ASA、juniper、Router 站点到站点的 VPN

ASA、juniper、Router 站点到站点的 VPN经过测试通过。

Chicago 防火墙配置：
  @+ x# B3 _5 ~$ j: Saved
: Written by enable_15 at 00:44:56.802 UTC Fri Jan 4 2013
!
ASA Version 8.2(5)
!
hostname Chicago
enable password WrXP9uZExEcEnNI3 encrypted
; j% p" o7 z/ Zpasswd rk6YkHwBJrlS0iX4 encrypted
names
2 B; f8 A0 i! }) i  B! l5 L!
interface Ethernet0/0
nameif outside
security-level 0
ip address 116.247.91.98 255.255.255.248
!
interface Ethernet0/1
nameif inside
  h. i0 G+ ?2 U& C) `+ F1 t8 m security-level 100
" C/ P' y. {3 m2 K0 n ip address 10.131.126.51 255.255.255.240
& B1 O  ~0 K3 J- j5 U1 T" R; Z( V!
4 v. ~/ h" c8 J+ a( Hinterface Ethernet0/2
shutdown
7 d; R8 n( R8 R* ~9 v! G0 I1 H no nameif
; j& G! A# }- p no security-level
no ip address
  v' L* n$ i" u) Z!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
7 [- X) V* d  `: b  t0 ^interface Management0/0
1 s$ M- _* u3 A& h  f shutdown
no nameif
no security-level
8 K6 G' D8 Y5 V$ r9 k no ip address
!
; @* u1 [6 ]  S3 A0 Kinterface GigabitEthernet1/0
shutdown
no nameif
& ~6 L  V+ r' [4 Y; I- Z, _# p no security-level
no ip address
+ O6 p, _8 t( I2 ?( `; k" |2 |0 u!
( Q, O! `: c% L! Tinterface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
% Y! D8 s$ W0 m* Z: h% P, ^!
1 T& T4 }% l# G; x4 X  v0 }! Q+ uinterface GigabitEthernet1/2
& r: t  w. Z# a shutdown
1 u# u9 U6 J. z4 g# H( |' U, d* M7 [% D no nameif
no security-level
8 t2 O7 N! N% Z no ip address
6 g4 H- u! v/ W. d. b( N! e!
interface GigabitEthernet1/3
shutdown
& O8 M- R+ G( u( J5 q( }. b& s no nameif
no security-level
no ip address
& z! v% B, b" Y7 E9 ~! I% u; f!
ftp mode passive
( t+ r" w4 Y% k: \4 T6 h3 R2 g7 Yaccess-list inside_nat0_outbound extended permit ip 10.131.0.0 255.255.128.0 10.131.200.0 255.255.255.0
- T4 X0 z: h# X* I+ v) d9 @access-list inside_nat0_outbound extended permit ip 10.131.0.0 255.255.128.0 10.131.201.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.131.0.0 255.255.128.0 10.131.200.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.131.0.0 255.255.128.0 10.131.201.0 255.255.255.0
4 ?9 z& p9 T3 l; Xpager lines 24
logging enable
1 L' i  h9 S5 g7 D( {+ q2 ylogging asdm informational
mtu outside 1500
mtu inside 1500
no failover
( I( O- q: G& a4 ~1 ficmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 116.247.91.97 1
route inside 10.131.0.0 255.255.128.0 10.131.126.57 1
, j, P/ v; e5 P, k: ~( }timeout xlate 3:00:00
) X9 R8 ~& R2 i$ Ctimeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
6 f# D3 z: Y/ w, h5 wtimeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
' u. r* A" r2 X! }7 N& F' Itimeout floating-conn 0:00:00
1 P  h1 }" ?3 k7 fdynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.131.0.0 255.255.0.0 inside
1 s1 s& b0 B: Uhttp 0.0.0.0 0.0.0.0 outside
' k! |5 F; p  \no snmp-server location
; F9 [5 a+ h: `8 f! Ono snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
- r4 E- c  \9 k& ~# b8 Icrypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
. s5 U* g# a% H" g! G* U+ hcrypto ipsec security-association lifetime seconds 28800
1 X& W& W- o3 F9 Acrypto ipsec security-association lifetime kilobytes 4608000
; g2 K- x6 `" f/ q3 b5 C) ecrypto map outside_map 1 match address outside_cryptomap_1
) ]( W5 O7 U3 ?( B4 h4 `$ ocrypto map outside_map 1 set peer 120.90.11.218
4 M' X) y; G  U: b3 v* M7 I3 S) ^crypto map outside_map 1 set transform-set 3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 140.206.34.178
crypto map outside_map 2 set transform-set 3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
' ]1 J  F. f. j9 A  L( k& k& i3 ] authentication pre-share
encryption 3des
: w9 o% m7 i" I/ X! Z( p2 ^ hash sha
) \$ C5 H1 \0 m, }' O group 2
" S" ?* X; \7 v2 O6 | lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.131.0.0 255.255.0.0 inside
" f1 M, b! Z( p6 l$ Itelnet timeout 5
( y9 n+ }. r2 t" d9 sssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
7 }. E0 p  k, |$ K$ Fthreat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
$ m3 O1 {5 W  |8 Qwebvpn
+ d9 [5 k: H8 W. jtunnel-group 120.90.11.218 type ipsec-l2l
5 h$ R% H2 D3 I- v- ]- ]tunnel-group 120.90.11.218 ipsec-attributes
: |* ]- N: w" Z  ? pre-shared-key cisco123
' l9 B& z  H& j5 ~7 L3 E: C, Utunnel-group 140.206.34.178 type ipsec-l2l
tunnel-group 140.206.34.178 ipsec-attributes
pre-shared-key cisco123
6 m( H7 ~  _+ O% h- s!
