在通過L2L IPsec隧道連線的遠端網路上用於入站主機轉換的PIX防火牆配置示例

簡介

本文檔介紹用於轉換通過兩個Cisco安全PIX防火牆之間的LAN到LAN IPsec隧道的主機源IP的步驟。每個PIX防火牆後面都有一個受保護的專用網路。此概念也適用於轉換子網而不是單個主機。

注意：使用以下步驟在PIX/ASA 7.x中配置相同的方案：

• 要為PIX/ASA 7.x配置站點到站點VPN隧道，請參閱PIX/ASA 7.x:簡單的PIX到PIX VPN隧道配置示例。

• 用於入站通訊的static命令與6.x和7.x的命令類似，如本文檔所述。

• 本文檔中使用的show、clear和debug命令在PIX 6.x和7.x中類似。

必要條件

需求

繼續本配置示例之前，請確保已在介面上配置了IP地址的PIX防火牆並具有基本連線。

採用元件

本文中的資訊係根據以下軟體和硬體版本：

• Cisco PIX 506E防火牆

• Cisco安全PIX防火牆軟體版本6.3(3)

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路正在作用，請確保您已瞭解任何指令可能造成的影響。

慣例

請參閱思科技術提示慣例以瞭解更多有關文件慣例的資訊。

設定

本節提供用於設定本文件中所述功能的資訊。

註：使用Command Lookup Tool(僅供已註冊客戶使用)可獲取本節中使用的命令的詳細資訊。

網路圖表

本檔案會使用以下網路設定：

IP地址為192.168.100.2的主機在PIX防火牆上轉換為主機名為PIXfirst的192.168.50.2。此轉譯對主機及其目的地是透明的。

注意：除非啟用該應用程式的修正，否則預設情況下不會轉換任何嵌入式IP地址。嵌入式IP地址是應用程式套件含在IP資料包的資料負載部分中的地址。網路位址轉譯(NAT)只會修改IP封包的外部IP標頭。它不會修改某些應用程式可以嵌入IP的原始資料包的資料負載。這有時會導致這些應用程式無法正常工作。

組態

本檔案會使用以下設定：

• PIXfirst配置

• PIXsecond配置

PIXfirst(config)#write terminal

Building configuration...

: Saved

:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXfirst
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Define encryption domain (interesting traffic) !--- for the IPsec tunnel.

access-list 110 permit ip host 192.168.1.2 host 192.168.100.2


!--- Accept the private network traffic from the NAT process.

access-list 120 permit ip host 192.168.1.2 host 192.168.50.2 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Bypass translation for traffic that goes over the IPsec tunnel.


nat (inside) 0 access-list 120


!--- Inbound translation for the host located on the remote network.


static (outside,inside) 192.168.50.2 192.168.100.2 netmask 255.255.255.255 0 0 
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable



!--- Accept traffic that comes over the IPsec tunnel from !--- Adaptive Security Algorithm (ASA) rules and !--- access control lists (ACLs) configured on the outside interface.


sysopt connection permit-ipsec


!--- Create the Phase 2 policy for actual data encryption.


crypto ipsec transform-set chevelle esp-des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 110
crypto map transam 1 set peer 10.2.1.1
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside


!--- Pre-shared key for the IPsec peer.

isakmp key ******** address 10.2.1.1 netmask 255.255.255.255 


!--- Create the Phase 1 policy.


isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:778f934d42c037a978b8b5236a93b5f4

: end


[OK]

PIXfirst(config)#

PIXsecond(config)#write terminal

Building configuration...

