PIX 6.x：使用NAT在靜態定址的IOS路由器和動態定址的PIX防火牆之間配置動態IPsec的配置示例

下載選項

PDF (381.5 KB)
在多種裝置上使用 Adobe Reader 檢視
ePub (82.3 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
Mobi (Kindle) (71.2 KB)
在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視

已更新: 2018 年 9 月 20 日

文件 ID:66173

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的，無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言，或引用第三方產品的語言，因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件，讓全世界的使用者能夠以自己的語言理解支援內容。請注意，即使是最佳機器翻譯，也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責，並建議一律查看原始英文文件（提供連結）。

簡介

本文檔提供了一個示例配置，說明如何啟用IOS^®路由器以接受來自PIX防火牆的動態IPsec連線。如果專用網路10.0.0.x訪問Internet，遠端路由器將執行網路地址轉換(NAT)。從10.0.0.x到PIX後方的專用網路10.1.0.x的流量將從NAT進程中排除。PIX防火牆可以發起到路由器的連線，但路由器無法啟動到PIX的連線。

此配置使用Cisco IOS路由器來建立動態IPsec LAN-to-LAN (L2L)隧道，該隧道具有在其公共介面（外部介面）上接收動態IP地址的PIX防火牆。動態主機設定通訊協定(DHCP)提供了一種機制，可從網際網路服務提供者(ISP)動態分配IP位址。這樣，當主機不再需要這些IP地址時，便可重複使用這些地址。

有關PIX接受來自路由器的動態IPsec連線的方案的詳細資訊，請參閱使用NAT在靜態定址的PIX防火牆和動態定址的IOS路由器之間配置動態IPsec的示例。

要啟用PIX/ASA安全裝置，接受來自IOS路由器的動態IPsec連線，請參閱PIX/ASA 7.x及更高版本：使用NAT在靜態定址的PIX和動態定址的IOS路由器之間配置動態IPsec的示例。

要瞭解有關PIX/ASA安全裝置運行軟體版本7.x及更高版本的同一方案的詳細資訊，請參閱PIX/ASA 7.x及更高版本：使用NAT在靜態定址的IOS路由器和動態定址的PIX之間配置動態IPsec的示例。

Cisco IOS^®軟體版本12.4
Cisco PIX防火牆軟體版本6.3.4
Cisco安全PIX防火牆515E
思科2811路由器

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路正在作用，請確保您已瞭解任何指令可能造成的影響。

PIX 515E
R2（Cisco 2811路由器）

PIX 515E
PIX Version 6.3(4) interface ethernet0 100full interface ethernet1 100full interface ethernet2 shut nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 intf2 security4 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname PIX515E fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names !--- The access control list (ACL) to avoid NAT on the IPsec packets. access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0 !--- The ACL to apply on crypto map. !--- Include the private-network-to-private-network traffic !--- in the encryption process. access-list 101 permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0 pager lines 24 logging on mtu outside 1500 mtu inside 1500 mtu intf2 1500 !--- ISP will providthe the Outside IP address. ip address outside dhcp ip address inside 10.1.0.3 255.255.255.0 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address intf2 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list NO-NAT nat (inside) 1 0.0.0.0 0.0.0.0 0 0 route outside 10.0.0.0 255.255.255.0 172.16.1.5 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec !--- IPsec configuration, Phase 2. crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac crypto map IPSEC 10 ipsec-isakmp crypto map IPSEC 10 match address 101 crypto map IPSEC 10 set peer 10.95.49.1 crypto map IPSEC 10 set transform-set DYN-TS crypto map IPSEC interface outside !--- Internet Security Association and Key Management Protocol (ISAKMP) !--- policy, Phase 1. !--- Note:* In real show run output, the pre-shared key appears as ******. isakmp enable outside isakmp key cisco123 address 10.95.49.1 netmask 255.255.255.255 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:f0294298e214a947fc2e03f173e4a405 : end

PIX 515E

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 shut
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX515E
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- The access control list (ACL) to avoid NAT on the IPsec packets.

access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0 

!--- The ACL to apply on crypto map. !--- Include the private-network-to-private-network traffic !--- in the encryption process.

access-list 101 permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500

!--- ISP will providthe the Outside IP address.


ip address outside dhcp

ip address inside 10.1.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 10.0.0.0 255.255.255.0 172.16.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec


!--- IPsec configuration, Phase 2.

crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac 
crypto map IPSEC 10 ipsec-isakmp
crypto map IPSEC 10 match address 101
crypto map IPSEC 10 set peer 10.95.49.1
crypto map IPSEC 10 set transform-set DYN-TS
crypto map IPSEC interface outside

