
PIX Configuration Case Studies


PIX OS 6.3 Release: Summary of New Features

PIX OS 6.3 was released on March 25, 2003 and brings a number of notable new features:
- 802.1Q VLAN support, with corresponding logical interfaces.
- OSPF dynamic routing.
- HTTPS user authentication.
- Enhanced Websense integration.
- AES (Advanced Encryption Standard); requires the 3DES license.
- Support for the VAC+ hardware encryption card: on the PIX 535, IPsec throughput increases 4x, to 440 Mbps.
- NAT/PAT support for IPsec pass-through.
- Diffie-Hellman group 5 (1536-bit).
- DHCP server on multiple interfaces.
- Certificate DN verification.
- Known Answer Tests (KAT) for the crypto engine.
- On every boot the crypto algorithms are validated against the current license. (This one does not seem like a great idea.)
- MAC-based authentication.
- DHCP relay.
- PAT support for ESP pass-through.
- Improved performance on the 501 and 506E.
- The VPN peer limit on the 501 rises from 5 to 10.
- The 501 can now run an unlimited license, with no cap on the number of inside hosts (performance permitting); accordingly its inside DHCP pool can hold up to 256 addresses.
- Load balancing across VPN servers (VPN 3000): when the PIX acts as a VPN client, redundant servers can now be configured.
- Easy VPN with X.509 certificate authentication.
- PPTP fixup, i.e. PPTP can now pass through.
- H.323 v3 and v4.
- CTIQBE: the new `fixup protocol ctiqbe 2748` command lets TAPI/JTAPI applications traverse NAT/PAT.
- New `fixup protocol mgcp` command, providing MGCP 1.0 support.
- PAT support for Skinny, so IP phones can communicate with Call Manager.
- Added fixup for SIP over UDP.
- Added fixup for ICMP error messages.
- ACLs can be edited; `show access-list` now displays line numbers.
- The `log` option can be used on ACL entries, sending ACL hit information to the log server.
- Output options on `show` commands. Best of all, you can grep. Those who know Unix are in luck.
- Maximum domain name length changed from 64 to 63 characters; an FQDN hostname may be up to 127 characters.
- The stack trace from a crash can be saved in flash. (Not much use to end users. Sigh.)
- Enhanced `show tech`, `debug`, `arp`, and `capture` commands.

Half duplex is no longer supported on gigabit ports. (A gigabit port has two modes, TBI and GMII, and only GMII supports both full and half duplex. Because the i8255x-series controllers all use TBI mode, which has no half duplex, Cisco simply removed the half-duplex setting for gigabit ports.)

A PIX OS caveat: to get PAT you must configure a `global` statement that contains a single address. Otherwise only dynamic NAT is performed, and once the pool of global addresses is used up some hosts get out while others do not.

PIX Device Manager (PDM) gives the administrator an intuitive, web-based interface for configuring and monitoring a PIX 506E without installing any software on the administrator's computer beyond a standard web browser.

The administrator can also use the PIX 506E's command-line interface (CLI) to configure, monitor, and diagnose the PIX 506E remotely in several ways, including Telnet, Secure Shell (SSH), and out-of-band access through the console port.
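The pool-exhaustion behaviour just described, as an added Python model (not Cisco code and not part of the original page): a `global` range is handed out one address per inside host, and a single-address `global` under the same id is used only once the range is exhausted. The outside addresses and host count are constructed for the example.

```python
"""Model of how a PIX 6.x picks outbound translations for one nat/global id.

Added illustration, not Cisco code. A `global` range hands out one outside
address per inside host (dynamic NAT); once the range is used up, a single-
address `global` (or `interface`) takes over with PAT. Without that second
statement, hosts beyond the pool size get no translation and their traffic
fails. All addresses below are constructed for the example.
"""
from ipaddress import IPv4Address


class OutsideTranslator:
    """Translations for one nat/global id, in PIX allocation order."""

    def __init__(self, nat_range=None, pat_address=None):
        self.free_nat = []
        if nat_range:
            lo, hi = (IPv4Address(a) for a in nat_range.split("-"))
            self.free_nat = [IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
        self.pat_address = IPv4Address(pat_address) if pat_address else None
        self.next_pat_port = 1024          # PAT source ports come from 1024 upward
        self.nat_xlates = {}               # inside host -> outside NAT address

    def translate(self, inside_host, inside_port):
        """Return (outside_ip, outside_port), or None when no xlate is possible."""
        host = IPv4Address(inside_host)
        if host in self.nat_xlates:        # host already holds a NAT address
            return self.nat_xlates[host], inside_port
        if self.free_nat:                  # dynamic NAT while the pool lasts
            self.nat_xlates[host] = self.free_nat.pop(0)
            return self.nat_xlates[host], inside_port
        if self.pat_address is not None and self.next_pat_port <= 65535:
            port = self.next_pat_port      # PAT fallback: shared address, new port
            self.next_pat_port += 1
            return self.pat_address, port
        return None                        # pool exhausted, no PAT: traffic fails


def outbound_results(hosts, nat_range=None, pat_address=None):
    """Translate one connection (source port 40000) per host; map host -> result."""
    t = OutsideTranslator(nat_range, pat_address)
    return {h: t.translate(h, 40000) for h in hosts}


def failed_hosts(results):
    """Inside hosts that received no translation at all."""
    return sorted(h for h, r in results.items() if r is None)


if __name__ == "__main__":
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]        # eight inside hosts
    # global (outside) 1 203.0.113.10-203.0.113.13   -> only four NAT addresses
    nat_only = outbound_results(hosts, nat_range="203.0.113.10-203.0.113.13")
    print("NAT pool only, hosts that fail:", failed_hosts(nat_only))
    # ... plus global (outside) 1 203.0.113.14        -> single address = PAT fallback
    with_pat = outbound_results(hosts, "203.0.113.10-203.0.113.13", "203.0.113.14")
    print("NAT pool + PAT address, hosts that fail:", failed_hosts(with_pat))
```

With only the four-address range, hosts five through eight get no translation, which is exactly the "some hosts work, some do not" symptom; adding the single-address `global` lets them share that address on distinct ports.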

Who Will Protect the Networked Small and Medium Business?

In today's world of rapidly advancing network technology, as internal office networks and external Internet applications grow ever more complex, attention to network security has risen far beyond what it once was. Many enterprise users are beginning to recognize the importance of a systematic, end-to-end network security solution. For the many small and medium-sized businesses (SMBs), however, building and managing a complete network security system is clearly no easy task; many have run into considerable confusion and stalled. To help readers understand how a modern SMB network security system is designed, we chose the Cisco "SMB Security Bundle" (中小企业安全宝典) and built a typical SMB network security platform with it in the 《微电脑世界》(PC World China) test lab, in the hope of offering some useful insights.

Network Applications: Who Is Threatening Your Network?

As enterprises computerize and network, network communication has become an indispensable means of exchanging information and sharing resources internally and externally. Facing a vast and thoroughly disorderly Internet, keeping an enterprise network secure and available over the long term requires first understanding who is threatening it:

1. Attacks from the Internet. The Internet is the main bridge between internal users and the outside world; along with a wealth of timely information it also delivers all manner of unauthorized access, which is clearly the first problem network security must solve.

2. Information exchange with hidden dangers. Messaging such as e-mail greatly improves the efficiency of communication between users, but it also gives spam, viruses and attackers a far more convenient channel of propagation. Malicious code embedded in HTML pages (ActiveX/Java applet attacks) is likewise a serious threat to today's enterprise networks.

3. Misuse of network resources. The open, shared resources of the traditional network undeniably contributed greatly to the Internet's rapid spread. But as internal networks grow, making the most of limited network resources for the business, and keeping large volumes of non-work traffic (online games, audio and video downloads, illicit content, and so on) from wasting them, has become a network manager's biggest headache.

Who Can Protect You?

Against these three typical Internet-borne threats, two broad categories of network security solution have emerged (Figure 1). One is the integrated approach: all functions are concentrated in a single security device (the firewall) and managed from one interface, giving simple, all-round security management. Although this compromises on performance and flexibility, it remains an economical and practical choice in environments whose scale changes little. The other is a distributed security architecture, in which the three threats are handed to different specialized devices and software for efficient handling, producing a more capable, more complete and more powerful security platform; it is especially suitable for users whose network must scale flexibly. To make it easier to manage and run several products in concert, such solutions usually provide dedicated or general-purpose interconnection interfaces so the administrator can combine them into one organic security solution.

What Should You Do?

Of the two approaches above, the first is a single-product solution and relatively simple to deploy; since we covered it in the firewall feature in issue 2, 2003 of 《微电脑世界》, we will not repeat it here. Today we walk through the distributed architecture. Given Cisco's strengths in interoperability, system integration, network security protection and modular deployment, we chose its SMB Security Bundle for this hands-on test.

Building the Network Security System

As we said earlier, Cisco also uses a typical distributed design for its overall security solution: the PIX firewall (PIX for short) handles attack defense and management, while URL filtering, virus scanning and similar functions are exported through a set of dedicated interfaces to specialized appliances from partner vendors, so that each vendor's strengths are brought to bear in a more complete and efficient platform. When processing traffic, as soon as a policy requiring access restriction or virus protection applies, the system hands the data to two specialist software components from Websense and TrendMicro.

We built a lab network (Figure 1) consisting of a PC server running Windows 2000 Advanced Server, a client running Linux/Windows XP/Windows 2000, and the TrendMicro anti-virus package and Websense URL filtering software bundled with the kit, installed on the server.

Installation is very simple. Through HyperTerminal we first used `ip address outside dhcp setroute` to put the PIX on a simulated external network with DHCP, mimicking the PPPoE-style Internet connections SMBs commonly use. Note here whether your firewall product can do source NAT (SNAT) when the outside address is assigned dynamically, as the PIX 506E we used does. We then configured the inside address and provided a DHCP service to the inside segment with the following commands:

ip address inside 10.0.0.254 255.255.255.0   (inside interface IP address and mask)
dhcpd address 10.0.0.1-10.0.0.253 inside   (range handed out by the inside DHCP server; the pool must not include the interface's own address, 10.0.0.254)
dhcpd auto_config outside   (pass the DNS, WINS and domain settings learned by the outside DHCP client to inside DHCP clients)
dhcpd enable inside   (start the DHCP server on the inside interface)

Users not comfortable with the CLI may find the command line cumbersome. In that case, `http server enable` (turn on the HTTP server) and `http 10.0.0.1 255.255.255.0 inside` (the inside addresses allowed to connect; a tighter mask such as 255.255.255.255 restricts this to a single management host) open the PIX's web management. Users can then manage the PIX from a browser using PDM (PIX Device Manager), downloaded from the PIX itself (see Figure 2). Unlike the CGI-based interfaces common elsewhere on the market, the graphical PDM interface is written in Java and runs as an applet, so it can offer menus, real-time curve plotting and other functions that CGI cannot, much like a native application (Figure 3). Thanks to Java's platform independence it runs on any operating system and browser with a Java virtual machine. This is one of the more distinctive aspects of Cisco's network management. Long-time Cisco users, of course, may prefer to inspect and configure the PIX with simpler, more direct commands in CLI privileged mode. In either case, once the configuration is settled, save it with `write mem` so that it survives an unexpected power loss. Users with access to a TFTP server can also save the configuration there with `write net <server>:<filename>`.

In this test environment we created the simplest possible policy: SNAT from inside to outside, allowing users to reach the outside while turning on defenses against common attacks. With that, basic firewall configuration is complete, and the "attacks from the Internet" mentioned at the start, including most floods and port scans, are largely taken care of.

Next, the PIX has to cooperate with the Websense and TrendMicro suites installed on the server. Guided by the installation wizard, we easily installed Websense and TrendMicro on the Windows 2000 server. After rebooting, we started the Websense manager; being a browser/server (B/S) application, the manager acts as a privileged client and makes managing the access lists very convenient and intuitive (Figure 4). On first use, after obtaining a Websense license, the user must also download the URL database from the Websense website; it contains information on, and a detailed categorization of, most of the world's web addresses. Once Websense is running, two PIX commands are all that is needed:

url-server (inside) vendor websense host 10.0.0.4 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

With these, the system filters URLs whenever inside users browse the web; policies can be set by time, user and other criteria, and the log data can be turned into access reports by the built-in reporting system, which is very useful for managing network resources. As for virus protection, enterprise anti-virus solutions are by now very mature and work in much the same way, so we will not go into them here.

Hands-On with the Network Security System

Since we tested the performance and features of the Cisco PIX 525 in detail in the firewall feature in issue 2, 2003 of 《微电脑世界》, we will not repeat that here. It is worth stressing, however, that all Cisco PIX platforms run the same software, so their configurations are interchangeable: once a user has worked out a fairly complex configuration on one PIX, and network load later grows enough to require a higher-performance PIX, the configuration can simply be imported into the new unit, saving a great deal of re-installation and tuning time. For users accustomed to Cisco IOS, operating the PIX is also plainly easy: it has the same privileged mode (enable) and configuration mode (conf t) as IOS, and the consistent command syntax is a convenience to the many administrators already familiar with Cisco equipment.

In our tests, with Websense URL filtering enabled, inside users' web browsing speed was not noticeably affected under normal conditions. If very detailed logging is required while web traffic is also very heavy, a more powerful server platform is needed to keep inside users' browsing from slowing down. For users who have difficulty upgrading server hardware there is another option: direct the logs to a database on a separate server, splitting the filtering system in two to spread the load and avoid a network bottleneck. Support for VPNs and multimedia streams will also be an important area of network security development in the future.

Cisco PIX 506(E) Firewall

The PIX 506 uses an Intel architecture (IA) platform with two integrated 10/100 Mbps auto-sensing Ethernet ports, an RJ-45 console port and a USB port. It provides NAT/PAT, supports VPN, and offers optional 3DES and DES encryption.

Conclusion

After this hands-on test of Cisco's SMB Security Bundle, you should have a clearer idea of how to build an enterprise network security system methodically. For SMB users, a solution like the bundle Cisco provided here greatly eases the burden that building and maintaining a complete internal security environment places on the many small and medium non-IT businesses. By purchasing a packaged enterprise security solution, users can obtain all-round protection at minimal cost, and configuration and tuning are far more convenient than building and managing separate components themselves.

Managing a Cisco PIX with PDM

Introduction

This month we're going to take a quick look at the new Cisco graphical interface for PIX configuration, also useful for access list and IPSec VPN configuration and monitoring. This is a graphical article, with some screen captures to give you a feel for what this application for the PIX looks like. My intent is to make more people aware of PDM and what it can do. Due to space limitations, there's no way this article can fully cover the whole PDM graphical interface. I've got a lot more screen captures than will fit into the available space. In fact, I was hoping to also cover the router configuration utility, SDM, but that'll have to wait for another article. The full sets of screen captures are available in Adobe PDF form online, at the following locations:

- http://www.netcraftsmen.net/welcher/papers/pdm-3.0-cap.pdf
- http://www.netcraftsmen.net/welcher/papers/sdm-1.1-cap.pdf

I hope these are useful to those who are curious about these tools, but don't have time or equipment to take a quick look. I'd like to have annotated the screen captures, but that's really the role of somebody who is documenting them in detail. It's probably a good thing more images don't fit. After all, we wouldn't want this article to become the high-tech version of "boring slides from my summer vacation".

What Is PDM?

PIX Device Manager is a graphical user interface (GUI) that manages a single Cisco PIX Firewall. PDM uses certificates and HTTPS (HTTP over SSL) to securely access, configure, and monitor a PIX Firewall from your PC. I sometimes come at things from a large-shop perspective, where the command line (CLI) rules, because of the need to manage many devices. There have been various Cisco GUI tools for easy configuration of various devices. Sometimes these have been a bit limited or clunky, or clearly intended as getting-started tools for folks new to Cisco. I've got to say I was favorably impressed with PDM. No, it doesn't manage more than one PIX. But it sure looks like the configuration tools in PDM give you nice visibility into how it is configured, and the monitoring tools provide a very nice way to keep tabs on what the PIX is doing at any given time. For multi-PIX sites, the CLI or the PIX Management Center in CiscoWorks may still be the way to go. But even there PDM may be useful as a graphical alternative to show commands.

PIX Device Manager (PDM) consists of a signed Java applet bundled with the PIX operating system software. You access PDM via HTTPS from a Java-capable web browser on a PC or other desktop computer. No PC installation is needed. PDM started appearing with PIX OS 6.0 and 6.1 (PDM version 1.x), PIX OS 6.2 came with PDM version 2.x, and version 3.x comes with PIX OS 6.3. You can also separately install PDM if you need to by copying it to flash. Paraphrasing parts of the well-written Overview part of the Installation Guide, PDM has the following components:
- PDM Startup Wizard — Creates a basic configuration to get you started.
- VPN Wizard — Creates a basic VPN configuration, easily setting up remote access VPN or site-to-site VPN.
- Configuration GUI — Uses forms to configure most aspects of the PIX.
- Monitoring and Reporting Tools — View real-time and historical data, summaries of network activity, resource utilization, and event logs.
- Graphical Tools — Creates graphical summary reports showing real-time usage, security events, and network activity, including performance and trend analysis. Data from each graph can be displayed in increments you select (10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined intervals. You can view multiple graphs simultaneously to do side-by-side analysis. Types of graphs available include:
  o System graphs: Detailed status information on the PIX Firewall, including blocks used and free, current memory utilization, and CPU utilization.
  o Connection graphs: Real-time session and performance data about connections, address translations, authentication, authorization, and accounting (AAA) transactions, URL filtering requests, etc.
  o Intrusion Detection System (IDS): Various graphs to display potentially malicious activity, including IDS signature-based displays of activity such as IP attacks, Internet Control Message Protocol (ICMP) requests, and Portmap requests.
  o Interface graphs: Real-time monitoring of your bandwidth usage by interface, including incoming and outgoing packet rates, counts, and errors, as well as bit, byte, and collision counts.
- Syslog Viewer — View specific syslog message types by choosing a logging level.

I hope that sounds interesting. There is one caveat, the usual one for GUI tools for Cisco devices. Pick your configuration tool and stick to it. PDM does track CLI configuration changes. But if you use PIX Management Center or CiscoSecure Policy Manager, they think they're in charge, and they may well overwrite any configuration done via PDM.

The Cisco web pages for PDM can be found at http://www.cisco.com/en/US/partner/products/sw/netmgtsw/ps2032/index.html. A PDF form of the online help is linked there as the User Guide. Poking around in that document is another way to familiarize yourself with PDM. However, since that document is the online help for PDM, it shows no screen captures, so you may want to read it with a downloaded copy of my full screen captures document open alongside.

PDM Orientation Tour

I decided to skip the splash screen. It's pretty, but not very informative! Our tour starts with the real part of PDM, the functional user interface. When you first launch PDM, it comes up showing the Home screen. (Note the Home icon is selected). The tools row shows the other main sub-areas of PDM, namely Configuration and Monitoring.

As you can see, the PDM GUI is fairly self-explanatory. Home is a dashboard showing what the PIX is doing, at a high level.

The PDM menus also have some functionality not visible in the GUI. The File menu allows you to load a changed running configuration from the PIX. You can also show the running config in a window, or save to flash or a TFTP server. Rules and Search we'll see a bit more of in a moment. Tools allows CLI entry of commands, also PING. And you can set up service groups (groups of TCP/UDP ports for use in access lists and other rules). The Wizards menu launches the Startup and VPN Wizards. There are screenshots of a couple of the screens from these Wizards later in this article. Let's continue the tour by taking a look at the main Configuration screen, shown in the figure below.

You've probably noticed that the Rules and Search menus are no longer grayed out. They're used to build up rules for access lists and so on. The various major categories of things you can configure here are represented by the tabs at the top: Access Rules, Translation (NAT) Rules, VPN, Hosts/Networks, and System Properties (other system configuration). Hosts/Networks is where you name hosts or networks, or groups of them, for use in high-level access list rules. The above capture shows the Access Rules tab in PDM. The radio buttons are in effect a submenu, allowing selection of access list rules, AAA rules, or filter rules.

(Filter rules filter outbound HTTP, FTP, etc.). The next stop in our high-level tour is the Monitoring part of PDM, shown in the next screen capture. At the left you'll see categories of things, some of which have been expanded. You select a category and then the variables you can graph show up in the middle field of the screen. In the screen capture an interface was selected, so the middle part shows the performance and troubleshooting variables that can be graphed. You select the variables of interest, click on "Add >>", name the graph, click "Graph It!", and your graph appears. It updates itself as new data comes in.

Far be it from me to disappoint you. The resulting graph is shown in the next screen capture. The format is reminiscent of the now-discontinued QDM, which was a tool I really liked for working with Quality of Service (QoS). I imagine the Java graphing widgets got re-used by the programmers.

I captured the pull-down, so you can see the various time intervals that can be graphed. The last major component in PDM is the Wizards. The following shows the Wizards menu and a screen early in the VPN Wizard's sequence of screens.

And here's a screen from the Startup Wizard:

PDM In More Depth

Now that you've had a chance to get your bearings, let's look at some of the features in PDM in a little more depth. The following capture shows the Rules menu, used for editing access lists and similar rules. You get a similar menu by right-clicking on an entry in the access list.

When you add or edit a rule, the following form allows you to specify what you want. Notice that you can enter IP addresses and masks (shown), or you can use a hostname or a group of hosts / networks, by selecting the appropriate radio button and then picking from a list. (It's generally simpler to create the named hosts and networks and service groups in advance). Note the Apply button. When you've built up a configuration, you can Apply it to the running configuration. A status dialog box provides feedback as the PIX is configured.

If you realize you can use a service group that you didn't create in advance, you can click on the Manage Service Groups button. It brings up the following form:

The idea is to add ports to the list on the right, and then give them a name. (The list shown is rather random). I like putting "tcp" or "udp" in the name, creating service groups named things like "ecommerce1-tcp" for the ports allowed to access the ecommerce1 server(s). Since IPSec VPN configuration has a reputation, let's take a look at the screen capture for the VPN tab in PDM:

You select what you want to configure on the left, and what's currently configured shows up on the right side. You can then add, delete, or edit the rules. This appears somewhat helpful, in that it at least prompts for what you need, and constrains your choices. If you're starting from scratch, IPSec can be somewhat overwhelming! Having said that, it still helps to know your way around IPSec and the commands for configuring it. The GUI here will do the work for you, and it's helpful to a degree, but I'd certainly hesitate to call it an intuitive user interface! The last Configuration tab is System Properties, shown below. On the left are the various Categories of things you can configure through this tab. I've selected the Interfaces item. On the right, it shows the status and configuration of the PIX interfaces. If I want to make a change, I click on a row (interface), then Edit, and I can fill in a form to configure the interface.

To wrap things up, here's the File menu, showing some of the managerial functions for doing things with your configuration.

That concludes our quick screen capture survey of PDM.

Summary

I hope you're as impressed with PDM as I was. SDM is a similar tool for configuring IPSec and security aspects of routers. It's on an earlier release, 1.1. The GUI has many of the same elements as PDM, but the overall look and feel are a bit more web than Java applet. Next month's article may be on SDM. If you're dying to see what it looks like, follow the link at the beginning of this article to the posted screen captures. I'd like to thank Michelle Cormier and the Cisco office in Columbia, Maryland for allowing me to use their equipment for these screen captures. I have the feeling IP Telephony is going to start re-appearing in these articles. I and some of our other folks have been immersed in various IP Telephony projects, so IPT has certainly been on my mind. We've been involved in Call Manager, Unity unified voice mail, and Cisco call center deployments, on the Cisco side. I've been involved in the network side of a large-scale (10,000 seat) Nortel IP telephony deployment, focusing on QoS and Security to support the IP telephony. One of our other folks has been helping integrate an Avaya system with a Cisco switched network. We're glad to be in the thick of this activity, and I think we should be able to pass along some of what we've seen and learned.

If you have comments or suggestions for future articles, please do email me (address below).

pixfirewall# en
Type help or '?' for a list of available commands.
pixfirewall# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit tcp any host 220.195.3.197 eq www
access-list 101 permit tcp any host 220.195.3.203 eq sqlnet
access-list 101 permit ip any any
access-list 101 permit tcp any host 220.195.3.197 eq sqlnet
access-list 101 permit tcp any host 220.195.3.203 eq 1433
access-list 101 permit tcp any host 220.195.3.203 eq 210
access-list 101 permit tcp any host 220.195.3.203 eq 211
pager lines 24
mtu outside 15000
mtu inside 15000
ip address outside 220.195.3.204 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 220.195.3.197 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 220.195.3.203 192.168.0.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 220.195.3.193 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.4 255.255.255.255 inside
telnet 192.168.0.43 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f485a85838b7410063734bdbdaef158e
: end
pixfirewall#
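Two things in the configuration above deserve a closer look before it goes into production. Access list 101 is applied inbound on the outside interface, yet its third entry, `access-list 101 permit ip any any`, matches everything, so every entry after it is dead and both static translations are reachable on every port, not just the web and SQL*Net ports the first two entries suggest. The same pattern (a `permit tcp any any` and `permit ip any any` ahead of a long list of denies) appears in the PIX 515 configuration further down the page. Alongside that, the default SNMP community `public` and the legacy `conduit permit icmp any any` are the kind of settings an auditor flags on sight. The following Python linter is an added example, not Cisco code and not from the original page: it parses PIX 6.x `access-list` entries with first-match semantics, reports entries shadowed by an earlier entry, and flags risky management-plane lines. The config excerpt it runs on is constructed from lines modelled on the configurations on this page (the `ssh 0.0.0.0 0.0.0.0 outside` line comes from the PIX 515 configuration later on).

```python
"""Lint a PIX 6.x running-config for dead ACL entries and risky management
settings. Added example, not Cisco code. SAMPLE_CONFIG is a constructed
excerpt modelled on the PIX configurations shown on this page."""
import re
from ipaddress import IPv4Network

SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 220.195.3.197 eq www
access-list 101 permit tcp any host 220.195.3.203 eq sqlnet
access-list 101 permit ip any any
access-list 101 permit tcp any host 220.195.3.197 eq sqlnet
access-list 101 permit tcp any host 220.195.3.203 eq 1433
access-group 101 in interface outside
conduit permit icmp any any
snmp-server community public
telnet 192.168.0.4 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _take_address(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (net, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one access-list entry; None for lines that are not ACEs."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _take_address(tokens)
    dst, tokens = _take_address(tokens)
    port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
    return {"acl": acl, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "text": line.strip()}


def covers(earlier, later):
    """True if `earlier` matches every packet `later` matches (later is dead)."""
    proto_ok = earlier["proto"] == "ip" or earlier["proto"] == later["proto"]
    port_ok = earlier["port"] is None or earlier["port"] == later["port"]
    return (proto_ok and port_ok
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def shadowed_entries(config_text):
    """(dead ACE, ACE that shadows it) pairs; first-match semantics per ACL."""
    aces = [a for a in map(parse_ace, config_text.splitlines()) if a]
    findings = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if earlier["acl"] == later["acl"] and covers(earlier, later):
                findings.append((later["text"], earlier["text"]))
                break
    return findings


RISKY = [
    (re.compile(r"^snmp-server community (public|private)$"),
     "well-known SNMP community string"),
    (re.compile(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 "),
     "management access allowed from any source address"),
    (re.compile(r"^(ssh|telnet|http) \S+ \S+ outside$"),
     "management access exposed on the outside interface"),
    (re.compile(r"^conduit permit "),
     "conduit statement (legacy; prefer access-list plus access-group)"),
    (re.compile(r"^access-list \S+ permit ip any any$"),
     "permit ip any any: every host and port is reachable through this ACL"),
]


def risky_settings(config_text):
    """(config line, reason) for each line matching a RISKY pattern."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        hits.extend((line, why) for pattern, why in RISKY if pattern.match(line))
    return hits


if __name__ == "__main__":
    for dead, by in shadowed_entries(SAMPLE_CONFIG):
        print(f"DEAD   {dead}\n       shadowed by: {by}")
    for line, why in risky_settings(SAMPLE_CONFIG):
        print(f"RISKY  {line}  ({why})")
```

Run against the excerpt it reports the two entries after `permit ip any any` as dead and flags the SNMP community, the conduit, and the wide-open outside SSH line; the `telnet ... inside` line restricted to one host passes. The fix for the ACL is to delete the `permit ip any any` entry so the remaining entries become the effective policy.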

Router>en
Router#show interface
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 000c.ce92.fba0 (bia 000c.ce92.fba0)
  Internet address is 192.168.1.2/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:01:14, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 175000 bits/sec, 18 packets/sec
  5 minute output rate 14000 bits/sec, 21 packets/sec
     6276437 packets input, 692174899 bytes
     Received 11 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     4801828 packets output, 398225746 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     248 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is up
  Hardware is AmdFE, address is 000c.ce92.fba1 (bia 000c.ce92.fba1)
  Internet address is 192.168.0.254/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 14000 bits/sec, 22 packets/sec
  5 minute output rate 175000 bits/sec, 19 packets/sec
     4888967 packets input, 407309510 bytes
     Received 96991 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     6293056 packets output, 693947008 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     1 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Router#

Sharing my experience of successfully getting a PIX 525 onto the Internet over ADSL PPPoE

I hope this is of some help to everyone.

Environment: one PIX 525, standard configuration, software version 6.2. A 3550-12G is connected below it. The PIX e0 port connects to a 2M ADSL line through the modem. The PIX configuration is as follows:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix525
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500   (this still says 1500 here, but when I check e0 with show, its MTU has automatically become 1492)
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.249.178.2 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface   (these two lines do the NAT)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 10.249.0.0 255.255.0.0 10.249.178.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.249.178.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ×××××××××   (this is the login account the ISP gave you; you can't just make it up)
vpdn group pppoex ppp authentication pap
vpdn username ×××××× password *********
terminal width 80
Cryptochecksum:06508dbabd51c6745ef84d1567eb34cf
: end

Another PIX 6.3 configuration (hostname a):

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname a
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 211.90.52.67 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 211.90.52.83
nat (inside) 1 192.168.1.3 255.255.255.255 0 0
static (inside,outside) tcp 211.90.52.83 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 211.90.52.83 eq ftp any
route outside 0.0.0.0 0.0.0.0 211.90.52.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 211.90.52.64 255.255.255.224 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:02eabf628dad17deb68549e2d477fc95
: end
a#

PIX 515 configuration:

pix# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********************
passwd *****************************
hostname pix
domain-name cisco.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 110 permit tcp any host *.*.*.* eq ssh   (PIX outside address)
access-list 110 permit tcp any any
access-list 110 permit ip any any
access-list 110 permit tcp any host *.*.*.* eq ssh   (3550 switch address; can be left out)
access-list 110 permit tcp any host *.*.*.* eq www   (web server address)
access-list 110 deny tcp any any eq 445
access-list 110 deny tcp any any eq netbios-ssn
access-list 110 deny tcp any any eq 137
access-list 110 deny tcp any any eq 135
access-list 110 deny tcp any any eq 593
access-list 110 deny tcp any any eq 1434
access-list 110 deny tcp any any eq 2500
access-list 110 deny tcp any any eq 4444
access-list 110 deny tcp any any eq 5800
access-list 110 deny tcp any any eq 5900
access-list 110 deny tcp any any eq 6346
access-list 110 deny tcp any any eq 6667
access-list 110 deny tcp any any eq 9393
access-list 110 deny udp any any eq 135
access-list 110 deny udp any any eq 445
access-list 110 deny udp any any eq 593
access-list 110 deny udp any any eq 1434
access-list 110 deny udp any any eq tftp
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny tcp any any eq 9995
access-list 110 deny tcp any any eq 5554
access-list 110 deny tcp any any eq 9996
access-list 110 permit tcp any host *.*.*.* eq telnet   (3550 switch address, for remote management)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*-*.*.*.*
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) *.*.*.* 192.168.0.254 netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.* 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.* 192.168.0.4 netmask 255.255.255.255 0 0
access-group 110 in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.0.0 255.255.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.2 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username **** password XS.yT7Fg4IcTEuY/ encrypted privilege 2
terminal width 80
Cryptochecksum:7163354648d1ec47775a6f590321b4fc
: end
pix#

3550 configuration:

Implementing traffic control on a 3550 switch (configured successfully)

Thanks to the brothers on the forum for their help. Here is the configuration file for VLAN separation and traffic control on the 3550. At the same time I have run into a new problem: the VLANs cannot reach each other. What is the reason? Please advise, thanks. The 3550 connects up to a PIX, and VLAN 1 contains various servers (with public mapped IPs), so every VLAN must be able to reach the servers.

cr20g#show run
Building configuration...

Current configuration : 5488 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cr20g
!
enable secret 5 $1$Xtuj$E.l2l.ev7mOCVtwPeEXz1.
enable password 7 08771A1D5A4152404B0805172924
!
username jary password 7 070C285F4D0648564E43595B5D7E797179
ip subnet-zero
ip routing
!
mls qos
!
class-map match-all part6
  match access-group 116
class-map match-all part5
  match access-group 115
class-map match-all part4
  match access-group 114
class-map match-all part3
  match access-group 113
class-map match-all part2
  match access-group 112
!
!
policy-map download
  class part2
    police 1000000 8000 exceed-action drop
  class part3
    police 1800000 8000 exceed-action drop
  class part4
    police 496000 8000 exceed-action drop
  class part5
    police 496000 8000 exceed-action drop
  class part6
    police 800000 8000 exceed-action drop
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 switchport mode access
!
interface FastEthernet0/9
 switchport mode access
!
interface FastEthernet0/10
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 2
 switchport mode access
 service-policy input download
!
interface FastEthernet0/12
 switchport access vlan 2
 switchport mode access
 service-policy input download
!
interface FastEthernet0/13
 switchport access vlan 2
 switchport mode access
 service-policy input download
!
interface FastEthernet0/14
 switchport access vlan 3
 switchport mode access
 service-policy input download
!
interface FastEthernet0/15
 switchport access vlan 4
 switchport mode access
 service-policy input download
!
interface FastEthernet0/16
 switchport access vlan 5
 switchport mode access
 service-policy input download
!
interface FastEthernet0/17
 switchport access vlan 6
 switchport mode access
 service-policy input download
!
interface FastEthernet0/18
 switchport access vlan 6
 switchport mode access
 service-policy input download
!
interface FastEthernet0/19
 switchport mode access
!
interface FastEthernet0/20
 switchport mode access
!
interface FastEthernet0/21
 switchport mode access
!
interface FastEthernet0/22
 switchport mode access
!
interface FastEthernet0/23
 switchport mode access
!
interface FastEthernet0/24
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
!
ip default-gateway 192.168.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
!
!
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 113 permit ip 192.168.3.0 0.0.0.255 any
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 115 permit ip 192.168.5.0 0.0.0.255 any
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
!
line con 0
 password 7 14141B180F0B7B787D7961627B47554352
 logging synchronous
 login
line vty 0 4
 password 7 104D000A061843585555787C7D7C616073
 login
line vty 5 15
 password 7 104D000A061843585555787C7D7C616073
 login
!
end

cr20g#

The network is set up like this:

Internet access: ADSL 2M, address auto-assigned by the telecom

ISP ---------------- C1721 -------------------- PIX 515 ------------------- SWITCH

ISP to C1721: auto-assigned by the telecom
C1721 to PIX 515: 192.168.1.0/24
PIX 515 to SWITCH: 192.168.0.0/24
C1721's F0 -> PIX outside
PIX inside -> switch -> PC
The PC's gateway is 192.168.0.50 (the PIX INSIDE port)

The problem now is: the PC can ping 192.168.1.1 (C1721's F0) and 192.168.0.50 (PIX inside), but cannot ping 202.96.209.56 and 202.96.209.133 (Shanghai Online's DNS). The C1721 and the PIX can ping 202.96.209.56 and 202.96.209.133.

I don't quite understand:
1. First, since I can ping 192.168.1.1 (C1721's F0), does that mean the PIX 515's NAT is not wrong and is running normally?
2. Why can I ping 192.168.1.1, 202.96.209.5 and 202.96.209.133 from the PIX console, but cannot ping 202.96.209.5 from the PC?
3. My thinking is: since I can ping 192.168.1.1, my NAT is right; not being able to ping 202.96.209.133 means the route out setting is wrong?
4. Here is my configuration, please take a look!!!

Here is the C1721 configuration:

r#sh run
Building configuration...

Current configuration : 1840 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r
!
no logging console
enable secret 5 $1$3HsS$mlJdFRQMrHjNpq2KdG6le/
!
ip subnet-zero
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool maruka
   network 192.168.1.0 255.255.255.0
   dns-server 202.96.209.5 202.96.209.133
   default-router 192.168.1.1
   lease 2
!
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 no fair-queue
!
interface ATM0.1 point-to-point
 pvc 8/81
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1450
 speed auto
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip access-group 101 out
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ad50303194 password 7 154A3A2A531A2A7C1E
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip route 192.168.0.0 255.255.255.0 192.168.1.2    (192.168.1.2 is the PIX OUTSIDE)
!
access-list 2 deny any
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any
access-list 100 permit udp 192.168.1.0 0.0.0.255 any
access-list 100 permit icmp 192.168.1.0 0.0.0.255 any
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 4444
access-list 101 deny tcp any any eq 136
access-list 101 deny udp any any eq 136
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq 445
access-list 101 deny udp any any eq 4444
access-list 101 permit ip any any
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 out
 login
!
end

Here is the PIX configuration:

pixfirewall# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 out security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu out 1500
mtu inside 1500
ip address out 192.168.1.2 255.255.255.0
ip address inside 192.168.0.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (out) 1 192.168.1.3-192.168.1.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit ip any any
route out 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.51-192.168.0.250 inside
dhcpd dns 202.96.209.5 202.96.209.133
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:2de866bb9c97d7f180040d500f916610
: end
pixfirewall#

How do you do port mapping on the firewall?

Network environment: a PIX 525 with only one public IP address, 61.xxx.xxx31; the internal network uses 172.16.0.0/16. So that everyone can get online, PAT has already been configured on the PIX; now WWW, FTP and so on need to be published externally. How is the port mapping done? For example:
172.16.0.1 is the WWW server, port 80
172.16.0.2 is the FTP server, port 21
172.16.0.3 is the OA server, and port 1352 must be opened externally
The current configuration is as follows:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 61.xxx.xxx31 255.0.0.0
ip address inside 172.16.0.201 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.1 255.255.255.255 0 0
nat (inside) 1 172.16.0.2 255.255.255.255 0 0
nat (inside) 1 172.16.0.11 255.255.255.255 0 0
nat (inside) 1 172.16.0.21 255.255.255.255 0 0
nat (inside) 1 172.16.1.1 255.255.255.255 0 0
nat (inside) 1 172.16.1.2 255.255.255.255 0 0
nat (inside) 1 172.16.1.3 255.255.255.255 0 0
nat (inside) 1 172.16.1.4 255.255.255.255 0 0
nat (inside) 1 172.16.1.5 255.255.255.255 0 0
nat (inside) 1 172.16.1.6 255.255.255.255 0 0
nat (inside) 1 172.16.1.7 255.255.255.255 0 0
nat (inside) 1 172.16.1.101 255.255.255.255 0 0
nat (inside) 1 172.16.1.102 255.255.255.255 0 0
nat (inside) 1 172.16.1.103 255.255.255.255 0 0
nat (inside) 1 172.16.1.104 255.255.255.255 0 0
nat (inside) 1 172.16.1.105 255.255.255.255 0 0
nat (inside) 1 172.16.1.106 255.255.255.255 0 0
nat (inside) 1 172.16.2.44 255.255.255.255 0 0
nat (inside) 1 172.16.2.45 255.255.255.255 0 0
nat (inside) 1 172.16.2.76 255.255.255.255 0 0
nat (inside) 1 172.16.4.16 255.255.255.255 0 0
nat (inside) 1 172.16.7.17 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 61.xxx.xxx1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:a87a7af9461d861b68dfbeef171a94ea
: end
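Publishing a server through a PIX 6.x needs two pieces: a static that ties the global IP and port to the inside host, and an inbound permit for that global IP and port (a conduit, or an access-list applied with access-group on outside), otherwise the translation exists but nothing is let through. The script below is an added example, not code from the original post or from Cisco; it audits a PIX 6.x-style configuration text for statics that lack such a permit. The sample configuration inside it is constructed, and its service-name table only covers the names the audit needs.

```python
"""Audit PIX 6.x port mappings: an added example, not code from the page.
A static only publishes a server if a conduit or the outside ACL permits it."""
import re

# Service names PIX accepts instead of port numbers (subset this audit needs).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "pop3": 110, "telnet": 23}
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
CONDUIT_RE = re.compile(
    r"^conduit permit (tcp|udp|ip) (?:host (\S+)|any)(?: eq (\S+))?")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp|ip) (?:any|host \S+|\S+ \S+) "
    r"(?:host (\S+)|any)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def port_number(token):
    """Turn a PIX port token such as 'www' or '1352' into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]

def parse_statics(cfg):
    """Return [(proto, global_ip, global_port, local_ip, local_port), ...]."""
    statics = []
    for line in cfg.splitlines():
        if m := STATIC_RE.match(line.strip()):
            proto, gip, gport, lip, lport = m.groups()
            statics.append((proto, gip, port_number(gport), lip, port_number(lport)))
    return statics

def parse_inbound_permits(cfg):
    """Return [(proto, global_ip or 'any', port or None), ...] allowed inbound on
    outside: every conduit plus the entries of the ACL applied to outside."""
    permits, acls, bound = [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := CONDUIT_RE.match(line):
            proto, host, port = m.groups()
            permits.append((proto, host or "any", port_number(port) if port else None))
        elif m := ACL_RE.match(line):
            name, proto, host, port = m.groups()
            acls.setdefault(name, []).append(
                (proto, host or "any", port_number(port) if port else None))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    return permits + acls.get(bound, [])

def is_permitted(static, permits):
    """True if some permit covers the static's protocol, global IP and port."""
    proto, gip, gport = static[:3]
    return any(p_proto in ("ip", proto) and p_host in ("any", gip)
               and p_port in (None, gport) for p_proto, p_host, p_port in permits)

def audit(cfg):
    """Map 'proto GLOBAL:PORT -> LOCAL:PORT' to whether inbound access is permitted."""
    permits = parse_inbound_permits(cfg)
    return {f"{s[0]} {s[1]}:{s[2]} -> {s[3]}:{s[4]}": is_permitted(s, permits)
            for s in parse_statics(cfg)}

# Constructed sample in the shape of the question above: three statics, two conduits.
SAMPLE = """\
static (inside,outside) tcp 61.xxx.xxx.31 www 172.16.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.xxx.xxx.31 ftp 172.16.0.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.xxx.xxx.31 1352 172.16.0.3 1352 netmask 255.255.255.255 0 0
conduit permit tcp host 61.xxx.xxx.31 eq www any
conduit permit tcp host 61.xxx.xxx.31 eq ftp any
"""

if __name__ == "__main__":
    for mapping, ok in audit(SAMPLE).items():
        print(("permitted  " if ok else "NO PERMIT  ") + mapping)
```

Run against a saved `show run`, the mappings flagged NO PERMIT are the ones that will translate but never accept a connection.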

1. static (inside,outside) tcp 61.xxx.xxx.31 www 172.16.0.1 www netmask 255.255.255.255 0 0    (maps port 80 to the WWW server)
2. static (inside,outside) tcp 61.xxx.xxx.31 ftp 172.16.0.2 ftp netmask 255.255.255.255 0 0    (maps port 21 to the FTP server)
3. static (inside,outside) tcp 61.xxx.xxx31 1352 172.16.0.3 1352 netmask 255.255.255.255 0 0    (maps port 1352 to the OA server)

Do I still need to add conduit commands? If so, how should they be written? This is my first time working with a firewall, and I hope the experts can explain it clearly. Is it right to add them like this?

conduit permit tcp host 61.xxx.xxx.31 eq www any
conduit permit tcp host 61.xxx.xxx31 eq ftp any
conduit permit tcp host 61.xxx.xxx31 eq 1352 any

A PIX PPTP VPDN configuration using Win2000 IAS as the authentication server

: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2tp permit udp host 192.168.1.1 any eq 1701
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.248
ip address inside 10.3.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool l2tp 192.168.2.1-192.168.2.10
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.3.1.1 cisco timeout 50
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.3.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local l2tp
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside
terminal width 80
Cryptochecksum:63e364fa4f5458b54c5cfcc313471309
: end

Problem with static inside/outside address mapping on a PIX 525

On the PIX I used two external addresses to map two internal addresses, but strangely, from outside you can see that the IP has changed, so the mapping should have succeeded; yet inside the LAN the real IP cannot be pinged, while from outside it can be pinged, and none of the services on the server can be used, such as WEB, FTP and so on, although Internet access is completely normal. The configuration is as follows:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Kk3wHcwY0XcmLjWl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix525
domain-name yhdc.com.cn
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
fixup protocol rtsp 8554
fixup protocol rtsp 554
names
access-list acl_out permit ip any any
access-list acl_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 219.145.88.64 255.255.255.248
ip address inside 192.168.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 219.145.88.69-219.145.88.70 netmask 255.255.255.248
global (outside) 1 219.145.88.67 netmask 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 219.145.88.66 192.168.0.123 netmask 255.255.255.255 0 0
static (inside,outside) 219.145.88.68 192.168.0.188 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
conduit permit icmp any any
conduit permit tcp host 219.145.88.68 any
conduit permit udp host 219.145.88.68 any
conduit permit tcp host 219.145.88.68 eq www any
conduit permit tcp host 219.145.88.68 eq smtp any
conduit permit tcp host 219.145.88.68 eq pop3 any
route outside 0.0.0.0 0.0.0.0 219.145.88.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet 192.168.0.200 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:2f4ef188c8267cfee5b58c9c6fe67be7

... the conduits, and it still doesn't work:

conduit permit tcp host 219.145.88.68 any
conduit permit udp host 219.145.88.68 any
conduit permit tcp host 219.145.88.68 eq www any
conduit permit tcp host 219.145.88.68 eq smtp any
conduit permit tcp host 219.145.88.68 eq pop3 any

alias (inside) web-ip(inside) web_ip(outside) 255.255.255.255

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.201.200.0 255.255.255.0 10.201.201.0 255.255.255.0
access-list 101 permit ip 10.201.201.0 255.255.255.0 10.201.200.0 255.255.255.0
access-list 101 permit icmp any any
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list aaa permit icmp any any
access-list aaa permit tcp any any
access-list aaa permit udp any any
access-list bbb permit icmp any any
access-list bbb permit tcp any any
access-list bbb permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.3.2 255.255.255.0
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.201.200.0 10.201.200.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.201.201.0 10.201.201.0 netmask 255.255.255.0 0 0
access-group aaa in interface outside
access-group bbb in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
route inside 10.201.201.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:9e7d5a52e6a5b5b3849f7f398f8eb387
: end