: Saved

:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXsecond
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- Accept the private network traffic from the NAT process.


access-list nonat permit ip host 192.168.100.2 host 192.168.1.2 


!--- Define encryption domain (interesting traffic) for the IPsec tunnel.


access-list 110 permit ip host 192.168.100.2 host 192.168.1.2 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.2.1.1 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Bypass translation for traffic that goes over the IPsec tunnel.


nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 10.2.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Accept traffic that comes over the IPsec tunnel from ASA rules and !--- ACLs configured on the outside interface.


sysopt connection permit-ipsec


!--- Create the Phase 2 policy for actual data encryption.


crypto ipsec transform-set chevelle esp-des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 110
crypto map transam 1 set peer 10.1.1.1
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside


!--- Pre-shared key for the IPsec peer.

isakmp key ******** address 10.1.1.1 netmask 255.255.255.255 


!--- Create the Phase 1 policy.


isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a686f71a023d1cd7078728a38acf529e

: end

[OK]

PIXsecond(config)#

如果為給定介面建立多個加密對映條目，則需要使用每個條目的序列號對其進行排名。序列號越低，優先順序越高。在具有加密對映集的介面上，安全裝置首先根據優先順序較高的對映條目評估流量。

如果不同的對等體處理不同的資料流，或者如果希望將不同的IPsec安全性應用於不同型別的流量（應用於相同或不同的對等體），請為給定介面建立多個加密對映條目。 例如，如果希望一組子網之間的流量通過身份驗證，而另一組子網之間的流量通過身份驗證和加密。在這種情況下，請在兩個獨立的存取清單中定義不同型別的流量，並為每個密碼編譯存取清單建立獨立的密碼編譯對應專案。

清除安全關聯(SA)

在PIX的許可權模式下，使用以下命令：

• clear [crypto] ipsec sa — 刪除活動的IPsec SA。關鍵字crypto 是可選的。

• clear [crypto] isakmp sa — 刪除活動的IKE SA。關鍵字crypto 是可選的。

驗證

使用本節內容，確認您的組態是否正常運作。

輸出直譯器工具(僅供已註冊客戶使用)(OIT)支援某些show命令。使用OIT檢視show命令輸出的分析。

• show crypto isakmp sa — 顯示第1階段安全關聯(SA)。

• show crypto ipsec sa — 顯示第2階段SA。

• ping — 診斷基本網路連線。從一個PIX到另一個PIX的ping檢驗兩個PIX之間的連通性。也可以從PIXsecond後的主機對PIXfirst後的主機執行ping以呼叫IPsec隧道。

• show local-host <IP_address> — 顯示已指定其IP地址的本地主機的轉換和連線插槽。

• show xlate detail — 顯示轉換插槽的內容。這用於驗證主機是否已轉換。

驗證PIXfirst

以下是ping命令的輸出。

PIXfirst(config)#ping 10.2.1.1


!--- PIX pings the outside interface of the peer. !--- This implies that connectivity between peers is available.

10.2.1.1 response received -- 0ms
10.2.1.1 response received -- 0ms
10.2.1.1 response received -- 0ms
PIXfirst(config)#

以下是show crypto isakmp sa命令的輸出。

PIXfirst(config)#show crypto isakmp sa
Total : 1
Embryonic : 0


!--- Phase 1 SA is authenticated and established.



dst           src         state   pending    created 
10.1.1.1     10.2.1.1     QM_IDLE   0           1 

以下是show crypto ipsec sa命令的輸出。

!--- Shows Phase 2 SAs.

PIXfirst(config)#show crypto ipsec sa

interface: outside
Crypto map tag: transam, local addr. 10.1.1.1

!--- Shows addresses of hosts that !--- communicate over this tunnel.


local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/0/0)
current_peer: 10.2.1.1:500

PERMIT, flags={origin_is_acl,}

!--- Shows if traffic passes over the tunnel or not. !--- Encapsulated packets translate to packets that are sent. !--- Decapsulated packets translate to packets that are received.

#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 21
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 21
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.1.1
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 6ef53756


!--- If an inbound Encapsulating Security Payload (ESP) !--- SA and outbound ESP SA exists with a !--- security parameter index (SPI) !--- number, it implies that the Phase 2 SAs !--- are established successfully.


inbound esp sas:

     spi: 0x1cf45b9f(485776287)

         transform: esp-des esp-md5-hmac ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2, crypto map: transam
         sa timing: remaining key lifetime (k/sec): (4607998/28756)
         IV size: 8 bytes
         replay detection support: Y

inbound ah sas:

inbound pcp sas:


outbound esp sas:

   spi: 0x6ef53756(1861564246)

       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 1, crypto map: transam
       sa timing: remaining key lifetime (k/sec): (4607998/28756)
       IV size: 8 bytes
       replay detection support: Y

outbound ah sas:

outbound pcp sas:

以下是show local-host命令的輸出。

!--- Shows translation for the host on a remote network.