* t' u! D1 I5 bclass-map inspection_default
/ k$ z4 C6 e4 y) `3 O. w8 a# p& ] match default-inspection-traffic
4 x2 K  I; |/ [( n" ^8 l. L7 |6 k!
!
3 T# d6 x7 h' X2 Tpolicy-map type inspect dns preset_dns_map
' A, B; p! |8 n& s6 ?4 y7 ` parameters
+ S, D/ @; S- h6 ^2 {& Q3 X message-length maximum client auto
" x4 ]! m" q) q message-length maximum 512
policy-map global_policy
& l4 y2 @2 B% N2 L( ? class inspection_default
9 b% t, l8 R+ @1 T. f2 k inspect dns preset_dns_map
- T# F8 {9 r# i0 C inspect ftp
inspect h323 h225
inspect h323 ras
5 {& a" y7 V4 p: k! M. i inspect ip-options
2 I* U  O, U* o' ` inspect netbios
inspect rsh
inspect rtsp
' V$ i, @% b' z& h9 U0 C( p) v) @ inspect skinny
) {( D4 K7 O, z! Q4 B2 n! i inspect esmtp
inspect sqlnet
inspect sunrpc
0 s4 M+ T# p: d" b  Z inspect tftp
; e: Z2 ^8 k8 h inspect sip
inspect xdmcp
6 L% A4 _" R$ y6 V- [!
& e' g$ C& q$ K+ Uservice-policy global_policy global
prompt hostname context
no call-home reporting anonymous
' G/ W5 Q- o6 z* q3 ycall-home
profile CiscoTAC-1
! g5 X1 ]6 j+ M- o( P. u6 q9 A9 f no active
destination address http https://tools.cisco.com/its/service/...es/DDCEService
6 S" @) G6 G9 s' h9 u7 ` destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
2 a1 y8 v! y6 \ subscribe-to-alert-group inventory periodic monthly
+ _' m7 {% F: {8 d! c1 h subscribe-to-alert-group configuration periodic monthly
, L$ T9 Y2 C, A  q2 L subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:132539f889b0ae80d42d176608fd9726
: end

New York 防火墙配置：
: Saved
0 d6 v( k! D8 T4 H2 W: Written by enable_15 at 01:56:33.414 UTC Tue Jan 8 2013
/ X% j1 _7 w1 |% v) a8 e!
ASA Version 8.2(5)
!
hostname NewYork
& v5 P5 V/ G2 H4 o; T+ @$ eenable password WrXP9uZExEcEnNI3 encrypted
passwd rk6YkHwBJrlS0iX4 encrypted
" c5 S/ m& }5 p: K( Znames
" B+ N3 u  V3 g! q; T!
interface Ethernet0/0
nameif outside
security-level 0
ip address 120.90.11.218 255.255.255.248
!
interface Ethernet0/1
nameif inside
7 {9 f. a4 I4 H, H0 P1 j/ ~2 D security-level 100
ip address 10.131.200.254 255.255.255.0
! q0 J) T$ ]6 w9 A& v!
) q0 ]- R1 _# Q; z4 ^interface Ethernet0/2
shutdown
6 v+ }! b3 O( C. N( v% P) \9 X no nameif
no security-level
no ip address
* l1 @6 L" Z3 w. i! B!
interface Ethernet0/3
shutdown
no nameif
no security-level
  r& _+ `) ^- ^7 O0 ~% Z1 w; i4 Q; R: P no ip address
!
9 n6 L/ i8 c7 a  f& f. e8 y/ Rinterface Management0/0
shutdown
9 i9 T  P+ z, x8 M8 M4 @ nameif mgmt
security-level 0
9 {7 i& w6 W" K8 C" `1 I5 V: i no ip address
!
interface GigabitEthernet1/0
shutdown
6 y$ W" J$ L' h7 V$ o8 _ no nameif
) h$ U1 D& J% p no security-level
0 M# V) n. g7 v# W  j4 o. V no ip address
!
/ f! ]# _, b* j# m0 c' I& ointerface GigabitEthernet1/1
' _3 i7 H8 v) S shutdown
# S' w- X3 E2 a) o' A& Z' Q7 c% a no nameif
no security-level
8 O( H/ b! U& i% d& f# Z* t: ` no ip address
8 \) j4 p( ?7 T4 j+ A" G!
: s8 |1 ^1 b' A; n$ Yinterface GigabitEthernet1/2
% G9 ~5 L- G  q2 E shutdown
0 v9 [4 _+ A/ B. D* s3 d no nameif
0 `' r8 o& A0 z7 g) y3 N no security-level
no ip address
0 `  {& P# |2 G/ ~0 `8 R!
6 E% z( C) \! ~# M) ]interface GigabitEthernet1/3
- k5 D# i# A1 ~$ p8 w' R3 ^5 C: q shutdown
no nameif
no security-level
4 G" F2 G0 u& n1 _ no ip address
/ v' s. [8 j% D9 y: E+ K!
