文字Configuring PIX Firewall 1 with VPN Tunneling

Step 1 Define a host name:

hostname NewYork

Step 2 Configure an ISAKMP policy:

isakmp enable outside

isakmp policy 9 authentication PRe-share

isakmp policy 9 encrypt des

Step 3 Configure a pre-shared key and associate with the peer:

crypto isakmp key cisco1234 address 209.165.200.229

Step 4 Configure the supported ipSec transforms:

crypto ipsec transform-set strong esp-des esp-sha-hmac

Step 5 Create an access list:

access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

Step 6 Exclude traffic between the intranets from NAT:

nat 0 access-list 90

This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

Step 7 Enable NAT for all other traffic:

nat (inside) 1 0 0

Step 8 Assign a pool of global addresses for NAT and PAT:

global (outside) 1 209.165.202.129-209.165.202.159

global (outside) 1 209.165.202.160

The pool of registered addresses are only used for connections to the public Internet.

Step 9 Define a crypto map:

crypto map toSanJose 20 ipsec-isakmp

crypto map toSanJose 20 match address 90

crypto map toSanJose 20 set transform-set strong

crypto map toSanJose 20 set peer 209.165.200.229

Step 10 Apply the crypto map to the outside interface:

crypto map toSanJose interface outside

Step 11 Specify that IPSec traffic be implicitly trusted (permitted):

sysopt connection permit-ipsec

Configuring PIX Firewall 2 for VPN Tunneling

Step 1 Define a host name:

hostname SanJose

Step 2 Define the domain name:

domain-name example.com

Step 3 Create a net static:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Step 4 Configure the ISAKMP policy:

isakmp enable outside

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption 3des

Step 5 Configure a pre-shared key and associate it with the peer:

crypto isakmp key cisco1234 address 209.165.201.8

Step 6 Configure IPSec supported transforms:

crypto ipsec transform-set strong esp-3des esp-sha-hmac

Step 7 Create an access list:

access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0

Step 8 Exclude traffic between the intranets from NAT:

nat 0 access-list 80

This excludes traffic matching access list 80 from NAT. The nat 0 command is always processed before any other nat commands.

Step 9 Enable NAT for all other traffic:

nat (inside) 1 0 0

Step 10 Assign a pool of global addresses for NAT and PAT:

global (outside) 1 209.165.202.160-209.165.202.89

global (outside) 1 209.165.202.190

The pool of registered addresses are only used for connections to the public Internet.

Step 11 Define a crypto map:

crypto map newyork 10 ipsec-isakmp

crypto map newyork 10 match address 80

crypto map newyork 10 set transform-set strong

crypto map newyork 10 set peer 209.165.201.8

Step 12 Apply the crypto map to an interface:

crypto map newyork interface outside

Step 13 Specify that IPSec traffic be implicitly trusted (permitted):

sysopt connection permit-ipsec

 

 

 

免责声明：本文为网络用户发布，其观点仅代表作者个人观点，与本站无关，本站仅提供信息存储服务。文中陈述内容未经本站证实，其真实性、完整性、及时性本站不作任何保证或承诺，请读者仅作参考，并请自行核实相关内容。