--(Optional) If the SA lifetime differs from the global default, define it:
(crypto-map)set security-association lifetime seconds seconds
(crypto-map)set security-association lifetime kilobytes kilobytes
--(Optional) Use perfect forward secrecy for every new SA:
(crypto-map)set pfs [group1 | group2]
--Add the dynamic crypto map set to the regular crypto map set:
(global)crypto map map-name sequence ipsec-isakmp dynamic dyn-map-name [discover]
--(Optional) Use IKE mode configuration for clients:
(global)crypto map map-name client configuration address [initiate | respond]
--(Optional) Use pre-shared IKE keys obtained from an AAA server:
(global)crypto map map-name isakmp authorization list list-name
6. Apply the crypto map to an interface
(1) Specify the crypto map to use:
(interface)crypto map map-name
(2) (Optional) Share the crypto map with other interfaces:
(global)crypto map map-name local-address interface-id
PIX virtual firewall (multiple-context mode) configuration example
PIXFW(config)# sh run
: Saved :
PIX Version 7.0(2)
interface Ethernet0
 speed 1920
 duplex full
!
interface Ethernet0.1
 vlan 5
!
interface Ethernet0.2
 vlan 6
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
 shutdown
!
interface Ethernet4
 shutdown
!
interface Ethernet5
 shutdown
!
enable password 8Ry2YjIyt7RRXU24 encrypted
hostname PIXFW
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context OA
context OA
 allocate-interface Ethernet0.1
 allocate-interface Ethernet1
 config-url flash:/OA.cfg
!
context FMIS
 allocate-interface Ethernet0.2
 allocate-interface Ethernet2
 config-url flash:/FMIS.cfg
!
Cryptochecksum:53517dcd4fe74fdcb51a1d24e90b1469
: end
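As an added check, not part of the original page and not Cisco's own tooling, the following Python parses a system-context running configuration in the format shown above and audits how interfaces are allocated to contexts: an interface allocated to more than one context links those virtual firewalls' traffic paths and should be a deliberate decision, and a physical interface that is up but owned by no context is unmanaged. The sample configuration is constructed from the output above, with "!" separators omitted and Ethernet4 deliberately left up.

```python
# Constructed sample modelled on the "sh run" output above (PIX 7.0 system
# context, multiple-context mode); Ethernet4 is deliberately left up.
SAMPLE_RUN = """\
interface Ethernet0
interface Ethernet0.1
interface Ethernet0.2
interface Ethernet3
 shutdown
interface Ethernet4
admin-context OA
context OA
 allocate-interface Ethernet0.1
 config-url flash:/OA.cfg
context FMIS
 allocate-interface Ethernet0.2
 config-url flash:/FMIS.cfg
"""

def parse_system_config(text):
    """interfaces: name -> True if shutdown; contexts: name -> allocated list."""
    interfaces, contexts, cur_if, cur_ctx = {}, {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            cur_if, cur_ctx = s.split()[1], None
            interfaces[cur_if] = False
        elif s.startswith("context "):      # "admin-context X" does not match
            cur_ctx, cur_if = s.split()[1], None
            contexts[cur_ctx] = []
        elif cur_if and s == "shutdown":
            interfaces[cur_if] = True
        elif cur_ctx and s.startswith("allocate-interface "):
            contexts[cur_ctx].append(s.split()[1])
    return interfaces, contexts

def audit_allocation(text):
    """Shared interfaces join two contexts' traffic paths; up interfaces owned by
    no context are unmanaged (trunk parents such as Ethernet0 are expected)."""
    interfaces, contexts = parse_system_config(text)
    owners = {}
    for ctx, intfs in contexts.items():
        for i in intfs:
            owners.setdefault(i, []).append(ctx)
    shared = {i: o for i, o in owners.items() if len(o) > 1}
    unallocated = sorted(i for i, down in interfaces.items()
                         if not down and i not in owners
                         and not any(a.startswith(i + ".") for a in owners))
    return shared, unallocated
```

Run it against the output of `show running-config` taken in the system context; on the sample it reports no shared interface and flags Ethernet4.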
PIXFW(config)# sh interface
Interface Ethernet0 \
Hardware is i82559, BW 1920 Mbps
Full-Duplex(Full-duplex), 1920 Mbps(1920 Mbps)
Available for allocation to a context
MAC address 0015.f9a9.02ea, MTU not set
IP address unassigned
525 packets input, 83359 bytes, 0 no buffer
Received 83 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1935 packets output, 150750 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Interface Ethernet0.1 \
VLAN identifier 5
Available for allocation to a context
Interface Ethernet0.2 \
VLAN identifier 6
Available for allocation to a context
Interface Ethernet1 \
Hardware is i82559, BW 1920 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(1920 Mbps)
Available for allocation to a context
MAC address 0015.f9a9.02eb, MTU not set
IP address unassigned
2757 packets input, 225620 bytes, 0 no buffer
Received 1869 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
159 packets output, 12400 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Interface Ethernet2 \
Hardware is i82559, BW 1920 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(1920 Mbps)
Available for allocation to a context
MAC address 0005.5d18.3021, MTU not set