IP : Dispositivos de segurança Cisco PIX 500 Series

VPN entre produtos Sonicwall e exemplo da configuração de ferramenta do Cisco Security

14 Outubro 2016 - Tradução por Computador
Outras Versões: Versão em PDFpdf | Inglês (22 Agosto 2015) | Feedback


Índice


Introdução

Este documento demonstra como configurar um túnel de IPsec com chaves pré-compartilhada para comunicar-se entre duas redes privadas utilizando os modos principal e agressivo. Neste exemplo, as redes de comunicação são a rede privada 192.168.1.x dentro do dispositivo do Cisco Security (PIX/ASA) e a rede privada 172.22.1.x dentro do Firewall de SonicwallTM TZ170.

Pré-requisitos

Requisitos

Certifique-se de atender a estes requisitos antes de tentar esta configuração:

  • Trafique do interior do dispositivo do Cisco Security e o interior Sonicwall TZ170 deve fluir ao Internet (representado aqui pelas redes 10.x.x.x) antes que você comece esta configuração.

  • Os usuários devem ser familiares com a negociação de IPSec. Este processo pode ser dividido em cinco etapas que incluem duas fases de intercâmbio de chave de Internet (IKE).

    1. Um túnel de IPsec é iniciado pelo tráfego interessante. O tráfego está considerado interessante quando viaja entre os ipsec peer.

    2. Na fase 1 IKE, os ipsec peer negociam a política estabelecida da associação de segurança IKE (SA). Quando os correspondentes forem autenticados, um túnel seguro é criado, com uso da associação de segurança da Internet e protocolo de gerenciamento chave (ISAKMP).

    3. Na fase 2 IKE, os ipsec peer usam o túnel seguro e autenticado para negociar IPsec SA transformam. A negociação da política compartilhada determina como o túnel de IPsec é estabelecido.

    4. O túnel de IPsec é criado e os dados são transferidos entre os ipsec peer baseados nos parâmetros IPSec configurados no IPsec transformam grupos.

    5. O túnel de IPsec termina quando o sas de IPSec é suprimido ou quando sua vida expira.

Componentes Utilizados

As informações neste documento são baseadas nestas versões de software e hardware:

  • Versão 6.3(5) de Cisco PIX 515E

  • Versão 7.0(2) do PIX 515 Cisco

  • Sonicwall TZ170, padrão 2.2.0.1 de SonicOS

As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. Todos os dispositivos utilizados neste documento foram iniciados com uma configuração (padrão) inicial. Se a sua rede estiver ativa, certifique-se de que entende o impacto potencial de qualquer comando.

Produtos Relacionados

Esta configuração também pode ser utilizada com estas versões de hardware e software:

  • A configuração PIX 6.3(5) pode ser usada com todo Produtos restante do Cisco PIX Firewall que executa essa versão de software (PIX 501, 506, e assim por diante)

  • A configuração PIX/ASA 7.0(2) pode somente ser usada nos dispositivos que executam o trem PIX 7.0 do software (exclui os 501, 506, e possivelmente algum 515s mais velho) assim como do Cisco 5500 Series ASA.

Convenções

Consulte as Convenções de Dicas Técnicas da Cisco para obter mais informações sobre convenções de documentos.

Configurar

Nesta seção, você encontrará informações para configurar os recursos descritos neste documento.

Nota: Use a Command Lookup Tool (somente clientes registrados) para obter mais informações sobre os comandos usados nesta seção.

Nota: No modo assertivo do IPsec, é necessário que Sonicwall inicie o túnel de IPsec ao PIX. Você pode ver que isto quando você analisa debuga para esta configuração. Isto é inerente na maneira que o modo assertivo do IPsec se opera.

Diagrama de Rede

Este documento utiliza a seguinte configuração de rede:

/image/gif/paws/66171/vpn-sonicwall-pixfw-1.gif

Configuração Sonicwall

A configuração de Sonicwall TZ170 é executada através de uma relação baseada Web.

Conclua estes passos:

  1. Conecte ao endereço IP de Um ou Mais Servidores Cisco ICM NT do roteador em uma das interfaces internas usando um navegador da Web padrão.

    Isto traz acima o indicador do início de uma sessão.

    vpn-sonicwall-pixfw-2.gif

  2. Entre ao dispositivo de Sonicwall e selecione VPN > ajustes.

    vpn-sonicwall-pixfw-3.gif

  3. Incorpore o endereço IP de Um ou Mais Servidores Cisco ICM NT do par VPN e do segredo compartilhado anteriormente que serão usados. O clique adiciona sob redes de destino.

