安全 : Cisco PIX 500 系列安全设备

有VPN 3000集中器的PIX 501/506系列安全设备上VPN硬件客户端配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 22 日) | 反馈


目录


简介

本文为要设置在PIX 501/506系列安全工具的Cisco VPN硬件客户端功能的客户提供逐步配置示例。此功能介绍与PIX版本6.2和用于创建有VPN 3000集中器、运行Cisco IOS 软件的路由器,或者PIX防火墙的一个IPSec隧道。

PIX 501/506硬件客户端的配置是相同的为头端VPN设备,它是否是VPN 3000集中器、运行Cisco IOS软件的路由器,或者PIX防火墙。在PIX防火墙硬件客户端后的设备不再需要有在他们安装的VPN客户端为了用设备安全地连通在数据转发设备背后。这允许迅速部署并且减小故障排除为了支持VPN远程用户。

VPN硬件客户端在网络扩展模式(NEM)或客户端模式经营。在NEM中,网络管理员能访问在PIX防火墙VPN硬件客户端后的设备遥控和故障排除的。在客户端模式,网络设备在PIX 501/506背后从头端或其他VPN用户不是可访问。此行为是相同的在VPN 3002硬件客户端。

注意: PIX 501和PIX 506/506E是Easy VPN Remote和Easy VPN Server设备。PIX 515/515E、PIX 525和PIX 535作为仅Easy VPN服务器。

参考请配置PIX 501/506 Easy VPN Remote到网络扩展模式的一个IOS路由器与扩展认证关于Cisco IOS路由器作为Easy VPN Server的一个相似的方案的更多信息。

有关 PIX 506 6.x 充当 Easy VPN Server 的类似方案的详细信息,请参阅 PIX 到 PIX 6.x:Easy VPN (NEM) 配置示例

有关 PIX/ASA 7.x 充当 Easy VPN 服务器的类似情况的详细信息,请参阅 ASA 5500 作为服务器和 PIX 506E 作为客户端 (NEM) 情况下 PIX/ASA 7.x Easy VPN 的配置示例

有关将 Cisco 871 路由器用作 Easy VPN Remote 的类似方案的详细信息,请参阅将 ASA 5500 用作服务器,将 Cisco 871 用作 Easy VPN Remote 的 PIX/ASA 7.x Easy VPN 配置示例

先决条件

要求

本文档没有任何特定的前提条件。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • PIX防火墙版本6.2或6.3

    注意: PIX防火墙版本7.x不支持PIX 501/506。

  • 运行Cisco IOS软件版本12.2.7b的Cisco 2600路由器

  • 运行Cisco IOS软件版本12.2.7b的Cisco 3620路由器

  • Cisco VPN 3000 集中器

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的信息,请参阅 Cisco 技术提示规则

背景信息

在本例中, PIX 506配置为了发起一个VPN通道用在NEM的Cisco VPN 3000集中器。NEM允许可见性和通信用那些设备在PIX 506背后。VPN 3000集中器运行路由信息协议(RIP)版本2为了学习和通告路由。反向路由注入(RRI)在VPN 3000集中器启用这样通告使用RIP,在PIX 506 VPN硬件客户端后,到Cisco 2600路由器的远程网络,当流量从Cisco 3620路由器被初始化。

分割隧道在VPN 3000集中器没有启用,因此从Cisco 3620路由器发出的所有流量加密并且发送到VPN 3000集中器,转发根据策略路由工艺路线信息的此流量。策略在仅VPN 3000集中器定义(和能修改根据各自的公司安全需求)和推送给PIX 506 VPN硬件客户端在隧道协商时(就象PC的一VPN客户端)。

PIX 506配置作为动态主机配置协议(DHCP)服务器为了以太网(E1)接口的service dhcp客户端。在Cisco 3620路由器的接口Fa0/1配置作为DHCP客户端。Cisco 2621路由器运行RIP版本2.参考的IPsec以VPN客户端到VPN 3000集中器配置示例为了配置VPN 3000集中器。

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 请使用命令查找工具(仅限注册用户)或关于用于此部分的命令的更多信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/22828/pix501506_vpn3k.gif

注意: 此配置中使用的 IP 编址方案在 Internet 上不可合法路由。这些地址是在实验室环境中使用的 RFC 1918 地址。

配置

本文档使用以下配置:

Cisco 3620 路由器
interface FastEthernet0/1
    ip address dhcp  

!--- The DHCP client requests an IP address from the PIX, 
!--- which is configured as a DHCP server.

