CCIE Lab: VPN Tunnel Network [PIX]
Configuring PIX Firewall 1 (NewYork) with VPN Tunneling

Step 1 Define a host name:

    hostname NewYork

Step 2 Configure an ISAKMP policy:

    isakmp enable outside
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des

Note: the post as printed had "encrypt des" here while the SanJose policy (below) uses 3des. The two peers must share a matching ISAKMP policy or IKE Phase 1 never completes, so 3des is used on both sides.

Step 3 Configure a pre-shared key and associate it with the peer:

    isakmp key cisco1234 address 209.165.200.229 netmask 255.255.255.255

Note: this is the PIX 6.x form of the command; the post printed the IOS-style "crypto isakmp key ...", which the PIX CLI does not accept.

Step 4 Configure the supported IPSec transforms:

    crypto ipsec transform-set strong esp-3des esp-sha-hmac

Note: printed as esp-des in the post; the transform set must match the one SanJose proposes (esp-3des esp-sha-hmac) or IPSec Phase 2 fails.

Step 5 Create an access list:

    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

Step 6 Exclude traffic between the intranets from NAT:

    nat 0 access-list 90

This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

Step 7 Enable NAT for all other traffic:

    nat (inside) 1 0 0

Step 8 Assign a pool of global addresses for NAT and PAT:

    global (outside) 1 209.165.202.129-209.165.202.159
    global (outside) 1 209.165.202.160

The pool of registered addresses is only used for connections to the public Internet.

Step 9 Define a crypto map:

    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose 20 set peer 209.165.200.229

Step 10 Apply the crypto map to the outside interface:

    crypto map toSanJose interface outside

Step 11 Specify that IPSec traffic be implicitly trusted (permitted):

    sysopt connection permit-ipsec

Configuring PIX Firewall 2 (SanJose) for VPN Tunneling

Step 1 Define a host name:

    hostname SanJose

Step 2 Define the domain name:

    domain-name example.com

Step 3 Create a net static:

    static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Step 4 Configure the ISAKMP policy:

    isakmp enable outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des

Step 5 Configure a pre-shared key and associate it with the peer:

    isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255

Note: PIX 6.x form, as in Step 3 for NewYork; the key string must be identical on both peers.

Step 6 Configure IPSec supported transforms:

    crypto ipsec transform-set strong esp-3des esp-sha-hmac

Step 7 Create an access list:

    access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0

Step 8 Exclude traffic between the intranets from NAT:

    nat 0 access-list 80

This excludes traffic matching access list 80 from NAT. The nat 0 command is always processed before any other nat commands.

Step 9 Enable NAT for all other traffic:

    nat (inside) 1 0 0

Step 10 Assign a pool of global addresses for NAT and PAT:

    global (outside) 1 209.165.202.160-209.165.202.189
    global (outside) 1 209.165.202.190

Note: the post printed the end of the range as 209.165.202.89, which is lower than the start and not a valid range; 209.165.202.189 is assumed here, leaving .190 for PAT.

The pool of registered addresses is only used for connections to the public Internet.

Step 11 Define a crypto map:

    crypto map newyork 10 ipsec-isakmp
    crypto map newyork 10 match address 80
    crypto map newyork 10 set transform-set strong
    crypto map newyork 10 set peer 209.165.201.8

Step 12 Apply the crypto map to an interface:

    crypto map newyork interface outside

Step 13 Specify that IPSec traffic be implicitly trusted (permitted):

    sysopt connection permit-ipsec

This article is from the 51CTO.COM technology blog.
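The two configurations above only work if they mirror each other: the ISAKMP policies must share an encryption algorithm, the transform sets referenced by the crypto maps must be identical, the pre-shared key must be the same string, each side's crypto ACL must be the reverse of the other's, and the crypto ACL traffic must be exempted from NAT by nat 0. The script below is an added example, not part of the original post and not Cisco code: it parses the subset of PIX 6.x commands used in this lab from two constructed config strings and reports the mismatches that would otherwise show up only as a tunnel that never comes up. The constructed NewYork config deliberately proposes DES where SanJose proposes 3DES, the kind of slip that is easy to make when copying the two sides, so the check has something to catch.

```python
"""Mirror-consistency check for a pair of PIX 6.x site-to-site IPsec configs.

Added example (not from the original post, not Cisco code). Parses only the
commands the lab uses: isakmp policy, isakmp key, crypto ipsec transform-set,
access-list, nat 0, crypto map. Sample configs are constructed for this example.
"""
import re
from ipaddress import ip_network

NEWYORK_CFG = """
hostname NewYork
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp key cisco1234 address 209.165.200.229 netmask 255.255.255.255
crypto ipsec transform-set strong esp-des esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose interface outside
sysopt connection permit-ipsec
"""  # constructed; DES on this side is the deliberate mismatch

SANJOSE_CFG = """
hostname SanJose
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
nat 0 access-list 80
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set transform-set strong
crypto map newyork 10 set peer 209.165.201.8
crypto map newyork interface outside
sysopt connection permit-ipsec
"""  # constructed


def parse_pix(cfg):
    """Extract the tunnel-relevant settings from a PIX config string."""
    c = {"host": None, "ike_enc": set(), "keys": {}, "transforms": {},
         "acls": {}, "nat0_acl": None, "maps": {}}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)$", line):
            c["host"] = m.group(1)
        elif m := re.match(r"isakmp policy \d+ encryption (\S+)$", line):
            c["ike_enc"].add(m.group(1))
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            c["keys"][m.group(2)] = m.group(1)          # peer address -> key string
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            c["transforms"][m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # PIX ACLs use subnet masks, which ipaddress accepts as "net/mask"
            src = ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ip_network(f"{m.group(4)}/{m.group(5)}")
            c["acls"].setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"nat 0 access-list (\S+)$", line):
            c["nat0_acl"] = m.group(1)
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set peer) (\S+)$", line):
            c["maps"].setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    return c


def twin_entry(entry, a, b):
    """Return b's crypto map entry whose ACL is the src/dst mirror of entry's ACL, or None."""
    acl = a["acls"].get(entry.get("match address"), [])
    mirror = [(dst, src) for src, dst in acl]
    return next((e for e in b["maps"].values()
                 if mirror and b["acls"].get(e.get("match address")) == mirror), None)


def crypto_findings(a, b):
    """Symmetric checks, run once per pair: IKE Phase 1 encryption and ESP transforms."""
    out = []
    if not a["ike_enc"] & b["ike_enc"]:
        out.append(f"IKE encryption mismatch: {a['host']} offers {sorted(a['ike_enc'])}, "
                   f"{b['host']} offers {sorted(b['ike_enc'])}")
    for (name, seq), entry in a["maps"].items():
        twin = twin_entry(entry, a, b)
        if twin is None:
            continue  # the missing mirror is reported by policy_findings
        ts_a = a["transforms"].get(entry.get("set transform-set"), frozenset())
        ts_b = b["transforms"].get(twin.get("set transform-set"), frozenset())
        if ts_a != ts_b:
            out.append(f"ESP transform mismatch on {name} {seq}: {a['host']} {sorted(ts_a)} "
                       f"vs {b['host']} {sorted(ts_b)}")
    return out


def policy_findings(a, b):
    """One-directional checks, run both ways: pre-shared key, mirrored ACL, NAT exemption."""
    out = []
    for (name, seq), entry in a["maps"].items():
        peer = entry.get("set peer")
        key = a["keys"].get(peer)
        if key is None:
            out.append(f"{a['host']}: crypto map {name} {seq} peers with {peer} but no isakmp key is defined for it")
        elif key not in b["keys"].values():
            out.append(f"{a['host']}: pre-shared key for {peer} matches no key on {b['host']}")
        if twin_entry(entry, a, b) is None:
            out.append(f"{b['host']}: no crypto map entry whose ACL mirrors {a['host']} {name} {seq}")
        acl = a["acls"].get(entry.get("match address"), [])
        nat0 = a["acls"].get(a["nat0_acl"], [])
        missing = [f"{s} -> {d}" for s, d in acl if (s, d) not in nat0]
        if missing:
            out.append(f"{a['host']}: crypto ACL traffic {missing} is not exempted from NAT (nat 0)")
    return out


def audit(cfg_a, cfg_b):
    """Return all findings for the pair; an empty list means the two sides agree."""
    a, b = parse_pix(cfg_a), parse_pix(cfg_b)
    return crypto_findings(a, b) + policy_findings(a, b) + policy_findings(b, a)


if __name__ == "__main__":
    for finding in audit(NEWYORK_CFG, SANJOSE_CFG):
        print(finding)
```

Run as-is it reports the IKE encryption and ESP transform mismatches; after changing the NewYork side to 3des/esp-3des it reports nothing, and removing the nat 0 line from either side produces a NAT-exemption finding. The checks are deliberately limited to what the lab configures; a real PIX also negotiates hash, DH group and lifetimes, which would need the same treatment.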




