安全 : Cisco PIX 500 系列安全设备

PIX/ASA 7.x 增强分支到分支 VPN 配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2014 年 9 月 30 日) | 反馈


目录


简介

本文档说明如何配置 PIX 防火墙之间的 LAN 到 LAN 会话。其中展示了如何使用通过集线器 PIX 防火墙的分支到分支的连接来配置静态和动态的 LAN 到 LAN 隧道。PIX 版本 7.0 改进了对分支到分支 VPN 通信的支持,因为它允许加密数据流进入和离开同一接口。

same-security-traffic 命令与启用分支到分支 VPN 支持的 intra-interface 关键字一起使用时,该命令允许数据流进入和退出同一接口。有关详细信息,请参阅 Cisco 安全设备命令行配置指南中的“允许接口内数据流”部分。

本文档提供了有关如何允许集线器 PIX (PIX1) 安全设备接受来自 PIX2 的动态 IPsec 连接并建立与 PIX3 的静态 IPsec 连接的配置示例。只有在 PIX2 启动与 PIX1 的连接之后,PIX1 或 PIX3 才会建立与 PIX2 的 IPsec 连接。

注意: 在 PIX 版本 7.2 及更高版本中,intra-interface 关键字允许所有数据流(而不仅是 IPsec 数据流)进入和退出同一接口。

先决条件

要求

集线器 PIX 防火墙需要运行代码版本 7.0 或更高版本。

注意: 有关如何升级到 PIX 防火墙版本 7.0 的详细信息,请参阅从 Cisco PIX 6.2 或 6.3 升级到 Cisco PIX 软件版本 7.0 的用户指南

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • PIX - 515 版本 7.0.1 及更高版本 (PIX1)

    注意: 集线器 PIX (PIX1) 配置还可以用于 Cisco ASA 5500 系列安全设备。

  • PIX - 501 版本 6.3.4 (PIX2)

  • PIX - 515 版本 6.3.4 (PIX3)

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

配置

本部分提供了可用于配置本文所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

注意: 对于 PIX 安全设备 7.x LAN 到 LAN (L2L) VPN 配置,您必须在 tunnel-group <name> type ipsec-l2l 命令中将隧道组的 <name> 指定为远程对等体 IP 地址,以创建和管理 IPsec 的连接特定记录的数据库。

网络图

本文档使用以下网络设置:

/image/gif/paws/64692/enhance-vpn-pix70-1.gif

注意: 此配置中使用的 IP 编址方案在 Internet 上不可合法路由。这些地址是在实验室环境中使用的 RFC 1918 地址。leavingcisco.com

配置

本文档使用以下配置:

PIX1
PIX Version 7.0(1) 
no names
!
interface Ethernet0
nameif outside
security-level 0
ip address 172.18.124.170 255.255.255.0 
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 
!

!--- Output Suppressed

enable password 9jNfZuG3TC5tCVH0 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname PIX1
domain-name cisco.com
boot system flash:/image.bin
ftp mode passive

!--- Use this command in order to permit traffic to enter and exit the 
!--- same interface for IPsec traffic.

same-security-traffic permit intra-interface

!--- Access-list for interesting traffic to be 
!--- encrypted between hub and spoke (PIX3) networks.

access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0 

!--- Access-list for interesting traffic to be 
!--- encrypted between spoke (PIX2) and spoke (PIX3) networks.

access-list 100 extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0 

!--- Access-list for traffic to bypass the network address translation (NAT) process.
 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0 
access-list nonat extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0


!--- Output Suppressed


nat-control
global (outside) 1 interface

!--- Bypass the NAT process for IPsec traffic.

nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0

!--- The default gateway to the Internet.

route outside 0.0.0.0 0.0.0.0 172.18.124.1 1


!--- Output Suppressed



!--- Configuration of IPsec Phase 2.

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!--- IPsec configuration for the dynamic LAN-to-LAN tunnel.

crypto dynamic-map cisco 20 set transform-set myset

!--- IPsec configuration that binds dynamic map to crypto map.

crypto map mymap 20 ipsec-isakmp dynamic cisco


!--- IPsec configuration for the static LAN-to-LAN tunnel.

crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10 
crypto map mymap 10 set transform-set myset


!--- Crypto map applied to the outside interface of the PIX.

crypto map mymap interface outside
isakmp identity address 

!--- Configuration of IPsec Phase 1.

isakmp enable outside

!--- Configuration of ISAKMP policy.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0

!--- Configuration of the tunnel-group policy for remote 
!--- access tunnels (dynamic tunnels).

tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes

!--- Disables group authentication for dynamic remote-access tunnels.

authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes

!--- Defines the pre-shared secret used for 
!--- IKE authentication for the dynamic tunnel.

pre-shared-key *

!--- Configuration of the tunnel-group for the static LAN-to-LAN tunnel.
!--- The name of the tunnel-group MUST be the IP address of the remote peer.
!--- The tunnel fails if the tunnel-group has any other name.

tunnel-group 172.16.77.10 type ipsec-l2l
tunnel-group 172.16.77.10 ipsec-attributes

!--- Defines the pre-shared secret used for 
!--- IKE authentication for the static tunnel.

pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect http 
inspect netbios 
inspect rsh 
inspect rtsp 
inspect skinny 
inspect esmtp 
inspect sqlnet 
inspect sunrpc 
inspect tftp 
inspect sip 
inspect xdmcp 
!
service-policy global_policy global
Cryptochecksum:7167c0647778b77f8d1d2400d943b825

注意: 您需要配置 sysopt connection permit-ipsec 命令以允许所有经过入站 IPsec 验证的加密会话。在 PIX 7.0 版本的代码中,sysopt 命令没有出现在运行的配置中。要验证 sysopt connection permit-ipsec 是否已启用,请执行 show running-config sysopt 命令。

PIX2
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX2
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Access-list to encrypt traffic between PIX2 and PIX1 networks.

access-list 100 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 

!--- Access-list to encrypt traffic between PIX2 and PIX3 networks.

access-list 100 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0 

!--- Access-list to bypass the NAT process.

access-list nonat permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.172 255.255.255.0
ip address inside 10.20.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface

!--- Bypass the NAT process for IPsec traffic.

nat (inside) 0 access-list nonat
nat (inside) 1 10.20.20.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1



!--- Output Suppressed


!--- Permit all inbound IPsec authenticated cipher sessions.

sysopt connection permit-ipsec

!--- Defines IPsec encryption and authentication alogrithms.

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!--- Defines crypto map.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset

!--- Apply crypto map on the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Defines the pre-shared secret used for IKE authentication.

isakmp key ******** address 172.18.124.170 netmask 255.255.255.255 no-xauth 
isakmp identity address

!--- The ISAKMP policy configuration.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fb2e89ab9da0ae93d69e345a4675ff38

PIX3
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX3
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Access-list to encrypt traffic between PIX3 and PIX1 networks.

access-list 100 permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0

!--- Access-list to encrypt traffic between PIX3 and PIX2 networks.

access-list 100 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0 

!--- Access-list to bypass the NAT process.

access-list nonat permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.77.10 255.255.-255.0
ip address inside 10.30.30.1 255.255.255.0


!--- Output Suppressed

global (outside) 1 interface


!--- Binds ACL nonat to the NAT statement in order to 
!--- avoid NAT on the IPsec packets.

nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.77.1 1



!--- Output Suppressed


!--- Permits all inbound IPsec authenticated cipher sessions.

sysopt connection permit-ipsec

!--- Defines IPsec encryption and authentication algorithms.

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!--- Defines crypto map.
 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset

!--- Applies crypto map on the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Defines the pre-shared secret key used for IKE authentication.

isakmp key ******** address 172.18.124.170 netmask 255.255.255.0 no-xauth 
isakmp identity address

!--- Defines the ISAKMP policy. 

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cb5c245112db607e3a9a85328d1295db

发夹或 U 字型转向

对于进入某接口然后又从同一接口路由出去的 VPN 流量,此功能非常有用。例如,如果您建立了集中星型 VPN 网络,其中安全设备是中央,而远程 VPN 网络是分支,为使分支之间彼此通信,流量必须进入安全设备,然后再流向其他分支。

请使用 same-security-traffic 命令以允许数据流进入和退出同一接口。

securityappliance(config)#same-security-traffic permit intra-interface

验证

本部分提供了可用于确认您的配置是否正常运行的信息。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

要测试 PIX3 和 PIX1 之间的两个专用网络之间的通信,您可以从这两个专用网络之一启动 ping

在此配置中:

  • 对于静态 LAN 到 LAN,会将 ping 从 PIX3 网络 (10.30.30.x) 之后发送到 PIX1 网络 (10.10.10.x)。

  • 对于动态 LAN 到 LAN 隧道,会将 ping 从 PIX2 网络 (10.20.20.x) 发送到 PIX1 网络 (10.10.10.x)。

  • show crypto isakmp sa - 显示对等体上的所有当前 IKE 安全关联 (SA)。

  • show crypto ipsec sa — 显示所有当前 SA。

本部分显示用于以下配置的示例验证配置:

PIX1
show crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

!--- Static LAN-to-LAN tunnel establishment.