    /image/gif/paws/66171/vpn-sonicwall-pixfw-4.gif

  4. Entre na rede de destino.

    vpn-sonicwall-pixfw-5.gif

    A janela de Settings é exibida.

    vpn-sonicwall-pixfw-6.gif

  5. Clique a aba das propostas na parte superior da janela de configuração.

  6. Selecione a troca que você planeia usar para esta configuração (modo principal ou modo assertivo) junto com o resto de seus ajustes da fase 1 e da fase 2.

    Este exemplo de configuração usa a criptografia do AES-256 por ambas as fases com o algoritmo de hash SHA1 para a autenticação e o grupo Diffie-Hellman 2 de 1024 bit para a política de IKE.

    vpn-sonicwall-pixfw-7.gif

  7. Clique na guia Advanced.

    Há as opções adicionais que você pôde desejar configurar dentro desta aba. Estes são os ajustes usados para esta configuração de exemplo.

    /image/gif/paws/66171/vpn-sonicwall-pixfw-8.gif

  8. Clique em OK.

    Uma vez que você termina esta configuração e a configuração no PIX remoto, a janela de configuração deve ser similar a esta janela de configuração do exemplo.

    vpn-sonicwall-pixfw-9.gif

Configuração do modo principal do IPsec

Esta seção utiliza as seguintes configurações:

Versão 6.3(5) de Cisco PIX 515e
pix515e-635#show running-config
: Saved
:
PIX Version 6.3(5)

!--- Sets the hardware speed to auto on both interfaces.

interface ethernet0 auto
interface ethernet1 auto


!--- Specifies the inside and outside interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e-635
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500


!--- Sets the inside and outside IP addresses and subnet masks.

ip address outside 10.20.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec


!--- PHASE 2 CONFIGURATION:
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Specifies IKE is used to establish the IPsec SAs for the map "maptosw".

crypto map maptosw 67 ipsec-isakmp


!--- Specifies the ACL "pixtosw" to use with this map
. 
crypto map maptosw 67 match address pixtosw


!--- Specifies the IPsec peer for this map.

crypto map maptosw 67 set peer 10.10.10.1


!--- Specifies the transform set to use.

crypto map maptosw 67 set transform-set austinlab


!--- Specifies the interface to use with this map.

crypto map maptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- Specifies the preshared key and the addresses to use with that key.
!--- In this case only one address is used with the preshared key cisco123.

isakmp key ******** address 10.10.10.1 netmask 255.255.255.255


!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- These five commands specify the Phase 1 configuration settings 
!--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f
: end
pix515e-635#

Versão 7.0(2) do PIX 515 Cisco
pix515-702#show running-config
: Saved
:
PIX Version 7.0(2)
names
!


!--- PIX 7 uses an interface configuration mode similar to Cisco IOS�.
!--- This output configures the IP address, interface name, 
!--- and security level for interfaces Ethernet0 and Ethernet1.

interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet4
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet5
  shutdown
  no nameif
  no security-level
  no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515-702
domain-name cisco.com
ftp mode passive


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec



!--- PHASE 2 CONFIGURATION
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Specifies the ACL pixtosw to use with this map.

crypto map maptosw 67 match address pixtosw


!--- Specifies the IPsec peer for this map.

crypto map maptosw 67 set peer 10.10.10.1


!--- Specifies the transform set to use.

crypto map maptosw 67 set transform-set austinlab


!--- Specifies the interface to use with this map
.
crypto map maptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- These five commands specify the Phase 1 configuration 
!--- settings specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0


!--- These three lines set the IPsec attributes for the tunnel to the
!--- remote peer. This is where the preshared key is defined for Phase 1 and the
!--- IPsec tunnel type is set to site-to-site.

