Networks are growing so fast that once they reach a certain scale, management becomes the network administrator's biggest headache. Security in particular matters! Running a private network over the public network, what we call a virtual private network (VPN), has become an important way for enterprises to carry internal network resources across the public Internet.
    VPN stands for Virtual Private Network. A VPN uses IP mechanisms to build a point-to-point logical leased line over the Internet. Keep in mind that leasing a 2M dedicated line from Beijing to Shanghai can cost several thousand yuan a month. With VPN technology you can instead order a 2M ADSL line in Beijing and another in Shanghai and use VPN hardware to build a "leased line" that is more secure than the real thing. Let's not dwell on theory; too much of it is hard to follow, and working through a real case helps everyone understand VPN technology much better.
    The following example will give you a concrete picture of what a VPN is.
〖Network Requirements〗
    An insurance company in Beijing wants a site-to-site VPN to its Suizhou branch, and both Beijing and Suizhou also need remote-access VPN. That way, staff at the Suizhou branch can reach the Beijing head office's internal resources (FTP, web and other servers) just like head-office staff; and employees of either office who are travelling can dial into the internal networks of the Beijing head office and the Suizhou branch through remote-access VPN.
〖Network Environment〗
     The Beijing head office leases a 10M China Telecom broadband line and the Suizhou branch a 3M line. Each site has a Cisco PIX 515E-UR-BUN; the only difference is that the Beijing PIX runs version 7.2 and the Suizhou PIX runs 6.3. (The configuration differs slightly between versions, so be careful.)
     The Beijing head office has 5 internal subnets: 20.0.0.0/30, 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24, 10.0.40.0/24, 10.0.50.0/24
     The Suizhou branch has 4 internal subnets: 30.0.0.0/30, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24
〖Network Topology〗
〖Configuration Steps〗
1. Get the two PIXes talking to each other: configure IP addresses, default routes, return routes for the internal subnets, and the security policies.
2. Configure the core switch: create the VLANs, configure trunks on the ports facing the access switches, and enable IP routing and a default route.
3. Configure the access switches: configure a trunk on each switch's uplink port to the 4503, and create the VLANs on the corresponding switches.
〖Configuration Document〗
: Saved
:
PIX Version 7.2(1)
!
hostname BEIJING
domain-name default.domain.invalid
enable password E9d0cLEhxqyfOX7O encrypted
names
dns-guard
!
interface Ethernet0
speed 100
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
speed 100
nameif inside
security-level 100
ip address 20.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list tunnellist standard permit 10.0.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list web extended permit ip any any
access-list vpnl2l_list extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list vpnl2l_list extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
pager lines 24
logging enable
logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.60.1 10.0.60.50 mask 255.255.255.0
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 1.1.1.2
nat (inside) 0 access-list nonat
nat (inside) 1 access-list web
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
route inside 10.0.0.0 255.255.0.0 20.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tunnellist
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
username xiaomifeng password xiaomifeng
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set l2lvpnset esp-des esp-sha-hmac
crypto ipsec transform-set remotevpnset esp-3des esp-md5-hmac
crypto dynamic-map remotevpnmap 100 set transform-set remotevpnset
crypto map l2lvpnmap 200 match address vpnl2l_list
crypto map l2lvpnmap 200 set peer 2.1.1.1
crypto map l2lvpnmap 200 set transform-set l2lvpnset
crypto map l2lvpnmap 100 ipsec-isakmp dynamic remotevpnmap
crypto map l2lvpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 200
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65534
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
tunnel-group remotevpn ipsec-attributes
pre-shared-key *
tunnel-group 2.1.1.1 type ipsec-l2l
tunnel-group 2.1.1.1 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:6d15859d37ab62e0fb77ced3401c375e
: end
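The ISAKMP policies and transform-sets above use single DES, 3DES, MD5 and DH group 2, and the local username line shows its password without the "encrypted" keyword. The following audit script, added here as an example and not part of the original post, parses a constructed excerpt of those lines (PIX_CONFIG) and flags each legacy setting; the LEGACY set encodes current IKE/IPsec guidance and is the author's assumption, not something the PIX reports.

```python
import re

# Constructed excerpt of the Beijing PIX crypto lines above (added example, not from the post).
PIX_CONFIG = """\
crypto ipsec transform-set l2lvpnset esp-des esp-sha-hmac
crypto ipsec transform-set remotevpnset esp-3des esp-md5-hmac
crypto isakmp policy 200
 encryption des
 hash md5
 group 2
crypto isakmp policy 100
 encryption 3des
 hash md5
 group 2
username xiaomifeng password xiaomifeng
"""

# Algorithms current IKE/IPsec guidance treats as weak or legacy; the bare
# digits are Diffie-Hellman group numbers (group 1 and group 2).
LEGACY = {"des", "3des", "md5", "sha", "1", "2"}


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line closes the block
    return policies


def audit(config):
    """Return findings for legacy algorithms and cleartext local passwords."""
    findings = []
    for prio, attrs in parse_isakmp_policies(config).items():
        for key in ("encryption", "hash", "group"):
            if attrs.get(key) in LEGACY:
                findings.append(f"isakmp policy {prio}: {key} {attrs[key]} is legacy")
    for name, enc, auth in re.findall(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", config):
        for alg in (enc, auth):
            if alg.replace("esp-", "").replace("-hmac", "") in LEGACY:
                findings.append(f"transform-set {name}: {alg} is legacy")
    # PIX 7.x stores local passwords with a trailing 'encrypted'; a bare line is cleartext.
    for user in re.findall(r"^username (\S+) password \S+$", config, re.M):
        findings.append(f"username {user}: password stored in cleartext")
    return findings
```

Running audit(PIX_CONFIG) on the excerpt returns eleven findings; feeding it a policy with aes-256, sha256 and group 14 returns none.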
〖Case Review〗
   In this project we chose an IPsec VPN for the customer.
VPNs are generally used in two ways: site-to-site VPN and remote-access VPN. Make the right choice based on the customer's actual application first, and only then think about the configuration.
The configuration above is the Beijing head office's; no need to post the Suizhou branch's as well, right? ^_^
If anything is unclear, feel free to give me a call or add me on QQ: 327665298