1 IKE Peer: 172.16.77.10
Type: L2L Role : responder 
Rekey : no State: MM_ACTIVE 

!--- Dynamic LAN-to-LAN tunnel establishment.

2 IKE Peer: 172.18.124.172
Type: user Role: responder 
Rekey : no State: MM_ACTIVE 




PIX1(config)#show crypto ipsec sa
interface: outside
Crypto map tag: cisco, local addr: 172.18.124.170

!--- IPsec SA for networks between PIX2 and PIX1.

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.18.124.172
dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.18.124.172

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 2C4400C7

inbound esp sas:
spi: 0x6D29993F (1831442751)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28413
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x2C4400C7 (742654151)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28411
IV size: 8 bytes
replay detection support: Y
 

!--- IPsec SA for networks between PIX2 and PIX3.

Crypto map tag: cisco, local addr: 172.18.124.170

local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.18.124.172
dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.18.124.172

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 9D40B1DC

inbound esp sas:
spi: 0xEE6F6479 (4000277625)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28777
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x9D40B1DC (2638262748)
transform: esp-3des esp-sha-hmac 
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 7, crypto-map: cisco
sa timing: remaining key lifetime (sec): 28777
IV size: 8 bytes
replay detection support: Y

Crypto map tag: mymap, local addr: 172.18.124.170

!--- IPsec SA for networks between PIX3 and PIX1.

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer: 172.16.77.10

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.16.77.10

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: BE57D878

inbound esp sas:
spi: 0xAF25D7DB (2938492891)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/27145)
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0xBE57D878 (3193428088)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274999/27144)
IV size: 8 bytes
replay detection support: Y

Crypto map tag: cisco, local addr: 172.18.124.170

!--- IPsec SA for networks between PIX2 and PIX3.

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer: 172.16.77.10

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.18.124.170, remote crypto endpt.: 172.16.77.10

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 963766A1

inbound esp sas:
spi: 0x1CD1B5B7 (483505591)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4274999/28780)
IV size: 8 bytes
replay detection support: Y
 

outbound esp sas:
spi: 0x963766A1 (2520213153)
transform: esp-3des esp-sha-hmac 
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4274999/28780)
IV size: 8 bytes
replay detection support: Y

PIX2
PIX2(config)#show crypto isakmp sa
Total : 1
Embryonic : 0
dst              src          state     pending created
172.18.124.170 172.18.124.172 QM_IDLE     0        2




PIX2(config)#show crypto ipsec sa


interface: outside
Crypto map tag: mymap, local addr. 172.18.124.172

!--- IPsec SA created between networks for PIX2 and PIX3.

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.18.124.172, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 38cf2399

inbound esp sas:
spi: 0xb37404c2(3010725058)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28765)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x38cf2399(953099161)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28765)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:



!--- IPsec SA created between networks PIX1 and PIX2.

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.18.124.172, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: fffd0c20

inbound esp sas:
spi: 0x1a2a994b(438999371)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28717)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xfffd0c20(4294773792)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28717)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

PIX3
PIX3(config)#show crypto isakmp sa
Total : 1
Embryonic : 0
dst                src       state        pending     created
172.18.124.170 172.16.77.10  QM_IDLE         0             2




PIX3(config)#show crypto ipsec sa


interface: outside
Crypto map tag: mymap, local addr. 172.16.77.10

!--- IPsec SA created between networks PIX3 and PIX2.

local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.16.77.10, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 8282748

inbound esp sas:
spi: 0x28c9b70a(684308234)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/28775)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x8282748(136849224)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28775)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:



!--- IPsec SA created between networks PIX3 and PIX1.

local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 172.18.124.170:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.16.77.10, remote crypto endpt.: 172.18.124.170
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f415cec9

inbound esp sas:
spi: 0x12c5caf1(314952433)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28763)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xf415cec9(4095069897)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28763)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

故障排除

本部分提供了可用于对配置进行故障排除的信息。

故障排除命令

命令输出解释程序工具仅限注册用户)支持某些 show 命令,使用此工具可以查看对 show 命令输出的分析。

注意: 发出 debug 命令之前,请参阅有关 Debug 命令的重要信息

在配置模式下执行 PIX 命令:

  • clear crypto isakmp sa — 清除第 1 阶段 SA

  • clear crypto ipsec sa — 清除第 2 阶段 SA

用于 VPN 隧道的 debug 命令:

  • debug crypto isakmp sa - 调试 ISAKMP SA 协商。

  • debug crypto ipsec sa - 调试 IPSec SA 协商。

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 64692