PIX site-to-site VPN: configuring multiple tunnels on one firewall

 
The key point to remember is that an interface can only have one crypto map applied to it; everything else follows from that.
P1# show run
: Saved
:
PIX Version 7.2(2)
!
hostname P1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 11.11.11.11 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 14.14.14.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit icmp any any
access-list nat extended permit ip 11.11.11.0 255.255.255.0 any
access-list nonat extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list nonat extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list tunnel2 extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list tunnel3 extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
Traffic that goes through the VPN must be exempted from NAT with nat 0; remember that nat 0 can also reference only one ACL.
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 14.14.14.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-des esp-md5-hmac
crypto map mymap 10 match address tunnel2 ...... both VPN tunnels are placed in the same crypto map
crypto map mymap 10 set peer 24.24.24.2
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address tunnel3
crypto map mymap 20 set peer 34.34.34.3
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside ...... apply the map to the interface
crypto isakmp enable outside ...... must be enabled, otherwise ISAKMP connections are refused
crypto isakmp policy 10 ...... one policy can be shared by multiple VPN tunnels
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 24.24.24.2 type ipsec-l2l ...... this is generated by the command crypto isakmp key cisco address 24.24.24.2
tunnel-group 24.24.24.2 ipsec-attributes
 pre-shared-key *
tunnel-group 34.34.34.3 type ipsec-l2l
tunnel-group 34.34.34.3 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:bc2b9318f2cb8a3198a8fa5b77ea6268
: end
P1# 
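To check those rules mechanically on a saved running-config, here is an added Python lint (not from the original post) that parses the command forms annotated above and reports an interface with more than one crypto map, a crypto map interface without ISAKMP enabled, a peer without an ipsec-l2l tunnel-group, and a crypto-ACL flow missing from the nat 0 exemption. The sample config is constructed from P1's listing, and the parser only understands the command forms shown on this page.

```python
# Constructed sample: only the VPN-relevant lines of P1's running-config from this page.
P1_CONFIG = """\
access-list nonat extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list nonat extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list tunnel2 extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list tunnel3 extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address tunnel2
crypto map mymap 10 set peer 24.24.24.2
crypto map mymap 20 match address tunnel3
crypto map mymap 20 set peer 34.34.34.3
crypto map mymap interface outside
crypto isakmp enable outside
tunnel-group 24.24.24.2 type ipsec-l2l
tunnel-group 34.34.34.3 type ipsec-l2l
"""
def lint_pix_vpn(config):  # returns [] when the invariants described on the page hold
    acls, entries, applied, isakmp, l2l, nonat = {}, {}, {}, set(), set(), None
    for f in (line.split() for line in config.splitlines()):
        if len(f) < 4:
            continue
        if f[0] == "access-list" and len(f) == 9 and f[4] == "ip":
            acls.setdefault(f[1], []).append((f[5], f[7]))       # (src net, dst net)
        elif f[0] == "nat" and f[2] == "0":
            nonat = f[4]                                            # NAT-exempt ACL name
        elif f[:2] == ["crypto", "map"] and f[3] == "interface":
            applied.setdefault(f[4], []).append(f[2])              # maps per interface
        elif f[:2] == ["crypto", "map"] and len(f) == 7 and f[4] in ("match", "set"):
            entries.setdefault((f[2], f[3]), {})[f[5]] = f[6]      # address / peer / transform-set
        elif f[:3] == ["crypto", "isakmp", "enable"]:
            isakmp.add(f[3])
        elif f[0] == "tunnel-group" and f[3] == "ipsec-l2l":
            l2l.add(f[1])
    out = []
    for iface, maps in applied.items():
        if len(maps) > 1:
            out.append(f"{iface}: more than one crypto map applied {maps}")
        if iface not in isakmp:
            out.append(f"{iface}: crypto map applied but isakmp not enabled")
    exempt = set(acls.get(nonat, []))
    for (name, seq), e in sorted(entries.items()):
        if e.get("peer") not in l2l:
            out.append(f"{name} {seq}: no ipsec-l2l tunnel-group for peer {e.get('peer')}")
        flows = acls.get(e.get("address"))
        if flows is None:
            out.append(f"{name} {seq}: match address ACL {e.get('address')} not found")
        for flow in flows or []:
            if flow not in exempt:
                out.append(f"{name} {seq}: flow {flow} is not exempted by nat 0")
    return out
```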
 
 
、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、
 
P2(config)# show run
: Saved
:
PIX Version 7.2(2)
!
hostname P2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 22.22.22.21 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 24.24.24.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit icmp any any
access-list nat extended permit ip 22.22.22.0 255.255.255.0 any
access-list nonat extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list nonat extended permit ip 22.22.22.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list tunnel1 extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list tunnel3 extended permit ip 22.22.22.0 255.255.255.0 33.33.33.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 24.24.24.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-des esp-md5-hmac
crypto map mymap 10 match address tunnel1 ...... only one map can be applied; the sequence numbers distinguish the entries
crypto map mymap 10 set peer 14.14.14.1
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address tunnel3
crypto map mymap 20 set peer 34.34.34.3
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside
crypto isakmp enable outside ...... must be enabled
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400 ...... two policies are configured, but only one appears
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 14.14.14.1 type ipsec-l2l
tunnel-group 14.14.14.1 ipsec-attributes
 pre-shared-key * ...... generated by crypto isakmp key cisco add 14.14.14.1
tunnel-group 34.34.34.3 type ipsec-l2l
tunnel-group 34.34.34.3 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:5dbba7e6d178fff174983fd91d66768a
: end
P2(config)# 
 