( p& A+ ?8 J0 k5 ^ftp mode passive
+ u5 N; W; f# X7 ?6 f2 paccess-list inside_nat0_outbound extended permit ip 10.131.200.0 255.255.255.0 10.131.0.0 255.255.128.0
$ k% \) c7 t% A& faccess-list outside_cryptomap_1 extended permit ip 10.131.200.0 255.255.255.0 10.131.0.0 255.255.128.0
' X! ]3 p/ S: g1 r: fpager lines 24
mtu outside 1500
mtu inside 1500
4 z* p. d: x+ jmtu mgmt 1500
no failover
& y0 K) N+ ~! f& F' \5 u# ?9 A/ Xicmp unreachable rate-limit 1 burst-size 1
! I7 S. S: s0 E4 k- |, V* R% k# @no asdm history enable
- N1 ]/ s1 S# J, j! `6 zarp timeout 14400
% W) A+ b8 j4 _0 D! H2 lnat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 120.90.11.217 1
, j; I# B! h& K* R. Dtimeout xlate 3:00:00
. ^7 m0 X: b( b4 \timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
2 _9 [+ _3 p1 U# b6 ptimeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
3 O: ^& e4 D; o4 V' b3 s% ]( ztimeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
: O& h0 O9 C7 _0 K6 m5 W8 u/ Edynamic-access-policy-record DfltAccessPolicy
0 C5 U! ?! r' h2 s! X6 [, yhttp server enable
( i5 `5 M7 y* ihttp 10.131.0.0 255.255.0.0 inside
; n1 A6 z0 c. B2 b7 Chttp 0.0.0.0 0.0.0.0 outside
  H) Q% d) y: N& i- D- c' X/ b, r8 sno snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
% n5 n" D2 T1 U2 Bcrypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
: L) {: g$ z/ wcrypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
/ w' a7 D, G& z5 M; L# fcrypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 116.247.91.98
crypto map outside_map 1 set transform-set 3DES-SHA
( h, f% s) T+ t2 I$ _* P' {/ t5 H8 icrypto map outside_map interface outside
crypto isakmp enable outside
& y$ W% z# o( V; q7 d) E4 Gcrypto isakmp policy 1
0 e% T# [) u% ^+ O. T2 u authentication pre-share
, l! K  V; c; Y6 e4 S! y& \/ K encryption 3des
hash sha
group 2
  U& |; o- {- P+ P. [: A0 q( x lifetime 86400
crypto isakmp nat-traversal 50
( _  M8 y1 f* e8 ]: V" ytelnet 10.131.0.0 255.255.0.0 inside
: W4 @& ^# v% }6 w' `/ h$ `: ?& Ntelnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
) K( n1 G3 U% }( H  B9 }console timeout 0
threat-detection basic-threat
8 M) Q( Y% b: d# `2 j. Athreat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 116.247.91.98 type ipsec-l2l
% ~! X7 G3 i. q  A% Utunnel-group 116.247.91.98 ipsec-attributes
; h# p. ?' Q7 Z! n8 x( v5 ~  h pre-shared-key cisco123
% N+ n) ]4 A1 J" L: h!
! ^1 c6 t6 V( Fclass-map inspection_default
match default-inspection-traffic
!
!
! J9 j; |( C. E2 v2 i) {4 V' \9 Npolicy-map type inspect dns preset_dns_map
) X" E$ V! S) f6 h0 x  b# u, J parameters
% s/ t6 }: A$ o% H$ i; O message-length maximum client auto
message-length maximum 512
policy-map global_policy
# X$ ?7 n1 L) b& C class inspection_default
inspect dns preset_dns_map
; D1 P, j- k: w. y inspect ftp
/ y2 [" p# X1 u2 _8 O3 F inspect h323 h225
  H8 M( l8 t9 Y- p/ i inspect h323 ras
8 [3 p& H4 ?( C' [% U: R  w inspect ip-options
: e9 U' |3 n' A# R; S inspect netbios
2 `* `6 W7 v+ }. F% c inspect rsh
inspect rtsp
6 Q0 L3 c+ V, d' r inspect skinny
inspect esmtp
inspect sqlnet
6 q- N$ e2 g+ ~2 G% \ inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
2 f- E+ Z% i8 O, C# m' ^!
