Configuration example: how to configure a Cisco PIX for VPN access

Author: compiled from forum posts  Source: zdnet network security  March 11, 2008

Keywords: firewall, CISCO, Cisco, PIX firewall, Cisco PIX firewall

  PIX-Shanghai> en
  Password: **********
  PIX-Shanghai# show run
  : Saved
  :
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password S2MnpAQ0MxnL encrypted
  passwd pAQ0MxOQLJnL encrypted
  hostname PIX-Shanghai
  domain-name ciscofan.com
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 218.242.194.97 www.ciscofan.com
  object-group network LAN_Interne_ICE
    network-object 128.1.0.0 255.255.0.0
    network-object 10.101.0.0 255.255.0.0
    network-object 10.102.0.0 255.254.0.0
    network-object 10.104.0.0 255.248.0.0
    network-object 10.112.0.0 255.252.0.0
    network-object 10.116.0.0 255.254.0.0
    network-object 192.168.10.0 255.255.254.0
    network-object 192.168.12.0 255.255.252.0
    network-object 192.168.16.0 255.255.240.0
    network-object 192.168.32.0 255.255.240.0
    network-object 192.168.48.0 255.255.254.0
    network-object 192.168.50.0 255.255.255.0
  object-group network LAN_Remota
    network-object 10.200.62.0 255.255.255.0
  access-list acl_out permit ip any any
  access-list acl_out permit icmp any any
  access-list acl_in permit ip any any
  access-list acl_in permit icmp any any
  access-list acl_nat0 permit ip object-group LAN_Remota object-group LAN_Interne_ICE
  access-list cryptomap permit ip object-group LAN_Remota object-group LAN_Interne_ICE
  pager lines 24
  logging on
  logging timestamp
  logging trap debugging
  logging host outside 212.17.199.170
  icmp permit host 212.17.199.170 outside
  icmp permit host 212.17.199.198 outside
  icmp permit host 217.56.45.123 outside
  icmp permit host 217.56.45.122 outside
  icmp permit host 80.23.50.226 outside
  icmp permit host 212.17.199.167 outside
  icmp permit host 217.17.199.198 outside
  icmp permit host 80.20.218.100 outside
  icmp permit host 80.20.218.108 outside
  icmp permit host 211.152.x.x outside
  mtu outside 1500
  mtu inside 1500
  ip address outside 211.152.x.x 255.255.255.240
  ip address inside 10.200.62.1 255.255.255.0
  ip audit name ids_attack attack action drop reset
  ip audit interface outside ids_attack
  ip audit info action alarm
  ip audit attack action alarm
  pdm history enable
  arp timeout 14400
  global (outside) 1 211.152.x.x
  nat (inside) 0 access-list acl_nat0
  nat (inside) 1 10.200.62.0 255.255.255.0 0 0
  access-group acl_out in interface outside
  access-group acl_in in interface inside
  conduit permit icmp any any
  route outside 0.0.0.0 0.0.0.0 211.152.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  ntp server 193.204.114.232 source outside
  http server enable
  http 212.17.199.170 255.255.255.255 outside
  http 212.17.199.198 255.255.255.255 outside
  http 217.56.45.123 255.255.255.255 outside
  http 217.56.45.122 255.255.255.255 outside
  snmp-server host outside 212.17.199.170
  snmp-server host outside 212.17.199.198
  no snmp-server location
  no snmp-server contact
  snmp-server community ciscofanvpn
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address cryptomap
  crypto map outside_map 20 set peer 213.215.136.251
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 20 set security-association lifetime seconds 120 kilobytes 4608000
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp policy 20 authentication rsa-sig
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 120
  ca identity ca1 www.ciscofan.com:/certsrv/mscep/mscep.dll
  ca configure ca1 ra 1 20 crloptional
  telnet timeout 5
  ssh 212.17.199.170 255.255.255.255 outside
  ssh 212.17.199.198 255.255.255.255 outside
  ssh 217.56.45.123 255.255.255.255 outside
  ssh 217.56.45.122 255.255.255.255 outside
  ssh 80.23.50.226 255.255.255.255 outside
  ssh 212.17.199.167 255.255.255.255 outside
  ssh 80.20.218.100 255.255.255.255 outside
  ssh 80.20.218.108 255.255.255.255 outside
  ssh timeout 60
  console timeout 0
  terminal width 80
  Cryptochecksum:e99eb892f5c2b5d02540352ad9d72cce
  : end
  PIX-Shanghai#
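Added example (not part of the original article, and not Cisco's code): a small Python audit script that parses the VPN-relevant lines of a PIX 6.x show run and checks what a reviewer would check in the configuration above. It verifies that the crypto map's match-address ACL and the nat 0 exemption ACL are identical (here acl_nat0 and cryptomap both pair LAN_Remota with LAN_Interne_ICE, so tunnel traffic is exempted from translation), that every object-group an ACL references is defined, whether the transform set and ISAKMP policy still rely on DES, MD5 and DH group 2, and whether an access-list that permits ip any any is bound to the outside interface. The embedded SAMPLE_CONFIG is a constructed, shortened excerpt of the page's configuration with the extraction-split access-list lines rejoined; the parser understands only the commands that appear in it.

```python
"""Audit a PIX 6.x 'show run' dump for IPsec VPN consistency and weak algorithms.

Added example for this page; not part of the original article and not Cisco code.
The parser covers only the commands used in SAMPLE_CONFIG below.
"""

# Constructed, shortened excerpt of the page's configuration (sample input, not a live device).
SAMPLE_CONFIG = """\
object-group network LAN_Interne_ICE
network-object 128.1.0.0 255.255.0.0
network-object 10.101.0.0 255.255.0.0
object-group network LAN_Remota
network-object 10.200.62.0 255.255.255.0
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list acl_nat0 permit ip object-group LAN_Remota object-group LAN_Interne_ICE
access-list cryptomap permit ip object-group LAN_Remota object-group LAN_Interne_ICE
nat (inside) 0 access-list acl_nat0
nat (inside) 1 10.200.62.0 255.255.255.0 0 0
access-group acl_out in interface outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address cryptomap
crypto map outside_map 20 set peer 213.215.136.251
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Algorithms and DH groups that should no longer protect a site-to-site tunnel.
WEAK_IPSEC = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_ISAKMP_ENC = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}


def parse_config(text):
    """Return the VPN-relevant parts of a PIX config as a dict of simple structures."""
    cfg = {"object_groups": {}, "acls": {}, "transform_sets": {},
           "crypto_maps": {}, "isakmp": {}, "nat0": None, "access_groups": {}}
    group = None  # object-group whose network-object lines are being read
    for raw in text.splitlines():
        t = raw.split()
        if not t or raw.startswith(":"):  # blank lines and ': Saved' style markers
            continue
        if t[0] == "object-group" and t[1] == "network":
            group = t[2]
            cfg["object_groups"][group] = []
        elif t[0] == "network-object" and group:
            cfg["object_groups"][group].append((t[1], t[2]))
        else:
            group = None
            if t[0] == "access-list":
                cfg["acls"].setdefault(t[1], []).append(t[2:])  # ACL name -> list of ACEs
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][t[3]] = t[4:]
            elif t[:2] == ["crypto", "map"] and t[3].isdigit():
                entry = cfg["crypto_maps"].setdefault((t[2], int(t[3])), {})
                if t[4:6] == ["match", "address"]:
                    entry["acl"] = t[6]
                elif t[4:6] == ["set", "transform-set"]:
                    entry["transform_sets"] = t[6:]
            elif t[:2] == ["isakmp", "policy"]:
                cfg["isakmp"].setdefault(int(t[2]), {})[t[3]] = " ".join(t[4:])
            elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
                cfg["nat0"] = t[4]  # the NAT exemption ACL
            elif t[0] == "access-group":
                cfg["access_groups"][t[4]] = t[1]  # interface -> bound ACL name
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        acl = entry.get("acl")
        if acl is None:
            continue
        for ace in cfg["acls"].get(acl, []):
            for ref in [ace[i + 1] for i, tok in enumerate(ace) if tok == "object-group"]:
                if ref not in cfg["object_groups"]:
                    findings.append(f"acl {acl}: references undefined object-group {ref}")
        # The nat 0 ACL must match the crypto ACL exactly; otherwise tunnel traffic is
        # translated (or non-tunnel traffic exempted) before the IPsec policy applies.
        if cfg["acls"].get(acl) != cfg["acls"].get(cfg["nat0"]):
            findings.append(f"crypto map {name} {seq}: ACL {acl} differs from nat 0 ACL {cfg['nat0']}")
        for ts in entry.get("transform_sets", []):
            weak = sorted(set(cfg["transform_sets"].get(ts, [])) & WEAK_IPSEC)
            if weak:
                findings.append(f"crypto map {name} {seq}: transform-set {ts} uses {', '.join(weak)}")
    for seq, pol in sorted(cfg["isakmp"].items()):
        if pol.get("encryption") in WEAK_ISAKMP_ENC:
            findings.append(f"isakmp policy {seq}: encryption {pol['encryption']}")
        if pol.get("hash") == "md5":
            findings.append(f"isakmp policy {seq}: hash md5")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {seq}: DH group {pol['group']}")
    for iface, acl in sorted(cfg["access_groups"].items()):
        if any(ace[:4] == ["permit", "ip", "any", "any"] for ace in cfg["acls"].get(acl, [])):
            findings.append(f"interface {iface}: ACL {acl} permits ip any any")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a show run dump and audit it in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(finding)
```

Run as a script it prints the findings for the sample; audit_text() accepts any show run text. On the page's configuration it reports nothing about NAT exemption, because acl_nat0 and cryptomap match, but it flags the ESP-DES-MD5 transform set, the DES/MD5/group 2 ISAKMP policy and the permit ip any any entry in acl_out bound to the outside interface. Change the nat 0 line to reference a different ACL and the mismatch is reported as well.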
