March 28, 2009
August 10, 2006

If you often download things over FTP, you really need to memorise these dizzying command-line parameters; once you know ftp's internal commands and can use them flexibly, you get twice the result for half the effort. Keep in mind that plain FTP (RFC 959) sends user names, passwords, commands and data in cleartext; everything below applies to that protocol, not to SFTP or FTPS.
******************************************
The ftp command-line syntax is:
ftp -v -d -i -n -g [hostname], where

-v shows all responses from the remote server;

-d enables debugging;

-i turns off interactive prompting during multiple-file transfers (mget, mput);

-n disables auto-login, i.e. the .netrc file is not consulted;

-g disables filename globbing (wildcard expansion).

ftp's internal commands are as follows (square brackets denote optional items):

1. ![cmd [args]]: run a command in an interactive shell on the local machine; exit returns to ftp, e.g. !ls *.zip
2. $ macro-name [args]: execute the macro macro-name.
3. account [password]: supply the supplementary password required to access resources once logged in to the remote system.
4. append local-file [remote-file]: append the local file to a file on the remote host; if no remote name is given, the local name is used.
5. ascii: use the ASCII transfer type.
6. bell: ring the bell after each command completes.
7. bin: use the binary transfer type.
8. bye: terminate the ftp session.
9. case: during mget, convert upper-case letters in remote file names to lower case.
10. cd remote-dir: change to a directory on the remote host.
11. cdup: change to the parent of the current remote directory.
12. chmod mode file-name: set the permissions of remote file file-name to mode, e.g. chmod 777 a.out.
13. close: end the ftp session with the remote server (the counterpart of open).
14. cr: toggle carriage-return stripping on ASCII transfers (CR/LF sequences are converted to LF).
15. delete remote-file: delete a file on the remote host.
16. debug [debug-value]: set debugging; each command sent to the remote host is displayed, e.g. debug 3; a value of 0 turns debugging off.
17. dir [remote-dir] [local-file]: list the remote directory, optionally saving the output to a local file.
18. disconnect: same as close.
19. form format: set the file transfer form to format; the default is file.
20. get remote-file [local-file]: retrieve remote-file from the remote host into local-file on the local disk.
21. glob: toggle filename expansion for mdelete, mget and mput; expansion is on by default and -g on the command line turns it off.
22. hash: print a hash mark (#) for each block (1024 bytes) transferred.
23. help [cmd]: show help for the ftp internal command cmd, e.g. help get.
24. idle [seconds]: set the inactivity timer on the remote server to seconds.
25. image: set the binary transfer type (same as binary).
26. lcd [dir]: change the local working directory to dir.
27. ls [remote-dir] [local-file]: list remote directory remote-dir, optionally saving the output to local-file.
28. macdef macro-name: define a macro; the definition ends at the first blank line after the macdef line.
29. mdelete [remote-file]: delete multiple files on the remote host.
30. mdir remote-files local-file: like dir, but several remote files may be given, e.g. mdir *.o *.zip outfile.
31. mget remote-files: retrieve multiple remote files.
32. mkdir dir-name: create a directory on the remote host.
33. mls remote-file local-file: like nlist, but several file names may be given.
34. mode [modename]: set the transfer mode to modename; the default is stream.
35. modtime file-name: show the last modification time of a remote file.
36. mput local-file: send multiple local files to the remote host.
37. newer file-name: retrieve the file only if the remote copy was modified more recently than the local file of the same name.
38. nlist [remote-dir] [local-file]: list the file names in a remote directory, optionally saving the output to local-file.
39. nmap [inpattern outpattern]: set the filename mapping mechanism, so that parts of a file name are rewritten when a file is transferred, e.g. nmap $1.$2.$3 [$1,$2].[$2,$3] turns the file name a1.a2.a3 into a1.a2. Particularly useful when the remote host is not a UNIX machine.
40. ntrans [inchars [outchars]]: set filename character translation, e.g. ntrans L R turns the file name LLL into RRR.
41. open host [port]: connect to the specified ftp server, optionally on the given port.
42. passive: toggle passive transfer mode.
43. prompt: toggle interactive prompting during multiple-file transfers.
44. proxy ftp-cmd: execute an ftp command on a secondary control connection; this lets the client connect to two ftp servers and transfer files between them. The first command must be open, to establish the secondary connection.
45. put local-file [remote-file]: send local-file to the remote host.
46. pwd: print the current working directory on the remote host.
47. quit: same as bye, terminate the ftp session.
48. quote arg1 arg2 ...: send the arguments verbatim to the remote ftp server, e.g. quote syst.
49. recv remote-file [local-file]: same as get.
50. reget remote-file [local-file]: like get, but if local-file already exists the transfer resumes where it was interrupted.
51. rhelp [cmd-name]: request help from the remote host.
52. rstatus [file-name]: show the remote host's status, or, with a file name, that file's status.
53. rename [from] [to]: rename a file on the remote host.
54. reset: clear the reply queue (resynchronises command/reply sequencing with the server).
55. restart marker: restart the next get or put at the given marker, e.g. restart 130.
56. rmdir dir-name: remove a directory on the remote host.
57. runique: toggle unique local file names; if a file already exists, a suffix .1, .2, ... is appended.
58. send local-file [remote-file]: same as put.
59. sendport: toggle the use of PORT commands.
60. site arg1 arg2 ...: send the arguments verbatim as a SITE command to the remote ftp host, e.g. site idle 7200.
61. size file-name: show the size of a remote file.
62. status: show the current ftp status.
63. struct [struct-name]: set the file transfer structure to struct-name; the default is stream.
64. sunique: toggle unique remote file names (the counterpart of runique).
65. system: show the remote host's operating system type.
66. tenex: set the transfer type needed for TENEX machines.
67. tick: toggle the byte counter shown during transfers.
68. trace: toggle packet tracing.
69. type [type-name]: set the transfer type to type-name; the default is ascii, e.g. type binary selects binary transfers.
70. umask [newmask]: set the default umask on the remote server to newmask, e.g. umask 3.
71. user user-name [password] [account]: identify yourself to the remote host; if a password is required it must be supplied, e.g. user anonymous my@email.
72. verbose: same as the -v option; every server response is shown; on by default.
73. ? [cmd]: same as help.
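The -n option, the user command and macdef all revolve around the .netrc file, which is where ftp's auto-login takes the password from. The following is an added example, not part of the original post: it builds a sample .netrc (the host, account and password are constructed), reads it the way ftp's auto-login does using Python's standard netrc module, replays a macdef macro, and applies the same mode check that makes ftp and the stdlib refuse a .netrc that group or others can read. The demo() helper and the file names are this example's own.

```python
"""ftp(1) auto-login from .netrc, and the permission check it depends on."""
import os
import stat
import tempfile
from netrc import netrc

# Constructed sample (example host, account and password; not real credentials).
# A blank line terminates the macdef body, exactly as ftp(1) requires.
SAMPLE_NETRC = """\
machine ftp.example.test login alice password s3cret
default login anonymous password alice@example.test

macdef getlogs
binary
passive
prompt
mget *.log
bye

"""


def write_netrc(directory: str, mode: int = 0o600) -> str:
    """Write SAMPLE_NETRC into directory with the given permission bits; return its path."""
    path = os.path.join(directory, ".netrc")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_NETRC)
    os.chmod(path, mode)
    return path


def too_permissive(path: str) -> bool:
    """True when any group/other bit is set; ftp(1) then ignores the passwords in the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def auto_login(path: str, host: str):
    """What ftp (without -n) would log in with for host: (login, account, password) or None.

    The stdlib applies its owner/mode check only to the default ~/.netrc, so for an
    explicit path the refusal is repeated here before any password is read.
    """
    if too_permissive(path):
        raise PermissionError(f"{path}: must be mode 0600, refusing to use stored passwords")
    return netrc(path).authenticators(host)      # falls back to the `default` entry


def macro(path: str, name: str):
    """The ftp commands that `$ name` replays (None if the macro is not defined)."""
    body = netrc(path).macros.get(name)
    return None if body is None else [line.rstrip("\n") for line in body]


def demo() -> dict:
    """Exercise a correctly protected file and one left group/other-readable (POSIX assumed)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = write_netrc(tmp, 0o600)
        out["login"] = auto_login(path, "ftp.example.test")
        out["default"] = auto_login(path, "mirror.example.test")   # no machine entry: default applies
        out["macro"] = macro(path, "getlogs")
        os.chmod(path, 0o644)            # what a default umask of 022 leaves behind
        try:
            auto_login(path, "ftp.example.test")
            out["permissive"] = "accepted"
        except PermissionError as exc:
            out["permissive"] = f"refused: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

The mode bits only mean something on a POSIX filesystem, which the example assumes. Even with the file locked down, the password it holds still crosses the network in cleartext on the control connection.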

May 11, 2006

Cisco certification home page
http://www.cisco.com/en/US/learning/index.html
Latest changes to Cisco certifications
http://www.cisco.com/en/US/learning/learning_certification_program_updates.html
Cisco certification candidate registration and tracking system
https://www.certmanager.net/cisco

Cisco exam Performance Simulation question-type demo
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/simulation/tutorial.html
Overview of the Cisco Networking Academies in China (brief introduction, contact details)
http://202.112.42.42/academy/college/index2.htm
Training and certification information
http://www.cisco.com/warp/public/10/wwtraining/
Cisco online technical seminars
http://webevents.broadcast.com/cisco/ciscolive/home.asp
Introduction to networking concepts and design fundamentals
http://www.cisco.com/unviercd/cc/td/doc/cisintwk/index.htm
http://www.cisco.com/public/products_tech.shtml
VOD training
http://www.cisco.com/login/ciscotv/index.shtml
Cisco University—Training
http://www.cisco.com/warp/public/10/ciscou/
E-LEARNING (registered users)
http://www.cisco.com/warp/customer/10/wwtraining/elearning/
•  Pre-sales, products and channels
Product hardware and software:
Meaning of Cisco IOS release numbers
http://www.net130.com/2004/6-9/232043.html
IOS Feature Navigator
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Product bulletins
http://www.cisco.com/warp/public/cc/cisco/mkt/gen/bulletin/
Product support information
http://www.cisco.com/pcgi-bin/Support/PSP/index.pl?i=hardware#LAN_Switches_Modules
New product information
http://www.cisco.com/warp/public/cc/cisco/mkt/gen/newprod.htm
Software tech notes
http://www.cisco.com/public/technotes/tech_sw.html
Security tech notes
http://www.cisco.com/warp/public/707/index2.shtml
Network configuration tool: used when configuring a product, to arrive at a correct configuration.
http://www.cisco.com/order/apollo/configureHome.html
2600/3600 memory calculator
http://www.cisco.com/cgi-bin/Support/MwmCale/mem-calc.pl
Module finder for modular routers (3600 and below) (registered users)
http://www.cisco.com/pcgi-bin/findermsbsearch.pl
Network management application / operating system compatibility table
http://www.cisco.com/public/sw-center/oscopat.html
Hardware-Software Compatibility Matrix (registered users)
http://www.cisco.com/cgi-bin/front.x/Support/HWSWamtrix/hwswmatrix.cgi
Product comparison
http://www.cisco.com/pcgi-bin/front.x/corona/romeo/compaare.pl
Find a product
http://www.cisco.com/pcgi-bin/front.x/corona/prodtool/select.pl
Product technical manuals: features, performance, parameters and configuration procedures
http://www.cisco.com/univercd/cc/td/doc/product/index.htm
Cisco End of Life Products
http://www.cisco.com/warp/public/cc/cisco/mkt/gen/prodlit/
Software release site (registered users)
http://www.cisco.com/kobayashi/sw-center/release.shtml
Software bug site (registered users)
http://www.cisco.com/support/bugtools/
Network product software downloads: obtain the software version you need (registered users)
http://www.cisco.com/cgi-bin/ibld/all.pl?i=support&c=3
Pricing, channels and services:
Product purchasing guide
http://www.cisco.com/univercd/cc/td/doc/pcat/index.htm
Public price list downloads
http://www.ultratechnology.net/fullcolumn.php?s=&columnid=28
http://www.cisco.com/cgi-bin/order/pricing_root.pl (registered users)
Sales Tools Central Home
http://www.cisco.com/go/tools
http://www.cisco.com/warp/public/779/smbiz/service/
Service types and descriptions
http://www.cisco.com/public/support_solutions.shtml
How to obtain Cisco service
http://www.cisco.com/public/scc/
Register a CCO account
http://www.cisco.com/register/
Service order and contract center (registered users)
http://www.cisco.com/cgi-bin/front.x/csadispatch?AppName=ContractAgent
Check order status (registered users)
http://www.cisco.com/cgi-bin/order/assistant.cgi
Check order lead times
http://www.cisco.com/cgi-bin/front.x/leadtimes.cgi
Solutions:
Solutions for networks and companies of different sizes and types
http://www.cisco.com/kobayashi/Solutions_root.shtml
Large enterprise solutions
http://www.cisco.com/warp/public/779/largeent
Medium-sized business solutions
http://www.cisco.com/warp/public/779/smbiz/
Service provider solutions
http://www.cisco.com/warp/pblic/779/servpro/
•  After-sales, configuration and technical documentation
Cisco product password recovery
http://www.ultratechnology.net/fullcolumn.php?s=&columnid=15
Cisco RFCs and standards site (registered users)
http://www.cisco.com/warp/customer/459/index.shtml
Technical support site (registered users)
http://www.cisco.com/cgi-bin/Support/PSP/index.pl?i=Hardware
Technical Assistance Center site (registered users)
http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Technical Documents: home page of the company's technical documentation (the contents of the Documentation CD)
http://www.cisco.com/univercd/home/home.htm
Bug search tool
http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl
IOS Command Lookup Tool
http://www.cisco.com/support/Cmdlookup/ios-search.html
Configuration guides and commands for each IOS software release
http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm
Tech notes
http://www.cisco.com/public/technotes/serv_trips.shtml
http://www.cisco.com/warp/public/779/largeent/learn/technologies.html
Hardware tech notes
http://www.cisco.com/public/technotes/tech_platform.shtml
Network device configuration examples: configuring network devices for real-world cases
http://www.cisoc.com/warp/public/700/tech_configs.html
http://www.cisco.com/warp/public/793/access_dial/index.html
http://www.cisco.com/public/technotes/tech_features.shtml
Frequently asked questions (registered users)
http://www.cisco.com/openf/openproj.shtml
Frequently asked technical questions
http://www.cisco.com/warp/public/458/index.shtml
http://www.cisco.com/public/products_tech.shtml
Troubleshooting help
http://te.cisco.com/cgi-bin/webisapi.dll?New,KB=TE
•  General fundamentals and miscellany
Hardware and system fundamentals:
Cable Technology Technical Tips
http://www.cisco.com/warp/public/109
Connectors of all kinds:
http://www.hardwarebook.net/
Cisco's old web pages
http://www.cisco.com/cco.shtml
WAN fundamentals (including FR, ATM, DDN; in Chinese)
http://www.flamephoenix.net/network/index.htm
Cisco cable types
http://www.cisco.com/univercd/cc/td/doc/product/atm/l2020/l2020r21/clicard/planning/cabling.htm
Meaning of Cisco IOS release numbers (CCO account required)
http://www.cisco.com/warp/customer/620/5.shtml#identifiers
Remote debugging through the AUX port
http://www.cisco.com/warp/public/471/mod-aux-exec.html
Password recovery procedures for each Cisco product line
http://www.cisco.com/warp/public/474/
Access-Dial Technical Tips
http://www.cisco.com/warp/public/471/index.shtml
Wireless Technical Tips
http://www.cisco.com/warp/public/102
IGRP/EIGRP Technical Tips
http://www.cisco.com/warp/public/103
OSPF Technical Tips
http://www.cisco.com/warp/public/104
IP Technical Tips
http://www.cisco.com/warp/public/105
Kerberos
http://www.cisco.com/warp/public/106
LAN Technologies Technical Tips
http://www.cisco.com/warp/public/473
Hardware Troubleshooting Index Page
http://www.cisco.com/warp/public/108
Troubleshooting Assistant
http://www.cisco.com/kobayashi/support/tac/tsa.html
Technical Assistance Center (TAC)
http://www.cisco.com/go/support
http://www.cisco.com/kobayashi/support/tac/home.shtml
Tools Index
http://www.cisco.com/kobayashi/supp…c/t_index.shtml
Cisco IOS Feature Navigator
http://www.cisco.com/go/fn
http://www.cisco.com/cgi-bin/Support/FeatureNav/FN.pl
Error Message Decoder
http://www.cisco.com/cgi-bin/Suppor…decoder/home.pl
Stack Decoder
http://www.cisco.com/cgi-bin/Suppor…decoderinput.pl
IOS Command Lookup Tool
http://www.cisco.com/support/Cmdlookup/ios-search.html
Security Technical Tips
http://www.cisco.com/warp/public/707/index.shtml
Security Technologies
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/security.htm
BGP Technical Tips
http://www.cisco.com/warp/public/459/18.html
PCMCIA File system Compatibility Matrix and Filesystem Information
http://www.cisco.com/warp/public/63/pcmciamatrix.html
PSIRT Advisories
http://www.cisco.com/warp/public/707/advisory.html

April 19, 2006

Outside NAT

Starting with PIX 6.2, NAT and PAT can be applied to traffic from an outside, or less secure, interface to an inside (more secure) interface. This is sometimes referred to as "bi-directional NAT."

Outside NAT/PAT is similar to inside NAT/PAT, but the address translation is applied to addresses of hosts residing on the outer (less secure) interfaces of the PIX. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the inside (more secure) interface. To configure static outside NAT, use the static command to specify the one-to-one mapping.

After outside NAT is configured, when a packet arrives at the outer (less secure) interface of the PIX, the PIX attempts to locate an existing xlate (address translation entry) in the connections database. If no xlate exists, it searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and inserted into the database. The PIX then rewrites the source address to the mapped or global address and transmits the packet on the inside interface. Once the xlate is established, the addresses of any subsequent packets can be quickly translated by consulting the entries in the connections database.

Network Diagram – Outside NAT


In the example, we wanted the following.

  • Device 10.100.1.2 to NAT to 209.165.202.135 when going out

  • Device 209.165.202.129 to NAT to 10.100.1.3 when coming in

  • Other devices on the 10.100.1.x network to NAT to addresses in the 209.165.202.140-209.165.202.141 pool when going out

  • Connectivity from device 209.165.202.129 to device 10.100.1.2 with device 209.165.202.129 seeing the inside device as 209.165.202.135 and device 10.100.1.2 seeing traffic from 209.165.202.129 as coming from 10.100.1.3 (because of the outside NAT)

We are permitting access to all 209.165.202.x devices using ACLs or conduits.

Partial PIX Configuration – Outside NAT


ip address outside 209.165.202.130 255.255.255.224
ip address inside 10.100.1.1 255.255.255.0
global (outside) 5 209.165.202.140-209.165.202.141 netmask 255.255.255.224
nat (inside) 5 10.100.1.0 255.255.255.0 0 0
static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.100.1.3 209.165.202.129 netmask 255.255.255.255 0 0
conduit permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0

!--- Or in lieu of conduits, we leave the static statements but have the following.

access-list 101 permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
access-group 101 in interface outside
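To make the lookup order described above concrete (existing xlate first, then a static, then the nat/global pair), here is an added example that is neither Cisco code nor part of the original document. It parses the four NAT lines of the configuration above and replays the flows the text lists: the addresses are the page's own, while the packet flows, the PixNat class and demo() are this example's constructions. The last flow shows what happens once both addresses of the two-address global pool are taken and no PAT address is configured under the same nat id.

```python
"""Model of the PIX xlate lookup described above, driven by the page's own NAT lines."""
import ipaddress
import re

OTHER = {"inside": "outside", "outside": "inside"}   # two-interface PIX

# The NAT-related lines of the partial configuration above.
PAGE_CONFIG = """
global (outside) 5 209.165.202.140-209.165.202.141 netmask 255.255.255.224
nat (inside) 5 10.100.1.0 255.255.255.0 0 0
static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.100.1.3 209.165.202.129 netmask 255.255.255.255 0 0
"""


class PixNat:
    def __init__(self, config: str):
        self.statics = []      # (real_if, mapped_if, mapped_addr, real_addr)
        self.nat_rules = []    # (real_if, nat_id, real_network)
        self.pools = {}        # (mapped_if, nat_id) -> [mapped addresses]
        self.xlates = {}       # (real_if, real_addr) -> mapped_addr: the connections database
        for line in config.splitlines():
            self._parse(line.strip())

    def _parse(self, line: str) -> None:
        if m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line):
            self.statics.append(m.groups())
        elif m := re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", line):
            real_if, nat_id, net, mask = m.groups()
            if nat_id != "0":   # nat 0 means "do not translate"; not modelled here
                self.nat_rules.append((real_if, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := re.match(r"global \((\w+)\) (\d+) (\S+?)(?:-(\S+))? netmask", line):
            mapped_if, nat_id, first, last = m.groups()
            lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last or first))
            self.pools[(mapped_if, int(nat_id))] = [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]

    def _map_source(self, ingress: str, src: str):
        """Step 1: existing xlate; step 2: static; step 3: dynamic nat/global pool."""
        key = (ingress, src)
        if key in self.xlates:
            return self.xlates[key], "existing xlate"
        for real_if, _mapped_if, mapped, real in self.statics:
            if real_if == ingress and real == src:
                self.xlates[key] = mapped
                return mapped, "static"
        for real_if, nat_id, net in self.nat_rules:
            if real_if == ingress and ipaddress.ip_address(src) in net:
                in_use = set(self.xlates.values())
                free = [a for a in self.pools.get((OTHER[ingress], nat_id), []) if a not in in_use]
                if not free:   # a pool with no PAT fallback simply stops handing out xlates
                    raise RuntimeError(f"global pool {nat_id} on {OTHER[ingress]} exhausted")
                self.xlates[key] = free[0]
                return free[0], "dynamic"
        raise LookupError(f"no NAT policy for {src} arriving on {ingress}")

    def _unmap_destination(self, ingress: str, dst: str) -> str:
        """Reverse lookup for the destination: an xlate owned by the egress side, else a static."""
        egress = OTHER[ingress]
        for (real_if, real), mapped in self.xlates.items():
            if real_if == egress and mapped == dst:
                return real
        for _real_if, mapped_if, mapped, real in self.statics:
            if mapped_if == ingress and mapped == dst:
                return real
        return dst   # nothing applies: the address is forwarded unchanged

    def forward(self, ingress: str, src: str, dst: str):
        """Return (translated src, translated dst, how the source was resolved)."""
        new_src, how = self._map_source(ingress, src)
        return new_src, self._unmap_destination(ingress, dst), how


def demo() -> dict:
    """Walk the flows the text lists, plus the pool-exhaustion edge case (constructed flows)."""
    pix = PixNat(PAGE_CONFIG)
    out = {
        # 209.165.202.129 reaches 10.100.1.2 via its mapped address and is itself seen as 10.100.1.3
        "in_from_129": pix.forward("outside", "209.165.202.129", "209.165.202.135"),
        "in_again": pix.forward("outside", "209.165.202.129", "209.165.202.135"),
        # the reply from 10.100.1.2 is addressed to 10.100.1.3 and leaves as 209.165.202.135
        "reply_from_1_2": pix.forward("inside", "10.100.1.2", "10.100.1.3"),
        # other inside hosts draw from the two-address pool
        "host_10": pix.forward("inside", "10.100.1.10", "10.100.1.3"),
        "host_11": pix.forward("inside", "10.100.1.11", "209.165.202.150"),
    }
    try:
        out["host_12"] = pix.forward("inside", "10.100.1.12", "209.165.202.150")
    except RuntimeError as exc:
        out["host_12"] = f"dropped: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Two things the walk-through makes visible: inside hosts see 209.165.202.129 as 10.100.1.3, so host-based access controls and logs on the inside must be written against the mapped address; and a global pool of two addresses serves exactly two inside hosts at a time unless a PAT address is added under the same nat id.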

April 3, 2006

PIX to VPN Client interconnection with a pre-shared key [repost]
The VPN Client is Cisco's VPN client software, used specifically to build VPN connections to Cisco products (PIX, routers, VPN 3000 concentrators). I recently ran a PIX/VPN Client interconnection lab; here is the pre-shared-key configuration first.

Lab environment:


VPN client——————————–PIX—————————AAA ACS server
192.168.0.243                   192.168.0.254  10.1.1.244             10.1.1.88
The address assigned to the VPN client is 10.1.1.246


pixfirewall# sh config
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password EZt/JroCts.3MWq4 encrypted
passwd EZt/JroCts.3MWq4 encrypted
hostname pixfirewall
domain-name test.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 2121
names
access-list test permit icmp host 192.168.0.243 host 192.168.0.254 echo-reply
access-list 80 permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
! Defines the traffic that is not NATed; this traffic is encapsulated in IPSec. When the PIX inside addresses and the addresses handed to the VPN client are in the same subnet,
! the ACL still has to be added, with the same source and destination subnet; watch out for this. At this point I originally configured the ACL following the student guide's example,
! permitting the PIX outside interface address to the address range assigned to the VPN client, but could not get it to work: the VPN client could not reach the servers on the PIX inside network, although the inside servers could reach the VPN client. After changing the ACL it worked.

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.254 255.255.255.0
! PIX outside interface address

ip address inside 10.1.1.244 255.255.255.0
! PIX inside interface address

ip audit info action alarm
ip audit attack action alarm
ip local pool dialer 10.1.1.246-10.1.1.247
! Address pool handed out to VPN clients

no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 10.1.1.88 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
! Traffic exempt from NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.243 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server myserver protocol tacacs+
! Protocol used with the AAA server

aaa-server myserver (inside) host 10.1.1.88 1234 timeout 5
! AAA server address (the server running ACS)
http server enable
http 10.1.1.88 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
! Lets all IPSec traffic through without ACL inspection. Without this command an ACL on the outside interface is needed to permit the specific IPSec traffic, which gives finer control.
no sysopt route dnat
crypto ipsec transform-set aaades esp-des esp-md5-hmac
! Phase 2 encryption and hash algorithms, defined as a transform set
crypto dynamic-map dynomap 10 set transform-set aaades
! Bind the transform set to the dynamic map
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
! Bind the dynamic map to crypto map vpnpeer
crypto map vpnpeer client authentication myserver
! AAA server used for XAUTH
crypto map vpnpeer interface outside
! Apply the crypto map to the outside interface
isakmp enable outside
! Enable ISAKMP on the outside interface
isakmp client configuration address-pool local dialer outside
! Address pool handed out to VPN clients
isakmp policy 10 authentication pre-share
! Phase 1 authenticates with a pre-shared key
isakmp policy 10 encryption des
! Phase 1 negotiation uses DES
isakmp policy 10 hash md5
! Phase 1 negotiation uses MD5
isakmp policy 10 group 2
! Phase 1 IKE negotiation uses DH group 2
isakmp policy 10 lifetime 86400
! IKE SA lifetime
vpngroup student0 address-pool dialer
! Address pool assigned by the vpngroup the VPN client dials in with
vpngroup student0 idle-time 1800
! vpngroup idle time
vpngroup student0 password 1234
! vpngroup pre-shared key
telnet 10.1.1.88 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.88 255.255.255.255 inside
ssh timeout 20
terminal width 80
Cryptochecksum:693b87faa42d062c2848346a3a0acb43
pixfirewall#

The VPN Client version is 4.0.3. First create a connection entry using a pre-shared key; the group name and password must match the vpngroup and its key on the PIX.

[screenshot: VPN Client connection entry]

After the VPN Client finishes IKE negotiation a window pops up asking for a user name and password. This is because Cisco's VPN uses XAUTH, which authenticates a second time against the account set up on the ACS server; enter it and the connection completes.
Without this line in the PIX configuration
crypto map vpnpeer client authentication myserver
that window does not appear.


[screenshot: XAUTH user name and password prompt]
VPN is an effective way for an enterprise to build secure remote interconnection. Based on a real deployment, this article describes the VPN configuration and implementation process in detail. Its main features are IPSec based on the ESP-DES standard (Encapsulating Security Payload with the Data Encryption Standard), and Internet access for the private network through port address translation (PAT).

I. Network overview

The company's headquarters is in Beijing, with three branches across the country. Data at all four sites must be queryable in real time so that sales staff can make the right decisions for the situation at hand. The early design used routers connected to Beijing headquarters over a 256 Kbps DDN leased network, but after market research the technical staff found the running cost of that network too high. After further consultation and adjustment, the final design connects each branch to the Internet locally over DDN and headquarters to the Internet over Ethernet, with the interconnecting routers configured for VPN so that internal data crosses the Internet securely. The company's network layout is shown in the attached figure.

II. Configuration and test procedure

Before configuring, check that the hardware and software support VPN. For Cisco routers the IOS release must be above 12.0.6(5)T and include the IPSec feature set. This configuration was verified on a Cisco router.

The following is the actual configuration procedure for the branch 1 router. The other routers are configured the same way; only the environment-specific parameters (IP addresses and interface names) change.

Below, the indented lines are what is typed, <Enter> is the corresponding key and ^Z is Ctrl+Z.

1. Configure the router's basic parameters and test network connectivity

(1) Enter router configuration mode

Connect the computer's serial port to the router's console port and set up the terminal-emulation program as described in the router manual. Run the following commands to enter configuration mode.

    Router>en
    Router#config terminal
    Router(config)#

(2) Configure the router's basic security parameters

Mainly the privileged (enable) password, the remote-access (vty) password and the router name, which make remote troubleshooting easier.

    Router(config)#enable secret xxxxxxx
    Router(config)#line vty 0 4
    Router(config-line)#password xxxxxx
    Router(config-line)#exit
    Router(config)#hostname huadong
    huadong(config)#

(3) Configure the router's Ethernet interface and test connectivity to the local computer

Note: connect the cables to the relevant equipment before configuring. Port ethernet0/0 connects to the internal network and serial0/0 to the external network. The external interface address is allocated by the ISP: at least one address, more if available. The following assumes a single address in PAT mode, 210.75.32.9, with the upstream router at 210.75.32.10. Internal addresses are as marked in the attached figure.

The key steps are to set the IP address and bring up the Ethernet interface. Test with the basic ping command.

    huadong(config)#inter eth0/0
    huadong(config-if)#ip address 172.17.1.1 255.255.255.0
    huadong(config-if)#no shutdown

Test commands:

    huadong#ping 172.17.1.1
    ...
    !!!!!
    ...
    huadong#ping 172.17.1.100
    ...
    !!!!!
    ...

On the computer with address 172.17.1.100:

    C:\>ping 172.17.1.1
    Pinging 172.17.1.1 with 32 bytes of data:
    Reply from 172.17.1.1: bytes=32 time=5ms TTL=255
    ......

The results show the connection and configuration are correct.

(4) Configure the router's serial interface and test connectivity to the upstream router

The method is similar to the Ethernet interface, but the bandwidth and the encapsulation must also be specified. Also disable Cisco's proprietary CDP on this interface for basic security, since CDP advertises the platform, software version and addresses to whatever sits on the link.

    huadong(config)#inter serial0/0
    huadong(config-if)#ip address 210.75.32.9 255.255.255.252
    huadong(config-if)#bandwidth 256
    huadong(config-if)#encapsulation ppp
    huadong(config-if)#no cdp enable
    huadong(config-if)#no shutdown

Test commands:

    huadong#ping 210.75.32.9
    ......
    !!!!!
    ......
    huadong#ping 210.75.32.10
    ......
    !!!!!
    ......

The results show the connection and configuration are correct.

2. Configure NAT on the router

(1) Configure the outbound route and test

Mainly the default route, whose next hop is the upstream router (not the router's own serial address).

    huadong(config)#ip route 0.0.0.0 0.0.0.0 210.75.32.10

    huadong#ping 211.100.15.36
    ......
    !!!!!
    ......

The result shows this router can reach the Internet through the ISP.

(2) Configure PAT so that internal computers can reach the Internet, but not headquarters or the other branches through it

Address translation (NAT) is used mainly for security, so that the internal network is not exposed to the outside. To save money only one IP address is rented (used by the router), so PAT is needed. The key to NAT is designating the inside and outside interfaces and writing the access control list.

In that access list, traffic to the other internal networks must be excluded from translation so that it reaches them through IPSec instead. A deny in a NAT access list means "do not translate"; it does not drop the packet.

    huadong(config)#inter eth0/0
    huadong(config-if)#ip nat inside
    huadong(config-if)#inter serial0/0
    huadong(config-if)#ip nat outside
    huadong(config-if)#exit

These commands designate the inside and outside interfaces.

    huadong(config)#route-map abc permit 10
    huadong(config-route-map)#match ip address 150
    huadong(config-route-map)#exit

These commands name the outbound-access rule.

    huadong(config)#access-list 150 deny ip 172.17.1.0 0.0.0.255 172.16.0.0 0.0.255.255
    huadong(config)#access-list 150 deny ip 172.17.1.0 0.0.0.255 172.17.2.0 0.0.0.255
    huadong(config)#access-list 150 deny ip 172.17.1.0 0.0.0.255 172.17.3.0 0.0.0.255
    huadong(config)#access-list 150 permit ip 172.17.1.0 0.0.0.255 any

These commands define the rule itself: traffic to the other internal networks is not translated (private addresses could not be used on the Internet anyway), and internal computers may reach the Internet through NAT (this part is unrelated to IPSec).

    huadong(config)#ip nat inside source route-map abc interface serial0/0 overload

This command declares that packets matching the outbound rule are translated with PAT to the serial interface's registered IP address.

The following command shows whether the configuration has a fundamental error: for example, its output lists the inside and outside interfaces. Check that the output matches what is required.

    huadong#show ip nat stat
    Total active translations: 0 (0 static, 0 dynamic; 0 extended)
    Outside interfaces:
      Serial0/0
    Inside interfaces:
      Ethernet0/0
    ......

On the computer at 172.17.1.100, run the tests needed to verify that internal computers reach the Internet through PAT.

    C:\>ping 210.75.32.10
    ......
    Reply from 210.75.32.10: bytes=32 time=1ms TTL=255
    ......
    C:\>ping www.ninemax.com
    ......
    Reply from 211.100.15.36: bytes=32 time=769ms TTL=248
    ......

At this point the router can display the live PAT translations, confirming again that PAT is configured correctly.

    huadong#show ip nat tran
    Pro  Inside global       Inside local         Outside local        Outside global
    icmp 210.75.32.9:1975    172.17.1.100:1975    210.75.32.10:1975    210.75.32.10:1975
    ......

These tests show that NAT is configured correctly and internal computers reach the Internet through a controlled path. If business rules forbid Internet access for all internal employees/computers, or allow it only for some, the commands above need only small changes.

3. Configure ESP-DES IPSec and test

This is the heart of the VPN configuration. First, the VPN tunnels carry only internal addresses. If there are more internal networks, add the corresponding entries here.

    huadong(config)#access-list 105 permit ip 172.17.1.0 0.0.0.255 172.16.0.0 0.0.255.255
    huadong(config)#access-list 106 permit ip 172.17.1.0 0.0.0.255 172.17.2.0 0.0.0.255
    huadong(config)#access-list 107 permit ip 172.17.1.0 0.0.0.255 172.17.3.0 0.0.0.255

Specify the IKE policy negotiated when a VPN connection is set up. This design uses the SHA hash algorithm (MD5 is also possible) and a pre-shared key for IKE authentication.

    huadong(config)#crypto isakmp policy 10
    huadong(config-isakmp)#hash sha
    huadong(config-isakmp)#authentication pre-share
    huadong(config-isakmp)#exit

Specify the pre-shared key for each VPN router. The keys may be the same or different; for simplicity the design uses one key everywhere, though a key shared by all sites means that compromising one branch router exposes every tunnel.

    huadong(config)#crypto isakmp key abc2001 address 211.157.243.130
    huadong(config)#crypto isakmp key abc2001 address 202.96.209.165
    huadong(config)#crypto isakmp key abc2001 address 192.18.97.241

IPSec uses ESP-DES (56-bit encryption) with SHA authentication. Define the transform set before the crypto map entries that reference it. (56-bit DES is no longer considered adequate; esp-3des or esp-aes are drop-in replacements on releases that support them.)

    huadong(config)#crypto ipsec transform-set abc-des esp-des esp-sha-hmac

For each VPN (a separate tunnel to each remote router) define a specific policy and protect the packets that belong to it. This design has three tunnels, so three crypto map entries are needed (only one is shown).

    huadong(config)#crypto map abc 20 ipsec-isakmp
    huadong(config-crypto-map)#set peer 211.157.243.130
    huadong(config-crypto-map)#set transform-set abc-des
    huadong(config-crypto-map)#match address 105
    huadong(config-crypto-map)#exit

Use the router's external interface as the local endpoint for all crypto map entries when establishing IPSec with the remote routers.

    huadong(config)#crypto map abc local-address Serial0/0

Apply the policy defined above to the serial interface.

    huadong(config)#inter serial0/0
    huadong(config-if)#crypto map abc

Verify from the computer at 172.17.1.100:

    C:\>ping 172.16.1.100
    ......
    Reply from 172.16.1.100: bytes=32 time=17ms TTL=255
    ......

    huadong#show crypto engine conn acti
    ID    Interface   IP-Address    State  Algorithm            Encrypt  Decrypt
    1     <none>      <none>        set    HMAC_SHA+DES_56_CB   0        0
    2000  Serial0/0   210.75.32.9   set    HMAC_SHA+DES_56_CB   0        452
    2001  Serial0/0   210.75.32.9   set    HMAC_SHA+DES_56_CB   694      0

This connection is carried by IPSec and is not subject to NAT.

III. Testing

Configure all the routers following the procedure above, changing the environment-specific parameters as needed, and the VPN configuration is complete. The network part of the task is done and business applications can go ahead.

If needed, the router provides more detailed troubleshooting commands:

    show crypto engine connections active
    show crypto isakmp sa
    show crypto ipsec sa
    debug crypto isakmp
    debug crypto ipsec

When debugging, run the corresponding commands on the peer router as well. Then, on a client (172.17.1.100), run:

    C:\>ping 172.16.1.100 -n 1

Finally, compare the output of the two routers and look for the message that flags the problem; that is the main way to find out why a tunnel does not come up. Make the necessary changes and the VPN plan is complete.

In practice this design fully met the user's requirements and demonstrated the usability and practicality of VPN technology. It has run normally ever since and the user is very satisfied.

Using the Internet access lines to build a VPN tunnel between head office and the branches is a design many companies are keen on. Previously such a VPN needed a static IP address at least at one end. Today many companies connect over ADSL, and asking the carrier for a static address raises the cost considerably (in Shenzhen a 512K ADSL line with a fixed IP rents for RMB 5000 a month). Cisco IOS 12.3(4)T adds a command that establishes the VPN peer from a DNS name; together with a dynamic DNS service such as 希网 (3322.org) or 88ip, both ends of the VPN can use ADSL lines with dynamic addresses, saving a great deal of money.

     Key command:

set peer {host-name [dynamic] | ip-address}

    Description:

    host-name specifies the DNS host name of the IPSec peer, e.g. myhost.example.com.

    dynamic (optional) makes the router resolve the peer's host name through the DNS server only when an IPSec tunnel needs to be established.

    ip-address gives the IPSec peer's IP address directly (the traditional configuration).

     In practice one machine on the LAN runs the dynamic-DNS client program, which registers the host name nbo.3322.org with the service using the router's external interface address.

 

Configuration:
    VPN-1 (unrelated configuration omitted):
    version 12.3
    !
    hostname vpn-1
    !
    aaa new-model
    !
    aaa authentication login authen group radius local
    aaa authorization network author local
    aaa session-id common
    ip subnet-zero
    !
    ip cef
    ip name-server 202.96.134.133
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set s2s esp-des esp-sha-hmac
    !
    crypto dynamic-map dymap 1
     set transform-set s2s
     match address 110
    !
    crypto map mymap 1 ipsec-isakmp dynamic dymap
    !
    interface FastEthernet0/0
     description VPN
     ip address 202.11.22.11 255.255.255.248
     ip nat outside
     crypto map mymap
    !
    interface FastEthernet0/1
     description INSIDE_GATEWAY
     ip address 172.16.10.110 255.255.0.0
     ip nat inside
    !
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    no ip http server
    !
    access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
    access-list 120 deny   ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    route-map nonat permit 10
     match ip address 120
    !
    end
   
    VPN-2 (unrelated configuration omitted):
   
    version 12.3
    !
    hostname vpn-2
    !
    username mize password 0 http://mize.netbuddy.org
    no aaa new-model
    ip subnet-zero
    !
    ip cef
    ip name-server 202.96.134.133
    !
    crypto isakmp policy 1
     authentication pre-share
     group 2
    crypto isakmp key cisco hostname nbo.3322.org
    !
    crypto ipsec transform-set s2s esp-des esp-sha-hmac
    !
    crypto map mymap 10 ipsec-isakmp
     set peer nbo.3322.org dynamic
     set transform-set s2s
     match address 110
    !
    interface FastEthernet0/0
     ip address 202.11.22.43 255.255.255.248
     ip nat outside
     crypto map mymap
    !
    interface FastEthernet0/1
     ip address 172.30.1.1 255.255.255.0
     ip nat inside
    !
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    !
    access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 120 deny   ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 120 permit ip 172.30.1.0 0.0.0.255 any
    route-map nonat permit 10
     match ip address 120   
    !
    end

    Related troubleshooting commands:
    show cry isa sa
    show cry ipsec sa
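The branch router in the article before this one (route-map abc, access-list 150) and VPN-1 above (route-map nonat, access-list 120) rely on the same rule: the access list behind the NAT route-map must deny every flow the crypto ACL permits, otherwise the flow is PATed to the outside address before the crypto map sees it, no longer matches the crypto ACL, and silently bypasses the tunnel. The following added example, which is not code from either article, checks that rule over a configuration in show-run form. BRANCH1 and VPN1 are reconstructed from the commands on the page; BROKEN is the same branch router with one deny line dropped, which is how the failure usually looks in practice.

```python
"""Does the NAT-exemption ACL deny every flow a crypto ACL protects?"""
import ipaddress


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address + wildcard mask -> network (the wildcard is the inverted netmask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_acl(line: str):
    """`access-list N permit|deny ip SRC DST` with any/host/wildcard operands; else None."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[3] != "ip":
        return None
    rest, nets = toks[4:], []
    while len(nets) < 2 and rest:
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.IPv4Network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(_net(rest[0], rest[1]))
            rest = rest[2:]
    return (toks[1], toks[2], nets[0], nets[1]) if len(nets) == 2 else None


def parse_config(config: str):
    """Collect the ACLs, the ACL numbers referenced by crypto maps, and those used for NAT."""
    acls, crypto_acls, rmap_acl, nat_rmaps, block = {}, set(), {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        if entry := _parse_acl(line):
            acls.setdefault(entry[0], []).append(entry[1:])
            continue
        toks = line.split()
        if not raw.startswith(" "):                       # top-level command
            block = None
            if toks[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]):
                block = ("crypto", None)
            elif toks[0] == "route-map":
                block = ("rmap", toks[1])
            elif line.startswith("ip nat inside source route-map "):
                nat_rmaps.add(toks[5])
        elif block == ("crypto", None) and toks[:2] == ["match", "address"]:
            crypto_acls.add(toks[2])
        elif block and block[0] == "rmap" and toks[:3] == ["match", "ip", "address"]:
            rmap_acl[block[1]] = toks[3]
    return acls, crypto_acls, {rmap_acl[r] for r in nat_rmaps if r in rmap_acl}


def nat_action(entries, src, dst) -> str:
    """First-match ACL semantics; the implicit deny at the end means 'not translated'."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def unprotected_flows(config: str):
    """Crypto-ACL permits that a NAT ACL would translate before the crypto map sees them."""
    acls, crypto_acls, nat_acls = parse_config(config)
    return [(n, str(src), str(dst))
            for n in sorted(crypto_acls)
            for action, src, dst in acls.get(n, [])
            if action == "permit"
            and any(nat_action(acls.get(a, []), src, dst) == "permit" for a in nat_acls)]


# Reconstructed from the branch-1 (huadong) commands, in show-run form.
BRANCH1 = """\
ip nat inside source route-map abc interface Serial0/0 overload
access-list 150 deny ip 172.17.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 150 deny ip 172.17.1.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 150 deny ip 172.17.1.0 0.0.0.255 172.17.3.0 0.0.0.255
access-list 150 permit ip 172.17.1.0 0.0.0.255 any
access-list 105 permit ip 172.17.1.0 0.0.0.255 172.16.0.0 0.0.255.255
route-map abc permit 10
 match ip address 150
!
crypto map abc 20 ipsec-isakmp
 set peer 211.157.243.130
 set transform-set abc-des
 match address 105
"""
# Same router with the first deny forgotten: headquarters traffic would be PATed, not encrypted.
BROKEN = BRANCH1.replace("access-list 150 deny ip 172.17.1.0 0.0.0.255 172.16.0.0 0.0.255.255\n", "")

# The relevant lines of VPN-1 above (dynamic crypto map, same nonat pattern).
VPN1 = """\
crypto dynamic-map dymap 1
 set transform-set s2s
 match address 110
!
crypto map mymap 1 ipsec-isakmp dynamic dymap
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 deny   ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 120
"""

if __name__ == "__main__":
    for name, cfg in (("BRANCH1", BRANCH1), ("BROKEN", BROKEN), ("VPN1", VPN1)):
        print(name, unprotected_flows(cfg) or "all crypto flows exempt from NAT")
```

The check is deliberately conservative: a crypto entry is only counted as exempt if a single deny covers the whole of its source and destination, so a deny narrower than the crypto ACL is reported as well. The same consistency requirement applies to the PIX nat 0 access-list in the VPN Client post above.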





Cisco 2611 Router

vpn2611#show run
Building configuration…

Current configuration : 2265 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2611
!

!— Enable aaa for user authentication
!— and group authorization.

aaa new-model
!
!

!— To enable X-Auth for user authentication,
!— enable the aaa authentication commands.

aaa authentication login userauthen local


!— To enable group authorization, enable
!— the aaa authorization commands.

aaa authorization network groupauthor local
aaa session-id common
!


!— For local authentication of the IPSec user,
!— create the user with password.

username cisco password 0 cisco
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!


!— Create an Internet Security Association and
!— Key Management Protocol (ISAKMP)
!— policy for Phase 1 negotiations for the VPN 3.x clients.

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!


!— Create an ISAKMP policy for Phase 1
!— negotiations for the LAN-to-LAN tunnels.

crypto isakmp policy 10
hash md5
authentication pre-share


!— Specify the PreShared key for the LAN-to-LAN tunnel.
!— Make sure that you use
!— no-xauth parameter with your ISAKMP key.

crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!


!— Create a group that will be used to
!— specify the WINS, DNS servers' address
!— to the client, along with the pre-shared
!— key for authentication.

crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!
!


!— Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!


!— Create a dynamic map and apply
!— the transform set that was created above.

crypto dynamic-map dynmap 10
set transform-set myset
!
!


!— Create the actual crypto map, and
!— apply the aaa lists that were created
!— earlier. Also create a new instance for your
!— LAN-to-LAN tunnel. Specify the peer IP address,
!— transform set and an Access Control List (ACL) for this
!— instance.

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.124.199
set transform-set myset

match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!


!— Apply the crypto map on the outside interface.

interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.10.10.1 255.255.255.0
no keepalive
half-duplex
!
!

!— Create a pool of addresses to be
!— assigned to the VPN Clients.

ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!


!— Create an ACL for the traffic
!— to be encrypted. In this example,
!— the traffic from 10.10.10.0/24 to 10.10.20.0/24
!— would be encrypted.

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
snmp-server community foobar RO
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end



Configuring the 3640 Router
Cisco 3640 Router

vpn3640#show run
Building configuration...

Current configuration : 1287 bytes
!
! Last configuration change at 13:47:37 UTC Wed Mar 6 2002
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!

!— Create an ISAKMP policy for Phase 1
!— negotiations for the LAN-to-LAN tunnels.

crypto isakmp policy 10
hash md5
authentication pre-share


!— Specify the PreShared key for the LAN-to-LAN
!— tunnel. You do not have to add
!— X-Auth parameter, as this
!— router is not doing Cisco Unity Client IPSEC
!— authentication.

crypto isakmp key cisco123 address 172.18.124.159
!
!


!— Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!


!— Create the actual crypto map. Specify
!— the peer IP address, transform
!— set and an ACL for this instance.

crypto map mymap 10 ipsec-isakmp
set peer 172.18.124.159
set transform-set myset
match address 100
!
call RSVP-sync
!
!
!


!— Apply the crypto map on the outside interface.

interface Ethernet0/0
ip address 172.18.124.199 255.255.255.0
half-duplex
crypto map mymap
!
interface Ethernet0/1
ip address 10.10.20.1 255.255.255.0
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!


!— Create an ACL for the traffic to
!— be encrypted. In this example,
!— the traffic from 10.10.20.0/24 to 10.10.10.0/24
!— would be encrypted.

access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community foobar RO
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end





PIX Central

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-central
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!— This is traffic to PIX 2.

access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

!— This is traffic to PIX 3.

access-list 130 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

!— Do not do Network Address Translation (NAT) on traffic to other PIXes.

access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.153 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

!— Do not do NAT on traffic to other PIXes.

nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac

!— This is traffic to PIX 2.

crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154
crypto map newmap 20 set transform-set myset

!— This is traffic to PIX 3.

crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 172.18.124.157
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end


PIX 2

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!— This is traffic to PIX Central.

access-list 110 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

!— Do not do NAT on traffic to PIX Central.

access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.154 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!— Do not do NAT on traffic to PIX Central.

nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac

!— This is traffic to PIX Central.

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end



PIX 3 Configuration

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!— This is traffic to PIX Central.

access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

!— Do not do NAT on traffic to PIX Central.

access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.157 255.255.255.0
ip address inside 10.3.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!— Do not do NAT on traffic to PIX Central.

nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac

!— This is traffic to PIX Central.

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:aa3bbd8c6275d214b153e1e0bc0173e4
: end






Hub Router

2503#show running-config
Building configuration...
Current configuration : 1466 bytes
!
version 12.2

service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2503
!


!
ip subnet-zero
!

!

!— Configuration for IKE policies.

crypto isakmp policy 10

!— Enables the IKE policy configuration (config-isakmp)
!— command mode, where you can specify the parameters that
!— are used during an IKE negotiation.

hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.2.1
crypto isakmp key cisco123 address 200.1.3.1

!— Specifies the preshared key "cisco123" which should
!— be identical at both peers. This is a global
!— configuration mode command.


!

!— Configuration for IPSec policies.

crypto ipsec transform-set myset esp-des esp-md5-hmac

!— Enables the crypto transform configuration mode,
!— where you can specify the transform sets that are used
!— during an IPSec negotiation.

!
crypto map mymap 10 ipsec-isakmp

!— Indicates that IKE is used to establish
!— the IPSec security association for protecting the
!— traffic specified by this crypto map entry.

set peer 200.1.2.1

!— Sets the IP address of the remote end.

set transform-set myset

!— Configures IPSec to use the transform-set
!— "myset" defined earlier in this configuration.

match address 110

!— Specifies the traffic to be encrypted.

crypto map mymap 20 ipsec-isakmp
set peer 200.1.3.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.1.1 255.255.255.0
no ip route-cache

!— You must enable process switching for IPSec
!— to encrypt outgoing packets. This command disables fast switching.

no ip mroute-cache
crypto map mymap

!— Configures the interface to use the
!— crypto map "mymap" for IPSec.

!


!— Output suppressed.

ip classless
ip route 172.16.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
ip http server

!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

!— This crypto ACL-permit identifies the
!— matching traffic flows to be protected via encryption.




Spoke 1 Router

2509a#show running-config
Building configuration...
Current configuration : 1203 bytes
!
version 12.2

service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0

!
ip subnet-zero
no ip domain-lookup
!

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 110
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.2.1 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map mymap
!

.
.

!— Output suppressed.

.
.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server

!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!

end
2509a#



Spoke 2 Router

VPN2509#show running-config
Building configuration...
Current configuration : 1117 bytes
!
version 12.2

service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname VPN2509
!

!
ip subnet-zero
no ip domain-lookup
!

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.3.1 255.255.255.0

!— No ip route-cache.

no ip mroute-cache
crypto map mymap
!

.
.

!— Output suppressed.

.
.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 172.16.0.0 255.255.0.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server

!
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!

end
VPN2509#
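The hub-and-spoke configurations above only bring up a tunnel if each spoke's crypto ACL is the exact mirror of the hub's ACL for that peer. As an added example (not from the page or from Cisco), this Python check parses IOS `crypto map`, `set peer`, `match address` and `access-list ... permit ip` lines (wildcard masks only, as on the 2503/2509a routers) and reports flows one side encrypts that the other side does not mirror; the embedded HUB and SPOKE1 excerpts are constructed from the 2503 and 2509a configurations, with one spoke ACL line deliberately dropped so the mismatch shows.

```python
# Added example (not from the page or Cisco): does the hub's crypto ACL toward a
# spoke exactly mirror the spoke's crypto ACL toward the hub? IOS wildcard masks only.
import re
from ipaddress import IPv4Network

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp$")   # static instances only
PEER_RE = re.compile(r"^\s*set peer (\S+)$")
MATCH_RE = re.compile(r"^\s*match address (\d+)$")
def wildcard_to_net(addr, wildcard):
    """IOS ACLs use inverted (wildcard) masks: 0.0.0.255 means a /24."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def parse_crypto_flows(config):
    """Map each 'set peer' address to the (src, dst) networks its crypto ACL permits."""
    acls, entries, cur = {}, [], None
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((wildcard_to_net(m[2], m[3]), wildcard_to_net(m[4], m[5])))
        elif MAP_RE.match(line):
            cur = {"peer": None, "acl": None}
            entries.append(cur)
        elif cur and (m := PEER_RE.match(line)):
            cur["peer"] = m[1]
        elif cur and (m := MATCH_RE.match(line)):
            cur["acl"] = m[1]
    flows = {}
    for e in entries:
        if e["peer"] and e["acl"]:
            flows.setdefault(e["peer"], set()).update(acls.get(e["acl"], []))
    return flows

def mirror_mismatches(local_cfg, local_ip, remote_cfg, remote_ip):
    """Every flow local encrypts toward remote_ip must appear reversed on remote toward local_ip."""
    local = parse_crypto_flows(local_cfg).get(remote_ip, set())
    remote = parse_crypto_flows(remote_cfg).get(local_ip, set())
    mirrored = {(d, s) for s, d in remote}
    fmt = lambda flows: sorted(f"{s}->{d}" for s, d in flows)
    return {"only_local": fmt(local - mirrored), "only_remote": fmt(mirrored - local)}

# Constructed excerpts of the 2503 hub and 2509a spoke; the spoke copy lacks one mirror line.
HUB = """\
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.2.1
 match address 110
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SPOKE1 = """\
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 110
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
```

Run `mirror_mismatches(HUB, "200.1.1.1", SPOKE1, "200.1.2.1")` to see the 192.168.1.0/24 flow the hub would try to encrypt but the spoke would reject at Phase 2; the same function run with the page's complete spoke ACL returns empty lists on both sides.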