Switches : Dispositivos de segurança Cisco PIX 500 Series

O PIX/ASA 7.x aumentou o exemplo spoke-to-spoke da configuração de VPN

14 Outubro 2016 - Tradução por Computador
Outras Versões: Versão em PDFpdf | Tradução Manual (8 Junho 2009) | Inglês (22 Agosto 2015) | Feedback


Índice


Introdução

Este documento descreve como configurar sessões de LAN a LAN entre PIX Firewalls. Ele demonstra uma configuração para túneis de LAN a LAN estáticos e dinâmicos com conectividade spoke-to-spoke através do PIX Firewall de hub. A versão de PIX 7.0 melhora o suporte a comunicações VPN spoke-to-spoke enquanto fornece a capacidade para que o tráfego criptografado entre e saia da mesma interface.

O comando same-security-traffic permite que tráfego entre e saia da mesma interface ao usá-lo com a palavra-chave intra-interface que habilita o suporte à VPN ponto a ponto. Consulte a seção "Permitindo Tráfego Intra-Interface" no Guia de Configuração de Linha de Comandos do Cisco Security Appliance para obter mais informações.

Este documento fornece uma configuração de exemplo demonstrando como permitir que o PIX (PIX1) Security Appliance do hub aceite conexões IPsec dinâmicas do PIX2 e estabeleça conexão IPsec estática com o PIX3. O PIX1 ou o PIX3 não estabelecerão conexão IPSec com o PIX2 até que o PIX2 inicie a conexão com o PIX1.

Nota: Na versão de PIX 7.2 e mais atrasado, a palavra-chave da intra-relação permite que todo o tráfego incorpore e retire a mesma relação, e não apenas o tráfego de IPSec.

Pré-requisitos

Requisitos

O Firewall do PIX de hub precisa de executar a versão de código 7.0 ou mais atrasado.

Nota: Refira o guia para Cisco os usuários PIX 6.2 e 6.3 que promovem a Cisco a versão de software de PIX 7.0 para obter mais informações sobre de como promover ao PIX Firewall a versão 7.0.

Componentes Utilizados

As informações neste documento são baseadas nestas versões de software e hardware:

  • PIX - 515 versão 7.0.1 e posterior (PIX1)

    Nota: A configuração do PIX de hub (PIX1) pode igualmente ser usada com a ferramenta de segurança do 5500 Series de Cisco ASA.

  • Versão 6.3.4 do PIX 501 (PIX2)

  • Versão 6.3.4 do PIX-515 (PIX3)

As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. Todos os dispositivos utilizados neste documento foram iniciados com uma configuração (padrão) inicial. Se a sua rede estiver ativa, certifique-se de que entende o impacto potencial de qualquer comando.

Convenções

Consulte as Convenções de Dicas Técnicas da Cisco para obter mais informações sobre convenções de documentos.

Configurar

Esta seção apresenta-o com a informação que você pode se usar a fim configurar as características este documento descreve.

Nota: Use a Command Lookup Tool (somente clientes registrados) para obter mais informações sobre os comandos usados nesta seção.

Nota: Para uma configuração de VPN do LAN para LAN da ferramenta de segurança 7.x PIX (L2L), você deve especificar o <name> do grupo de túneis como endereço IP do peer do theRemote no tipo comando do <name> do grupo de túneis ipsec-l2l para criar e controlar o base de dados de registros conexão-específicos para o IPsec.

Diagrama de Rede

Este documento utiliza a seguinte configuração de rede:

/image/gif/paws/64692/enhance-vpn-pix70-1.gif

Nota: Os esquemas de endereçamento IP usados nesta configuração não são legalmente roteáveis na Internet. São os endereços da RFC1918 que foram usados em um ambiente de laboratório.leavingcisco.com

Configurações

Este documento utiliza as seguintes configurações:

PIX1
PIX Version 7.0(1) 
no names
!
interface Ethernet0
nameif outside
security-level 0
ip address 172.18.124.170 255.255.255.0 
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 
!

!--- Output Suppressed

enable password 9jNfZuG3TC5tCVH0 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname PIX1
domain-name cisco.com
boot system flash:/image.bin
ftp mode passive

!--- Use this command in order to permit traffic to enter and exit the 
!--- same interface for IPsec traffic.

same-security-traffic permit intra-interface

!--- Access-list for interesting traffic to be 
!--- encrypted between hub and spoke (PIX3) networks.

access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0 

!--- Access-list for interesting traffic to be 
!--- encrypted between spoke (PIX2) and spoke (PIX3) networks.

access-list 100 extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0 

!--- Access-list for traffic to bypass the network address translation (NAT) process.
 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0 
access-list nonat extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0


!--- Output Suppressed


nat-control
global (outside) 1 interface

!--- Bypass the NAT process for IPsec traffic.

nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0

!--- The default gateway to the Internet.

route outside 0.0.0.0 0.0.0.0 172.18.124.1 1


!--- Output Suppressed



!--- Configuration of IPsec Phase 2.

