1O<<KXR5GXV@DA!!
#
return
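As an added example (not part of the original post), a small Python check that parses the proposal-related lines of both configs and reports every IKE phase 1 or IPsec phase 2 parameter the two peers disagree on, which is the first thing to verify when a PIX-to-Huawei tunnel will not come up. The Huawei defaults used for fields the config leaves implicit (des-cbc, sha1, group1 and 86400 s for IKE; des with md5 for ESP) are assumptions, not values from the post.

```python
import re

# Assumed Huawei (Eudemon/VRP) defaults for fields the post leaves implicit;
# these are assumptions, not values from the page.
HW_DEFAULTS = {"ike_enc": "des", "ike_hash": "sha1", "ike_dh": "1",
               "ike_life": "86400", "esp_enc": "des", "esp_auth": "md5"}
# Map vendor spellings onto one vocabulary so the two sides can be compared.
NORM = {"des-cbc": "des", "3des-cbc": "3des", "group1": "1", "group2": "2",
        "group5": "5", "esp-des": "des", "esp-3des": "3des", "sha": "sha1",
        "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
PIX_KEYS = {"encryption": "ike_enc", "hash": "ike_hash", "group": "ike_dh", "lifetime": "ike_life"}
HW_KEYS = {"encryption-algorithm": "ike_enc", "authentication-algorithm": "ike_hash", "dh": "ike_dh"}

def norm(tok):
    return NORM.get(tok.lower(), tok.lower())

def parse_pix(cfg):
    # Phase 1 from the 'isakmp policy' lines, phase 2 from the transform-set tokens.
    p = {PIX_KEYS[k]: norm(v) for k, v in
         re.findall(r"isakmp policy \d+ (encryption|hash|group|lifetime) (\S+)", cfg)}
    m = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg)
    for tok in (m.group(1).split() if m else []):
        p["esp_auth" if "hmac" in tok else "esp_enc"] = norm(tok)
    return p

def parse_huawei(cfg):
    # Walk the '#'-separated blocks; anything not set explicitly keeps its assumed default.
    p, block = dict(HW_DEFAULTS), None
    for line in cfg.splitlines():
        w = line.split()
        if not w: continue
        if w[0] == "#": block = None
        elif w[:2] in (["ike", "proposal"], ["ipsec", "proposal"]): block = w[0]
        elif block == "ike" and w[0] in HW_KEYS:
            p[HW_KEYS[w[0]]] = norm(w[1])
        elif block == "ike" and w[:2] == ["sa", "duration"]:
            p["ike_life"] = w[2]
        elif block == "ipsec" and w[0] == "esp":  # esp encryption-/authentication-algorithm X
            p["esp_enc" if w[1].startswith("enc") else "esp_auth"] = norm(w[2])
    return p

def mismatches(pix, hw):
    # (field, pix value, huawei value) for every parameter the two peers disagree on.
    return [(k, pix.get(k), hw.get(k)) for k in HW_DEFAULTS if pix.get(k) != hw.get(k)]

# Constructed excerpts of the post's two configs (proposal-related lines only).
PIX_CFG = ("crypto ipsec transform-set myset esp-des esp-md5-hmac\n"
           "isakmp policy 10 encryption des\nisakmp policy 10 hash md5\n"
           "isakmp policy 10 group 2\nisakmp policy 10 lifetime 1000\n")
HW_CFG = "ike proposal 10\n dh group2\n authentication-algorithm md5\n sa duration 1000\n#\nipsec proposal vpn\n#\n"
```

Running `mismatches(parse_pix(PIX_CFG), parse_huawei(HW_CFG))` on the excerpts above returns an empty list; change either side's DH group or ESP cipher and the differing field is reported with both values.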