$ W4 ^6 R$ r) A/ kservice-policy global_policy global
prompt hostname context
9 Y2 q3 ^* q- h/ ccall-home reporting anonymous prompt 2
call-home
' z# [- X9 ~5 Y, k6 P0 G5 g9 s profile CiscoTAC-1
1 n1 a$ }! k; G' g2 Z# j# C no active
destination address http https://tools.cisco.com/its/service/...es/DDCEService
destination address email callhome@cisco.com
8 t0 B- n, N! Y; ]- N! y destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
* U6 i$ ^8 a  S0 f subscribe-to-alert-group telemetry periodic daily
# a1 X  r, U: F. a. e- pCryptochecksum:afe923d8c20d3f2ffa7361be2ff94624
: end
  n" |+ R' p  A( f/ b& l
' l$ k+ @, l- [+ G7 c% a4 {6 S2 qTokyo防火墙配置：
& U& L! _" i$ v! x, e+ gset clock timezone 0
8 L3 a1 z0 ~1 m3 uset vrouter trust-vr sharable
/ M- M# V& T& [  S9 I% O4 Yset vrouter "untrust-vr"
4 f6 J4 b" r" l+ Jexit
* h. S3 w5 P) ]+ O7 ?set vrouter "trust-vr"
unset auto-route-export
6 b4 D0 J. _/ ?0 A+ k) o5 L$ D7 Kexit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
. u2 @; K& p5 U6 q! y' o7 o) Wset auth radius accounting port 1646
1 M8 N& _& S7 ]/ ^9 kset admin name "netscreen"
set admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
set admin auth timeout 10
$ t% q3 Y8 t6 q! xset admin auth server "Local"
3 T* f& i2 E/ a* c) g* jset admin format dos
9 C7 v/ @/ d: l7 r: Eset zone "Trust" vrouter "trust-vr"
* j0 D% V% L- O: ]1 Zset zone "Untrust" vrouter "trust-vr"
' p$ V: V# w- C/ a. g6 eset zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
7 h  v" i! ^) n* m! ]6 X  aset zone "MGT" block
3 ]$ O( D2 ?; u, k; v" y4 mset zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
% R% `$ F+ z& T% @+ Zset zone "Untrust" screen tear-drop
9 n) q" i! D9 l' U! y2 t1 rset zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
2 G$ }2 c$ u7 D3 ~7 w8 N* C7 Fset zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
) @3 H- A7 d% aset zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
8 K! X; s. u) Z( D! \- u& nset zone "V1-Untrust" screen ip-filter-src
. |, C& z6 |. E- v* N( p" U6 ?set zone "V1-Untrust" screen land
/ ~% |! t( m( p9 l2 qset interface "ethernet1" zone "Trust"
9 h0 D9 f- d! F3 C& ]; _+ qset interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
& y6 a( d: i% V' T! A% p8 `set interface "tunnel.1" zone "Untrust"
  j- }! T3 ^& a7 Z/ h& b' `unset interface vlan1 ip
+ V$ a" B5 o8 a3 X) Q7 mset interface ethernet1 ip 10.131.201.254/24
set interface ethernet1 nat
set interface ethernet3 ip 140.206.34.178/30
  o$ ~! C; u& Uset interface ethernet3 route
# u  X: k* t. `% ?set interface tunnel.1 ip unnumbered interface ethernet3
unset interface vlan1 bypass-others-ipsec
( Z' {5 C" H; h5 y/ [% qunset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
+ `2 N1 E! b  oset interface ethernet3 ip manageable
* W7 |7 ]% ~; L7 Uset interface ethernet1 manage mtrace
! }- y; a. B8 g& Pset interface ethernet3 manage ping
, J' ^3 G# R9 o  h1 F$ g' e/ Oset interface ethernet3 manage ssh
set interface ethernet3 manage telnet
8 v& ]) a( A( E, W4 Q" g5 E- r7 wset interface ethernet3 manage snmp
, ~- H, h8 T2 W( A* A0 }2 Dset interface ethernet3 manage ssl
7 `* h" p. \+ n+ Oset interface ethernet3 manage web
set interface vlan1 manage mtrace
, u3 b* ]2 I2 s. Aunset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
9 I( {3 u/ z5 [1 _( s5 l; h* y; xset dns host dns1 210.22.70.3
) Q1 s/ K; C# e. H) m, ~, v' aset dns host dns2 8.8.8.8
set dns host dns3 0.0.0.0
8 D( q, S  w9 c( O4 T+ ~set address "Trust" "Trust_LAN" 10.131.201.0 255.255.255.0
5 D# ~8 Y! E$ _  P9 E; p# _( gset address "Untrust" "Chicago_Office" 10.131.0.0 255.255.128.0
- v2 K7 V$ P# N( a8 B' Rset ike gateway "To_Chicago" address 116.247.91.98 Main outgoing-interface "ethernet3" preshare "Bx6bVuxrNEq2qBsVGyCJ3mFx53nxEKiYVg==" proposal "pre-g2-3des-sha"
' t. T6 U6 o; C9 C0 @3 `- _  Z. Cset ike gateway "To_Chicago" nat-traversal
unset ike gateway "To_Chicago" nat-traversal udp-checksum
set ike gateway "To_Chicago" nat-traversal keepalive-frequency 0
9 P$ B1 t6 w. i0 D5 B1 P4 H% jset ike respond-bad-spi 1
* N6 u& M- P. Tunset ike ikeid-enumeration
0 O$ N4 j4 V% c( X1 Y& yunset ike dos-protection
unset ipsec access-session enable
: d; ]8 S. S  d5 A! A% \set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
. j3 r. |- _$ @: d; }" |) Iset ipsec access-session lower-threshold 0
" c" X) W) r3 |. r4 v6 Iset ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
1 a; n" n% B3 ?+ U+ uunset ipsec access-session use-error-log
set vpn "Tokyo_Chicago" gateway "To_Chicago" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
) M, N+ e& h7 p$ j6 {; H8 uset vpn "Tokyo_Chicago" monitor
' o# V3 A7 l# [$ e) `7 Kset url protocol websense
exit
. w$ m* a' L8 F. T* Bset policy id 2 name "To Chicago" from "Trust" to "Untrust" "Trust_LAN" "Chicago_Office" "ANY" tunnel vpn "Tokyo_Chicago" id 1 pair-policy 4 log
set policy id 2
* H$ P9 m; A3 Z+ t5 A7 Y# p2 n( iexit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
5 B% o: |7 z5 K5 }8 [/ O2 Gexit
2 r. [' }6 _" V$ rset policy id 4 name "To Chicago" from "Untrust" to "Trust" "Chicago_Office" "Trust_LAN" "ANY" tunnel vpn "Tokyo_Chicago" id 1 pair-policy 2 log
set policy id 4
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set ssh enable
6 [7 ?0 F+ s' V" S6 q$ {1 n4 u* xset config lock timeout 5
9 ^5 q. Z- [! |: j' ^set license-key auto-update
set snmp port listen 161
set snmp port trap 162
5 g5 w. v; c' J& N1 Q' u& L7 @! L: cset vrouter "untrust-vr"
* M7 ^1 T  d* y0 Gexit
$ U' g/ Q4 f2 i$ Z" I) {8 Y: dset vrouter "trust-vr"
0 S1 _1 r7 j/ }5 a) V* d& Lunset add-default-route
% W! t' d# Y. |; j( G3 u  Zset route 0.0.0.0/0 interface ethernet3 gateway 140.206.34.177
exit
set vrouter "untrust-vr"
. p0 K& }2 L" ]8 \3 R/ k+ iexit
" [  L  x% Y0 y2 A0 cset vrouter "trust-vr"
exit

把Chicago的ASA换成Router2811也测试通过。

!