Cisco 2621 路由器
Configuration of 2621 router 
2621#write terminal
! 
hostname 2621 
! 
interface FastEthernet0/1 
ip address 10.10.10.2 255.255.255.0 
ip rip send version 2

!--- Send only RIP version 2. 

ip rip receive version 2

!--- Receive only RIP version 2. 

! 
router rip 
version 2

!--- RIP version 2 enabled.
 
network 10.0.0.0 
no auto-summary 
!

PIX 配置

定义访问控制表(ACL)或conduit为了允许流量,因为连接从PIX 506首次是不必要的,而不是VPN 3000集中器或VPN客户端在PIX 506背后。默认情况下,流量允许从里向外。

PIX 506
506#write terminal 
Building configuration... 
: Saved 
: 
PIX Version 6.2(0)243 
nameif ethernet0 outside security0 

!--- On PIX 501/506, this is the default configuration. 

nameif ethernet1 inside security100 
enable password 2KFQnbNIdI.2KYOU encrypted 
passwd 2KFQnbNIdI.2KYOU encrypted 
hostname 506 
fixup protocol ftp 21 
fixup protocol http 80 
fixup protocol h323 h225 1720 
fixup protocol h323 ras 1718-1719 
fixup protocol ils 389 
fixup protocol rsh 514 
fixup protocol rtsp 554 
fixup protocol smtp 25 
fixup protocol sqlnet 1521 
fixup protocol sip 5060 
fixup protocol skinny 2000 
names 
pager lines 24 
logging console debugging 
logging monitor debugging 
logging buffered debugging 
interface ethernet0 auto
interface ethernet1 auto 

!--- You should manually specify speed/duplex if your attached  
!--- devices do not support auto negotiation.

mtu outside 1500 
mtu inside 1500 
ip address outside 172.21.48.22 255.255.255.224 
ip address inside 172.16.1.1 255.255.255.0 
ip audit info action alarm 
ip audit attack action alarm 
pdm history enable 
arp timeout 14400 
route outside 0.0.0.0 0.0.0.0 172.21.48.25 1 
timeout xlate 3:00:00 
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 
0:30:00 sip_med 
ia 0:02:00 
timeout uauth 0:05:00 absolute 
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
no snmp-server location 
no snmp-server contact 
snmp-server community public 
no snmp-server enable traps 
floodguard enable 
no sysopt route dnat 
telnet timeout 5 
ssh timeout 5 

dhcpd address 172.16.1.10-172.16.1.20 inside 

!--- This is the pool for the DHCP server to service local requests. 


dhcpd lease 3600 

!--- This is optional. 


dhcpd ping_timeout 750 

!--- This is optional.
 

dhcpd domain cisco.com 

dhcpd enable inside 

!--- You should enable this on the inside interface. 


vpnclient vpngroup beta password ******** 

!--- Group name and password must match, as defined on
!--- the VPN 3000 Concentrator (or on ACS, if you use
!--- ACS with a VPN 3000 Concentrator). 


vpnclient username cisco password ******** 

!--- User Name/Password must match as defined on
!--- the VPN 3000 Concentrator (or on ACS, if you use
!--- ACS with a VPN 3000 Concentrator). 


vpnclient server 172.21.48.25
 

!--- This is the IP address of the headend
!--- VPN 3000 Concentrator. There can be from 1 to 10 secondary
!--- Cisco Easy  VPN Servers (backup VPN headends) configured.
!--- However, check your platform-specific documentation for 
!--- applicable peer limits on your PIX Firewall platform. 


vpnclient mode network-extension-mode 

!--- Using NEM. 


vpnclient enable 

terminal width 80 
Cryptochecksum:f719695f4d56b84be0c944975caf9f12 
: end 
[OK]

Cisco VPN 3000 集中器配置

与VPN客户端的参考的IPsec VPN 3000集中器配置示例配置的Cisco IOS的思科EzVPN客户端用配置示例的VPN 3000集中器

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • 在Cisco 3620以后的路由配置

    3620#show ip route 
    Gateway of last resort is 172.16.1.1 to network 0.0.0.0 
    
    172.16.0.0/24 is subnetted, 1 subnets 
    C  172.16.1.0 is directly connected, FastEthernet0/1 
    S* 0.0.0.0/0 [254/0] via 172.16.1.1
    
    !--- Point default to PIX as received with DHCP. 
    
