PIX OS 7.0.1 基于证书的VPN的配置实例,可用。
! Review notes (English): running config of a PIX 7.0(1) terminating a
! certificate-authenticated (rsa-sig) IPsec remote-access VPN. The "!"
! lines below are reviewer annotations; every config token is unchanged.
CA-VPN# sh run
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 211.157.255.212 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.110.4.130 255.255.255.192
!
! NOTE(review): these three hashes (enable, login, username "cisco") are
! published here; treat them as compromised and set fresh secrets before
! reusing this example.
enable password QMOEflsOYGPASaVf encrypted
passwd PVSASRJovmamnVkD encrypted
hostname CA-VPN
domain-name XXXX
ftp mode passive
! Ports opened to the public static 211.157.255.220 (see access-list 101).
! telnet and ftp/ftp-data are cleartext protocols; the object-group name
! suggests this host is the CA server, so consider restricting their sources.
object-group service ca-svr tcp
 port-object eq telnet
 port-object eq www
 port-object range 9443 9443
 port-object eq https
 port-object range 8443 8443
 port-object eq ftp
 port-object eq ftp-data
! NAT exemption for traffic to the VPN client pool subnet.
access-list inside_nat0_outbound extended permit ip any 10.110.4.128 255.255.255.192
! NOTE(review): AccessBoss is defined but not referenced anywhere in this
! output (no access-group, vpn-filter is "none"); it is currently inert.
access-list AccessBoss extended permit tcp any host 10.110.2.157 eq 11000
access-list AccessBoss extended permit tcp any host 10.110.2.157 eq 12000
access-list AccessBoss extended permit icmp any host 10.110.2.157 echo
access-list AccessBoss extended permit icmp any host 10.110.2.157 echo-reply
access-list AccessBoss extended deny ip any any
! Proxy identity for dynamic crypto map entry 40 (client pool subnet).
access-list outside_cryptomap_dyn_40 extended permit ip any 10.110.4.128 255.255.255.192
! Inbound policy on outside: any source may reach the ca-svr ports and
! ICMP on 211.157.255.220; hits are logged. Everything else is implicitly denied.
access-list 101 extended permit tcp any host 211.157.255.220 object-group ca-svr log
access-list 101 extended permit icmp any host 211.157.255.220 log
pager lines 24
! NOTE(review): only the local buffer is configured; no "logging host"
! appears in this output, so logs are lost on reload. Add off-box syslog
! if these events are needed for detection or incident response.
logging enable
logging timestamp
logging buffer-size 512000
logging buffered informational
mtu outside 1500
mtu inside 1500
! Addresses handed to VPN clients (41 addresses inside the 10.110.4.128/26 subnet).
ip local pool vpnpool 10.110.4.140-10.110.4.180 mask 255.255.255.192
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list inside_nat0_outbound
! Public 211.157.255.220 maps one-to-one to inside host 10.110.0.153.
static (inside,outside) 211.157.255.220 10.110.0.153 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 211.157.255.221 1
route inside 10.110.0.0 255.255.0.0 10.110.4.129 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
! Default group policy; note tunnelall (no split tunnelling) and
! vpn-filter none (no per-tunnel traffic restriction once connected).
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 100
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
! NOTE(review): "cisco" is a well-known default account name; rename it
! and rotate the password (hash is public on this page).
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 0
! ASDM/HTTPS management limited to three inside hosts.
http server enable
http 10.110.5.162 255.255.255.255 inside
http 10.110.5.164 255.255.255.255 inside
http 10.110.5.151 255.255.255.255 inside
no snmp-server location
no snmp-server contact
! NOTE(review): "public" is the well-known default SNMP community; change
! it to a unique value and limit which hosts may use it.
snmp-server community public
snmp-server enable traps snmp
! Phase 2 proposal: 3DES + SHA-1 HMAC (legacy algorithms; adequate for
! the 2005-era example, weak by current standards).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Entry 20 carries no "match address", so it accepts the proxy identity
! proposed by the client; entry 40 is pinned to the client pool subnet.
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! Trustpoint for the CA that issues client certificates. Enrollment was
! done by pasting certificates at the terminal.
! NOTE(review): "crl configure" has no sub-settings shown and no
! required/optional revocation policy is visible, so revocation checking
! may not be active; with certificate-only authentication a revoked or
! stolen client certificate would then remain usable - confirm on the box.
crypto ca trustpoint JITCA
 enrollment terminal
 crl configure
crypto ca certificate chain JITCA
 ! Device identity certificate (serial 32cdf1f801553534). The DER appears
 ! to decode to subject C=cn,O=jit issued by C=CN,O=JIT,CN=DemoCA, valid
 ! roughly Nov 2005 - Nov 2006, with a CRL distribution point at an
 ! http URL on an RFC1918 address (192.168.9.145) - verify reachability
 ! from the PIX if CRL checking is enabled.