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *

Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a
: end
pix515-702#

Configuração do modo assertivo do IPsec

Esta seção utiliza as seguintes configurações:

Versão 6.3(5) de Cisco PIX 515e
pix515e-635#show running-config
: Saved
:
PIX Version 6.3(5)

!--- Sets the hardware speed to auto on both interfaces.

interface ethernet0 auto
interface ethernet1 auto


!--- Specifies the inside and outside interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100         

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515e-635
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500


!--- Sets the inside and outside IP addresses and subnet masks.

ip address outside 10.20.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec



!--- PHASE 2 CONFIGURATION
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Creates the dynamic map ciscopix for the transform set.

crypto dynamic-map ciscopix 1 set transform-set austinlab


!--- Specifies the IKE that should be used to establish SAs 
!--- for the dynamic map.

crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix


!--- Applies the settings above to the outside interface.

crypto map dynmaptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Specifies the interface to use for the IPsec tunnel
.
isakmp enable outside


!--- Specifies the preshared key and the addresses to use with that key.
!--- In this case only one address is used as the preshared key "cisco123".

isakmp key ******** address 10.10.10.1 netmask 255.255.255.255


!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- These five commands specify the Phase 1 configuration settings 
!--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07a3815d59db9965b72c7d8a7aaf7f5f
: end
pix515e-635#

Versão 7.0(2) do PIX 515 Cisco
pix515-702#show running-config
: Saved
:
PIX Version 7.0(2)
names
!


!--- PIX 7 uses an interface configuration mode similar to Cisco IOS.
!--- This output configures the IP address, interface name, and security level for
!--- interfaces Ethernet0 and Ethernet1.

interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet4
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Ethernet5
  shutdown
  no nameif
  no security-level
  no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515-702
domain-name cisco.com
ftp mode passive


!--- Specifies the traffic that can pass through the IPsec tunnel.

access-list pixtosw extended permit ip 192.168.1.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400


!--- Instructs PIX to perform PAT on the IP address on the outside interface.

global (outside) 1 interface


!--- Specifies addresses to be exempt from NAT (traffic to be tunneled).

nat (inside) 0 access-list pixtosw


!--- Specifies which addresses should use NAT (all except those exempted).

nat (inside) 1 0.0.0.0 0.0.0.0


!--- Specifies the default route on the outside interface.

route outside 0.0.0.0 0.0.0.0 10.20.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp


!--- Implicit permit for all packets that come from IPsec tunnels.

sysopt connection permit-ipsec



!--- PHASE 2 CONFIGURATION
!--- Defines the transform set for Phase 2 encryption and authentication.
!--- Austinlab is the name of the transform set that uses aes-256 encryption
!--- as well as the SHA1 hash algorithm for authentication.

crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac


!--- Creates the dynamic map "ciscopix" for the defined transform set.

crypto dynamic-map ciscopix 1 set transform-set austinlab


!--- Specifies that IKE should be used to establish SAs 
!--- for the defined dynamic map.

crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix


!--- Applies the settings to the outside interface.

crypto map dynmaptosw interface outside



!--- PHASE 1 CONFIGURATION

!--- Defines how the PIX identifies itself in 
!--- IKE negotiations (IP address in this case).

isakmp identity address


!--- Specifies the interface to use for the IPsec tunnel.

isakmp enable outside


!--- These five commands specify the Phase 1 configuration settings 
!--- specific to this sample configuration.

isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800

telnet timeout 5
ssh timeout 5
console timeout 0


!--- These three lines set the IPsec attributes for the tunnel to the
!--- remote peer. This is where the preshared key is defined for Phase 1 and the
!--- IPsec tunnel type is set to site-to-site.

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key *

Cryptochecksum:092b6fc5370e2ef0cf07c2bc10f1d44a
: end
pix515-702#

Verificar

Use esta seção para confirmar se a sua configuração funciona corretamente.

A Output Interpreter Tool (apenas para clientes registrados) (OIT) suporta determinados comandos show. Use a OIT para exibir uma análise da saída do comando show.

  • show crypto isakmp sa – Exibe todas as SAs de IKE atuais em um correspondente.

  • mostre IPsec cripto sa — Indica os ajustes usados por SA atuais.

Estas tabelas mostram que as saídas de algum debugam para o cano principal e o modo assertivo em PIX 6.3(5) e em PIX 7.0(2) depois que o túnel é estabelecido inteiramente.

Nota: Esta deve ser bastante informação para obter um túnel de IPsec estabelecido entre estes dois tipos de hardware. Se você tem qualquer comentários, use o formulário de feedback no lado esquerdo deste documento.