version 12.4
/ Z7 ^' Q) @8 W; O( h( xservice timestamps debug datetime msec
, b9 g' C* z% y1 H$ fservice timestamps log datetime msec
& u* p/ z! w& h/ {no service password-encryption
0 R  f3 G+ B9 T% P; b!
9 ^4 J2 N& @' ]$ z5 C# ^8 M% Bhostname Chicago
!
. t6 H! [  `- C' Sboot-start-marker
3 q7 p/ Y3 k. d+ {" F; y9 bboot system flash c2800nm-adventerprisek9-mz.124-22.T.bin
2 z# H% Y  T- k2 h7 h: j5 i1 a* aboot-end-marker
!
logging message-counter syslog
: c0 e- ?3 p$ q1 ~0 C* `& G! Nenable secret 5 $1$iG6R$6L/igglma1qBU30KG7YOM0
!
2 k0 }8 k, u1 V$ K* h; H' hno aaa new-model
$ l' `  I/ I. F- \. f+ ]8 H8 X!
dot11 syslog
4 [3 N6 B5 E) Mip source-route
& W( b! k. s% e  ]- W( Z, W- q!
+ f; L6 x( y+ h2 i+ }' |* ?!
3 u$ t; L1 C+ j9 Q3 O- a$ c3 J% Pip cef
!
( {+ U( p3 |9 u!
, t( b4 Q" K1 W: t$ ?no ipv6 cef
!
# ]2 P, ]9 v  D. Q$ @8 q1 zmultilink bundle-name authenticated
# p9 I& `; K7 w; ~' e6 i# z: V1 X!
!
' g# [2 C9 J# ^- V!
' E. b& s0 I9 X" g. a# Y!
!
!
!
. ~- C* g2 c% I6 X) K& B!
  V) E; W- T2 ?9 k5 n!
% |1 y' H0 \' z" Z% X' }& L. }!
/ m: c. P$ c9 Z: Q! t6 g* S!
!
!
!
!
!
!
) [( d- q5 k! Z$ K!
0 L. E, c: o8 B6 s0 b/ S% f!
!
!
1 S* X3 e% p* e. v" F; ]!
: O: J6 V& c$ N) Qvoice-card 0
9 o( P& S, _/ X5 S7 K1 t7 Q!
; P- M( o) t6 K9 c" V9 {6 r!
8 n$ |+ t9 [) _4 Q( _!
!
7 _" ^1 B9 Y8 x!
3 G; ?  o6 u9 H" [vtp mode transparent
2 ?0 N- Z  C; Narchive
log config
7 m1 C" g5 r6 c- }! b' F  hidekeys
4 X% B% c7 h' N# x6 O; z9 h! J- A) O!
!
$ I) @- {- X3 Q0 ]& F7 k3 Wcrypto isakmp policy 1
encr 3des
' S$ p( B8 j) k0 t( o5 { authentication pre-share
) P  _; m5 e- e' C' ~4 h+ Q group 2
  c$ Q5 P$ q3 U. Ccrypto isakmp key cisco123 address 120.90.11.218
crypto isakmp key cisco123 address 140.206.34.178
6 k8 T; g3 V( `  t$ u( {!
# J, \. W, V: j" e!
8 P& p; o0 C0 F3 S+ q0 \crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 ipsec-isakmp
+ y7 u+ @4 k; Q' P3 o% G; R set peer 120.90.11.218
6 d, B3 `4 t# f! R" P$ F set transform-set 3DES-SHA
match address outside_cryptomap_1
( D/ q" X& T, jcrypto map outside_map 2 ipsec-isakmp
set peer 140.206.34.178
set transform-set 3DES-SHA
: Q# ~, [; C; w9 H match address outside_cryptomap_2
% |, e, y! J8 d0 u!
!
!
; u$ k6 R. d$ l) d. m# F* |!
' ~3 k, s; _! ~1 e!
!
& }) W) `0 K, T) g% ]!
interface FastEthernet0/0
# b7 c; E/ Z) s$ F$ b& h9 S ip address 116.247.91.98 255.255.255.248
7 v0 p5 H% k5 B  ~$ _" b# ` ip nat outside
ip virtual-reassembly
duplex auto
speed auto
. h0 E8 v4 ~% i( K5 B8 v2 A crypto map outside_map
$ r- ]4 y4 g# f- P!
interface FastEthernet0/1
ip address 10.131.126.51 255.255.255.240
- y$ H1 o8 G+ K9 k8 S ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 116.247.91.97
ip route 10.131.0.0 255.255.128.0 10.131.126.57
no ip http server
8 Y  M# k5 T7 c  ~- y! a' U( kno ip http secure-server
!