    
  • 关于Cisco 3620的DHCP租用信息

    3620#show dhcp lease
    Temp IP addr: 172.16.1.10 for peer on Interface: FastEthernet0/1 
    Temp sub net mask: 255.255.255.0 
    DHCP Lease server: 172.16.1.1, state: 3 Bound 
    DHCP transaction id: 11CD 
    Lease: 3600 secs, Renewal: 1800 secs, Rebind: 3150 secs 
    Temp default-gateway addr: 172.16.1.1 
    Next timer fires after: 00:14:39 
    Retry count: 0 Client-ID: cisco-0008.215d.7be2-Fa0/1
  • 在Cisco 2621以后的路由配置

    2621#show ip route 
    172.16.0.0/24 is subnetted, 1 subnets 
    R 172.16.1.0 [120/1] via 10.10.10.1, 00:00:06, FastEthernet0/1 
    
    !--- This is the remote network connected to the 
    !--- private interface of the PIX 506 VPN Hardware Client. 
    !--- As RRI is configured on the VPN 3000 Concentrator, it uses 
    !--- RIP in order to advertise this remote network after it sees 
    !--- traffic from the remote end.
    
    172.21.0.0/27 is subnetted, 1 subnets 
    R 172.21.48.0 [120/1] via 10.10.10.1, 00:00:06, FastEthernet0/1 
    R 192.168.201.0/24 [120/1] via 10.10.10.1, 00:00:06, FastEthernet0/1 
    10.0.0.0/24 is subnetted, 1 subnets 
    C 10.10.10.0 is directly connected, FastEthernet0/1

故障排除

本部分提供的信息可用于对配置进行故障排除。

示例输出

在流量被初始化在Cisco 3620及Cisco 2621路由器之间前,此输出示例:显示当前状态。

506#show crypto isakmp sa 
Total : 1 
Embryonic : 0 
    dst            src        state   pending   created 
 172.21.48.25  172.21.48.22  QM_IDLE     0         0 


506#show crypto ipsec sa 
interface: outside 
Crypto map tag: _vpnc_cm, local addr. 172.21.48.22 

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0) 
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) 

!--- Proxy information exchange is complete as defined on the headend, 
!--- although no interesting traffic has been initiated. In Cisco IOS 
!--- this exchange occurs only when there is interesting traffic. 

current_peer: 172.21.48.25 
PERMIT, flags={origin_is_acl,} 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 
#pkts compressed: 0, #pkts decompressed: 0 
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 
#send errors 0, #recv errors 0 

local crypto endpt.: 172.21.48.22, remote crypto endpt.: 172.21.48.25 
path mtu 1500, ipsec overhead 0, media mtu 1500 
current outbound spi: 0 

!--- Security Parameter Index (SPI) is created thus far. 


inbound esp sas:

!--- No inbound Security Association (SA) is created thus far.



inbound ah sas: 


inbound pcp sas: 


outbound esp sas:

!--- No outbound SA is created thus far.



outbound ah sas: 


outbound pcp sas:

在ping启动在Cisco 3620及Cisco 2621路由器之间后,此输出示例:显示状态。

3620#ping 10.10.10.2 

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds: 
..!!! 

!--- The initial ping failed because the SAs were created after the PIX 
!--- detected interesting traffic. 

Success rate is 60 percent (3/5), round-trip min/avg/max = 4/4/4 ms 
3620# 

506#show crypto isakmp sa 
Total: 1 
Embryonic: 0 
    dst             src       state  pending  created 
172.21.48.25   172.21.48.22  QM_IDLE    0       1 

506#show crypto ipsec sa 
interface: outside 
Crypto map tag: _vpnc_cm, local addr. 172.21.48.22 

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0) 
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) 
current_peer: 172.21.48.25 
PERMIT, flags={origin_is_acl,} 
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3 

!--- This shows the number of packets encrypted.