 certificate 32cdf1f801553534
    30820243 308201ac a0030201 02020832 cdf1f801 55353430 0d06092a 864886f7
    0d010105 0500302c 310b3009 06035504 06130243 4e310c30 0a060355 040a1303
    4a495431 0f300d06 03550403 13064465 6d6f4341 301e170d 30353131 30393033
    35373435 5a170d30 36313130 39303335 3734355a 301b310b 30090603 55040613
    02636e31 0c300a06 0355040a 13036a69 7430819f 300d0609 2a864886 f70d0101
    01050003 818d0030 81890281 8100d193 5456cd77 2ff12486 423d4974 fe4cae7e
    b4e22c71 83dadac9 81ee094e e891c363 aa2be6bd 19a5f6f4 66a94e73 310be867
    1e3237f8 777f97f9 6d7ffebd 1c35da8b 9d2bee9b ca4c89a2 8d14c091 9a305c30
    f8f39507 e1261b90 10c9cce1 641b555e 0ac4882c 298fe56b e0d5a80b 87815cb6
    73ffc1f8 caf71d05 880d03f5 099d0203 010001a3 7f307d30 1f060355 1d230418
    30168014 17d17979 e389bee1 fe8a9ebe c450e300 6925d181 302e0603 551d1f04
    27302530 23a021a0 1f861d68 7474703a 2f2f3139 322e3136 382e392e 3134352f
    63726c31 2e63726c 300b0603 551d0f04 04030203 f8301d06 03551d0e 04160414
    19e11851 09c7587b 57919989 3a5febba 475769ef 300d0609 2a864886 f70d0101
    05050003 8181004f 94e032f5 d18742e2 ea843831 ce488952 33c9f982 d080648f
    1ebeafba 81e3204a 06de2341 f3e2b34e 929a4005 bab0bd24 6ca1d2bc 496c7c94
    1c764a9e b8a8e665 f4fe8439 66f7a483 6c65ccbe 0d0b1bbe b731c985 623bb49a
    60dd7a54 5f6ab8ed 0cb5f58d b3b948a6 9325acfc c08d905e 4344a041 39b97ab8
    296a729f cc43ff
  quit
 ! CA certificate (serial 62e404cb3a21ac20), self-signed DemoCA, appears
 ! to be valid roughly Nov 2005 - Nov 2025, 1024-bit RSA / SHA-1 signature.
 ! Key sizes of this era are below current recommendations.
 certificate ca 62e404cb3a21ac20
    30820264 308201cd a0030201 02020862 e404cb3a 21ac2030 0d06092a 864886f7
    0d010105 0500302c 310b3009 06035504 06130243 4e310c30 0a060355 040a1303
    4a495431 0f300d06 03550403 13064465 6d6f4341 301e170d 30353131 30373037
    31353033 5a170d32 35313130 32303731 3530335a 302c310b 30090603 55040613
    02434e31 0c300a06 0355040a 13034a49 54310f30 0d060355 04031306 44656d6f
    43413081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 8181009c
    128b5654 31e4e718 059c90e7 bda51568 cd1fd15a 591a4cec 83abb929 73545d8b
    d63cf3f7 76bda779 a3c20e22 19a77b2f 2bf4b401 e2e9d199 7c8ee445 578dda27
    e30f8c89 f7d0f80a b1c277d5 7ada37fe 9d04c787 9ab63a1c a3fd6be0 ecad7e71
    0a0e941c 27a08227 9c72cb5d 6a670365 147c073f c1b65e65 4ecffc48 0bf73d02
    03010001 a3818e30 818b301f 0603551d 23041830 16801417 d17979e3 89bee1fe
    8a9ebec4 50e30069 25d18130 0c060355 1d130405 30030101 ff302e06 03551d1f
    04273025 3023a021 a01f861d 68747470 3a2f2f31 39322e31 36382e39 2e313435
    2f63726c 312e6372 6c300b06 03551d0f 04040302 01fe301d 0603551d 0e041604
    1417d179 79e389be e1fe8a9e bec450e3 006925d1 81300d06 092a8648 86f70d01
    01050500 03818100 0cecec62 85671377 5dd438ee 31133399 ce85a463 c2678538
    0a64bbc3 32fb4710 4f355fc6 22652da1 195f0c71 954cb95c c75c4a97 87fcea4c
    6d18ca4a 654e030f c793096f 2a60cd80 0d375ca4 c2f5eee4 e32acea7 14a8dd82
    ba7c0e10 1e30518f c9b1ce1a 8e45762f 875261b2 3ed8e83a 39d57c05 1dffc97e
    e7c61e3a 8b592ce6
  quit
! Phase 1: certificate (rsa-sig) authentication, 3DES / SHA-1 / DH group 2,
! 24h lifetime. 3DES and group 2 are legacy choices; prefer stronger
! settings where the client base allows.
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
isakmp disconnect-notify
! NOTE(review): telnet is cleartext management, even though it is limited
! to three inside hosts; and "ssh version 1" selects the protocol version
! with known weaknesses - prefer SSH version 2 and drop telnet.
telnet 10.110.5.162 255.255.255.255 inside
telnet 10.110.5.164 255.255.255.255 inside
telnet 10.110.5.151 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
ssh version 1
! console timeout 0 = console sessions never time out.
console timeout 0
! Remote-access tunnel group: addresses from vpnpool, identity from JITCA.
! NOTE(review): no certificate map is visible, so presumably any valid
! certificate issued by the JITCA CA can authenticate to this group;
! confirm whether that scope is intended.
tunnel-group hljmcc type ipsec-ra
tunnel-group hljmcc general-attributes
 address-pool vpnpool
tunnel-group hljmcc ipsec-attributes
 trust-point JITCA
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2c33d4fc1631fc6faaf1d264c8006f69
: end
CA-VPN#