!
% Q0 k3 F/ e9 ~) y5 i7 N# m/ @ip nat inside source list inside_nat_outbound interface FastEthernet0/0 overload
!
ip access-list extended inside_nat_outbound
, D! k$ X/ @: R5 z0 y deny   ip 10.131.0.0 0.0.127.255 10.131.200.0 0.0.0.255
deny   ip 10.131.0.0 0.0.127.255 10.131.201.0 0.0.0.255
/ c. @" l$ ?8 V permit ip any any
ip access-list extended outside_cryptomap_1
permit ip 10.131.0.0 0.0.127.255 10.131.200.0 0.0.0.255
ip access-list extended outside_cryptomap_2
permit ip 10.131.0.0 0.0.127.255 10.131.201.0 0.0.0.255
. Y5 o& k% o7 Y, _!
!
!
!
. f0 J% w3 d5 N7 q!
+ f3 s) v, y* ^5 Z  a!
!
8 P$ R! r0 K1 s3 @' u: j; W, q!
& E% k5 Z* C* u/ @2 K" rcontrol-plane
!
* d7 J# E* E* _!
!
% N1 ~6 h- _& a+ ~ccm-manager fax protocol cisco
6 @* b. t9 i  d!
; n- V7 _/ Q9 X; O2 i: l( lmgcp fax t38 ecm
!
!
!
  _& q. e6 @/ Y1 ]/ b. n$ ^  h!
7 E9 H1 O2 Z1 g1 Q" g* P, c!
!
5 n2 K# ]; _( ]/ W8 Nline con 0
line aux 0
) H1 Z3 Z% x5 Y- R- \- F) E" tline vty 0 4
password cisco
login
line vty 5 15
4 C( Q" e* S, L$ I7 H password cisco
login
!
scheduler allocate 20000 1000
end
  ]- z( P$ N8 u1 q0 X

8 Z  ?, i9 I+ q" oNew York 防火墙配置：
1 F( G* p( Q. `0 o) o& r+ i( Y: Saved
: Written by enable_15 at 01:56:33.414 UTC Tue Jan 8 2013
7 `8 }  [9 |8 Q' k) I!
1 s% V9 j2 w, z, @; ~1 FASA Version 8.2(5)
!
8 B) m$ q7 [% W# zhostname NewYork
enable password WrXP9uZExEcEnNI3 encrypted
( ?6 L) n* e. |. D8 gpasswd rk6YkHwBJrlS0iX4 encrypted
; |7 [- ], k% t& Enames
/ @2 [0 H2 n( g9 K: U4 R  `!
interface Ethernet0/0
nameif outside
  y, s3 W+ e6 ~1 Gsecurity-level 0
ip address 120.90.11.218 255.255.255.248
4 J, `0 |% i, A0 C!
interface Ethernet0/1
5 x, _" B& b1 n2 M9 [3 Knameif inside
security-level 100
ip address 10.131.200.254 255.255.255.0
  M1 Q% \) F! D3 V, \7 o( K!
interface Ethernet0/2
shutdown
no nameif
no security-level
! F+ s) o4 H, T6 Nno ip address
!
interface Ethernet0/3
. P1 N1 H- U, z6 C- c# P2 Cshutdown
9 s& g$ [' M/ n, n$ B  \# ]: R0 Gno nameif
no security-level
9 N! V: K# ]1 V: ino ip address
- {0 J4 I: Z7 y/ w!
# Q; E% [" r8 r: K; g# y6 \1 ?interface Management0/0
2 c2 Q7 Y9 K$ d: F* ?2 P% D' lshutdown
nameif mgmt
security-level 0
no ip address
% X( n4 X5 M7 R5 p!
7 P* w0 N0 [. s* z2 pinterface GigabitEthernet1/0
- `. f* ], @( K. t8 H& l' X# M- @7 \shutdown
6 v  t4 U# A' sno nameif
no security-level
3 r( q+ O& A' w* Q9 }3 P8 Wno ip address
" M! e. r0 W5 Y! ]# m; V: p$ l!
0 `1 V' i9 v, h6 @' y5 z) W! a, minterface GigabitEthernet1/1
! f: C) y! P+ U3 `9 d3 d+ K0 Ushutdown
! W: o2 z! n) K( Q2 Z! h) G0 Zno nameif
no security-level
no ip address
!
$ w9 h6 x3 [5 R8 m4 x" g1 l7 `interface GigabitEthernet1/2
% ]& O4 U/ N+ H! J& U- ^0 P0 W9 _( P9 yshutdown
no nameif
no security-level
no ip address
!
3 ]3 F% x9 H' |7 y, iinterface GigabitEthernet1/3
shutdown
% c. P, {5 K: B8 M) ]/ B, zno nameif
no security-level
0 J' s+ h& [9 U' C4 `( @no ip address
" \( V9 e0 Y. C0 d$ A0 N!
