网站域名申请程序,中国互联网排名前十的公司,温州设计公司排名,衡阳建网站cisco PIX防火墙的配置及注解完全手册 PIX Version 6.3(1)interface ethernet0 auto 设定端口0 速率为自动interface ethernet1 100full 设定端口1 速率为100兆全双工interface ethernet2 auto 设定端口2 速率为自动nameif ethernet0 outside security0 设 定端口0 名称为 out… cisco PIX防火墙的配置及注解完全手册 PIX Version 6.3(1) interface ethernet0 auto 设定端口0 速率为自动 interface ethernet1 100full 设定端口1 速率为100兆全双工 interface ethernet2 auto 设定端口2 速率为自动 nameif ethernet0 outside security0 设 定端口0 名称为 outside 安全级别为0 nameif ethernet1 inside security100 设定端口1 名称为 inside 安全级别为100 nameif ethernet2 dmz security50 设定端口2 名称为 dmz 安全级别为50 enable password Dv0yXUGPM3Xt7xVs encrypted 特权密码 passwd 2KFQnbNIdI.2KYOU encrypted 登陆密码 hostname hhyy 设定防火墙名称 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 no fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 允许用户查看、改变、启用或禁止一个服务或协议通过PIX防火墙防火墙默认启用了一些常见的端口但对于ORACLE等专有端口需要专门启用。 names access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.170.0 255.255.255.0 access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0 access-list 101 permit ip 192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0 access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0 建立访问列表允许特定网段的地址访问某些网段 access-list 120 deny icmp 192.168.2.0 255.255.255.0 any access-list 120 deny icmp 192.168.3.0 255.255.255.0 any access-list 120 deny icmp 192.168.4.0 255.255.255.0 any access-list 120 deny icmp 192.168.5.0 255.255.255.0 any access-list 120 deny icmp 192.168.6.0 255.255.255.0 any access-list 120 deny icmp 192.168.7.0 255.255.255.0 any access-list 120 deny icmp 192.168.8.0 255.255.255.0 any access-list 120 deny icmp 192.168.9.0 255.255.255.0 any access-list 120 deny icmp 192.168.10.0 255.255.255.0 any access-list 120 deny icmp 192.168.11.0 255.255.255.0 any access-list 120 deny icmp 192.168.12.0 255.255.255.0 any access-list 120 deny icmp 192.168.13.0 255.255.255.0 any access-list 120 deny icmp 192.168.14.0 255.255.255.0 any access-list 120 deny icmp 192.168.15.0 255.255.255.0 any access-list 120 deny icmp 192.168.16.0 255.255.255.0 any access-list 120 deny icmp 192.168.17.0 255.255.255.0 any access-list 120 deny icmp 192.168.18.0 255.255.255.0 any access-list 120 deny icmp 192.168.19.0 255.255.255.0 any access-list 120 deny icmp 192.168.20.0 255.255.255.0 any access-list 120 deny icmp 192.168.21.0 255.255.255.0 any access-list 120 deny icmp 192.168.22.0 255.255.255.0 any access-list 120 deny udp any any eq netbios-ns access-list 120 deny udp any any eq netbios-dgm access-list 120 deny udp any any eq 4444 access-list 120 deny udp any any eq 1205 access-list 120 deny udp any any eq 1209 access-list 120 deny tcp any any eq 445 access-list 120 deny tcp any any range 135 netbios-ssn access-list 120 permit ip any any 建立访问列表120防止各个不同网段之间的ICMP发包及拒绝135、137等端口之间的通信主要防止冲击波病毒 access-list 110 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0 pager lines 24 logging on logging monitor debugging logging buffered debugging logging trap notifications mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip address outside 10.1.1.4 255.255.255.224 设定外端口地址 ip address inside 192.168.1.254 255.255.255.0 设定内端口地址 ip address dmz 192.168.19.1 255.255.255.0 设定DMZ端口地址 ip audit info action alarm ip audit attack action alarm ip local pool hhyy 192.168.170.1-192.168.170.254 建立名称为hhyy的地址池起始地址段为192.168.170.1-192.168.170.254 ip local pool yy 192.168.180.1-192.168.180.254 建立名称为yy 的地址池起始地址段为192.168.180.1-192.168.180.254 no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address dmz no pdm history enable arp timeout 14400 不支持故障切换 global (outside) 1 10.1.1.13-10.1.1.28 global (outside) 1 10.1.1.7-10.1.1.9 global (outside) 1 10.1.1.10 定义内部网络地址将要翻译成的全局地址或地址范围 nat (inside) 0 access-list 101 使得符合访问列表为101地址不通过翻译对外部网络是可见的 nat (inside) 1 192.168.0.0 255.255.0.0 0 0 内部网络地址翻译成外部地址 nat (dmz) 1 192.168.0.0 255.255.0.0 0 0 DMZ区网络地址翻译成外部地址 static (inside,outside) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0 