PIXfirst(config)#show local-host 192.168.100.2

Interface outside: 1 active, 1 maximum active, 0 denied
local host: <192.168.100.2>,
TCP connection count/limit = 0/unlimited
TCP embryonic count = 0
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
Global 192.168.50.2 Local 192.168.100.2
Conn(s):

以下是show xlate detail命令的輸出。

!--- Shows translation for the host on a remote network.

PIXfirst(config)#show xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
NAT from outside:192.168.100.2 to inside:192.168.50.2 flags s
PIXfirst(config)#

驗證PIXsecond

以下是ping命令的輸出。

PIXsecond(config)#ping 10.1.1.1


!--- PIX can ping the outside interface of the peer. !--- This implies that connectivity between peers is available.

10.1.1.1 response received -- 0ms
10.1.1.1 response received -- 0ms
10.1.1.1 response received -- 0ms
PIXsecond(config)#

以下是show crypto isakmp sa命令的輸出。

PIXsecond(config)#show crypto isakmp sa

Total : 1
Embryonic : 0

!--- Phase 1 SA is authenticated and established.


dst          src        state      pending      created 
10.1.1.1    10.2.1.1    QM_IDLE      0             1 

以下是show crypto ipsec sa命令的輸出。

!--- Shows Phase 2 SAs.

PIXsecond(config)#show crypto ipsec sa

interface: outside
Crypto map tag: transam, local addr. 10.2.1.1

!--- Shows addresses of hosts that communicate !--- over this tunnel.


local ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer: 10.1.1.1:500

PERMIT, flags={origin_is_acl,}

!--- Shows if traffic passes over the tunnel or not. !--- Encapsulated packets translate to packets that are sent. !--- Decapsulated packets translate to packets that are received.

#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 21
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 21
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.2.1.1, remote crypto endpt.: 10.1.1.1
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 1cf45b9f


!--- If an inbound ESP SA and outbound ESP SA exists with an SPI !--- number, it implies that the Phase 2 SAs are established successfully.

inbound esp sas:

   spi: 0x6ef53756(1861564246)

      transform: esp-des esp-md5-hmac ,
      in use settings ={Tunnel, }
      slot: 0, conn id: 2, crypto map: transam
      sa timing: remaining key lifetime (k/sec): (4607990/28646)
      IV size: 8 bytes
      replay detection support: Y
inbound ah sas:

inbound pcp sas:

outbound esp sas:

    spi: 0x1cf45b9f(485776287)

       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 1, crypto map: transam
       sa timing: remaining key lifetime (k/sec): (4607993/28645)
       IV size: 8 bytes
       replay detection support: Y


outbound ah sas:

outbound pcp sas:

PIXsecond(config)# 

疑難排解

本節提供的資訊用於對組態進行疑難排解。

疑難排解指令

輸出直譯器工具(僅供已註冊客戶使用)(OIT)支援某些show命令。使用OIT檢視show命令輸出的分析。

附註：使用 debug 指令之前，請先參閱有關 Debug 指令的重要資訊。

• debug crypto ipsec — 顯示有關IPsec事件的資訊。

• debug crypto isakmp — 顯示有關Internet金鑰交換(IKE)事件的消息。

• debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]] [rx | tx |both] — 顯示到達指定介面的資料包。當您確定PIXfirst的內部介面上的流量型別時，此命令很有用。此命令還用於驗證是否發生了要進行的轉換。

• logging buffered level — 將系統日誌消息傳送到使用show logging命令檢視的內部緩衝區。使用clear logging命令清除消息緩衝區。新消息會追加到緩衝區的末尾。此命令用於檢視已構建的轉換。在需要時，必須開啟到緩衝區的日誌記錄。關閉日誌記錄到緩衝區，不啟用日誌記錄緩衝區級別和/或不啟用日誌記錄。

