Basic interface configuration
pix(config)#interface eth0 auto
pix(config)#interface eth1 auto
pix(config)#nameif eth0 outside security0
pix(config)#nameif eth1 inside security100
pix(config)#ip address outside 218.1.1.2 255.255.255.0
pix(config)#ip address inside 10.100.1.1 255.255.255.0
Set the default route
pix(config)#route outside 0 0 218.1.1.1
Define the traffic that is exempt from NAT and that must be protected by IPsec
pix(config)# access-l ezvpn permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Configure nat 0
pix(config)# nat (inside) 0 access-list ezvpn
Configure the client address pool
pix(config)# ip local pool ezvpn-pool 192.168.1.1-192.168.1.254
ISAKMP parameter configuration
pix(config)# isakmp enable outside
pix(config)# isakmp identity address
pix(config)# isakmp policy 20 authen pre-share
pix(config)# isakmp policy 20 encry 3des
pix(config)# isakmp policy 20 hash sha
pix(config)# isakmp policy 20 group 2
Configure the transform set and the dynamic map
pix(config)# crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
pix(config)# crypto dynamic-map vpn-dyn 10 set transform-set ccsp
Configure the crypto map
pix(config)# crypto map cisco 10 ipsec-isakmp dynamic vpn-dyn
pix(config)# crypto map cisco client conf address initiate
pix(config)# crypto map cisco interface outside
Group policy configuration
pix(config)# vpngroup mobile address-pool ezvpn-pool
pix(config)# vpngroup mobile dns-server 10.100.1.80
pix(config)# vpngroup mobile default-domain itany.com
pix(config)# vpngroup mobile split-tunnel ezvpn
pix(config)# vpngroup mobile password cisco1234
Allow any traffic to pass through the IPsec tunnel
pix(config)# sysopt connection permit-ipsec
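The pieces above only work together if the nat 0 ACL, the split-tunnel ACL and the client address pool agree: a pool that falls outside the ACL's destination network means client traffic is NATed or never matched by the crypto map. The following Python checker is an added example (not Cisco code or part of the original page); it parses the relevant lines from this configuration, with the abbreviated `access-l` written out in full, and reports any mismatch.

```python
import ipaddress

# Constructed sample taken from the EzVPN configuration above
# ("access-l" expanded to "access-list").
PIX_CONFIG = """\
access-list ezvpn permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list ezvpn
ip local pool ezvpn-pool 192.168.1.1-192.168.1.254
vpngroup mobile address-pool ezvpn-pool
vpngroup mobile split-tunnel ezvpn
"""

def parse_pix(config):
    """Collect permit ACEs, local pools, the nat 0 ACL name and vpngroup settings."""
    acls, pools, nat0, groups = {}, {}, None, {}
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0].startswith("access-l") and p[2] == "permit":
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["ip", "local", "pool"] and len(p) >= 5:
            lo, hi = p[4].split("-")
            pools[p[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p[:1] == ["nat"] and "access-list" in p:
            nat0 = p[p.index("access-list") + 1]      # ACL exempted from NAT
        elif p[:1] == ["vpngroup"] and len(p) >= 4:
            groups.setdefault(p[1], {})[p[2]] = p[3]
    return acls, pools, nat0, groups

def check_ezvpn(config):
    """Return a list of findings; an empty list means the settings agree."""
    acls, pools, nat0, groups = parse_pix(config)
    findings = []
    for name, g in groups.items():
        split = g.get("split-tunnel")
        if split and split != nat0:
            findings.append(f"{name}: split-tunnel ACL {split} != nat 0 ACL {nat0}")
        pool = pools.get(g.get("address-pool"))
        if pool is None:
            findings.append(f"{name}: address-pool is not defined")
            continue
        lo, hi = pool
        # The pool is a contiguous range, so both ends inside one ACE destination
        # means every client address is NAT-exempt and matched by the crypto ACL.
        covered = any(lo in dst and hi in dst for _, dst in acls.get(nat0, []))
        if not covered:
            findings.append(f"{name}: pool {lo}-{hi} not covered by ACL {nat0}")
    return findings
```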