5 D3 C0 o+ x# Yftp mode passive
access-list inside_nat0_outbound extended permit ip 10.131.200.0 255.255.255.0 10.131.0.0 255.255.128.0
) I( C: b0 A/ h- I' Waccess-list outside_cryptomap_1 extended permit ip 10.131.200.0 255.255.255.0 10.131.0.0 255.255.128.0
$ t7 \) N3 Y. Bpager lines 24
mtu outside 1500
mtu inside 1500
2 T& s0 i6 x7 v# N3 B' T1 dmtu mgmt 1500
no failover
7 Y3 ?& g; U' V) yicmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
% V/ D7 U6 u  Gnat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 120.90.11.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
; \1 q/ R2 u2 F5 k$ ?& itimeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
5 L. g* F+ J2 R$ [! P) ntimeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
/ w( M$ ?3 D! C5 B. Zdynamic-access-policy-record DfltAccessPolicy
, g! }" L# ?! [http server enable
http 10.131.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
0 }7 w3 ?; F$ N/ U" S/ ?3 ^$ G) H) Uno snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
4 ]0 t- k2 m& ]: y& Scrypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
5 J. s0 w1 \1 @: T; R( r+ Scrypto map outside_map 1 match address outside_cryptomap_1
2 R/ u8 r6 ~* j  P5 Qcrypto map outside_map 1 set peer 116.247.91.98
3 i8 ]7 n' `" k# Ocrypto map outside_map 1 set transform-set 3DES-SHA
- O6 u# _/ E; x) G9 jcrypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
' [4 y" ?, ]7 j2 {hash sha
group 2
lifetime 86400
( W, a' n/ ^* c5 T7 O/ X1 gcrypto isakmp nat-traversal 50
+ T  G/ l  L, r0 C+ Etelnet 10.131.0.0 255.255.0.0 inside
telnet timeout 5
/ |0 E: p1 z& t9 l. ?) E+ C, Gssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 116.247.91.98 type ipsec-l2l
tunnel-group 116.247.91.98 ipsec-attributes
, B2 }2 V5 `( q- X. [pre-shared-key cisco123
!
class-map inspection_default
+ `: S* A  i- hmatch default-inspection-traffic
" P% \1 C0 w! |% a+ |!
!
! u8 t1 `. l9 M7 _* ?* opolicy-map type inspect dns preset_dns_map
& e7 u8 T7 w+ v; R. e. ?! P$ ]parameters
message-length maximum client auto
9 Q: }: _1 Q  x* u8 _0 gmessage-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
  Y8 M1 W! H! V4 G  W* f2 E  W; zinspect h323 ras
! o$ I2 e, w5 m8 a3 E3 ?inspect ip-options
3 d( W, O9 O% J7 u# v* [. \2 T- J6 [inspect netbios
- J! {& P) J4 b: N* Uinspect rsh
inspect rtsp
0 }3 K, D) Z' b2 ?inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
  x) ^* t+ ~! Z! {inspect tftp
: A6 J2 S5 M9 q. ~inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
8 N2 D) `  |9 U- bcall-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
% S& I+ o' `; W7 ~# ?; eno active
destination address http
- K( ]- k" {# R; s& Gdestination address email
- m: ~: Y  k3 ]  o8 fdestination transport-method http
subscribe-to-alert-group diagnostic
! F8 F  K" c/ R9 asubscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
# W5 K: u+ ]7 r  ^! q7 cCryptochecksum:afe923d8c20d3f2ffa7361be2ff94624
# k+ Y6 _( P7 |) u: end
' J9 ^- J. W0 N# O9 k
Tokyo防火墙配置：
set clock timezone 0
set vrouter trust-vr sharable
! [6 s% S: D* Xset vrouter "untrust-vr"
$ a1 X8 R4 r6 k1 f( J  x; Dexit
  k% a: \3 B. k" j  w. R2 nset vrouter "trust-vr"
; ]9 V5 m2 w3 zunset auto-route-export
exit
* Q8 L% e; ~: B" p: uset auth-server "Local" id 0
& a6 H( q* }8 v' F3 w4 Oset auth-server "Local" server-name "Local"
5 Z  p( Z; g& i# C9 x' mset auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
. w1 T1 v5 \4 a! Q4 E9 x+ b8 q$ Lset admin password "nFWvH6rLAaPKcedPuslBexMtM8P5yn"
( Y6 R  u& l, r/ E: ]set admin auth timeout 10
set admin auth server "Local"
8 {# l. p, `/ l. oset admin format dos
, o" E7 O. V  E$ Fset zone "Trust" vrouter "trust-vr"
5 Q- Q6 ?! n8 N$ oset zone "Untrust" vrouter "trust-vr"
: ~# j7 F- x+ ^" A  F. e0 j% P& Sset zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
, c$ n8 K! b' U3 J6 h0 ]* Uset zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
, w1 A  G+ u& a2 gset zone "Untrust" block
unset zone "Untrust" tcp-rst
4 t8 F  o% E7 f5 t& }* ?, qset zone "MGT" block
6 Y/ `+ k( e6 A7 lset zone "DMZ" tcp-rst
3 b6 y% V  u) _+ g6 H5 ^3 @( Mset zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
* ^  ]  Y' `2 }2 w3 hset zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