• debug icmp trace — 顯示網際網路控制消息協定(ICMP)資料包資訊、源IP地址以及到達、離開和穿越PIX防火牆的資料包的目的地址。這包括向PIX防火牆裝置自己的介面發出ping命令。使用no debug icmp trace關閉debug icmp trace。

以下是debug crypto isakmp和debug crypto ipsec命令的輸出。

PIXfirst(config)#debug crypto isakmp
PIXfirst(config)#debug crypto ipsec
PIXfirst(config)#debug crypto engine
PIXfirst(config)#show debug
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto engine
PIXfirst(config)# 

PIXfirst(config)# 

crypto_isakmp_process_block:src:10.2.1.1, dest:10.1.1.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 137660894

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 
ISAKMP: authenticator is HMAC-MD5


!--- Phase 1 policy accepted.

ISAKMP (0): atts are acceptable. IPSEC(validate_proposal_request): 
proposal part #1,
(key eng. msg.) dest= 10.1.1.1, src= 10.2.1.1, 

!--- Encryption domain (interesting traffic) that invokes the tunnel.

dest_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1), 
src_proxy= 192.168.100.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac , 
lifedur= 0s and 0kb, 
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 137660894
ISAKMP (0): processing ID payload. message ID = 137660894
ISAKMP (0): ID_IPV4_ADDR src 192.168.100.2 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 137660894
ISAKMP (0): ID_IPV4_ADDR dst 192.168.1.2 prot 0 port 0IPSEC(key_engine): 
got a queue event...
IPSEC(spi_response): getting spi 0x15ee92d9(367956697) for SA 
from 10.2.1.1 to 10.1.1.1 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.2.1.1, dest:10.1.1.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAITmap_alloc_entry: allocating entry 2
map_alloc_entry: allocating entry 1

ISAKMP (0): Creating IPSec SAs
inbound SA from 10.2.1.1 to 10.1.1.1 (proxy 192.168.100.2 to 192.168.1.2)
has spi 367956697 and conn_id 2 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.1.1 to 10.2.1.1 (proxy 192.168.1.2 to 192.168.100.2)
has spi 1056204195 and conn_id 1 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 10.1.1.1, src= 10.2.1.1, 
dest_proxy= 192.168.1.2/0.0.0.0/0/0 (type=1), 
src_proxy= 192.168.100.2/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac , 
lifedur= 28800s and 4608000kb, 
spi= 0x15ee92d9(367956697), conn_id= 2, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 10.1.1.1, dest= 10.2.1.1, 
src_proxy= 192.168.1.2/0.0.0.0/0/0 (type=1), 
dest_proxy= 192.168.100.2/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac , 
lifedur= 28800s and 4608000kb, 
spi= 0x3ef465a3(1056204195), conn_id= 1, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:10.2.1.1/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:10.2.1.1/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR

PIXfirst(config)#

這是debug packet inside src命令的輸出。

!--- Shows that the remote host packet is translated.

PIXfirst(config)#debug packet inside src 192.168.50.2 dst 192.168.1.2
PIXfirst(config)# show debug
debug packet inside src 192.168.50.2 dst 192.168.1.2 both

--------- PACKET ---------


-- IP --


!--- Source IP is translated to 192.168.50.2.

192.168.50.2 ==> 192.168.1.2


ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x82 flags = 0x0 frag off=0x0

ttl = 0x80 proto=0x1 chksum = 0x85ea


!--- ICMP echo packet, as expected.

-- ICMP --

type = 0x8 code = 0x0 checksum=0x425c

identifier = 0x200 seq = 0x900

-- DATA --

0000001c: 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 | abcdefghijklmnop

0000002c: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 | qrstuvwabcdefghi

0000003c: 01 | .


--------- END OF PACKET ---------


--------- PACKET ---------


-- IP --

192.168.50.2 ==> 192.168.1.2


ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x83 flags = 0x0 frag off=0x0

ttl = 0x80 proto=0x1 chksum = 0x85e9


-- ICMP --

type = 0x8 code = 0x0 checksum=0x415c

identifier = 0x200 seq = 0xa00

-- DATA --

0000001c: 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 | abcdefghijklmnop

0000002c: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 | qrstuvwabcdefghi

0000003c: 01 | .