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!--- IPsec configuration for the dynamic LAN-to-LAN tunnel.

crypto dynamic-map cisco 20 set transform-set myset

!--- IPsec configuration that binds dynamic map to crypto map.

crypto map mymap 20 ipsec-isakmp dynamic cisco


!--- IPsec configuration for the static LAN-to-LAN tunnel.

crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10 
crypto map mymap 10 set transform-set myset


!--- Crypto map applied to the outside interface of the PIX.

crypto map mymap interface outside
isakmp identity address 

!--- Configuration of IPsec Phase 1.

isakmp enable outside

!--- Configuration of ISAKMP policy.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0

!--- Configuration of the tunnel-group policy for remote 
!--- access tunnels (dynamic tunnels).

tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes

!--- Disables group authentication for dynamic remote-access tunnels.

authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes

!--- Defines the pre-shared secret used for 
!--- IKE authentication for the dynamic tunnel.

pre-shared-key *

!--- Configuration of the tunnel-group for the static LAN-to-LAN tunnel.
!--- The name of the tunnel-group MUST be the IP address of the remote peer.
!--- The tunnel fails if the tunnel-group has any other name.

tunnel-group 172.16.77.10 type ipsec-l2l
tunnel-group 172.16.77.10 ipsec-attributes

!--- Defines the pre-shared secret used for 
!--- IKE authentication for the static tunnel.

pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect http 
inspect netbios 
inspect rsh 
inspect rtsp 
inspect skinny 
inspect esmtp 
inspect sqlnet 
inspect sunrpc 
inspect tftp 
inspect sip 
inspect xdmcp 
!
service-policy global_policy global
Cryptochecksum:7167c0647778b77f8d1d2400d943b825

Nota: Você precisa de configurar o comando sysopt connection permit-ipsec a fim permitir todas as sessões de cifra autenticadas IPSec de entrada. No PIX 7.0, a versão do código de comandos sysopt não é exibida na configuração de execução. Para verificar se sysopt connection permit-ipsec está habilitado, execute o comando show running-config sysopt.

PIX2
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX2
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Access-list to encrypt traffic between PIX2 and PIX1 networks.

access-list 100 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 

!--- Access-list to encrypt traffic between PIX2 and PIX3 networks.

access-list 100 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0 

!--- Access-list to bypass the NAT process.

access-list nonat permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.172 255.255.255.0
ip address inside 10.20.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface

!--- Bypass the NAT process for IPsec traffic.

nat (inside) 0 access-list nonat
nat (inside) 1 10.20.20.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1



!--- Output Suppressed


!--- Permit all inbound IPsec authenticated cipher sessions.

sysopt connection permit-ipsec

!--- Defines IPsec encryption and authentication alogrithms.

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!--- Defines crypto map.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset

!--- Apply crypto map on the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Defines the pre-shared secret used for IKE authentication.

isakmp key ******** address 172.18.124.170 netmask 255.255.255.255 no-xauth 
isakmp identity address

!--- The ISAKMP policy configuration.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fb2e89ab9da0ae93d69e345a4675ff38

PIX3
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX3
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Access-list to encrypt traffic between PIX3 and PIX1 networks.

access-list 100 permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0

!--- Access-list to encrypt traffic between PIX3 and PIX2 networks.

access-list 100 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0 

!--- Access-list to bypass the NAT process.

access-list nonat permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.77.10 255.255.-255.0
ip address inside 10.30.30.1 255.255.255.0


!--- Output Suppressed

global (outside) 1 interface


!--- Binds ACL nonat to the NAT statement in order to 
!--- avoid NAT on the IPsec packets.

nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.77.1 1



!--- Output Suppressed


!--- Permits all inbound IPsec authenticated cipher sessions.

sysopt connection permit-ipsec

!--- Defines IPsec encryption and authentication algorithms.

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!--- Defines crypto map.
 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset

!--- Applies crypto map on the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Defines the pre-shared secret key used for IKE authentication.

isakmp key ******** address 172.18.124.170 netmask 255.255.255.0 no-xauth 
isakmp identity address

!--- Defines the ISAKMP policy. 

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cb5c245112db607e3a9a85328d1295db

Hairpinning ou Inversão de Sentido

Esta característica é útil para o tráfego VPN que incorpora uma relação mas é então roteado fora dessa mesma relação. Por exemplo, se você tem uma rede VPN do hub and spoke, onde a ferramenta de segurança seja o cubo e as redes VPN remotas sejam spokes, para que um spoke se comunique com um outro spoke, o tráfego deve sair na ferramenta de segurança e então outra vez ao outro spoke.

Use o comando same-security-traffic para permitir que o tráfego entre e saia da mesma interface.

securityappliance(config)#same-security-traffic permit intra-interface

Verificar

Esta seção fornece informações que você pode usar para confirmar se a sua configuração funciona corretamente.

A Output Interpreter Tool (apenas para clientes registrados) (OIT) suporta determinados comandos show. Use a OIT para exibir uma análise da saída do comando show.