* K1 x0 [$ y3 K; {2 Uset zone "Untrust" screen ip-filter-src
5 \+ Q8 d) |, N5 W& tset zone "Untrust" screen land
( J7 y' m, E" {. Y, C7 C9 Dset zone "V1-Untrust" screen tear-drop
: N$ m" K: T# A2 I8 k" W, N' H- Uset zone "V1-Untrust" screen syn-flood
  M5 A% S/ i$ v. h8 Hset zone "V1-Untrust" screen ping-death
4 w( I% `6 C! w( w) v: Tset zone "V1-Untrust" screen ip-filter-src
( [: Z( C5 B2 B" y! r0 c3 Oset zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
  ]# m- m! n+ Fset interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
! S* u/ Y9 w1 H' _/ `set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
6 ^* |, v% w% @1 [" P; sset interface ethernet1 ip 10.131.201.254/24
set interface ethernet1 nat
set interface ethernet3 ip 140.206.34.178/30
set interface ethernet3 route
  j6 C6 s3 D+ b. x& |3 [set interface tunnel.1 ip unnumbered interface ethernet3
9 c( G: V5 G% x% H: h/ wunset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
1 f9 P6 _* i& \: ^* pset interface ethernet1 ip manageable
. }0 J9 c/ @& f0 U$ Vset interface ethernet3 ip manageable
set interface ethernet1 manage mtrace
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
1 @1 A- y" k6 e  q0 q$ i6 rset interface ethernet3 manage telnet
set interface ethernet3 manage snmp
" L  k& A  Q, b! y2 |) H; U& rset interface ethernet3 manage ssl
' k+ p* n- Q; s7 vset interface ethernet3 manage web
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
% w6 J% v2 _4 M9 y: Eset flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
5 {# I  p  H7 I8 lset dns host dns1 210.22.70.3
set dns host dns2 8.8.8.8
3 x( z; y8 P7 H7 _; V/ O6 Mset dns host dns3 0.0.0.0
  S9 d7 ?' W* L- cset address "Trust" "Trust_LAN" 10.131.201.0 255.255.255.0
- g* `% A( `3 Z8 Tset address "Untrust" "Chicago_Office" 10.131.0.0 255.255.128.0
set ike gateway "To_Chicago" address 116.247.91.98 Main outgoing-interface "ethernet3" preshare "Bx6bVuxrNEq2qBsVGyCJ3mFx53nxEKiYVg==" proposal "pre-g2-3des-sha"
- Y* i( d9 K3 F* n6 A, bset ike gateway "To_Chicago" nat-traversal
8 i' y/ D- n7 i- i; ~+ Munset ike gateway "To_Chicago" nat-traversal udp-checksum
2 A$ K" J6 o/ i4 tset ike gateway "To_Chicago" nat-traversal keepalive-frequency 0
/ _% }2 I$ u0 C) G/ k/ H, qset ike respond-bad-spi 1
, c- t' ^% ~/ J/ {+ ounset ike ikeid-enumeration
$ N4 R5 O' V; a3 t  s! y- Z8 w" Xunset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
' H7 A! q* d& t/ iset ipsec access-session lower-threshold 0
# Q* ~% K7 e, t/ a3 }2 Mset ipsec access-session dead-p2-sa-timeout 0
& M* @) E( O: punset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
: ~3 w* J0 _9 Y  nset vpn "Tokyo_Chicago" gateway "To_Chicago" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "Tokyo_Chicago" monitor
set url protocol websense
exit
set policy id 2 name "To Chicago" from "Trust" to "Untrust" "Trust_LAN" "Chicago_Office" "ANY" tunnel vpn "Tokyo_Chicago" id 1 pair-policy 4 log
set policy id 2
exit
( z* j4 ^# m1 U+ Nset policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
& y2 }8 I1 G  i& [set policy id 1
9 @# W& p) v4 |2 V% pexit
set policy id 4 name "To Chicago" from "Untrust" to "Trust" "Chicago_Office" "Trust_LAN" "ANY" tunnel vpn "Tokyo_Chicago" id 1 pair-policy 2 log
, B8 Z7 j, q2 }7 [. m% U! oset policy id 4
/ {9 b5 {; Y1 }. n) [exit
set nsmgmt bulkcli reboot-timeout 60
. |* p' J1 s- ?2 Gset nsmgmt bulkcli reboot-wait 0
, s8 f! ?& m4 X) h$ J$ y: v+ lset ssh version v2
set ssh enable
set config lock timeout 5
set license-key auto-update
set snmp port listen 161
0 Q0 r4 k9 ~# C9 p: w7 @" Cset snmp port trap 162
set vrouter "untrust-vr"
exit
9 F; T/ L) p& X0 K0 O# T$ nset vrouter "trust-vr"
unset add-default-route
3 d# R; F7 \; z$ Q  gset route 0.0.0.0/0 interface ethernet3 gateway 140.206.34.177
2 L) d: g: ~% V$ k0 ^3 ?0 {! T! mexit
2 C( [( ~/ [- S. B; E# t4 H2 g" Uset vrouter "untrust-vr"
& x5 G( q- x( u, u" s0 r+ J( lexit
" F# ^+ P$ o, }set vrouter "trust-vr"
exit

這么好的東西，難道真的沒有人需要。

其实配置是其次， 特别是这么完整的配置不用全贴出来。
关键是理解IPSec VPN的关键点，phase1， phase2，transform set，ACL的作用，NAT等等。
; }: B1 j. N% X2 c, ^
1 r6 A( B. P! ~) ^还有就是异品牌间的调试，故障处理。往往还有专有名词上的差异要注意。

请问一下Cisco ASA与Juniper SSG支持DMVPN吗？

請問一下有誰成功配過其中路由器端是動態IP地址的嗎？

net130什麽情況啊？發一個貼幾天都沒有人回啊？以前都非常快的啊！

这是非常好的经验贴!

不耻下问

找到好贴不容易，我顶你了，谢了