Cisco routers/switches
<h3>Cisco switch command-line configuration</h3>
<h4>1. Cisco IKEv1 IPsec VPN configuration</h4>
<p>IKEv1 sample configuration (main mode):</p>
<p>The Cisco configuration commands are as follows (some Cisco versions use slightly different command syntax, but the procedure is the same):</p>
<p>conf t //enter global configuration mode</p>
<p>no crypto isakmp key 0 cisco address 10.162.151.107 //pre-shared key bound to the peer address; when identity IDs are configured (below), leave this unconfigured, because it conflicts with the keyring and the tunnel will not come up</p>
<p>crypto isakmp policy 10 //create the ISAKMP policy (phase 1)</p>
<p>hash md5 //hash algorithm</p>
<p>encry 3des //encryption algorithm</p>
<p>group 15 //DH group</p>
<p>lifetime 600 //SA lifetime in seconds; when it expires the SA is renegotiated</p>
<p>auth pre-share //authentication method (pre-shared key)</p>
<p>exit //leave ISAKMP policy configuration</p>
<p> </p>
<p>crypto keyring ikev1-keyring</p>
<p>pre-shared-key address 10.162.151.107 key cisco //key shared between this device and the peer at this address</p>
<p>pre-shared-key address 10.162.151.115 key cisco //the peer's post-NAT IP</p>
<p> </p>
<p>crypto isakmp profile ikev1-profile //local and remote identity types</p>
<p>keyring ikev1-keyring</p>
<p>match identity user-fqdn xiao.com //remote identity: address/group/host/user-fqdn are supported</p>
<p>self-identity user-fqdn hong.com //local identity: address/fqdn/user-fqdn are supported</p>
<p>//match identity address 7.7.7.7 255.255.255.0</p>
<p>//self-identity address 8.8.8.8 255.255.255.0</p>
<p> </p>
<p>access-list 100 permit ip 192.168.100.0 0.0.0.255 190.190.190.0 0.0.0.255 //ACL defining the interesting traffic, like an inbound/outbound policy: which local subnet may reach which remote subnet</p>
<p>crypto ipsec transform-set ipsecvpn esp-aes esp-md5-hmac //create the transform set and its algorithms</p>
<p>mode tunnel //encapsulation mode (tunnel mode); only tunnel mode is supported on our side</p>
<p>exit //leave the transform set</p>
<p>crypto ipsec security-association lifetime seconds 1800 //IPsec SA lifetime of 1800 seconds</p>
<p> </p>
<p>Priority (crypto map test-map 1 ipsec-isakmp: the sequence number 1 is the priority; optional)</p>
<p>crypto map ipsec 10 ipsec-isakmp //create the IPsec policy (phase 2)</p>
<p>set peer 10.162.151.107 //peer address</p>
<p>//set peer 10.162.151.115 //the peer's post-NAT IP</p>
<p>set transform-set ipsecvpn ipsecvpn2 ipsecvpn3 ipsecvpn4 ipsecvpn5 //bind transform sets to the crypto map (only ipsecvpn is defined in this example; the other names must be created before they can be referenced)</p>
<p>set isakmp-profile ikev1-profile //reference the ISAKMP profile</p>
<p>set pfs group15 //Perfect Forward Secrecy group (note: use the same DH group as phase 1; without a matching setting the negotiation will not succeed)</p>
<p>match address 100 //ACL the crypto map matches</p>
<p>exit //leave the crypto map</p>
<p> </p>
<p>interface e0/1 //enter the Cisco WAN-facing interface</p>
<p>crypto map ipsec //bind the crypto map to the interface</p>
<p>exit //leave interface configuration</p>
<h4>2. Cisco IKEv2 interoperation configuration:</h4>
<h5>(1) Cisco IOU1 IKEv2 configuration:</h5>
<p>Cisco interface IP configuration:</p>
<p>interface Ethernet0/0</p>
<p> ip address 192.168.100.254 255.255.255.0</p>
<p>!</p>
<p>interface Ethernet0/1</p>
<p> ip address 22.22.22.22 255.255.255.0</p>
<p> crypto map ipsec</p>
<p>!</p>
<p>ip route 0.0.0.0 0.0.0.0 10.90.255.254</p>
<p>ip route 0.0.0.0 0.0.0.0 22.22.22.21</p>
<p> </p>
<p>IKEv2 IPsec VPN sample configuration:</p>
<p>Configure the proposal</p>
<p>crypto ikev2 proposal ikev2-proposal</p>
<p>encryption 3des</p>
<p>integrity md5</p>
<p>group 15</p>
<p> </p>
<p>Configure the policy (optional)</p>
<p>crypto ikev2 policy ikev2-policy</p>
<p>proposal ikev2-proposal</p>
<p> </p>
<p>Configure the keyring</p>
<p>crypto ikev2 keyring ikev2-keyring</p>
<p>peer center-asa</p>
<p>address 10.162.151.107</p>
<p>pre-shared-key cisco</p>
<p> </p>
<p>Configure the profile</p>
<p>crypto ikev2 profile ikev2-profile</p>
<p>match identity remote address 7.7.7.7 255.255.255.0 //remote ID: email/fqdn/address are supported</p>
<p>identity local address 8.8.8.8 //local ID: email/fqdn/address are supported</p>
<p>authentication remote pre-share //pre-shared-key authentication</p>
<p>authentication local pre-share</p>
<p>keyring local ikev2-keyring</p>
<p> </p>
<p>Configure the transform set (optional)</p>
<p>crypto ipsec transform-set ipsecvpn esp-aes esp-md5-hmac</p>
<p>mode tunnel</p>
<p>crypto ipsec transform-set ipsecvpn esp-3des esp-sha-hmac //same name as the set above, so this definition replaces it</p>
<p>mode tunnel</p>
<p>//crypto ipsec transform-set ipsecvpn2 esp-des esp-sha256-hmac</p>
<p>//mode tunnel</p>
<p>//crypto ipsec transform-set ipsecvpn3 esp-3des esp-sha384-hmac</p>
<p>//mode tunnel</p>
<p>show crypto ipsec transform-set</p>
<p>Configure the interesting traffic</p>
<p>ip access-list extended 100</p>
<p>permit ip 192.168.100.0 0.0.0.255 190.190.190.0 0.0.0.255</p>
<p>Configure the crypto map</p>
<p>crypto map ipsec 10 ipsec-isakmp //create the IPsec policy (phase 2)</p>
<p>set peer 10.162.151.107 //peer address</p>
<p>set transform-set ipsecvpn ipsecvpn2 ipsecvpn3 //bind transform sets to the crypto map (ipsecvpn2 and ipsecvpn3 are commented out above and must be defined before they can be referenced)</p>
<p>set ikev2-profile ikev2-profile</p>
<p>set pfs group15 //Perfect Forward Secrecy group (note: use the same DH group as phase 1; without a matching setting the negotiation will not succeed)</p>
<p>set security-association lifetime seconds 900 //IPsec SA lifetime of 900 seconds</p>
<p>match address 100 //ACL the crypto map matches</p>
<p>exit</p>
<p> </p>
<p>Apply it to the interface</p>
<p>int e0/1</p>
<p>crypto map ipsec</p>
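<p>As an added example (not from the original page or any Cisco tool), the following Python script lints a condensed copy of the IKEv1 and IKEv2 configurations above for the problems a reviewer would flag: MD5/3DES in the phase-1 policy and ESP transforms, transform-set names referenced by the crypto map but never defined, a PFS group that differs from the phase-1 DH group, and a crypto map not applied to any interface. It assumes IOS-style indentation (sub-commands indented by one space); the sample config is constructed inline.</p>

```python
# Constructed sample, condensed from this page's IKEv1/IKEv2 config (ipsecvpn2/3 undefined, as on the page)
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 encryption 3des
 group 15
crypto ikev2 proposal ikev2-proposal
 integrity md5
 group 15
crypto ipsec transform-set ipsecvpn esp-aes esp-md5-hmac
crypto map ipsec 10 ipsec-isakmp
 set transform-set ipsecvpn ipsecvpn2 ipsecvpn3
 set pfs group15
"""

# Algorithms a new tunnel should not negotiate (MD5, DES, 3DES and their ESP forms).
WEAK = {"md5", "des", "3des", "esp-md5-hmac", "esp-des", "esp-3des"}

def lint_ipsec_config(text):
    """Sorted findings: weak algorithms, undefined transform-sets, PFS vs phase-1 group, unbound maps."""
    findings, defined_ts, used_ts = set(), set(), set()
    p1_groups, pfs_groups, maps, bound, section = set(), set(), set(), set(), ""
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):          # an unindented command opens a new section
            section = " ".join(w[:3])
            if section == "crypto ipsec transform-set":
                defined_ts.add(w[3])
                findings.update(f"weak ESP transform {a} in transform-set {w[3]}"
                                for a in w[4:] if a in WEAK)
            continue
        if section.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            if w[0] in ("hash", "encryption", "integrity") and w[1] in WEAK:
                findings.add(f"weak {w[0]} {w[1]} in {section}")
            elif w[0] == "group":
                p1_groups.add(w[1])
        elif section.startswith("crypto map"):
            maps.add(section.split()[2])
            if w[:2] == ["set", "transform-set"]:
                used_ts.update(w[2:])
            elif w[:2] == ["set", "pfs"]:
                pfs_groups.add(w[2].replace("group", ""))
        elif section.startswith("interface") and w[:2] == ["crypto", "map"]:
            bound.add(w[2])
    findings.update(f"crypto map references undefined transform-set {t}" for t in used_ts - defined_ts)
    findings.update(f"PFS group {g} matches no phase-1 DH group" for g in pfs_groups - p1_groups)
    findings.update(f"crypto map {m} is not applied to any interface" for m in maps - bound)
    return sorted(findings)
```

<p>Run it against the output of show running-config to get the same seven findings for the page's configuration; a config with SHA-256/AES, a defined transform set, a matching PFS group and a bound crypto map produces an empty list.</p>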
<h5>(2) Cisco IOU2 IKEv2 configuration:</h5>
<p>NAT translation configured on the intermediate Cisco router:</p>
<p>Configure the interface IPs</p>
<p>conf t</p>
<p>int e0/0</p>
<p>ip add 11.11.11.2 255.255.255.0</p>
<p>no shutdown</p>
<p>exit</p>
<p>int e0/1</p>
<p>ip address 13.13.13.1 255.255.255.0</p>
<p>no shutdown</p>
<p>exit</p>
<p> </p>
<p>Configure the static source NAT rule</p>
<p>ip nat inside source static 11.11.11.1 13.13.13.1</p>
<p>Enter interface e0/1</p>
<p>int e0/1</p>
<p>Mark the interface as the NAT outside interface</p>
<p>ip nat outside</p>
<p>exit</p>
<p>Enter interface e0/0</p>
<p>int e0/0</p>
<p>Mark the interface as the NAT inside interface</p>
<p>ip nat inside</p>
<p>exit</p>
<p> </p>
<h4>Example 1</h4>
<p> interface Ethernet0/0</p>
<p> ip address 22.22.22.21 255.255.255.0</p>
<p> ip nat inside</p>
<p> ip virtual-reassembly in</p>
<p>!</p>
<p>interface Ethernet0/1</p>
<p> no ip address</p>
<p> ip nat outside</p>
<p> ip virtual-reassembly in</p>
<p>!</p>
<p>interface Ethernet0/2</p>
<p> ip address 10.90.17.76 255.255.0.0</p>
<p> ip nat outside</p>
<p> ip virtual-reassembly in</p>
<p>!</p>
<p> </p>
<p>ip nat pool hzl 10.90.9.77 10.90.9.77 netmask 255.255.255.255</p>
<p>ip nat inside source list 14 interface Ethernet0/2 overload</p>
<p>ip nat inside source list 15 interface Ethernet0/2 overload</p>
<p>ip route 10.162.0.0 255.254.0.0 10.90.255.254</p>
<p>ip route 192.168.100.0 255.255.255.0 22.22.22.22</p>
<p>!</p>
<p>access-list 14 permit 22.22.22.0 0.0.0.255</p>
<p>access-list 15 permit 192.168.100.0 0.0.0.255</p>
<p>access-list 16 permit 0.0.0.0</p>
<p>crypto map ipsec</p>
<p>exit</p>
<h3>Firewall GUI configuration</h3>
<h4>1. Basic configuration</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=d340ec638dd475cc45811bb2cfd23443&amp;file=file.png" alt="" /></p>
<h4>2. IKE configuration</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=74c184543835bd2e2e2e7f5fd189454c&amp;file=file.png" alt="" /></p>
<h4>3. IPsec configuration</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=4e209b38cf9b4b0f73c412dfb6be59f8&amp;file=file.png" alt="" /></p>
<h4>4. The DLAN operating status shows the VPN tunnel established</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=82d9db00f4a294d27c7dcbc03f893559&amp;file=file.png" alt="" /></p>
<h3>Common Cisco device commands</h3>
<p>en //enter privileged EXEC mode</p>
<p>conf t //enter configuration mode (remember to save after configuring; otherwise all configuration is lost on reboot)</p>
<p>show ip route //view the routing table</p>
<p>show ip int b //view interface IP configuration</p>
<p>show running-config //view the IPsec VPN configuration</p>
<p>int e0/0</p>
<p>crypto ikev2 ? //appending a question mark lists the available keywords</p>
<p>ip 1.1.1.1/24 1.1.1.2 //configure IP and subnet mask</p>
<p>ip 1.1.1.1 255.255.255.0 1.1.1.2 //same, with a dotted-decimal mask</p>
<p>show ip //view IP configuration</p>
<p>save //save the configuration (on IOS: write memory, or copy running-config startup-config)</p>
<p>Show the ISAKMP negotiation policies (key exchange policy)</p>
<p>sh crypto isakmp policy</p>
<p>View the state of the management (IKE) SA</p>
<p>sh crypto isakmp sa //view security associations</p>
<p>Show the IPsec transform sets</p>
<p>sh crypto ipsec transform-set</p>
<p>Show the details of the data (IPsec) SA; append detail for more</p>
<p>sh crypto ipsec sa</p>
<p>Show crypto map information</p>
<p>sh crypto map</p>
<p>View the pre-shared keys used by the current key exchange</p>
<p>show crypto isakmp key</p>
<p>View established peers</p>
<p>show crypto isakmp peers</p>
<p>VPN status: show crypto session</p>
<p>show ip nat statistics //view NAT statistics</p>
<p>To look up anything else, append ? to the command to list the matching configuration commands</p>
<h3>Maintainer: 向西宇</h3>