An example of setting up a VPN on a PIX [Share]
> I have been working on a tunnel setup with one of our customers.
> Any help would be vastly appreciated.
>
> Basic setup: 1 tunnel - 1 host mapped to Cisco 3005 over the Internet to FW1 to
> 1 host using IPSEC. Any protocol or port.
> We are able to create tunnels, even send data out tunnel both ways but
> nothing is returned.
>
> Advanced setup:
> x.x.x.48/248 local scope through duplicate tunnels over 3005 through
> the Internet to twinned FW-1 Solaris machines to a single host on the client site
> allowing port 3389 (Terminal Services?) only.
>
> We were initially able to create a single tunnel over the Pix to a single
> FW-1. This lasted for a little while, then the external IP scope changed.
> It hasn't been working since.
>
> Pix config, then 3005 config, then 2610 config. FW-1 config is straight
> out of the Cisco web site. Client is very process orientated and we have
> to work around their network. No big deal if it works.
>
>
> X's used for simplicity.
> Pix Tunnel
> Host1 x.x.x.50 (2kws) to x.x.x.9 (2610) to x.x.x.173 (inside) -> x.x.x.x
> (outside of pix)|||||(outside of FW-1) x.x.x.29 -> x.x.x.58 (Host TS)
>
>
> Or
> Cisco 3005 Tunnel
> Host1 x.x.x.50 (2kws) to x.x.x.9 (2610) to x.x.x.10 (inside 3005) -> x.x.x.x
> (outside of 3005)|||||(outside of FW-1) x.x.x.18 -> x.x.x.58 (Host TS)
>
> Phase 2 completed, Tunnels up, but cannot complete a ping.
> Data (ping) is sent through tunnel but not returned from either end.
>
>
>
> Pix Tunnel Config:
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
>
> no names
> name x.x.x.48 kvpngrp
>
> access-list inside_outbound_nat0_acl permit ip x.x.x.48 255.255.255.248 host y.y.y.58
> access-list outside_cryptomap_20 permit ip x.x.x.48 255.255.255.248 host y.y.y.58
> access-list outside_cryptomap_40 permit ip x.x.x.48 255.255.255.248 host y.y.y.58
>
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> access-group acl_out in interface outside
>
> route outside 0.0.0.0 0.0.0.0 x.x.x.77 1
> route inside 10.20.0.0 255.255.0.0 192.168.0.95 1
> route inside 10.23.0.0 255.255.0.0 192.168.0.46 2
> route inside 192.168.181.0 255.255.255.0 192.168.0.95 1
>
> sysopt connection permit-ipsec
> sysopt route dnat
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> crypto map outside_map 40 ipsec-isakmp
> crypto map outside_map 40 match address outside_cryptomap_40
> crypto map outside_map 40 set peer x.x.x.29
> crypto map outside_map 40 set transform-set myset
> crypto map outside_map 40 set security-association lifetime seconds 86400 kilobytes 4608000
> crypto map outside_map interface outside
>
> isakmp enable outside
> isakmp key ******** address x.x.x.29 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
>
>
>
> 3005 Tunnel Config:
> Interface Ethernet 2 (Public) (x.x.x.80)
> Peer y.y.y.18
>
> Preshared Key
>
> Authentication ESP/MD5/HMAC-128
> Encryption 3DES-168
> IKE Proposal
> Filter --None--
> IPSec NAT-T None
> Bandwidth Policy ---None---
> Routing None
>
> --------------------------------------------------------------------------------
> Local Network:
> Network List Use IP Address/Wildcard-mask
>
> IP Address x.x.x.48
> Wildcard Mask 0.0.0.7
>
>
> --------------------------------------------------------------------------------
> Remote Network:
>
> IP Address y.y.y.0
> Wildcard Mask 0.0.0.255
>
>
>
> Cisco 2610 config
>
>
> Current configuration : 1170 bytes
> !
> version 12.2
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname x
> !
> logging buffered 4096 debugging
> logging rate-limit console 10 except errors
> enable secret 5
> enable password
> !
> ip subnet-zero
> !
> !
> no ip finger
> ip domain-name
> !
> ip audit notify log
> ip audit po max-events 100
> no ip dhcp-client network-discovery
> !
> !
> !
> interface Ethernet0/0
> ip address 192.168.0.9 255.255.255.0
> full-duplex
> !
> interface Ethernet1/0
> no ip address
> shutdown
> half-duplex
> !
> router rip
> network 192.168.0.0
> !
> ip default-gateway 192.168.0.173
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.0.173
> !
> ! route to 3005
> ip route x.x.x.58 255.255.255.255 192.168.0.10
> !
> ! route to pix
> ip route x.x.x.58 255.255.255.255 192.168.0.173 2
> no ip http server
> !
>
>
> end
>
>
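The symptom in the post ("Phase 2 completed, tunnels up, but cannot complete a ping") is the classic signature of two peers that agree on a security association but disagree on exactly which traffic belongs in it. Note that the PIX side protects x.x.x.48/29 <-> host y.y.y.58, while the 3005 side lists its remote network as y.y.y.0 with wildcard 0.0.0.255, i.e. a whole /24. Before touching anything else, a practitioner would verify that every interesting-traffic entry on one end is the exact mirror (destination and source swapped, same prefix lengths) of an entry on the other. The script below is an added example, not code from the original post or from any Cisco or Check Point tool: it normalises PIX netmask-style crypto ACL lines and VPN 3000-style "IP address + wildcard mask" definitions into one representation and reports every entry without a mirror. The addresses are RFC 5737 documentation addresses standing in for the x.x.x.* / y.y.y.* placeholders, and the two sample peers are constructed, not taken from the post.

```python
"""Check that two IPsec peers' interesting-traffic definitions mirror each
other. Added example; not part of the original post."""
import ipaddress
from ipaddress import IPv4Network


def _endpoint(tokens):
    """Consume one ACL endpoint from a token list.

    Accepts 'host A', 'any', or 'A NETMASK' (PIX access-lists use a real
    netmask such as 255.255.255.248, not a wildcard). Returns
    (network, remaining_tokens).
    """
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    return IPv4Network((tokens[0], tokens[1])), tokens[2:]


def pix_acl_pair(line):
    """Parse 'access-list NAME permit ip SRC DST' into (src_net, dst_net)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError("not a 'permit ip' access-list line: " + line)
    src, rest = _endpoint(tokens[4:])
    dst, rest = _endpoint(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: " + " ".join(rest))
    return src, dst


def wildcard_network(address, wildcard):
    """Convert a VPN 3000-style 'IP address + wildcard mask' into a network.

    A wildcard of 0.0.0.7 means the low three bits vary, i.e. a /29.
    Non-contiguous wildcards (e.g. 0.0.1.7) are not one prefix and are rejected.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):          # contiguous low ones have the form 2**n - 1
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    prefix = 32 - bits.bit_length()
    return IPv4Network((address, prefix))


def mirror_mismatches(local_pairs, remote_pairs):
    """Describe every local (src, dst) with no exact (dst, src) on the remote
    peer, and every remote entry with no exact mirror locally."""
    local, remote = set(local_pairs), set(remote_pairs)
    problems = []
    for src, dst in sorted(local, key=str):
        if (dst, src) not in remote:
            problems.append(f"local {src} -> {dst}: no remote entry {dst} -> {src}")
    for src, dst in sorted(remote, key=str):
        if (dst, src) not in local:
            problems.append(f"remote {src} -> {dst}: no local entry {dst} -> {src}")
    return problems


# Constructed sample input modelled on the post's PIX crypto ACL, with
# 192.0.2.0/24 standing in for x.x.x.* and 198.51.100.0/24 for y.y.y.*
# (an assumption made so the lines parse).
PIX_CRYPTO_ACL = [
    "access-list outside_cryptomap_40 permit ip 192.0.2.48 255.255.255.248 host 198.51.100.58",
]
LOCAL = [pix_acl_pair(line) for line in PIX_CRYPTO_ACL]

# A correctly mirrored peer: its single host towards the /29 behind the PIX.
GOOD_PEER = [(wildcard_network("198.51.100.58", "0.0.0.0"),
              wildcard_network("192.0.2.48", "0.0.0.7"))]

# A peer whose policy covers the whole /24 (the shape of the 3005's
# "y.y.y.0 / 0.0.0.255" entry) instead of the single host: not a mirror of
# the PIX entry, so the two sides disagree about what the tunnel carries.
BAD_PEER = [(wildcard_network("198.51.100.0", "0.0.0.255"),
             wildcard_network("192.0.2.48", "0.0.0.7"))]

if __name__ == "__main__":
    for name, peer in (("good peer", GOOD_PEER), ("bad peer", BAD_PEER)):
        problems = mirror_mismatches(LOCAL, peer)
        print(f"{name}: " + ("mirrored OK" if not problems else "; ".join(problems)))
```

Feed it the `access-list` lines referenced by `crypto map ... match address` on one side and the other side's encryption-domain definitions; the `nat (inside) 0 access-list` entry should match the crypto ACL on the PIX as well, which the posted config already does. Anything the script reports as unmirrored is worth resolving before looking at routing.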