Configuration example: how to configure a Cisco PIX for VPN access
PIX-Shanghai> en
Password: **********
PIX-Shanghai# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password S2MnpAQ0MxnL encrypted
passwd pAQ0MxOQLJnL encrypted
hostname PIX-Shanghai
domain-name ciscofan.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 218.242.194.97 www.ciscofan.com
object-group network LAN_Interne_ICE
  network-object 128.1.0.0 255.255.0.0
  network-object 10.101.0.0 255.255.0.0
  network-object 10.102.0.0 255.254.0.0
  network-object 10.104.0.0 255.248.0.0
  network-object 10.112.0.0 255.252.0.0
  network-object 10.116.0.0 255.254.0.0
  network-object 192.168.10.0 255.255.254.0
  network-object 192.168.12.0 255.255.252.0
  network-object 192.168.16.0 255.255.240.0
  network-object 192.168.32.0 255.255.240.0
  network-object 192.168.48.0 255.255.254.0
  network-object 192.168.50.0 255.255.255.0
object-group network LAN_Remota
  network-object 10.200.62.0 255.255.255.0
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
access-list acl_nat0 permit ip object-group LAN_Remota object-group LAN_Interne_ICE
access-list cryptomap permit ip object-group LAN_Remota object-group LAN_Interne_ICE
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host outside 212.17.199.170
icmp permit host 212.17.199.170 outside
icmp permit host 212.17.199.198 outside
icmp permit host 217.56.45.123 outside
icmp permit host 217.56.45.122 outside
icmp permit host 80.23.50.226 outside
icmp permit host 212.17.199.167 outside
icmp permit host 217.17.199.198 outside
icmp permit host 80.20.218.100 outside
icmp permit host 80.20.218.108 outside
icmp permit host 211.152.x.x outside
mtu outside 1500
mtu inside 1500
ip address outside 211.152.x.x 255.255.255.240
ip address inside 10.200.62.1 255.255.255.0
ip audit name ids_attack attack action drop reset
ip audit interface outside ids_attack
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 211.152.x.x
nat (inside) 0 access-list acl_nat0
nat (inside) 1 10.200.62.0 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 211.152.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 193.204.114.232 source outside
http server enable
http 212.17.199.170 255.255.255.255 outside
http 212.17.199.198 255.255.255.255 outside
http 217.56.45.123 255.255.255.255 outside
http 217.56.45.122 255.255.255.255 outside
snmp-server host outside 212.17.199.170
snmp-server host outside 212.17.199.198
no snmp-server location
no snmp-server contact
snmp-server community ciscofanvpn
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address cryptomap
crypto map outside_map 20 set peer 213.215.136.251
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 120
ca identity ca1 www.ciscofan.com:/certsrv/mscep/mscep.dll
ca configure ca1 ra 1 20 crloptional
telnet timeout 5
ssh 212.17.199.170 255.255.255.255 outside
ssh 212.17.199.198 255.255.255.255 outside
ssh 217.56.45.123 255.255.255.255 outside
ssh 217.56.45.122 255.255.255.255 outside
ssh 80.23.50.226 255.255.255.255 outside
ssh 212.17.199.167 255.255.255.255 outside
ssh 80.20.218.100 255.255.255.255 outside
ssh 80.20.218.108 255.255.255.255 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:e99eb892f5c2b5d02540352ad9d72cce
: end
PIX-Shanghai#
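
An added example, not part of the original post: a small Python review pass over a PIX 6.x configuration that flags the settings in the listing above a reviewer would question today (single DES and MD5 in the IKE policy and transform set, an SNMP community string, and `permit ip any any` access lists once they are bound to an interface). The rule set and the function name `audit` are this example's own assumptions; SAMPLE is constructed from lines of the configuration above.

```python
import re

# Constructed sample: lines taken from the configuration shown above.
SAMPLE = """\
access-list acl_out permit ip any any
access-list acl_in permit ip any any
access-list cryptomap permit ip object-group LAN_Remota object-group LAN_Interne_ICE
access-group acl_out in interface outside
access-group acl_in in interface inside
snmp-server community ciscofanvpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Single-line checks (regex, finding). The rule set is this example's own.
LINE_RULES = [
    (r"isakmp policy \d+ encryption des$", "IKE policy uses single DES"),
    (r"isakmp policy \d+ hash md5$", "IKE policy uses MD5"),
    (r"crypto ipsec transform-set \S+ .*\besp-des\b", "transform set uses single DES"),
    (r"crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "transform set uses HMAC-MD5"),
    (r"snmp-server community \S+", "SNMP community string configured"),
]

def audit(config):
    """Return a sorted list of (line_number, finding) for a PIX 6.x config."""
    findings, open_acls = [], set()
    lines = [l.strip() for l in config.splitlines()]
    for no, line in enumerate(lines, 1):
        for pattern, finding in LINE_RULES:
            if re.match(pattern, line):
                findings.append((no, finding))
        m = re.match(r"access-list (\S+) permit ip any any$", line)
        if m:
            open_acls.add(m.group(1))
    # An any-any ACL matters once access-group binds it to an interface.
    for no, line in enumerate(lines, 1):
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m and m.group(1) in open_acls:
            findings.append((no, f"{m.group(1)} permits ip any any inbound on {m.group(2)}"))
    return sorted(findings)

if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(f"line {no}: {finding}")
```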