文字Configuring PIX Firewall 1 with VPN Tunneling
Step 1 Define a host name:
hostname NewYork
Step 2 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt des
Step 3 Configure a pre-shared key and associate with the peer:
crypto isakmp key cisco1234 address 209.165.200.229
Step 4 Configure the supported IPSec transforms:
crypto ipsec transform-set strong esp-des esp-sha-hmac
Step 5 Create an access list:
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
Step 6 Exclude traffic between the intranets from NAT:
nat 0 access-list 90
This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.
Step 7 Enable NAT for all other traffic:
nat (inside) 1 0 0
Step 8 Assign a pool of global addresses for NAT and PAT:
global (outside) 1 209.165.202.129-209.165.202.159
global (outside) 1 209.165.202.160
The pool of registered addresses are only used for connections to the public Internet.
Step 9 Define a crypto map:
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
Step 10 Apply the crypto map to the outside interface:
crypto map toSanJose interface outside
Step 11 Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
Configuring PIX Firewall 2 for VPN Tunneling
Step 1 Define a host name:
hostname SanJose
Step 2 Define the domain name:
domain-name example.com
Step 3 Create a net static:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Step 4 Configure the ISAKMP policy:
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
Step 5 Configure a pre-shared key and associate it with the peer:
crypto isakmp key cisco1234 address 209.165.201.8
Step 6 Configure IPSec supported transforms:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
Step 7 Create an access list:
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
Step 8 Exclude traffic between the intranets from NAT:
nat 0 access-list 80
This excludes traffic matching access list 80 from NAT. The nat 0 command is always processed before any other nat commands.
Step 9 Enable NAT for all other traffic:
nat (inside) 1 0 0
Step 10 Assign a pool of global addresses for NAT and PAT:
global (outside) 1 209.165.202.160-209.165.202.89
global (outside) 1 209.165.202.190
The pool of registered addresses are only used for connections to the public Internet.
Step 11 Define a crypto map:
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set transform-set strong
crypto map newyork 10 set peer 209.165.201.8
Step 12 Apply the crypto map to an interface:
crypto map newyork interface outside
Step 13 Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