--------- END OF PACKET ---------


--------- PACKET ---------


-- IP --

192.168.50.2 ==> 192.168.1.2


ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x84 flags = 0x0 frag off=0x0

ttl = 0x80 proto=0x1 chksum = 0x85e8


-- ICMP --

type = 0x8 code = 0x0 checksum=0x405c

identifier = 0x200 seq = 0xb00

-- DATA --

0000001c: 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 | abcdefghijklmnop

0000002c: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 | qrstuvwabcdefghi

0000003c: 01 | .


--------- END OF PACKET ---------


--------- PACKET ---------


-- IP --

192.168.50.2 ==> 192.168.1.2


ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x85 flags = 0x0 frag off=0x0

ttl = 0x80 proto=0x1 chksum = 0x85e7


-- ICMP --

type = 0x8 code = 0x0 checksum=0x3f5c

identifier = 0x200 seq = 0xc00

-- DATA --

0000001c: 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 | abcdefghijklmnop

0000002c: 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 | qrstuvwabcdefghi

0000003c: 01 | .


--------- END OF PACKET ---------

PIXfirst(config)#

這是logging buffer命令的輸出。

!--- Logs show translation is built.

PIXfirst(config)#logging buffer 7
PIXfirst(config)#logging on
PIXfirst(config)#show logging

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 53 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled

111009: User 'enable_15' executed cmd: show logging
602301: sa created, (sa) sa_dest= 10.1.1.1, sa_prot= 50, 
sa_spi= 0xb1274c19(2972142617), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
602301: sa created, (sa) sa_dest= 10.2.1.1, sa_prot= 50, 
sa_spi= 0x892de1df(2301485535), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1

!--- Translation is built.

609001: Built local-host outside:192.168.100.2
305009: Built static translation from outside:192.168.100.2 to inside:192.168.50.2
PIXfirst(config)# 

以下是debug icmp trace命令的輸出。

!--- Shows ICMP echo and echo-reply with translations !--- that take place.


PIXfirst(config)#debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks


PIXfirst(config)# 5: ICMP echo-request from outside:192.168.100.2 to 192.168.1.2 
ID=1024 seq=1280 length=40
6: ICMP echo-request: translating outside:192.168.100.2 to inside:192.168.50.2
7: ICMP echo-reply from inside:192.168.1.2 to 192.168.50.2 ID=1024 seq=1280 length=40
8: ICMP echo-reply: untranslating inside:192.168.50.2 to outside:192.168.100.2
9: ICMP echo-request from outside:192.168.100.2 to 192.168.1.2 ID=1024 seq=1536 length=40
10: ICMP echo-request: translating outside:192.168.100.2 to inside:192.168.50.2
11: ICMP echo-reply from inside:192.168.1.2 to 192.168.50.2 ID=1024 seq=1536 length=40
12: ICMP echo-reply: untranslating inside:192.168.50.2 to outside:192.168.100.2
13: ICMP echo-request from outside:192.168.100.2 to 192.168.1.2 ID=1024 seq=1792 length=40
14: ICMP echo-request: translating outside:192.168.100.2 to inside:192.168.50.2
15: ICMP echo-reply from inside:192.168.1.2 to 192.168.50.2 ID=1024 seq=1792 length=40
16: ICMP echo-reply: untranslating inside:192.168.50.2 to outside:192.168.100.2
17: ICMP echo-request from outside:192.168.100.2 to 192.168.1.2 ID=1024 seq=2048 length=40
18: ICMP echo-request: translating outside:192.168.100.2 to inside:192.168.50.2
19: ICMP echo-reply from inside:192.168.1.2 to 192.168.50.2 ID=1024 seq=2048 length=40
20: ICMP echo-reply: untranslating inside:192.168.50.2 to outside:192.168.100.2


PIXfirst(config)# 

相關資訊

• PIX 500系列安全裝置支援頁
• PIX命令參考
• 要求建議 (RFC)
• IPsec協商/IKE通訊協定支援頁面
• 技術支援與文件 - Cisco Systems