static (inside,outside) 10.1.1.12 192.168.12.158 netmask 255.255.255.255 0 0 static (inside,outside) 10.1.1.3 192.168.2.4 netmask 255.255.255.255 0 0 设定固定主机与外网固定IP之间的一对一静态转换 static (dmz,outside) 10.1.1.2 192.168.19.2 netmask 255.255.255.255 0 0 设定DMZ区固定主机与外网固定IP之间的一对一静态转换 static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0 设定内网固定主机与DMZ IP之间的一对一静态转换 static (dmz,outside) 10.1.1.29 192.168.19.3 netmask 255.255.255.255 0 0 设定DMZ区固定主机与外网固定IP之间的一对一静态转换 access-group 120 in interface outside access-group 120 in interface inside access-group 120 in interface dmz 将访问列表应用于端口 conduit permit tcp host 10.1.1.2 any conduit permit tcp host 10.1.1.3 any conduit permit tcp host 10.1.1.12 any conduit permit tcp host 10.1.1.29 any 设置管道允许任何地址对全局地址进行TCP协议的访问 conduit permit icmp 192.168.99.0 255.255.255.0 any 设置管道允许任何地址对192.168.99.0 255.255.255.0地址进行PING测试 rip outside passive version 2 rip inside passive version 2 route outside 0.0.0.0 0.0.0.0 10.1.1.1 设定默认路由到电信端 route inside 192.168.2.0 255.255.255.0 192.168.1.1 1 route inside 192.168.3.0 255.255.255.0 192.168.1.1 1 route inside 192.168.4.0 255.255.255.0 192.168.1.1 1 route inside 192.168.5.0 255.255.255.0 192.168.1.1 1 route inside 192.168.6.0 255.255.255.0 192.168.1.1 1 route inside 192.168.7.0 255.255.255.0 192.168.1.1 1 route inside 192.168.8.0 255.255.255.0 192.168.1.1 1 route inside 192.168.9.0 255.255.255.0 192.168.1.1 1 route inside 192.168.10.0 255.255.255.0 192.168.1.1 1 route inside 192.168.11.0 255.255.255.0 192.168.1.1 1 设定路由回指到内部的子网 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS protocol tacacs aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt connection permit-pptp service resetinbound service resetoutside crypto ipsec transform-set myset esp-des esp-md5-hmac 定义一个名称为myset的交换集 crypto dynamic-map dynmap 10 set transform-set myset 根据myset交换集产生名称为dynmap的动态加密图集可选 crypto map *** 10 ipsec-isakmp dynamic dynmap 将dynmap动态加密图集应用为IPSEC的策略模板可选 crypto map *** 20 ipsec-isakmp 用IKE来建立IPSEC安全关联以保护由该加密条目指定的数据流 crypto map *** 20 match address 110 为加密图指定列表110作为可匹配的列表 crypto map *** 20 set peer 10.1.1.41 在加密图条目中指定IPSEC对等体 crypto map *** 20 set transform-set myset 指定myset交换集可以被用于加密条目 crypto map *** client configuration address initiate 指示PIX防火墙试图为每个对等体设置IP地址 crypto map *** client configuration address respond 指示PIX防火墙接受来自任何请求对等体的IP地址请求 crypto map *** interface outsideisakmp enable outside 在外部接口启用IKE协商 isakmp key ******** address 10.1.1.41 netmask 255.255.255.255 指定预共享密钥和远端对等体的地址 isakmp identity address IKE身份设置成接口的IP地址 isakmp client configuration address-pool local yy outside isakmp policy 10 authentication pre-share 指定预共享密钥作为认证手段 isakmp policy 10 encryption des 指定56位DES作为将被用于IKE策略的加密算法 isakmp policy 10 hash md5 指定MD5 (HMAC变种)作为将被用于IKE策略的散列算法 isakmp policy 10 group 2 指定1024比特Diffie-Hellman组将被用于IKE策略 isakmp policy 10 lifetime 86400 每个安全关联的生存周期为86400秒一天 ***group cisco idle-time 1800 ***group pix_*** address-pool yy ***group pix_*** idle-time 1800 ***group pix_*** password ******** ***group 123 address-pool yy ***group 123 idle-time 1800 ***group 123 password ******** ***group 456 address-pool yy ***group 456 idle-time 1800 ***group 456 password ******** telnet 192.168.88.144 255.255.255.255 inside telnet 192.168.88.154 255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group 1 accept dialin pptp vpdn group 1 ppp authentication pap vpdn group 1 ppp authentication chap vpdn group 1 ppp authentication mschap vpdn group 1 ppp encryption mppe 40 vpdn group 1 client configuration address local hhyy vpdn group 1 pptp echo 60 vpdn group 1 client authentication local vpdn username cisco password ********* vpdn enable outside username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2 ***client ***group cisco_*** password ******** ***client username pix password ******** terminal width 80 Cryptochecksum:9524a589b608c79d50f7c302b81bdfa4b 转载于:https://blog.51cto.com/pzs688/245635
