!--- Define the traffic destined for the router:
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!--- Do not translate addresses for traffic destined for the router
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.17.63.213 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 172.17.63.210
!--- Do not translate addresses for traffic destined for the router
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.17.63.209 1
!--- IPSec policy:
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
!--- IKE policy:
isakmp enable outside
isakmp key westernfinal2000 address 172.17.63.230 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
: end
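An added audit sketch for the configuration above (not part of the original page or of any Cisco tool): it flags the single-DES, MD5 and Diffie-Hellman group 1 settings in the IKE and IPSec policies, and checks that every crypto-map ACL entry is also exempt from NAT, as the comments in the configuration require. The names `audit`, `WEAK` and `SAMPLE_CONFIG` and the list of weak parameters are assumptions of this example.

```python
import re

# Constructed sample: the ACL, NAT, IPSec and IKE lines of the configuration above.
SAMPLE_CONFIG = """\
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set transform-set avalanche
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
"""

# Assumption of this example: parameters treated as too weak for new tunnels.
WEAK = {"des": "single DES", "esp-des": "single DES (ESP)", "md5": "MD5 hash",
        "esp-md5-hmac": "HMAC-MD5 (ESP)", "group 1": "768-bit DH group 1"}

def audit(config):
    """Return a list of findings for a PIX-style IPSec/IKE configuration."""
    acls, nat0_acls, crypto_acls, findings = {}, set(), set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (permit .+)", line):
            acls.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acls.add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            findings += [f"transform-set {m[1]}: {WEAK[t]}"
                         for t in m[2].split() if t in WEAK]
        elif m := re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", line):
            key = f"group {m[3]}" if m[2] == "group" else m[3]
            if key in WEAK:
                findings.append(f"isakmp policy {m[1]}: {WEAK[key]}")
    # Simplification: a crypto ACL rule counts as NAT-exempt only on an exact text match.
    exempt = set().union(*(acls.get(n, set()) for n in nat0_acls))
    for name in sorted(crypto_acls):
        for rule in sorted(acls.get(name, set()) - exempt):
            findings.append(f"crypto ACL {name}: '{rule}' is not exempt from NAT")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```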