Para testar a comunicação entre duas redes privadas, PIX3 e PIX1, inicie um ping a partir de uma das redes privadas.

Nesta configuração:

  • Para o LAN para LAN estático, o sibilo é enviado atrás da rede PIX3 (10.30.30.x) à rede PIX1 (10.10.10.x).

  • Para o túnel de LAN para LAN dinâmico, um sibilo é enviado da rede PIX2 (10.20.20.x) à rede PIX1 (10.10.10.x).

  • show crypto isakmp sa — Exibe todas as associações de segurança atuais (SAs) de IKE em um peer.

  • show crypto ipsec sa — Exibe todas as SAs atuais.

Esta seção mostra configurações de verificação do exemplo para:

PIX1
show crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

!--- Static LAN-to-LAN tunnel establishment.

1 IKE Peer: 172.16.77.10
Type: L2L Role : responder 
Rekey : no State: MM_ACTIVE 

!--- Dynamic LAN-to-LAN tunnel establishment.

2 IKE Peer: 172.18.124.172
Type: user Role: responder 
Rekey : no State: MM_ACTIVE 




PIX1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: cisco, local addr: 172.18.124.170

!--- IPsec SA for networks between PIX2 and PIX1.

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.18.124.172
dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.18.124.172

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 2C4400C7

inbound esp sas:
spi: 0x6D29993F (1831442751)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28413
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x2C4400C7 (742654151)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28411
IV size: 8 bytes
replay detection support: Y
 

!--- IPsec SA for networks between PIX2 and PIX3.

Crypto map tag: cisco, local addr: 172.18.124.170

local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.18.124.172
dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.18.124.172

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 9D40B1DC

inbound esp sas:
spi: 0xEE6F6479 (4000277625)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28777
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x9D40B1DC (2638262748)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28777
IV size: 8 bytes
replay detection support: Y

Crypto map tag: mymap, local addr: 172.18.124.170

!--- IPsec SA for networks between PIX3 and PIX1.

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer: 172.16.77.10

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.16.77.10

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: BE57D878

inbound esp sas:
spi: 0xAF25D7DB (2938492891)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/27145)
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0xBE57D878 (3193428088)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/27144)
IV size: 8 bytes
replay detection support: Y

Crypto map tag: cisco, local addr: 172.18.124.170

!--- IPsec SA for networks between PIX2 and PIX3.

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer: 172.16.77.10

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.16.77.10

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 963766A1

inbound esp sas:
spi: 0x1CD1B5B7 (483505591)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4274999/28780)
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x963766A1 (2520213153)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4274999/28780)
IV size: 8 bytes
replay detection support: Y

PIX2
PIX2(config)#show crypto isakmp sa
Total : 1
Embryonic : 0
dst              src          state     pending created
172.18.124.170 172.18.124.172 QM_IDLE     0        2




PIX2(config)#show crypto ipsec sa


interface: outside
Crypto map tag: mymap, local addr. 172.18.124.172

!--- IPsec SA created between networks for PIX2 and PIX3.

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.18.124.172, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 38cf2399

inbound esp sas:
spi: 0xb37404c2(3010725058)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28765)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x38cf2399(953099161)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28765)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:



!--- IPsec SA created between networks PIX1 and PIX2.

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.18.124.172, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: fffd0c20

inbound esp sas:
spi: 0x1a2a994b(438999371)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28717)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xfffd0c20(4294773792)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28717)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

PIX3
PIX3(config)#show crypto isakmp sa
Total : 1
Embryonic : 0
dst                src       state        pending     created
172.18.124.170 172.16.77.10  QM_IDLE         0             2




PIX3(config)#show crypto ipsec sa


interface: outside
Crypto map tag: mymap, local addr. 172.16.77.10

!--- IPsec SA created between networks PIX3 and PIX2.

local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.16.77.10, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 8282748

inbound esp sas:
spi: 0x28c9b70a(684308234)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/28775)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x8282748(136849224)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28775)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:



!--- IPsec SA created between networks PIX3 and PIX1.

local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.16.77.10, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f415cec9

inbound esp sas:
spi: 0x12c5caf1(314952433)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28763)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xf415cec9(4095069897)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28763)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

Troubleshooting

Esta seção fornece a informação que você pode se usar a fim pesquisar defeitos sua configuração.

Comandos para Troubleshooting

A Output Interpreter Tool (somente clientes registrados) oferece suporte a determinados comandos show, o que permite exibir uma análise da saída do comando show.

Nota: Consulte Informações Importantes sobre Comandos de Debugação antes de usar comandos debug.

Execute comandos pix no modo de configuração:

  • clear crypto isakmp sa — Limpa as SAs de Fase 1

  • clear crypto ipsec sa — Limpa as SAs de Fase 2

Os comandos debug para túneis de VPN:

  • debug crypto isakmp sa — Depura negociações de SA ISAKMP

  • debug crypto ipsec sa — Depura negociações de SA IPSec.


Informações Relacionadas


Document ID: 64692