Versão 6.3(5) de Cisco PIX 515e - Modo principal
pix515e-635#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.10.10.1       10.20.20.1    QM_IDLE         0           1
pix515e-635#



pix515e-635#show crypto ipsec sa


           interface: outside
           Crypto map tag: maptosw, local addr. 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1:500
           PERMIT, flags={origin_is_acl,}
           #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
           #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
           #send errors 1, #recv errors 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
           path mtu 1500, ipsec overhead 72, media mtu 1500
           current outbound spi: ed0afa33

 inbound esp sas:
           spi: 0xac624692(2892121746)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 1, crypto map: maptosw
           sa timing: remaining key lifetime (k/sec): (4607999/28718)
           IV size: 16 bytes
           replay detection support: Y


           inbound ah sas:


           inbound pcp sas:


           outbound esp sas:
           spi: 0xed0afa33(3976919603)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 2, crypto map: maptosw
           sa timing: remaining key lifetime (k/sec): (4607999/28718)
           IV size: 16 bytes
           replay detection support: Y


           outbound ah sas:


           outbound pcp sas:

pix515e-635#

Modo principal da versão 7.0(2)- do PIX 515 Cisco
pix515-702#show crypto isakmp sa

 Active SA: 1
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
           Total IKE SA: 1

1 IKE Peer: 10.10.10.1
           Type : L2L Role : initiator
           Rekey : no State : MM_ACTIVE
           pix515-702#

pix515-702#show crypto ipsec sa
interface: outside
    Crypto map tag: maptosw, local addr: 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1

 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
           #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
           #send errors: 0, #recv errors: 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1

 path mtu 1500, ipsec overhead 76, media mtu 1500
           current outbound spi: 2D006547

 inbound esp sas:
           spi: 0x309F7A33 (815757875)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: maptosw
           sa timing: remaining key lifetime (kB/sec): (4274999/28739)
           IV size: 16 bytes
           replay detection support: Y
           outbound esp sas:
           spi: 0x2D006547 (755000647)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: maptosw
           sa timing: remaining key lifetime (kB/sec): (4274999/28737)
           IV size: 16 bytes
           replay detection support: Y

pix515-702#

Versão 6.3(5) de Cisco PIX 515e - Modo assertivo
pix515e-635#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.20.20.1       10.10.10.1    QM_IDLE         0           1

pix515e-635#show crypto ipsec sa


           interface: outside
           Crypto map tag: dynmaptosw, local addr. 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1:500
           PERMIT, flags={}
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
           #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
           #send errors 0, #recv errors 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1
           path mtu 1500, ipsec overhead 72, media mtu 1500
           current outbound spi: efb1149d

 inbound esp sas:
           spi: 0x2ad2c13c(718455100)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 2, crypto map: dynmaptosw
           sa timing: remaining key lifetime (k/sec): (4608000/28736)
           IV size: 16 bytes
           replay detection support: Y


           inbound ah sas:


           inbound pcp sas:


           outbound esp sas:
           spi: 0xefb1149d(4021359773)
           transform: esp-aes-256 esp-sha-hmac ,
           in use settings ={Tunnel, }
           slot: 0, conn id: 1, crypto map: dynmaptosw
           sa timing: remaining key lifetime (k/sec): (4608000/28727)
           IV size: 16 bytes
           replay detection support: Y


           outbound ah sas:


           outbound pcp sas:

pix515e-635#

Versão 7.0(2) do PIX 515 Cisco - Modo assertivo
pix515-702#show crypto isakmp sa

 Active SA: 1
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
           Total IKE SA: 1

1 IKE Peer: 10.10.10.1
           Type : L2L Role : responder
           Rekey : no State : AM_ACTIVE
           pix515-702#

pix515-702#show crypto ipsec sa
           interface: outside
           Crypto map tag: ciscopix, local addr: 10.20.20.1

 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
           current_peer: 10.10.10.1

 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
           #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
           #send errors: 0, #recv errors: 0

 local crypto endpt.: 10.20.20.1, remote crypto endpt.: 10.10.10.1

 path mtu 1500, ipsec overhead 76, media mtu 1500
           current outbound spi: D7E2F5FD

 inbound esp sas:
           spi: 0xDCBF6AD3 (3703532243)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: ciscopix
           sa timing: remaining key lifetime (sec): 28703
           IV size: 16 bytes
           replay detection support: Y
           outbound esp sas:
           spi: 0xD7E2F5FD (3621975549)
           transform: esp-aes-256 esp-sha-hmac
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1, crypto-map: ciscopix
           sa timing: remaining key lifetime (sec): 28701
           IV size: 16 bytes
           replay detection support: Y

pix515-702#         

Troubleshooting

Atualmente, não existem informações disponíveis específicas sobre Troubleshooting para esta configuração.


Informações Relacionadas


Document ID: 66171