Cisco PIX525 configuration notes and port mapping method
Complete PIX525 configuration

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
nameif ethernet0 cimo security10
nameif ethernet1 intf3 security15
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
enable password 52network encrypted
passwd 52network encrypted
hostname PIX-A
domain-name
\\ Configure interface names, security levels, the hostname and the domain name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 202.102.54.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 202.102.54.0 255.255.255.0 10.0.1.0 255.255.255.0
\\ Configure the protocol types the PIX allows and the traffic to be protected by encryption
pager lines 24
logging timestamp
logging standby
logging trap informational
logging facility 22
logging host inside 202.102.54.5
mtu cimo 1500
mtu intf3 1500
mtu outside 1500
mtu inside 1500
ip address cimo 192.168.0.1 255.255.255.252
ip address intf3 127.0.0.1 255.255.255.255
ip address outside 202.102.53.6 255.255.255.0
ip address inside 202.102.54.1 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover replication http
failover ip address shaying 192.168.0.2
failover ip address intf3 127.0.0.2
failover ip address outside 202.102.53.69
failover ip address inside 202.102.54.3
failover link shaying
\\ Set the syslog server, the IP address of each PIX interface and the PIX failover function
pdm location 219.238.213.192 255.255.255.192 outside
pdm location 202.102.54.0 255.255.255.0 inside
pdm location 202.102.54.28 255.255.255.255 inside
pdm location 202.102.54.88 255.255.255.255 inside
pdm location 202.102.54.89 255.255.255.255 inside
pdm location 202.102.54.90 255.255.255.255 inside
pdm location 202.102.54.208 255.255.255.240 inside
pdm location 202.102.54.48 255.255.255.240 outside
pdm location 202.102.54.48 255.255.255.240 inside
pdm location 202.102.54.128 255.255.255.240 inside
pdm location 219.238.213.245 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 10.0.1.0 255.255.255.0 outside
pdm location 202.102.54.208 255.255.255.240 outside
pdm location 172.16.201.0 255.255.255.0 inside
pdm location 202.102.54.0 255.255.255.0 outside
pdm location 219.239.218.192 255.255.255.192 outside
pdm location 219.238.218.248 255.255.255.255 outside
pdm location 219.238.218.241 255.255.255.255 outside
pdm logging informational 100
no pdm history enable
arp timeout 14400
\\ Configure the workstations that may manage the PIX through the web interface (PDM).
Basic configuration of a Cisco firewall

1. nameif: sets the interface name and assigns its security level. Security levels range from 1 to 100; the higher the number, the higher the security level.
Commands:
PIX525(config)#nameif ethernet0 outside security0
PIX525(config)#nameif ethernet1 inside security100
PIX525(config)#nameif ethernet2 dmz security50

2. interface: configures the operating state of an Ethernet port. Common states are auto, 100full and shutdown.
auto: the NIC auto-negotiates its speed and duplex.
100full: the NIC runs at 100 Mbit/s, full duplex.
shutdown: the interface is administratively closed; without it the interface is active.
Commands:
PIX525(config)#interface ethernet0 auto
PIX525(config)#interface ethernet1 100full
PIX525(config)#interface ethernet1 100full shutdown

3. ip address: configures the IP address of a network interface.

4. global: specifies the public address range, that is, defines the address pool.
Syntax of the global command: global (if_name) nat_id ip_address-ip_address [netmask global_mask]
where:
(if_name): the name of the outside interface, normally outside.
nat_id: the identifier of the address pool being created (the nat command refers to it).
ip_address-ip_address: a range of IP addresses.
[netmask global_mask]: the network mask of the global IP addresses.

5. nat: the address translation command; translates the private IP addresses of the inside network into public IP addresses on the outside.

6. route: defines a static route.
Syntax: route (if_name) 0 0 gateway_ip [metric]

7. static: configures static IP address translation so that an inside address corresponds one-to-one to an outside address.
Firewall CISCO PIX525 configuration manual

Basic knowledge for configuring the Cisco PIX525 firewall. We now use a relatively simple example to show how a Cisco PIX can be used to manage an enterprise internal network.
The network topology is shown in the attached figure.
The Cisco PIX has two network interfaces installed: one connects to the external segment and the other to the internal segment. The external segment mainly runs a DNS server; the internal segment runs a WWW server and an e-mail server. Through the Cisco PIX we want to achieve the following: every machine on the internal network is protected, the WWW server exposes only port 80 to the outside, and the e-mail server exposes only port 25.
The specific steps are as follows.

2. Obtain the latest PIX software. From Cisco's WWW or FTP site we can obtain the latest PIX software, which mainly includes the following.
pix44n.exe: the PIX firewall software image.
pfss44n.exe: the PIX Firewall Syslog Server software, which provides a Windows NT service to record the PIX's running logs.
pfm432b.exe: graphical PIX management software.
rawrite.exe: used to create the PIX boot floppy.

3. Configure network routing. On the internal segment behind the firewall, every computer's default gateway must point at the firewall. For example, if the firewall's internal IP address is 10.0.0.250, the default gateway of every computer on the internal segment must be set to 10.0.0.250.
This is set under Control Panel > Network > TCP/IP Protocol.

4. Configure the PIX. Before configuring the PIX, the network should be planned and designed in detail and the required network configuration information collected.
The information to gather is as follows.
(1) The IP address of each PIX network interface.
(2) If NAT is to be used, an IP address pool for NAT to use.
NAT (Network Address Translation) maps machines on an internal segment that use reserved addresses to valid IP addresses so that they can access the Internet.
(3) The address of the router on the external segment.
To enter the PIX configuration interface: connect the terminal (HyperTerminal), switch on the power, and when the boot messages have appeared and the prompt pixfirewall> is shown, type "enable" and enter the password to enter privileged mode; when the prompt changes to pixfirewall#, type "configure terminal" to enter configuration mode.
Principle and configuration of port mapping

Port mapping: what it does and how it is configured. With port mapping (Port Mapping), a specific port service on a machine inside the LAN can be reached from the Internet.
For example, the machine you use sits inside a LAN that is connected to the Internet; by default, none of the services you run on it (such as FTP) can be reached from outside.
This is because your machine's IP is an internal LAN address, and the only address the outside world can reach is the IP of the server you connect through: the whole LAN has only one real IP address on the Internet, and that address belongs to the LAN's server alone.
So an external Internet connection can only find the server in the LAN, and the service you provide naturally does not work.
The solution to this problem is port mapping (PM).

Configuring port mapping on Cisco devices. Port mapping is in fact one form of what we usually call NAT (address translation); its function is to translate a public address into a private address. An ADSL broadband router operating in routed mode has one dynamic or fixed public IP; the ADSL device is connected directly to a hub or switch and all the computers share the connection.
In that case the ADSL has only one external address, for example 61.177.0.7.
The internal IPs are private addresses: for example, the ADSL device is set to 192.168.0.1 and the computers below it are set in turn to 192.168.0.2 through 192.168.0.254.
How is NAT implemented on a broadband router? Routers generally offer a virtual server setting and an open host (DMZ Host).
A virtual server generally lets the user define, as needed, the different ports on which services are provided, whereas the open host works on an IP address: it disables the firewall function and maps a single LAN IP address directly onto the external IP regardless of port. This method supports only one internal computer.
The most common use of port mapping is for a server in the network that uses an internal private IP address, where people want that server to be visible on the public network through port mapping. Here we need to know the port number of the service in question: for example, HTTP is port 80 and FTP uses two ports, 20 and 21.
Here we take the most common port, 80, as the example and set up a virtual HTTP server, assuming the internal HTTP server's IP address is 10.0.0.10.
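The virtual-server mapping just described, worked through as a small stateful NAT model. This is an added example and not part of the original article or any of the documents it collects; the public address 61.177.0.7 and the internal HTTP server 10.0.0.10 are the values the text uses, while the LAN client 192.168.0.5, the external hosts 198.51.100.7 and 203.0.113.53 and all port numbers are constructed for the demonstration. It shows why an Internet client reaches 10.0.0.10 only on the mapped port, how the server's replies are translated back to the public address on the same port, and how ordinary outbound connections from LAN hosts are handled with per-connection port translation.

```python
"""Stateful NAT with a static port mapping ("virtual server") and dynamic PAT.

Constructed example: 61.177.0.7 (the router's public address) and 10.0.0.10
(the internal HTTP server) are the values used in the text; the LAN client,
the external hosts and all port numbers are made up for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
FlowKey = Tuple[str, str, int]        # (proto, ip, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Single-public-IP NAT: static port maps for published services plus
    per-connection port translation (PAT) for outbound traffic."""

    def __init__(self, public_ip: str, ephemeral_start: int = 1024) -> None:
        self.public_ip = public_ip
        # Static "virtual server" maps, kept in both directions.
        self.static_in: Dict[Tuple[str, int], Endpoint] = {}   # (proto, public_port) -> inside
        self.static_out: Dict[FlowKey, int] = {}                # (proto, inside_ip, inside_port) -> public_port
        # Dynamic PAT table, also kept in both directions.
        self.pat_in: Dict[Tuple[str, int], Endpoint] = {}
        self.pat_out: Dict[FlowKey, int] = {}
        self._next_port = ephemeral_start

    def add_virtual_server(self, proto: str, public_port: int,
                           inside_ip: str, inside_port: int) -> None:
        self.static_in[(proto, public_port)] = (inside_ip, inside_port)
        self.static_out[(proto, inside_ip, inside_port)] = public_port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the public address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key in self.static_out:
            # A published server answers from its mapped public port, so the
            # external client sees 61.177.0.7:80 rather than an ephemeral port.
            public_port = self.static_out[key]
        elif key in self.pat_out:
            public_port = self.pat_out[key]          # existing connection
        else:
            public_port = self._allocate_port(pkt.proto)
            self.pat_out[key] = public_port
            self.pat_in[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or return None to drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.pat_in.get(key) or self.static_in.get(key)
        if target is None:
            return None   # unsolicited traffic to an unmapped port goes nowhere
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])

    def _allocate_port(self, proto: str) -> int:
        # Skip ports already taken by a static map or an active PAT entry.
        while (proto, self._next_port) in self.static_in or (proto, self._next_port) in self.pat_in:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port


def demo() -> Dict[str, Optional[Packet]]:
    """Run the four cases the text distinguishes and return the translated packets."""
    gw = NatGateway("61.177.0.7")
    gw.add_virtual_server("tcp", 80, "10.0.0.10", 80)      # the virtual HTTP server
    r: Dict[str, Optional[Packet]] = {}
    # 1. An Internet client connects to the published web port.
    r["http_in"] = gw.inbound(Packet("tcp", "198.51.100.7", 50000, "61.177.0.7", 80))
    # 2. The server's reply is translated back to the public address, same port.
    r["http_reply"] = gw.outbound(Packet("tcp", "10.0.0.10", 80, "198.51.100.7", 50000))
    # 3. Unsolicited traffic to a port nobody mapped is dropped.
    r["ssh_in"] = gw.inbound(Packet("tcp", "198.51.100.7", 50001, "61.177.0.7", 22))
    # 4. A LAN host's outbound DNS query is PATed and the reply finds its way back.
    r["dns_out"] = gw.outbound(Packet("udp", "192.168.0.5", 40000, "203.0.113.53", 53))
    r["dns_reply"] = gw.inbound(Packet("udp", "203.0.113.53", 53, "61.177.0.7", r["dns_out"].src_port))
    return r


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} -> {pkt}")
```

Case 3 is the property the text relies on: the single public address hides every LAN host until a mapping is created, and each mapping is an explicit inbound exception that should be listed and reviewed. The open-host (DMZ Host) mode the text also mentions would correspond to mapping every port of one inside address, which is why it is said to support only one computer and to switch the firewall function off for it.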
PIX firewall basic configuration commands and configuration examples

1. PIX configuration commands

(1) Name the firewall interfaces and assign security levels (nameif)
Pix525(config)#nameif ethernet0 outside security0
Pix525(config)#nameif ethernet1 inside security100
Pix525(config)#nameif dmz security50
Tip: in the default configuration, ethernet0 is named the outside interface with security level 0, and ethernet1 is named the inside interface with security level 100. Security levels range from 1 to 99; the higher the number, the higher the security level.
If a new interface is added, the statement can be written as:
Pix525(config)#nameif pix/intf3 security40 (any security level may be chosen)

(2) Configure Ethernet port parameters (interface)
Pix525(config)#interface ethernet0 auto (the auto option makes the system auto-negotiate the NIC type)
Pix525(config)#interface ethernet1 100full (the 100full option means 100 Mbit/s full-duplex Ethernet)
Pix525(config)#interface ethernet1 100full shutdown (the shutdown option closes the interface; to enable it, remove shutdown)

(3) Configure the IP addresses of the inside and outside NICs (ip address)
Pix525(config)#ip address outside 61.144.51.42 255.255.255.248
Pix525(config)#ip address inside 192.168.0.1 255.255.255.0
Clearly, the Pix525 firewall's outside IP address is 61.144.51.42 and its inside IP address is 192.168.0.1.

(4) Specify the outside address range (global)
Syntax of the global command: global (if_name) nat_id ip_address - ip_address [netmask global_mask]
The global command translates the IP addresses of the inside network into an outside IP address or a range of outside addresses.
Quidway S3528 + Cisco PIX525 configuration

Scenario: the S3528P is the core switch and is divided into VLANs to isolate broadcasts; the PIX525 serves as the firewall and performs NAT. There is one WWW server in this network with a public IP.
Requirements: LAN users are isolated from broadcast storms, can reach the Internet, and can access the WWW server by domain name; the WWW server must of course also be reachable by public users. The WWW server is accessed by host header + IP + port number.
Topology: (see figure)

Configuration:

1. S3528

dis cu
#
 sysname HUAWEI_S3528P
#
radius scheme system
 server-type huawei
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
domain system
 radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
temperature-limit 0 20 80
#
dhcp server ip-pool chedui
 network 192.168.70.0 mask 255.255.255.0
 gateway-list 192.168.70.1
 dns-list 202.99.224.8 202.99.224.68
#
dhcp server ip-pool fulian
 network 192.168.30.0 mask 255.255.255.0
 gateway-list 192.168.30.1
 dns-list 202.99.224.8 202.99.224.68
#
dhcp server ip-pool gov
 network 192.168.50.0 mask 255.255.255.0
 gateway-list 192.168.50.254
 dns-list 202.99.224.8 202.99.224.68
#
dhcp server ip-pool jiwei
 network 192.168.20.0 mask 255.255.255.0
 gateway-list 192.168.20.1
 dns-list 202.99.224.8 202.99.224.68
#
dhcp server ip-pool shiwei
 network 192.168.10.0 mask 255.255.255.0
 gateway-list 192.168.10.1
 dns-list 202.99.224.8 202.99.224.68
#
dhcp server ip-pool xinfang
 network 192.168.40.0 mask 255.255.255.0
 gateway-list 192.168.40.1
 dns-list 202.99.224.8 202.99.224.68
#
dhcp server ip-pool xxzx
 network 192.168.60.0 mask 255.255.255.0
 gateway-list 192.168.60.1
 dns-list 202.99.224.8 202.99.224.68
#
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.255.255
#
acl number 3000 match-order auto
 rule 0 deny udp source-port eq tftp destination-port eq tftp
 rule 1 deny tcp source-port eq 135 destination-port eq 135
 rule 2 deny udp source-port eq 135 destination-port eq 135
 rule 3 deny udp source-port eq netbios-ns destination-port eq netbios-ns
 rule 4 deny udp source-port eq netbios-dgm destination-port eq netbios-dgm
 rule 5 deny udp source-port eq netbios-ssn destination-port eq netbios-ssn
 rule 6 deny tcp source-port eq 139 destination-port eq 139
 rule 7 deny tcp source-port eq 445 destination-port eq 445
 rule 8 deny tcp source-port eq 593 destination-port eq 593
 rule 9 deny tcp source-port eq 4444 destination-port eq 5444
 rule 11 deny tcp destination-port eq 5554
 rule 12 deny tcp destination-port eq 9995
 rule 13 deny tcp destination-port eq 9996
 rule 14 deny tcp destination-port eq 3127
 rule 15 deny tcp destination-port eq 1025
 rule 16 deny tcp destination-port eq 137
 rule 17 deny tcp destination-port eq 138
 rule 18 deny tcp destination-port eq 5800
 rule 19 deny tcp destination-port eq 5900
 rule 20 deny tcp destination-port eq 8998
#
vlan 1
#
vlan 100
 description to-CNC
#
vlan 200
 description to-WAN
#
vlan 300
 description to-PIX_NAT
#
vlan 500
 description to-shiwei
#
vlan 600
 description to-GOV
#
vlan 700
 description to-jiwei
#
vlan 800
 description to-fulian
#
vlan 900
 description to-xinfang
#
vlan 1000
 description to-xxzx
#
vlan 1100
 description to-chedu
#
interface Vlan-interface100
 description to CNC
 ip address 61.138.127.133 255.255.255.128
#
interface Vlan-interface200
 description to WAN
 ip address 202.99.241.9 255.255.255.248
#
interface Vlan-interface300
 description to pix_nat
 ip address 192.168.0.2 255.255.255.248
#
interface Vlan-interface500
 description to shiwei
 ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface600
 description to shiwei
 ip address 192.168.50.254 255.255.255.0
#
interface Vlan-interface700
 description to jiwei
 ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface800
 description to fulian
 ip address 192.168.30.1 255.255.255.0
#
interface Vlan-interface900
 description to xinfang
 ip address 192.168.40.1 255.255.255.0
#
interface Vlan-interface1000
 description to xxzx
 ip address 192.168.60.1 255.255.255.0
#
interface Vlan-interface1100
 description to chedui
 ip address 192.168.70.1 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
 port access vlan 100
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/2
 port access vlan 200
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/3
 port access vlan 200
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/4
 port access vlan 200
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/5
 port access vlan 200
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/6
 port access vlan 200
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/7
 port access vlan 300
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
#
interface Ethernet0/8
 port access vlan 1100
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/9
 port access vlan 500
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/10
 port access vlan 600
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/11
 port access vlan 700
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/12
 port access vlan 800
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/13
 port access vlan 900
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/14
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/15
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/16
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/17
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/18
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/19
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/20
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/21
 port access vlan 1000
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/22
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/23
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
 packet-filter inbound ip-group 3000 rule 15
 packet-filter inbound ip-group 3000 rule 16
 packet-filter inbound ip-group 3000 rule 17
 packet-filter inbound ip-group 3000 rule 18
 packet-filter inbound ip-group 3000 rule 19
 packet-filter inbound ip-group 3000 rule 20
 traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1
#
interface Ethernet0/24
 packet-filter inbound ip-group 3000 rule 0
 packet-filter inbound ip-group 3000 rule 1
 packet-filter inbound ip-group 3000 rule 2
 packet-filter inbound ip-group 3000 rule 3
 packet-filter inbound ip-group 3000 rule 4
 packet-filter inbound ip-group 3000 rule 5
 packet-filter inbound ip-group 3000 rule 6
 packet-filter inbound ip-group 3000 rule 7
 packet-filter inbound ip-group 3000 rule 8
 packet-filter inbound ip-group 3000 rule 9
 packet-filter inbound ip-group 3000 rule 11
 packet-filter inbound ip-group 3000 rule 12
 packet-filter inbound ip-group 3000 rule 13
 packet-filter inbound ip-group 3000 rule 14
Cisco PIX Firewall Basic Configuration
1. As before, connect a serial cable from the PC's COM port to the console port of the Cisco PIX 525.
2. Switch on the PC and the firewall and open the Windows HyperTerminal program; the communication parameters can be left at the system defaults.
Go through the firewall's initial-configuration dialogue. Its main settings are the date, the time, the hostname, the inside IP address and the domain; when it finishes, an initial configuration exists. The prompt is now: pix525>.
3. Type enable to enter the PIX 525's privileged mode; the default password is empty.
To change the privileged-mode password use enable password, whose format is: enable password password [encrypted]. The password may be up to 16 alphanumeric characters. The encrypted keyword means that the string given is already the encrypted form (as it appears in a saved configuration), not a plaintext password to be encrypted.
4. Define the Ethernet ports. First enter privileged mode with enable, then type configure terminal (config t for short) to enter global configuration mode. Specifically:
pix525>enable
Password:
pix525#config t
pix525(config)#interface ethernet0 auto
pix525(config)#interface ethernet1 auto
By default ethernet0 is the outside interface and ethernet1 the inside interface. inside is already active once the initial configuration has succeeded, but outside must be activated with this command.
5. Configure the clock. This matters because the firewall's log records carry timestamps: if their date and time are wrong, the information in the log cannot be analysed correctly or correlated with other devices. This is done in global configuration mode. The clock set command has two forms that differ only in the order of the date fields:
clock set hh:mm:ss month day year
clock set hh:mm:ss day month year
The first is hour:minute:second month day year, the second hour:minute:second day month year; only the order of day and month differs.
PIX525 Advanced Commands and Examples, Unit 10
Homework
Homework 1: P62, exercises 2.1 and 2.2.
Homework 2: 1. What types of access control list are there, and what is their basic syntax? 2. Describe the NAT techniques and the environment each one suits.
Homework 3: 1. Describe the methods you know for conserving IP addresses and analyse their advantages and disadvantages. 2. If you had to buy a firewall for our campus network, which one would you choose and why? (Argue from price/performance and suitability.)
Case analysis
Lab report
Four advanced commands
conduit command syntax (in the PIX 5.x/6.x order, which the examples on this page follow): conduit permit|deny protocol global_ip global_mask [operator port] foreign_ip foreign_mask [operator port]
permit|deny allows or denies the access. global_ip is a global IP address previously defined by a global or static command; if global_ip is 0, write any instead, and for a single host use the host keyword (which replaces the mask). port is the port the service uses, e.g. www uses 80 and smtp 25; it can be given by service name or by number. protocol is the connection protocol: TCP, UDP, ICMP and so on. foreign_ip is the external address allowed to reach global_ip; any stands for every host, and host again denotes a single host.
Port Mapping on a Cisco PIX Firewall
Before configuring the PIX, a word about the physical characteristics of a firewall. A firewall usually has at least three interfaces, although many early firewalls had only two. With three interfaces, at least three networks arise:
Inside zone (intranet): usually the enterprise's internal network or part of it. It is the trusted zone of the internetwork, the one the firewall protects.
Outside zone (extranet): usually the Internet or any network that is not the enterprise's own. It is the untrusted zone; when it wants to reach hosts and services on the inside, the firewall allows only restricted access.
Demilitarized zone (DMZ): an isolated network, or several. Hosts or servers placed in the DMZ are called bastion hosts. Web servers, mail servers and the like are normally placed here. The DMZ is usually reachable by outside users, so that they can obtain the enterprise's public information without being able to reach the internal network.
Note: a two-interface firewall has no DMZ.
Because the PIX535 is uncommon at enterprise scale, what follows describes the PIX525 in an enterprise network.
The PIX firewall offers four administrative access modes:
Unprivileged mode: the mode the PIX is in after its power-on self-test. Prompt: pixfirewall>
Privileged mode: entered with enable; the current configuration can be changed. Prompt: pixfirewall#
Configuration mode: entered with configure terminal; almost all system configuration is done here. Prompt: pixfirewall(config)#
Monitor mode: entered by holding Escape or sending a Break character while the PIX boots or reboots; used to load a new operating-system image and for password recovery. Prompt: monitor>
Anyone with console access can therefore recover or reset the passwords, so physical control of the console port matters as much as the passwords themselves.
Six basic commands configure a PIX: nameif, interface, ip address, nat, global and route. They are required in any PIX configuration. The basic steps are:
1. Name the firewall interfaces and assign their security levels (nameif).
PIX525 Advanced Commands and Examples, Unit 10 (slides)
Tasks for this unit
1. The four advanced commands 2. Case analysis 3. Homework and lab report
Four advanced commands
Static IP address translation (static): when a session initiated from the outside has an inside IP address as its destination, static translates that inside address into a designated global address and lets the session be built.
Pix525(config)#static (inside,outside) 61.144.51.62 192.168.0.3
Pix525(config)#conduit permit tcp host 61.144.51.62 eq www any
These two statements only work together. 192.168.0.3 is a web server on the inside network, and outside users should be able to reach it through the PIX. The static first maps the inside address 192.168.0.3 to the global address 61.144.51.62; the conduit then lets any outside host make HTTP connections to 61.144.51.62.
For connections toward the inside interface, static and conduit are used together to define how a session may be built. Put simply, the conduit command does on the PIX what access control lists (ACLs) do on other Cisco devices.
conduit command syntax: conduit permit|deny protocol global_ip global_mask [operator port] foreign_ip foreign_mask [operator port]
Tip: in the case above, leaving out the conduit that permits the access does not work, because by default the PIX does not let packets initiate from a lower-security interface toward a higher-security one. The same holds for an access-list bound with access-group, which is the preferred form on PIX 5.x and later.
NAT Configuration on the PIX525
The PIX525 has three Ethernet interfaces, connected to the inside network, the outside network and the DMZ. (A PIX515 has only two ports, with fixed security levels.)
Pix525#conf t
Pix525(config)#nameif ethernet0 inside security100
Pix525(config)#nameif ethernet1 dmz security50
Pix525(config)#nameif ethernet2 outside security0
Set the interface mode:
Pix525(config)#interface ethernet0 auto
Pix525(config)#interface ethernet1 auto
Pix525(config)#interface ethernet2 auto
Set the interface addresses:
Pix525(config)#ip address outside 133.0.0.1 255.255.255.252
Pix525(config)#ip address inside 10.66.1.200 255.255.0.0
Pix525(config)#ip address dmz 10.65.1.200 255.255.0.0
Define address pool 1:
Pix525(config)#global (outside) 1 133.1.0.1-133.1.0.14 netmask 255.255.255.240
(the 240 in the mask is binary 11110000)
Dynamic NAT for inside hosts reaching out through the inside interface:
Pix525(config)#nat (inside) 1 0 0
"1 0 0" means that any inside host is translated through pool 1. The inside interface permits any outbound traffic by default.
Default route for outbound access:
Pix525(config)#route outside 0 0 133.0.0.2
"0 0" means any destination; 133.0.0.2 is the next hop.
Static NAT, so that outside access to the company address 133.1.0.1 is translated to 10.65.1.101 in the DMZ:
Pix525(config)#static (dmz,outside) 133.1.0.1 10.65.1.101
Pix525(config)#static (dmz,outside) 133.1.0.2 10.65.1.102
Inside the parentheses the higher-security interface comes first; of the two addresses that follow, the outside (global) address comes first.
Two points to check in this layout. The static global addresses 133.1.0.1 and 133.1.0.2 lie inside dynamic pool 1 (133.1.0.1-133.1.0.14); statics should use addresses outside the pool, otherwise an inside host can be handed the same global address a DMZ server is published on. And the pool is not on the outside interface's own subnet (133.0.0.0/30), so the upstream router needs a route for 133.1.0.0/28 pointing at 133.0.0.1. As everywhere on the PIX, the static only creates the translation; an access-list bound to the outside interface (or a conduit) must still permit the inbound connection.
PIX525 Firewall Operations Manual
Cisco PIX525 Operations Manual, October 2006
Chapter 1. Cisco PIX hardware installation
1.1 Open the box, take out the Cisco PIX 525 and check the exterior for damage; the front and rear are shown in the figure.
1.2 Add network cards: open the chassis and insert the card, as shown in the figure.
1.3 Rack-mount the chassis: screw the mounting brackets to both sides (brackets and screws are in the box), then fix the unit in the rack.
1.4 Connect the network cables, the console cable and the power cord, as shown in the figure.
1.5 Configure the Cisco PIX 525 through HyperTerminal. Start the PIX 525 and wait until the screen shows the following:
[Cisco Systems logo]
Private Internet eXchange
Cisco Secure PIX Firewall
Cisco Secure PIX Firewall Version 6.2(1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
(With VPN-3DES disabled this unit can only build DES-protected tunnels; a 3DES/AES activation key is needed before it is used for VPN.)
If an encryption circuit board is present, the following export statement appears:
****************************** Warning *******************************
An encryption device has been discovered.
This product is not authorized for use by persons located outside the United States and Canada that do not have export license authority from Cisco Systems, Inc. and/or the U.S. Government.
This product may not be exported outside the U.S. and Canada either by physical or electronic means without the prior written approval of Cisco Systems, Inc. and/or the U.S. Government.
Persons outside the U.S. and Canada may not reexport, resell, or transfer this product by either physical or electronic means without prior written approval of Cisco Systems, Inc. and/or U.S. Government.
******************************* Warning *******************************
If you have an activation key that supports encryption, the following statement appears:
****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.
This product performs encryption and is regulated for export by the U.S. Government.
This product is not authorized for use by persons located outside the United States and Canada that do not have prior approval from Cisco Systems, Inc. or the U.S. Government.
This product may not be exported outside the U.S. and Canada either by physical or electronic means without PRIOR approval of Cisco Systems, Inc. or the U.S. Government.
Persons outside the U.S. and Canada may not re-export, resell or transfer this product by either physical or electronic means without prior approval of Cisco Systems, Inc. or the U.S. Government.
******************************* Warning *******************************
PIX Firewall then displays the following messages:
The 'logging trap' command now sets only the syslog server logging level.
Use the 'logging history' command to set the SNMP logging level.
Cryptochecksum(unchanged): 29bd47de e4c13958 db57ee04 282ae9de
Copyright (c) 1998-2002 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Chapter 2. Cisco PIX configuration
2.1 Routine Cisco PIX operation. After starting the Cisco PIX, connect to it from the console terminal.
PIX525 IPsec VPN Real-Project Configuration (excerpt)
PIX configuration topics: PIX from zero
The basic commands to master (PIX software 7.0 and later):
1. Interface configuration: interface, nameif, security-level
2. Address translation: nat, global
3. Remote login from the inside: telnet, passwd
PIX from zero, part 1: interface configuration
pix525(config)# interface ethernet 0
pix525(config-if)# ip address 10.1.1.254 255.255.255.0
pix525(config-if)# nameif outside
// name the interface; the name is used wherever the interface is referred to later
pix525(config-if)# security-level 0
// the interface security level: 0 is the lowest and means the external network. Naming an interface outside sets its level to 0 automatically; naming it inside sets 100, the internal network. A DMZ is usually given an intermediate value such as 40.
pix525(config)# interface ethernet 1
pix525(config-if)# ip address 192.168.10.254 255.255.255.0
pix525(config-if)# nameif inside
pix525(config-if)# security-level 100
PIX from zero, part 2: address translation
pix525(config)# global (outside) 1 interface
// map inside hosts to the address of the outside interface (PAT)
pix525(config)# nat (inside) 1 192.168.10.0 255.255.255.0
// the inside addresses allowed to be translated; the id 1 must match the global on outside
Some PIX releases do not, by default, let the echo replies to an inside host's ping back in through the outside interface. To let inside machines ping out, add:
pix525(config)# access-list for_icmp permit icmp any any
pix525(config)# access-group for_icmp in interface outside
// apply the ACL to traffic entering the outside interface
Note that permit icmp any any admits every ICMP type from every source, not just replies; restrict the list to echo-reply, time-exceeded and unreachable, or on 7.0 enable ICMP inspection, which tracks echo state without an ACL.
PIX from zero, part 3: remote login from the inside
pix525(config)# telnet 0.0.0.0 0.0.0.0 inside
// the address can be narrowed to a single management host, which is preferable; telnet is cleartext
pix525(config)# passwd [passwd]
// the login password
pix525(config)# enable password [passwd]
With this much configured, inside users reach the Internet normally through NAT, and the firewall can be administered by remote login from the inside network.
Lab 8: Cisco PIX525 Firewall Configuration Example
Lab 8 Cisco firewall pix525 configuration example
1. Introduction. Hardware firewalls are used more and more and the range of products is wide.
Domestic products usually ship with Chinese documentation and configuration examples, whereas foreign products almost never have a Chinese manual.
2. Physical connection. The PIX525 is a standard rack-mount device, 2U high, with the power switch and connectors at the back.
The front carries indicator lights (power, operating status and so on); the rear panel carries the interfaces and expansion slots. Three interfaces are used here: two Ethernet ports (RJ-45) and one console port, labelled ETHERNET0, ETHERNET1 and CONSOLE. Mount the firewall in the rack and connect power; then use the blue cable supplied with the unit to connect the firewall to the laptop.
Note: the cable is flat; its RJ-45 end goes into the firewall's console port and its serial end into the laptop's serial port.
3. Initial configuration. Start the laptop and power up the firewall.
1. Create a HyperTerminal session by running the HyperTerminal program in Windows.
Steps: Start → All Programs → Accessories → Communications → HyperTerminal. A dialogue asks for a name for the session, e.g. PIX515, then Enter; the next dialogue asks for the serial port, choose COM1, then Enter; the next asks for the speed, choose 9600, then Enter. 2. Basic configuration: the HyperTerminal window appears; press Enter and answer the prompts: Password: your choice.
Enter. Year: [2004] Enter. Month: [Feb] Enter. Day: [20] Enter. Time: [10:21:30] Enter. Inside IP address: 192.168.10.0 Enter. Inside network mask: 255.255.255.0 Enter. Host name: PIX525 Enter. Domain name: Enter. A summary of these settings follows, with a prompt asking whether to save. (The inside IP address must be a host address on the inside subnet, such as 192.168.10.1; 192.168.10.0 is the network address and will not work as an interface address.)
Choose YES to write the configuration to flash. 4. Specific configuration. Before configuring, understand the concrete requirements.
In this example the organisation connects to the Internet through the firewall, which must therefore also route; net1 connects to the outside network and net0 to the inside network.
Cisco PIX525 Firewall Commissioning Setup
Use the static command to map the IP of an internal host that must be reachable from the outside to a static global IP address:
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask mask] [max_conns]
global_ip: the global address assigned by the external network; it cannot be a PAT address.
max_conns: the maximum number of concurrent connections allowed.
Bind an access list to an interface with the access-group command:
access-group ID in interface low_interface
low_interface: the external interface, the one with the lower security level.
6. Configuring inside access to the outside network
Use the global and nat commands to translate some or all of the internal hosts:
nat [(if_name)] nat_id local_ip [netmask]
if_name: the firewall interface to which the segment being translated is connected.
nat_id: an identifier for this NAT; it ties the nat entry to the global entries with the same id.
local_ip, netmask: the internal address range and its subnet mask.
Related commands whose parameters this article also defines: interface hardware_id [hardware_speed] [shutdown]; nameif hardware_id if_name security_level; telnet ip_address subnet_mask inside.
2.2 Setting the privileged-mode password
enable password [password] [level level] [encrypted]
Cisco Firewall Configuration
Creating users and changing passwords works basically as on a Cisco IOS router.
Activating the Ethernet ports: enter privileged mode with enable, then configuration mode:
PIX525>enable
Password:
PIX525#config t
PIX525(config)#interface ethernet0 auto
PIX525(config)#interface ethernet1 auto
By default ethernet0 is the outside interface and ethernet1 the inside interface. inside is already active once the initial configuration has succeeded, but outside must be activated with this command.
Naming the ports and setting security levels, with the nameif command:
PIX525(config)#nameif ethernet0 outside security0
PIX525(config)#nameif ethernet1 inside security100
security0 is the security level of the outside port (100 is the highest level); security100 is the level of the inside port. Further Ethernet ports are named with security10, security20 and so on; several interfaces make up several networks, and usually one extra Ethernet port is added as a DMZ (Demilitarized Zone).
Configuring the Ethernet port IP addresses, with the ip address command. For example, with the inside network 192.168.1.0 255.255.255.0 and the outside network 222.20.16.0 255.255.255.0:
PIX525(config)#ip address inside 192.168.1.1 255.255.255.0
PIX525(config)#ip address outside 222.20.16.1 255.255.255.0
Configuring remote access (telnet): by default the PIX's Ethernet ports do not accept telnet, which differs from a router.
Firewall Implementation Strategy: the Top-Level Firewall
Top-level firewall (Cisco PIX525) configuration commands. The PIX525 has three Ethernet interfaces, connected to the inside network, the outside network and the DMZ. (A PIX515 has only two ports, with fixed security levels.)
Pix525#conf t
Pix525(config)#nameif ethernet0 inside security100
Pix525(config)#nameif ethernet1 dmz security50
Pix525(config)#nameif ethernet2 outside security0
Interface mode:
Pix525(config)#interface ethernet0 auto
Pix525(config)#interface ethernet1 auto
Pix525(config)#interface ethernet2 auto
Interface addresses:
Pix525(config)#ip address outside 10.1.1.1 255.255.255.240
Pix525(config)#ip address inside 172.16.1.2 255.255.255.0
Pix525(config)#ip address dmz 172.16.6.1 255.255.255.0
Set the time (format: clock set hh:mm:ss day month year):
Pix525(config)#clock set 09:00:00 21 May 2010
Interface security levels (the same nameif statements as above: outside is the external interface, inside the internal one):
Pix525(config)#nameif ethernet2 outside security0
Pix525(config)#nameif ethernet1 dmz security50
Pix525(config)#nameif ethernet0 inside security100
Routes:
Pix525(config)#route inside 172.16.0.0 255.255.0.0 172.16.1.2 1
Pix525(config)#route outside 10.1.0.0 255.255.0.0 10.1.1.1
NAT: each of the three departmental networks forms its own group and is translated to its own range of outside addresses (group 3 is taken to be 172.16.5.0, the third departmental network that the access list below refers to):
Pix525(config)#nat (inside) 1 172.16.3.0 255.255.255.0
Pix525(config)#nat (inside) 2 172.16.4.0 255.255.255.0
Pix525(config)#nat (inside) 3 172.16.5.0 255.255.255.0
Pix525(config)#global (outside) 1 10.1.1.1-10.1.1.4 netmask 255.255.255.0
Pix525(config)#global (outside) 2 10.1.1.5-10.1.1.8 netmask 255.255.255.0
Pix525(config)#global (outside) 3 10.1.1.9-10.1.1.12 netmask 255.255.255.0
Pool 1 includes 10.1.1.1, which is the outside interface's own address and is reused by the static below; a global address must be unique and must not be the interface address unless it is declared with the interface keyword for PAT.
Management access: telnet for inside users, SSH for outside users:
Pix525(config)#telnet 172.16.13.110 255.255.255.0 inside
Pix525(config)#passwd admin
Pix525(config)#enable password admin
Pix525(config)#ssh 130.12.1.0 255.255.255.0 outside
Pix525(config)#username miaosen password miaosen
Pix525(config)#aaa authentication ssh console LOCAL    / authenticate SSH against the local user database
Generate the RSA key pair that SSH needs:
Pix525(config)#ca zeroize rsa
Pix525(config)#ca generate rsa key 1024
Pix525(config)#ca save all
("admin" and a username identical to its password are placeholders; use strong, distinct values. Narrow the ssh statement to the management hosts rather than a whole /24 on the outside, and keep telnet, which is cleartext, to the inside.)
Packet-filter access list: other departments' access to the finance department. Policy: deny www, ftp and smtp; allow the management host to reach finance:
access-list 100 deny tcp 172.16.4.0 255.255.255.0 172.16.3.0 255.255.255.0 eq ftp
access-list 100 deny tcp 172.16.4.0 255.255.255.0 172.16.3.0 255.255.255.0 eq www
access-list 100 deny tcp 172.16.4.0 255.255.255.0 172.16.3.0 255.255.255.0 eq smtp
access-list 100 deny tcp 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 eq ftp
access-list 100 deny tcp 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 eq www
access-list 100 deny tcp 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 eq smtp
access-list 100 permit tcp 172.16.0.0 255.255.0.0 172.16.6.0 255.255.255.0 eq smtp
access-list 100 permit tcp 172.16.0.0 255.255.0.0 172.16.6.0 255.255.255.0 eq www
access-list 100 permit icmp 172.16.0.0 255.255.0.0 172.16.6.0 255.255.255.0
access-list 100 permit tcp host 172.16.3.5 any
access-list 100 permit tcp host 172.16.13.110 172.16.3.0 255.255.255.0
(ICMP has no ports, so the icmp line carries no eq; a single host is written with host rather than with a mask. The list is not bound with access-group here, so until that is done it filters nothing; once bound inbound on the inside interface its implicit deny blocks every flow not listed, including Internet access for everyone except 172.16.3.5.)
Address mapping:
Pix525(config)#static (inside,outside) 10.1.1.1 172.16.3.5    / the important finance host; the global address comes first, then the inside address
Port redirection to the servers (the PIX form is static (inside,outside) tcp global_ip port local_ip port netmask 255.255.255.255 0 0, with one host address on each side; the three lines below do not follow it):
Pix525(config)#static (inside,outside) tcp 172.16.6.0 255.255.255.0 telnet 172.16.1.2 telnet netmask 255.255.255.255 0 0
Pix525(config)#static (inside,outside) ftp 172.16.6.0 255.255.255.0 telnet 172.16.1.2 ftp netmask 255.255.255.255 0 0
Pix525(config)#static (inside,outside) tcp 172.16.6.0 255.255.255.0 www 172.16.1.2 www netmask 255.255.255.255 0 0
Allowing flows from a lower to a higher security level:
Pix525(config)#conduit deny tcp 172.16.4.0 255.255.255.0 eq www any    / the office department may not browse the web (its access to the servers was granted above)
Pix525(config)#conduit permit tcp host 172.16.3.1 eq www any    / one finance host may browse
Pix525(config)#conduit permit icmp any any    / allow ICMP between inside and outside
(A conduit permits or denies connections arriving from a lower-security interface toward a global address, so the two tcp conduits above do not control outbound browsing by inside hosts; outbound policy belongs in an access list bound to the inside interface. conduit permit icmp any any also lets the outside ping and traceroute every translated address; restrict it to the reply types actually needed.)
fixup protocols:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
Enabling attack defence: firewall defend ip-spoofing enable turns on IP-spoofing defence. This is Huawei/H3C firewall syntax, not a PIX command; the PIX counterpart is unicast reverse-path verification on the outside interface (ip verify reverse-path interface outside).
How to Do Port Mapping on a Cisco Router
Environment: a Cisco router with inside interface s1/0: 192.168.1.1 255.255.255.0, outside interface s1/1: 10.0.0.1 255.255.255.0, and a server at 192.168.1.100.
First telnet to the router:
User Access Verification
Username: cisco            # enter the user name
Password:                  # enter the password
Router>en                  # enter privileged mode
Password:                  # enter the enable password
Router#conf t              # enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255    # access list selecting the addresses to translate
Router(config)#ip nat inside source list 1 interface s1/1 overload    # translate 192.168.1.0/24 to the s1/1 address; overload (PAT) lets many hosts share it, without it only one inside host at a time can hold the address
Router(config)#int s1/0            # interface mode
Router(config-if)#ip nat inside    # s1/0 is the NAT inside interface
Router(config-if)#int s1/1         # interface mode for s1/1
Router(config-if)#ip nat outside   # s1/1 is the NAT outside interface
Router(config-if)#exit
Router(config)#
NAT is now active and the inside network can reach the Internet.
Now the port mapping, so that the outside can reach the inside server:
Router(config)#ip nat inside source static tcp 192.168.1.100 5631 10.0.0.1 5631 extendable
Router(config)#ip nat inside source static tcp 192.168.1.100 5632 10.0.0.1 5632 extendable
# 10.0.0.1 is already configured on s1/1 and used as the NAT address, so the extendable keyword is required; without it the router reports an error.
These static entries expose 192.168.1.100 ports 5631 and 5632 to every source on the Internet; add an inbound access list on s1/1 that limits which sources may reach them.
Complete PIX Configuration and Annotation Manual
Define a transform set named myset (the command itself precedes this excerpt).
crypto dynamic-map dynmap 10 set transform-set myset
    create the dynamic crypto map dynmap from the transform set myset (optional)
crypto map vpn 10 ipsec-isakmp dynamic dynmap
    use the dynamic map dynmap as the IPsec policy template (optional)
crypto map vpn 20 ipsec-isakmp
    use IKE to establish the IPsec security associations that protect the traffic this entry selects
crypto map vpn 20 match address 110
    access list 110 selects the traffic for this entry
crypto map vpn 20 set peer 10.1.1.41
    the IPsec peer for this entry
crypto map vpn 20 set transform-set myset
    the transform set myset may be used for this entry
crypto map vpn client configuration address initiate
    the PIX attempts to assign an IP address to each peer
crypto map vpn client configuration address respond
    the PIX accepts IP address requests from any requesting peer
crypto map vpn interface outside
    apply the crypto map to the outside interface
isakmp enable outside
    enable IKE negotiation on the outside interface
isakmp key ******** address 10.1.1.41 netmask 255.255.255.255
    the pre-shared key and the address of the remote peer
isakmp identity address
    the IKE identity is the interface IP address
isakmp client configuration address-pool local yy outside
    hand addresses from the local pool yy to clients on outside
isakmp policy 10 authentication pre-share
    pre-shared key as the authentication method
isakmp policy 10 encryption des
    56-bit DES as the encryption algorithm of the IKE policy
isakmp policy 10 hash md5
    MD5 (HMAC variant) as the hash algorithm of the IKE policy
isakmp policy 10 group 2
    Diffie-Hellman group 2 (1024-bit)
DES, MD5 and group 2 are below any current minimum: 56-bit DES is brute-forceable and a 1024-bit group offers roughly 80 bits of strength. On PIX 6.3 use aes-256, sha and group 5; on 7.x and the ASA use group 14 or higher. Keep the pre-shared key bound to the peer address, as it is here; a key entered for address 0.0.0.0 is accepted from any peer that knows it.
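The following is an added example, not code from the page or from Cisco: a linter for the IKE phase-1 policy and IPsec transform set of a PIX crypto configuration such as the one above. It flags the parameters a reviewer would reject today (DES or 3DES, MD5, Diffie-Hellman group 1 or 2, a pre-shared key bound to 0.0.0.0) and states what to raise each one to. The severities and the replacement names are the author's assumptions, and the crypto ipsec transform-set line in the sample is constructed, because the page shows only the comment that defines myset and not the command itself.

```python
# Added example (not from the page): lint the IKE/IPsec algorithm choices in a PIX crypto
# configuration. Severities and recommended replacements are the author's assumptions.

WEAK_ISAKMP = {
    # (isakmp policy attribute, weak value) -> (severity, recommended replacement)
    ('encryption', 'des'):  ('high', 'aes-256 (3des only where the image has no AES)'),
    ('encryption', '3des'): ('medium', 'aes-256'),
    ('hash', 'md5'):        ('high', 'sha'),
    ('group', '1'):         ('high', 'group 5 on PIX 6.x, group 14 or higher on 7.x/ASA'),
    ('group', '2'):         ('medium', 'group 5 on PIX 6.x, group 14 or higher on 7.x/ASA'),
}
WEAK_TRANSFORMS = {
    # transform name -> (severity, recommended replacement)
    'esp-null':     ('high', 'esp-aes-256 (esp-null gives integrity but no confidentiality)'),
    'esp-des':      ('high', 'esp-aes-256'),
    'esp-3des':     ('medium', 'esp-aes-256'),
    'esp-md5-hmac': ('high', 'esp-sha-hmac'),
    'ah-md5-hmac':  ('high', 'ah-sha-hmac'),
}


def lint_crypto(config):
    """Return findings as dicts with line, severity, text and fix, in configuration order."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t:
            continue
        if t[:2] == ['isakmp', 'policy'] and len(t) >= 5:
            # isakmp policy <n> <attribute> <value>
            key = (t[3], t[4])
            if key in WEAK_ISAKMP:
                sev, fix = WEAK_ISAKMP[key]
                findings.append({'line': lineno, 'severity': sev, 'text': raw.strip(),
                                 'fix': f'isakmp policy {t[2]} {t[3]}: use {fix}'})
        elif t[:3] == ['crypto', 'ipsec', 'transform-set']:
            # crypto ipsec transform-set <name> <transform> [<transform> ...]
            for tr in t[4:]:
                if tr in WEAK_TRANSFORMS:
                    sev, fix = WEAK_TRANSFORMS[tr]
                    findings.append({'line': lineno, 'severity': sev, 'text': raw.strip(),
                                     'fix': f'{tr}: use {fix}'})
        elif t[:2] == ['isakmp', 'key'] and 'address' in t:
            # isakmp key <key> address <peer> [netmask <mask>]; 0.0.0.0 accepts any peer
            peer = t[t.index('address') + 1]
            if peer == '0.0.0.0':
                findings.append({'line': lineno, 'severity': 'high', 'text': raw.strip(),
                                 'fix': 'bind the pre-shared key to the peer address, or use certificates'})
    return findings


def worst_severity(findings):
    """'high', 'medium' or None when there is nothing to report."""
    rank = {'high': 2, 'medium': 1}
    return max((f['severity'] for f in findings), key=rank.get, default=None)


# The IKE lines from the configuration above; the transform-set line is constructed.
PAGE_IKE = """
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map vpn 20 set peer 10.1.1.41
isakmp key ******** address 10.1.1.41 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# The same policy with the replacements applied (assumed values for a PIX 6.3 image).
HARDENED = """
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
isakmp key ******** address 10.1.1.41 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
"""

if __name__ == '__main__':
    for f in lint_crypto(PAGE_IKE):
        print(f"line {f['line']} [{f['severity']}] {f['text']} -> {f['fix']}")
    print('hardened policy findings:', lint_crypto(HARDENED))
```

Against the configuration above the linter reports five findings (both transforms, the DES encryption, the MD5 hash and group 2), and none against the hardened version.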
Cisco PIX525 Configuration Notes and Port Mapping
Commands:
reload: restart the firewall; it boots from the saved configuration
show run: show the running configuration
wri mem (write memory): save the running configuration to flash; without it, changes are lost at the next reload
conf t: enter configuration mode
passwd: set the firewall's login (telnet) password
no followed by a command line: removes what that command line configured
clear xlate: clear the translation table so that changed static, nat and global entries take effect; existing connections through the firewall are dropped
Configuration procedure:
enable    enter privileged mode
conf t    start configuring
ip add outside 211.95.160.225 255.255.255.0    outside address of the firewall
ip add inside 192.168.1.225 255.255.255.0    inside address of the firewall
interface ethernet0 auto    outside interface
interface ethernet1 auto    inside interface
static (inside,outside) 211.95.160.222 192.168.1.11 netmask 255.255.255.255 0 0    one-to-one mapping between the inside host 192.168.1.11 and the outside address 211.95.160.222
global (outside) 1 211.95.160.224    public address for NAT; the PIX answers "Global 211.95.160.224 will be Port Address Translated", which is expected: a single global address means PAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0    let the 192.168.1.x hosts reach the Internet through the address in global (outside) 1; their default gateway must be the firewall's inside address
telnet 192.168.1.0 255.255.255.0    allow telnet to the firewall from the 192.168.1.x segment (the interface defaults to inside); narrow this to the management host, since telnet is cleartext
access-list acl_outside permit icmp any host 211.95.160.222    let the Internet ping 211.95.160.222
access-list acl_outside permit tcp any host 211.95.160.222 eq telnet    let the Internet telnet to 211.95.160.222
access-list acl_outside permit tcp any host 211.95.160.222 eq ftp    let the Internet ftp to 211.95.160.222
access-group acl_outside in interface outside    bind acl_outside to traffic entering the outside interface; until this is done the list filters nothing, and once it is done everything not listed is denied
route outside 0.0.0.0 0.0.0.0 211.95.160.254 1    default route; 211.95.160.254 is the next hop
static (inside,outside) tcp 61.240.148.130 9201 10.17.0.22 9201 netmask 255.255.255.255 0 0    port mapping: one port of the firewall's public address is mapped to one port of an inside machine
conduit permit tcp host 61.240.148.130 eq 9201 any    access permission for that port
Once an access-group is bound to the outside interface the PIX ignores conduit statements for that interface, so with acl_outside in place this permission must be added to the list instead (any source, host 61.240.148.130, eq 9201). Telnet and ftp to 211.95.160.222 are exposed to every source in cleartext; restrict the source addresses in the list.
static and access-list go together:
for a one-to-one address mapping use static plus access-list;
for NAT use global plus nat;
after every change, save it with wri mem.
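The following is an added example, not code from the page or from Cisco, serving both the static/conduit discussion in the Unit 10 slides and the procedure above: a model of the decision a PIX 6.x makes for a new connection arriving on the outside interface. It follows the rule the page states in several places, that static only creates the translation and an access-list bound with access-group (or, failing that, a conduit) must permit the flow. Assumptions stated here and not taken from the page: rules are matched first-hit with an implicit deny; once an access-group is bound to an interface the PIX ignores conduit statements for that interface; port names resolve through the small table in the code. The sample rules are the ones from the procedure above.

```python
# Added example (not from the page): inbound decision of a PIX 6.x for a new connection on the
# outside interface. Assumptions (the author's): first-hit matching with implicit deny; an
# access-group bound to the interface makes conduits for it irrelevant.
from ipaddress import ip_address, ip_network

PORTS = {'ftp': 21, 'ssh': 22, 'telnet': 23, 'smtp': 25, 'domain': 53, 'www': 80, 'http': 80}
ANY = ip_network('0.0.0.0/0')


def port_num(tok):
    return PORTS[tok] if tok in PORTS else int(tok)


def parse_addr(t, i):
    """Consume 'any' | 'host IP' | 'IP MASK' starting at t[i]; return (network, next index)."""
    if t[i] == 'any':
        return ANY, i + 1
    if t[i] == 'host':
        return ip_network(t[i + 1] + '/32'), i + 2
    return ip_network(f'{t[i]}/{t[i + 1]}', strict=False), i + 2


def parse_port(t, i):
    if i < len(t) and t[i] == 'eq':
        return port_num(t[i + 1]), i + 2
    return None, i


def parse_rule(t, i):
    """Body shared by access-list and conduit: action proto addr1 [eq p] addr2 [eq p]."""
    action, proto = t[i], t[i + 1]
    a1, i = parse_addr(t, i + 2)
    p1, i = parse_port(t, i)
    a2, i = parse_addr(t, i)
    p2, i = parse_port(t, i)
    return action, proto, a1, p1, a2, p2


class PixInbound:
    def __init__(self, config):
        self.statics = []   # (global_ip, global_port or None, local_ip, local_port or None)
        self.acls = {}      # name -> [(action, proto, src, sport, dst, dport)]
        self.bound = {}     # interface -> acl name
        self.conduits = []  # (action, proto, global_net, gport, foreign_net, fport)
        for raw in config.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == 'static' and t[2] in ('tcp', 'udp'):      # port redirection form
                self.statics.append((ip_address(t[3]), port_num(t[4]),
                                     ip_address(t[5]), port_num(t[6])))
            elif t[0] == 'static':                               # whole-address form
                self.statics.append((ip_address(t[2]), None, ip_address(t[3]), None))
            elif t[0] == 'access-list':
                self.acls.setdefault(t[1], []).append(parse_rule(t, 2))
            elif t[0] == 'access-group':                         # access-group NAME in interface IF
                self.bound[t[4]] = t[1]
            elif t[0] == 'conduit':
                self.conduits.append(parse_rule(t, 1))

    @staticmethod
    def _hit(rule_proto, proto, net_a, addr_a, net_b, addr_b, rule_port, port):
        if rule_proto not in ('ip', proto):
            return False
        if addr_a not in net_a or addr_b not in net_b:
            return False
        return rule_port is None or rule_port == port

    def decide(self, proto, src, dst, dport=None, in_if='outside'):
        """Return (verdict, translated destination) for a new connection from src to dst."""
        src, dst = ip_address(src), ip_address(dst)
        xlate = None
        for gip, gport, lip, lport in self.statics:
            if gip == dst and (gport is None or gport == dport):
                xlate = str(lip) if lport is None else f'{lip}:{lport}'
                break
        if xlate is None:
            return 'no-xlate', None                # nothing to translate to: dropped before any rule
        acl = self.bound.get(in_if)
        if acl is not None:                        # access-group present: conduits are not consulted
            for action, rproto, rsrc, _, rdst, rdport in self.acls.get(acl, []):
                if self._hit(rproto, proto, rsrc, src, rdst, dst, rdport, dport):
                    return action, (xlate if action == 'permit' else None)
            return 'deny', None
        for action, rproto, rglob, rgport, rfor, _ in self.conduits:
            if self._hit(rproto, proto, rfor, src, rglob, dst, rgport, dport):
                return action, (xlate if action == 'permit' else None)
        return 'deny', None                        # low-to-high traffic is denied unless permitted


# Rules from the procedure above; WITH_GROUP adds the access-group line.
PAGE_RULES = """
static (inside,outside) 211.95.160.222 192.168.1.11 netmask 255.255.255.255 0 0
access-list acl_outside permit icmp any host 211.95.160.222
access-list acl_outside permit tcp any host 211.95.160.222 eq telnet
access-list acl_outside permit tcp any host 211.95.160.222 eq ftp
static (inside,outside) tcp 61.240.148.130 9201 10.17.0.22 9201 netmask 255.255.255.255 0 0
conduit permit tcp host 61.240.148.130 eq 9201 any
"""
WITH_GROUP = PAGE_RULES + "access-group acl_outside in interface outside\n"

if __name__ == '__main__':
    fw = PixInbound(WITH_GROUP)
    for flow in [('tcp', '8.8.4.4', '211.95.160.222', 23), ('tcp', '8.8.4.4', '211.95.160.222', 80),
                 ('tcp', '8.8.4.4', '61.240.148.130', 9201), ('tcp', '8.8.4.4', '211.95.160.99', 23)]:
        print(flow, '->', fw.decide(*flow))
```

With the access-group bound, telnet to 211.95.160.222 is permitted and delivered to 192.168.1.11, port 80 is denied although the static exists, and the 9201 port mapping is denied because its only permission is a conduit; without the access-group the conduit takes effect and the 9201 flow reaches 10.17.0.22:9201 while telnet to 211.95.160.222 is denied. An address with no static gets no translation at all.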