{"id":141,"date":"2010-12-10T23:39:07","date_gmt":"2010-12-10T15:39:07","guid":{"rendered":"http:\/\/www.microwolf.net\/?p=141"},"modified":"2010-12-10T23:39:07","modified_gmt":"2010-12-10T15:39:07","slug":"pix%e4%b8%8a%e5%ae%9e%e7%8e%b0vpn%ef%bc%88ipsec%ef%bc%89%e7%9a%84%e6%ad%a5%e9%aa%a4","status":"publish","type":"post","link":"http:\/\/www.microwolf.net\/?p=141","title":{"rendered":"Steps to Implement a VPN (IPSec) on a PIX"},
"content":{"rendered":"<table border=\"0\" width=\"100%\">\n<tr>\n<td width=\"100%\">\n<p>Configuring IPSec encryption with pre-shared keys on a PIX firewall involves four key tasks:<\/p>\n<p>1. Prepare for IPSec. Preparing for IPSec means working out a detailed encryption policy: identifying the hosts and networks to protect, choosing an authentication method, collecting the details of the IPSec peers, deciding which IPSec features are needed, and confirming that the existing access control lists allow IPSec traffic through.<\/p>\n<p>Step 1: Based on the number and location of the peers, decide on an IKE policy (IKE phase 1, or main mode) between the IPSec peers.<\/p>\n<p>Step 2: Decide on the IPSec policy (IKE phase 2, or quick mode), including the details of the IPSec peers, such as IP addresses, IPSec transform sets and mode.<\/p>\n<p>Step 3: Use the \"write terminal\", \"show isakmp\", \"show isakmp policy\" and \"show crypto map\" commands, and other \"show\" commands, to check the current configuration.<\/p>\n<p>Step 4: Confirm that the network works correctly before encryption is enabled; use the \"ping\" command and run test traffic before encrypting to rule out basic routing problems.<\/p>\n<p>Step 5: Confirm that the existing access control lists on the border router and the PIX firewall allow IPSec traffic through; otherwise the traffic you want may be filtered out.<\/p>\n<p>2. Configure IKE. Configuring IKE means enabling IKE (a synonym for ISAKMP), creating IKE policies, and verifying the configuration.<\/p>\n<p>Step 1: Use the \"isakmp enable\" command to enable or disable IKE.<\/p>\n<p>Step 2: Use the \"isakmp policy\" command to create IKE policies.<\/p>\n<p>Step 3: Use the \"isakmp key\" command and related commands to configure the pre-shared key.<\/p>\n<p>Step 4: Use the \"show isakmp [policy]\" command to verify the IKE configuration.<\/p>\n<p>3. Configure IPSec. IPSec configuration includes creating crypto access control lists, defining transform sets, creating crypto map entries, and applying the crypto map to an interface.<\/p>\n<p>Step 1: Use the access-list command to configure the crypto access control list, for example:<\/p>\n<p>access-list acl-name {permit|deny} protocol src_addr src_mask [operator port [port]] dest_addr dest_mask [operator port [port]]<\/p>\n<p>Step 2: Use the crypto ipsec transform-set command to configure the transform set, for example:<\/p>\n<p>crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]<\/p>\n<p>Step 3 (optional): Use the crypto ipsec security-association lifetime command to configure the global IPSec security association lifetime.<\/p>\n<p>Step 4: Use the crypto map command to configure the crypto map.<\/p>\n<p>Step 5: Use the interface command and crypto map map-name interface to apply the crypto map to an interface.<\/p>\n<p>Step 6: Use the various available show commands to verify the IPSec configuration.<\/p>\n<p>4. Test and verify IPSec. This task uses the \"show\" and \"debug\" commands and related commands to test and verify that IPSec encryption is working correctly, and to troubleshoot it.<\/p>\n<p>Example:<\/p>\n<p>Configuration of PIX 1:<\/p>\n<p>!Configure the IP address for each PIX Firewall interface<\/p>\n<p>ip address outside 192.168.1.1 255.255.255.0<\/p>\n<p>ip address inside 10.1.1.3 255.255.255.0<\/p>\n<p>ip address dmz 192.168.11.1 255.255.255.0<\/p>\n<p>!Create a global pool on the outside interface; this enables NAT<\/p>\n<p>global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0<\/p>\n<p>!Windows NT server<\/p>\n<p>static (inside,outside) 192.168.1.10 10.1.1.4 netmask 255.255.255.0<\/p>\n<p>!The crypto access list specifies that traffic between the global addresses of the inside<\/p>\n<p>!servers behind the PIX Firewalls is encrypted. The source<\/p>\n<p>!and destination IP addresses are the global IP addresses of the statics.<\/p>\n<p>access-list 101 permit ip host 192.168.1.10 host 192.168.2.10<\/p>\n<p>!The conduits permit ICMP and web access for testing.<\/p>\n<p>conduit permit icmp any any<\/p>\n<p>conduit permit tcp host 192.168.1.10 eq www any<\/p>\n<p>route outside 0.0.0.0 0.0.0.0 192.168.1.2 1<\/p>\n<p>!Allow IPSec traffic to bypass access-list, access-group, and conduit restrictions<\/p>\n<p>sysopt connection permit-ipsec<\/p>\n<p>!Define a crypto map transform set that uses esp-des<\/p>\n<p>crypto ipsec transform-set pix2 esp-des<\/p>\n<p>crypto map peer2 10 ipsec-isakmp<\/p>\n<p>More examples can be found directly on the Cisco website:<\/p>\n<p><a href=\"http:\/\/www.cisco.com\/en\/US\/tech\/tk583\/tk372\/tech_configuration_examples_list.html\">http:\/\/www.cisco.com\/en\/US\/tech\/tk583\/tk372\/tech_configuration_examples_list.html<\/a><\/p>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},
"excerpt":{"rendered":"<p>Configuring IPSec encryption with pre-shared keys on a PIX firewall involves four key tasks: 1. Prepare for IPSec. Preparing for IPSec [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts\/141"}],"collection":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=141"}],"version-history":[{"count":1,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":142,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts\/141\/revisions\/142"}],"wp:attachment":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}