#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3 
#pkts compressed: 0, #pkts decompressed: 0 
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 
#send errors 1, #recv errors 0 

local crypto endpt.: 172.21.48.22, remote crypto endpt.: 172.21.48.25 
path mtu 1500, ipsec overhead 56, media mtu 1500 
current outbound spi: 5c5b2a9 

!--- SPI is created now. 


inbound esp sas: 

!--- One inbound SA is created after interesting traffic is detected.

spi: 0x3db858ad(1035491501) 
transform: esp-3des esp-md5-hmac , 
in use settings ={Tunnel, } 
slot: 0, conn id: 2, crypto map: _vpnc_cm 
sa timing: remaining key lifetime (k/sec): (4607999/28499) 
IV size: 8 bytes 
replay detection support: Y 

inbound ah sas: 

!--- Authentication Header (AH) was not an option on the headend. 

 

inbound pcp sas: 

!--- Payload Compression Protocol (PCP) was not an option on the headend.  

 

outbound esp sas:

!--- One outbound SA is created after interesting traffic is detected. 

spi: 0x5c5b2a9(96842409) 
transform: esp-3des esp-md5-hmac , 
in use settings ={Tunnel, } 
slot: 0, conn id: 1, crypto map: _vpnc_cm 
sa timing: remaining key lifetime (k/sec): (4607999/28499) 
IV size: 8 bytes 
replay detection support: Y 


outbound ah sas: 

!--- AH was not an option on the headend. 



outbound pcp sas: 

!--- PCP was not an option on the headend.

关于Cisco VPN 3000集中器的记录信息

54 04/02/2002 15:14:45.560 SEV=4 IKE/52 RPT=19 172.21.48.22 
Group [beta] User [cisco] 
User (cisco) authenticated. 
!--- Group/User authentication is successful.


55 04/02/2002 15:14:46.630 SEV=4 AUTH/22 RPT=2 
User cisco connected 

56 04/02/2002 15:14:46.630 SEV=4 IKE/119 RPT=2 172.21.48.22 
Group [beta] User [cisco] 
PHASE 1 COMPLETED 

!--- Phase I is successful. 


57 04/02/2002 15:14:46.630 SEV=5 IKE/35 RPT=2 172.21.48.22 
Group [beta] User [cisco] 
Received remote IP Proxy Subnet data in ID Payload: 

!--- Proxy info exchange.
 
Address 172.16.1.0, Mask 255.255.255.0, Protocol 0, Port 0 

60 04/02/2002 15:14:46.630 SEV=5 IKE/34 RPT=2 172.21.48.22 
Group [beta] User [cisco] 
Received local IP Proxy Subnet data in ID Payload: 

!--- Proxy info exchange.
 
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0 

63 04/02/2002 15:14:46.630 SEV=5 IKE/66 RPT=2 172.21.48.22 
Group [beta] User [cisco] 
IKE Remote Peer configured for SA: ESP-3DES-MD5: 

!--- Transform set being used.
 

64 04/02/2002 15:14:46.640 SEV=4 IKE/49 RPT=2 172.21.48.22 
Group [beta] User [cisco] 
Security negotiation complete for User (cisco) 
Responder, Inbound SPI = 0x05c5b2a9, Outbound SPI = 0x3db858ad 

!--- Both inbound and outbound SPIs are created. These numbers will be the 
!--- same, but swapped, on the other end.


67 04/02/2002 15:14:46.640 SEV=4 IKE/120 RPT=2 172.21.48.22 
Group [beta] User [cisco] 
PHASE 2 COMPLETED (msgid=017e9e02) 

!--- Phase II is successful.

清楚VPN塞申斯和删除VPN客户端命令

清楚VPN会话

vpnclient不连接vpnclient断开disconnect命令当前VPN会话,然而不防止新的VPN通道的开始。

注意: 没有vpnclient enable命令关闭所有已建立VPN通道并且防止新的VPN通道的开始,直到您输入vpnclient enable命令

删除VPN客户端命令

清楚vpnclient命令清除在闪存和安全策略存储的便捷的VPN远端配置。

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 22828