Easy VPN with PIX

基本接口配置

pix(config)#interfaceeth0 auto

pix(config)#interfaceeth1 auto

pix(config)#nameifeth0 outside security0

pix(config)#nameifeth1 inside security100

pix(config)#ipaddress outside 218.1.1.2 255.255.255.0

pix(config)#ipaddress inside 10.100.1.1 255.255.255.0

设置默认路由

pix(config)#routeoutside 0 0 218.1.1.1

规定不需要进行nat的流量以及需要被IPSec保护的流量

pix(config)# access-l ezvpn permit ip10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0

设置nat0

pix(config)# nat(inside) 0 access-list ezvpn

设置客户端的地址池

pix(config)# iplocal pool ezvpn-pool 192.168.1.1-192.168.1.254

isakmp参数配置

pix(config)# isakmpenable outside

pix(config)# isakmpidentity address

pix(config)# isakmppolicy 20 authen pre-share

pix(config)# isakmppolicy 20 encry 3des

pix(config)# isakmppolicy 20 hash sha

pix(config)# isakmppolicy 20 group 2

设置转换集以及动态映射

pix(config)# cryptoipsec transform-set ccsp esp-3des esp-sha-hmac

pix(config)# cryptodynamic-map vpn-dyn 10 set transform-set ccsp

配置crypto map

pix(config)# cryptomap cisco 10 ipsec-isakmp dynamic vpn-dyn

pix(config)# cryptomap cisco client conf address initiate

pix(config)# cryptomap cisco interface outside

组策略配置

pix(config)#vpngroup mobile address-pool ezvpn-pool

pix(config)#vpngroup mobile dns-server 10.100.1.80

pix(config)# vpngroupmobile default-domain itany.com

pix(config)#vpngroup mobile split-tunnel ezvpn

pix(config)#vpngroup mobile password cisco1234

允许在IPSec隧道中传输任何数据

pix(config)# sysoptconnection permit-ipsec