!--- Internet Security Association and Key Management Protocol (ISAKMP) !--- policy, Phase 1. !--- Note: In real show run output, the pre-shared key appears as *******.

isakmp enable outside
isakmp key cisco123 address 10.95.49.1 netmask 255.255.255.255 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f0294298e214a947fc2e03f173e4a405
: end

R2（Cisco 2811路由器）
R2#show running-configuration Building configuration... Current configuration : 1916 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname r1800 ! boot-start-marker boot-end-marker ! ! no aaa new-model ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero ip cef ! ! no ip dhcp use vrf connected ! ! no ip ips deny-action ips-interface ! no ftp-server write-enable ! ! !--- ISAKMP policy, Phase 1. crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key 6 cisco123 address 0.0.0.0 0.0.0.0 ! ! !--- IPsec policy, Phase 2. crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac ! crypto dynamic-map DYN 10 set transform-set DYN-TS match address 101 ! ! crypto map IPSEC 10 ipsec-isakmp dynamic DYN ! ! ! interface FastEthernet0/0 ip address 10.95.49.1 255.255.255.0 ip nat outside ip virtual-reassembly load-interval 30 duplex auto speed auto crypto map IPSEC ! interface FastEthernet0/1 ip address 10.0.0.1 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! ip classless ip route 10.1.0.0 255.255.255.0 10.95.49.2 ! ip http server no ip http secure-server !--- Except the private network from the NAT process. ip nat inside source list 102 interface FastEthernet0/0 overload ! !--- Include the private-network-to-private-network !--- traffic in the encryption process. access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255 !--- Except the private network from the NAT process. access-list 102 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255 access-list 102 permit ip 10.0.0.0 0.0.0.255 any ! ! control-plane ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 exec-timeout 0 0 login ! end

R2（Cisco 2811路由器）

R2#show running-configuration
Building configuration...

Current configuration : 1916 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r1800
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef 
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
! 

!--- ISAKMP policy, Phase 1.

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 6 cisco123 address 0.0.0.0 0.0.0.0
!
!

!--- IPsec policy, Phase 2.

crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac 
!
crypto dynamic-map DYN 10
set transform-set DYN-TS 
match address 101
!
!
crypto map IPSEC 10 ipsec-isakmp dynamic DYN 
!
!
!
interface FastEthernet0/0
ip address 10.95.49.1 255.255.255.0
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map IPSEC
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 10.1.0.0 255.255.255.0 10.95.49.2
!
ip http server
no ip http secure-server

!--- Except the private network from the NAT process.

ip nat inside source list 102 interface FastEthernet0/0 overload
!

!--- Include the private-network-to-private-network !--- traffic in the encryption process.

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255


!--- Except the private network from the NAT process.

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login 
!
end

驗證

使用本節內容，確認您的組態是否正常運作。

輸出直譯器工具(僅供註冊客戶使用) (OIT)支援某些show指令。使用OIT檢視對show命令輸出的分析。

show crypto isakmp sa -顯示對等體上的所有當前IKE安全關聯(SA)。
show crypto ipsec sa -顯示當前(IPsec) SA使用的設定。
show crypto engine connections active -顯示當前連線及加密和解密資料包的相關資訊（僅限路由器）。

您必須清除兩個對等體上的SA。

在配置模式下執行以下PIX命令。

clear crypto isakmp sa -清除第1階段SA。
clear crypto ipsec sa -清除第2階段SA。

在啟用模式下執行以下路由器命令。

clear crypto isakmp -清除第1階段SA。
clear crypto sa -清除第2階段SA。

疑難排解

使用本節內容，對組態進行疑難排解。

疑難排解指令

輸出直譯器工具(僅供註冊客戶使用) (OIT)支援某些show指令。使用OIT檢視對show命令輸出的分析。

附註：使用 debug 指令之前，請先參閱有關 Debug 指令的重要資訊。

show crypto isakmp sa -檢視對等體上的所有當前IKE SA。
show crypto ipsec sa -顯示當前(IPsec) SA使用的設定。
show crypto engine connections active -顯示當前連線及加密和解密資料包的相關資訊（僅限路由器）。

PIX 6.x：使用NAT在靜態定址的IOS路由器和動態定址的PIX防火牆之間配置動態IPsec的配置示例

下載選項

無偏見用語

關於此翻譯

目錄

簡介

必要條件

需求

採用元件

慣例

設定

網路圖表

組態

驗證

疑難排解

疑難排解指令

相關資訊

修訂記錄

這份文件是否有所幫助？

讓思科協助您

本文件適用於這些產品