PIX TO PIX 防火墙站到站VPN配置

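! ---- Pix1: outside 192.168.2.1/24, inside LAN 192.168.1.0/24, IPsec peer 192.168.2.2 ----
pixfirewall# config t
! Outside (untrusted) interface: security-level 0.
pixfirewall(config)# inter e0
pixfirewall(config-if)# ip add 192.168.2.1 255.255.255.0
pixfirewall(config-if)# nameif outside
pixfirewall(config-if)# security-level 0
pixfirewall(config-if)# no shut
pixfirewall(config-if)# exit
! Inside (trusted) interface: security-level 100.
pixfirewall(config)# inter e1
pixfirewall(config-if)# ip add 192.168.1.1 255.255.255.0
pixfirewall(config-if)# nameif inside
pixfirewall(config-if)# security-level 100
pixfirewall(config-if)# no shut
pixfirewall(config-if)# exit
! ACL 103 is bound inbound on the outside interface further down.
! "permit icmp any any" admits every ICMP type from any source; it is handy
! for lab ping tests, but a production ACL should list only the ICMP types
! and sources that are actually needed.
pixfirewall(config)# access-list 103 extended permit icmp any any
pixfirewall(config)# access-list 103 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
! ACL 101 is the "interesting traffic" selector: it is used both by the
! crypto map and by NAT exemption (nat 0). It must mirror ACL 101 on the peer
! (local LAN -> remote LAN), so both networks need a full 255.255.255.0 mask.
pixfirewall(config)# access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! ACL ipnat selects the inside hosts that are translated (PAT) to the outside
! interface address for all non-tunnel traffic.
pixfirewall(config)# access-list ipnat extended permit ip 192.168.1.0 255.255.255.0 any
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside) 1 access-list ipnat
! nat 0 = do not translate LAN-to-LAN traffic, so the crypto ACL still matches it.
pixfirewall(config)# nat (inside) 0 access-list 101
pixfirewall(config)# access-group 103 in interface outside
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.2
! Phase 2 (IPsec) proposal: ESP with 3DES and HMAC-SHA-1.
! NOTE(review): 3DES and SHA-1 are legacy choices; where the software image
! and license allow it, prefer an AES transform. Both peers must be changed
! together, otherwise the proposals no longer match.
pixfirewall(config)# crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
pixfirewall(config)# crypto map cisco 10 match add 101
pixfirewall(config)# crypto map cisco 10 set peer 192.168.2.2
pixfirewall(config)# crypto map cisco 10 set transform-set ccsp
pixfirewall(config)# crypto map cisco interface outside
! Phase 1 (ISAKMP/IKE): identify by IP address and enable on the outside interface.
pixfirewall(config)# crypto isakmp identity address
pixfirewall(config)# crypto isakmp enable outside
! NOTE(review): pre-shared-key authentication with 3DES, SHA-1 and DH group 2
! (1024-bit) is a legacy policy; treat it as a lab baseline and choose
! stronger parameters on both peers if the platform supports them.
pixfirewall(config)# crypto isakmp policy 10
pixfirewall(config-isakmp-policy)# authentication pre-share
pixfirewall(config-isakmp-policy)# encryption 3des
pixfirewall(config-isakmp-policy)# hash sha
pixfirewall(config-isakmp-policy)# group 2
! Phase 1 SA lifetime in seconds (24 hours).
pixfirewall(config-isakmp-policy)# lifetime 86400
! NAT traversal with a 10-second keepalive.
pixfirewall(config)# crypto isakmp nat-traversal 10
! LAN-to-LAN tunnel group, named after the peer address.
pixfirewall(config)# tunnel-group 192.168.2.2 type ipsec-l2l
pixfirewall(config)# tunnel-group 192.168.2.2 ipsec-attributes
! NOTE(review): "cisco123" is a sample key. Use a long random value, identical
! on both peers, and keep it out of published configs.
pixfirewall(config-tunnel-ipsec)# pre-shared-key cisco123
pixfirewall(config-tunnel-ipsec)# exit
! NOTE(review): this encrypted string is the value found in stock PIX
! configurations (the factory-default login password). Set a unique
! password before the device is reachable from any network.
pixfirewall(config)# passwd 2KFQnbNIdI.2KYOU encrypted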
 
pix2
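! ---- pix2: outside 192.168.2.2/24, inside LAN 192.168.3.0/24, IPsec peer 192.168.2.1 ----
pixfirewall# config t
! Outside (untrusted) interface: security-level 0.
pixfirewall(config)# inter e0
pixfirewall(config-if)# ip add 192.168.2.2 255.255.255.0
pixfirewall(config-if)# nameif outside
pixfirewall(config-if)# security-level 0
pixfirewall(config-if)# no shut
pixfirewall(config-if)# exit
! Inside (trusted) interface: security-level 100.
pixfirewall(config)# inter e1
pixfirewall(config-if)# ip add 192.168.3.1 255.255.255.0
pixfirewall(config-if)# security-level 100
pixfirewall(config-if)# nameif inside
pixfirewall(config-if)# no shut
pixfirewall(config-if)# exit
! NOTE(review): this encrypted string is the value found in stock PIX
! configurations (the factory-default login password). Set a unique
! password before the device is reachable from any network.
pixfirewall(config)# passwd 2KFQnbNIdI.2KYOU encrypted
! ACL 103 is bound inbound on the outside interface further down.
! "permit icmp any any" admits every ICMP type from any source; it is handy
! for lab ping tests, but a production ACL should list only the ICMP types
! and sources that are actually needed.
pixfirewall(config)# access-list 103 extended permit icmp any any
! The destination network needs its mask, the same as the source network.
pixfirewall(config)# access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! ACL 101 is the "interesting traffic" selector used by the crypto map and by
! NAT exemption (nat 0); it must mirror ACL 101 on the peer.
pixfirewall(config)# access-list 101 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
! ACL ipnat selects the inside hosts that are translated (PAT) to the outside
! interface address for all non-tunnel traffic.
pixfirewall(config)# access-list ipnat extended permit ip 192.168.3.0 255.255.255.0 any
pixfirewall(config)# global (outside) 1 interface
! nat 0 = do not translate LAN-to-LAN traffic, so the crypto ACL still matches it.
pixfirewall(config)# nat (inside) 0 access-list 101
pixfirewall(config)# nat (inside) 1 access-list ipnat
pixfirewall(config)# access-group 103 in interface outside
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1
! Phase 2 (IPsec) proposal: ESP with 3DES and HMAC-SHA-1.
! NOTE(review): 3DES and SHA-1 are legacy choices; where the software image
! and license allow it, prefer an AES transform. Both peers must be changed
! together, otherwise the proposals no longer match.
pixfirewall(config)# crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
pixfirewall(config)# crypto map cisco 10 match add 101
pixfirewall(config)# crypto map cisco 10 set peer 192.168.2.1
pixfirewall(config)# crypto map cisco 10 set transform-set ccsp
pixfirewall(config)# crypto map cisco interface outside
! Phase 1 (ISAKMP/IKE): identify by IP address and enable on the outside interface.
pixfirewall(config)# crypto isakmp identity address
pixfirewall(config)# crypto isakmp enable outside
! NOTE(review): pre-shared-key authentication with 3DES, SHA-1 and DH group 2
! (1024-bit) is a legacy policy; treat it as a lab baseline and choose
! stronger parameters on both peers if the platform supports them.
pixfirewall(config)# crypto isakmp policy 10
pixfirewall(config-isakmp-policy)# authentication pre-share
pixfirewall(config-isakmp-policy)# encryption 3des
pixfirewall(config-isakmp-policy)# hash sha
pixfirewall(config-isakmp-policy)# group 2
! Phase 1 SA lifetime in seconds (24 hours).
pixfirewall(config-isakmp-policy)# lifetime 86400
! NAT traversal with a 10-second keepalive.
pixfirewall(config)# crypto isakmp nat-traversal 10
! LAN-to-LAN tunnel group, named after the peer address.
pixfirewall(config)# tunnel-group 192.168.2.1 type ipsec-l2l
pixfirewall(config)# tunnel-group 192.168.2.1 ipsec-attributes
! NOTE(review): "cisco123" is a sample key. Use a long random value, identical
! on both peers, and keep it out of published configs.
pixfirewall(config-tunnel-ipsec)# pre-shared-key cisco123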