Cisco-Pix515e-r-IKE Configuration Example

  • Time: 2021-02-04 23:24
Summary: Cisco-Pix515e-r-IKE configuration example
The following is the specific configuration:

PIX Version 6.3(1) // I am using OS version 6.3; this version supports IPSec VPN with NAT
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ISSC-PIX515E-R
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 104 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.10.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pccw 192.168.32.1-192.168.32.10
ip local pool pccw02 192.168.32.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102 // Traffic for VPN-connected users does not go through NAT; the 102 here refers to access-list 102 above
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
access-group 104 in interface outside
route outside 0.0.0.0 0.0.0.0 202.108.48.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.110 cisco123 timeout 10 // Specifies the RADIUS server IP and key
aaa-server parnerauth protocol tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication partnerauth // Sets user authentication to go through RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10 // This line allows NAT users to pass through the PIX; it is a feature newly added in 6.3 and, for example, solves the problem of VPN dial-in from behind NAT on a LAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool pccw // Below I created two groups. If a fixed IP is to be assigned to each group, the only option is to create a Group for each user. Sigh, customers who make this kind of request are pure torture :(
vpngroup vpn3000 dns-server 202.96.134.133
vpngroup vpn3000 split-tunnel 102
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup link address-pool pccw02
vpngroup link split-tunnel 102
vpngroup link idle-time 1800
vpngroup link password ********
telnet 192.168.32.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:81630e6f8040b488f6c2e6c6ff872804
: end

Article entered by: csh    Editor: csh
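An added example, not part of the original article: a small Python check that scans PIX 6.x-style configuration text for the settings in the listing above that a hardening review would normally revisit (single DES, MD5, DH group 2, the default SNMP community, Telnet management, a cleartext AAA key). The rule list and the `audit` function are this example's own; the sample lines are copied from the listing.

```python
import re

# Review rules for PIX 6.x-style config lines. The findings are general
# hardening guidance added for this example, not statements from the article.
RULES = [
    (r"crypto ipsec transform-set \S+ .*\besp-des\b", "ESP encryption is single DES (56-bit key)"),
    (r"crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "ESP integrity is HMAC-MD5"),
    (r"isakmp policy \d+ encryption des$", "IKE phase 1 encryption is single DES"),
    (r"isakmp policy \d+ hash md5$", "IKE phase 1 hash is MD5"),
    (r"isakmp policy \d+ group [12]$", "IKE uses a DH group of 1024 bits or less"),
    (r"snmp-server community public$", "SNMP community is the default 'public'"),
    (r"telnet \S+ \S+ \S+$", "Telnet management access is configured"),
    (r"aaa-server \S+ \(\S+\) host \S+ \S+", "AAA server key is visible in cleartext"),
]

# Lines copied from the configuration listing above, including two of the
# article's inline // annotations (translated).
SAMPLE = """\
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp nat-traversal 10 // NAT traversal, new in 6.3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
aaa-server partnerauth (inside) host 192.168.10.110 cisco123 timeout 10 // RADIUS server IP and key
telnet 192.168.32.0 255.255.255.0 outside
telnet timeout 5
"""

def audit(config_text):
    """Return (line number, command, finding) for every rule a line matches."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()  # drop the article's // annotations
        for pattern, message in RULES:
            if re.match(pattern, line):
                findings.append((lineno, line, message))
    return findings

if __name__ == "__main__":
    for lineno, line, message in audit(SAMPLE):
        print(f"line {lineno}: {message}: {line}")
```

A line can produce more than one finding: the transform-set line is reported once for DES and once for HMAC-MD5.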