
IPSec site-PIX-site

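Lab target: a site-to-site IPSec tunnel between the Loopback0 networks of R4 and R5, through a PIX. R4 sits on the PIX inside interface and is statically translated to 45.1.1.10 on the outside.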

hostname r4

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
! IKE peer is R5's outside address
crypto isakmp key cisco address 45.1.1.5
!
!
crypto ipsec transform-set test esp-aes esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 45.1.1.5
 set transform-set test
 match address 100

interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 47.1.1.4 255.255.255.0
 half-duplex
 crypto map test

ip route 20.1.1.0 255.255.255.0 47.1.1.7
ip route 45.1.1.0 255.255.255.0 47.1.1.7
!

! Interesting traffic: R4 Lo0 network to R5 Lo0 network
access-list 100 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
!
!
----------------------------------------------
hostname r5

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
! IKE peer is 45.1.1.10, the address the PIX static maps to R4 (47.1.1.4)
crypto isakmp key cisco address 45.1.1.10
!
!
crypto ipsec transform-set test esp-aes esp-md5-hmac
!
crypto map test 1 ipsec-isakmp
 set peer 45.1.1.10
 set transform-set test
 match address 100
!
!
!
!
interface Loopback0
 ip address 20.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 45.1.1.5 255.255.255.0
 half-duplex
 crypto map test

! Interesting traffic: mirror image of access-list 100 on R4
access-list 100 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
------------------------------------------
hostname pix
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 45.1.1.7 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 47.1.1.7 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! Outside ACL: IKE (UDP 500), ESP and UDP 4500 from R5 to R4's translated address
access-list test extended permit udp host 45.1.1.5 host 45.1.1.10 eq isakmp
access-list test extended permit esp host 45.1.1.5 host 45.1.1.10
access-list test extended permit udp host 45.1.1.5 host 45.1.1.10 eq 4500

! Static NAT: R4 (47.1.1.4) appears on the outside as 45.1.1.10
static (inside,outside) 45.1.1.10 47.1.1.4 netmask 255.255.255.255
access-group test in interface outside
route outside 20.1.1.0 255.255.255.0 45.1.1.5 1
route inside 10.1.1.0 255.255.255.0 47.1.1.4 1
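
A consistency check for the three configurations above, as an added example that is not part of the original lab: it verifies that R5 peers with the PIX translation of R4, that the two crypto ACLs mirror each other, and that the PIX outside ACL passes IKE, ESP and UDP 4500. The function names and the trimmed config strings are constructed for this example.

```python
import re

# Constructed input: only the relevant lines, copied from the configs above.
R4 = """crypto map test 10 ipsec-isakmp
 set peer 45.1.1.5
access-list 100 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255"""
R5 = """crypto map test 1 ipsec-isakmp
 set peer 45.1.1.10
access-list 100 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255"""
PIX = """access-list test extended permit udp host 45.1.1.5 host 45.1.1.10 eq isakmp
access-list test extended permit esp host 45.1.1.5 host 45.1.1.10
access-list test extended permit udp host 45.1.1.5 host 45.1.1.10 eq 4500
static (inside,outside) 45.1.1.10 47.1.1.4 netmask 255.255.255.255"""

def peer(cfg):
    """Address on the 'set peer' line of the crypto map."""
    return re.search(r"^\s*set peer (\S+)", cfg, re.M).group(1)

def crypto_acl(cfg):
    """(source, wildcard, destination, wildcard) of access-list 100."""
    return re.search(r"^access-list 100 permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M).groups()

def static_nat(cfg):
    """PIX statics as {mapped (outside) address: real (inside) address}."""
    return dict(re.findall(r"^static \(inside,outside\) (\S+) (\S+)", cfg, re.M))

def pix_permits(cfg, src, dst):
    """Protocols the PIX ACL permits from src to dst, e.g. {'esp', 'udp/4500'}."""
    pat = rf"permit (\S+) host {re.escape(src)} host {re.escape(dst)}\b(?: eq (\S+))?"
    return {f"{p}/{port}" if port else p for p, port in re.findall(pat, cfg)}

def audit(r4, r5, pix, r4_real="47.1.1.4", r5_outside="45.1.1.5"):
    """Return a list of inconsistencies; empty means the three configs agree."""
    problems = []
    if static_nat(pix).get(peer(r5)) != r4_real:
        problems.append("R5 peer is not the PIX translation of R4")
    if peer(r4) != r5_outside:
        problems.append("R4 peer is not R5's outside address")
    src, swc, dst, dwc = crypto_acl(r4)
    if crypto_acl(r5) != (dst, dwc, src, swc):
        problems.append("crypto ACLs are not mirror images")
    missing = {"udp/isakmp", "esp", "udp/4500"} - pix_permits(pix, r5_outside, peer(r5))
    if missing:
        problems.append("PIX outside ACL does not permit " + ", ".join(sorted(missing)))
    return problems

if __name__ == "__main__":
    print(audit(R4, R5, PIX) or "configs are consistent")
```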

 

Reposted from: http://www.net130.com/CMS/Pub/Tech/tech_instance/2006_12_11_60445.htm
