思科PIX525防火墙配置实例
完整的pix525配置
完整的pix525配置PIX Version 6.3(3)interface ethernet0 100fullinterface ethernet1 100fullinterface gb-ethernet0 1000autointerface gb-ethernet1 1000autonameif ethernet0 cimo security10nameif ethernet1 intf3 security15nameif gb-ethernet0 outside security0nameif gb-ethernet1 inside security100enable password 52network encryptedpasswd 52network encryptedhostname PIX-Adomain-name \\配置接口名称,安全级别,主机名,使用的域名fixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol ils 389fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol splnet 1521fixup protocoltftp 69namesaccess-list inside_outbound_nat0_acl permit ip 202.102.54.0 255.255.255.0 10.0.1.0 255.255. 255.0access-list outside_cryptomap_20 permit ip 202.102.54.0 255.255.255.0 10.0.1.0 255.255.255. 0\\ 配置PIX允许的协议类型,要加密保护的数据流量pager lines 24logging timestamplogging standbylogging trap informationallogging facility 22logging host inside 202.102.54.5mtu cimo 1500mtu intf3 1500mtu outside 1500mtu inside 1500ip address cimo 192.168.0.1 255.255.255.252ip address intf3 127.0.0.1 255.255.255.255ip address outside 202.102.53.6 255.255.255.0ip address inside 202.102.54.1 255.255.255.248ip audit info action alarmip audit attack action alarmfailoverfailover timeout 0:00:00failover poll 15failover replication httpfailover ip address shaying 192.168.0.2failover ip address intf3 127.0.0.2failover ip address outside 202.102.53.69failover ip address inside 202.102.54.3failover link shaying\\设置日志服务器,PIX各接口的IP地址,PIX设备的故障切换功能pdm location 219.238.213.192 255.255.255.192 outsidepdm location 202.102.54.0 255.255.255.0 insidepdm location 202.102.54.28 255.255.255.255 insidepdm location 202.102.54.88 255.255.255.255 insidepdm location 202.102.54.89 255.255.255.255 insidepdm location 202.102.54.90 255.255.255.255 insidepdm location 202.102.54.208 255.255.255.240 insidepdm location 202.102.54.48 255.255.255.240 outsidepdm location 202.102.54.48 255.255.255.240 insidepdm location 202.102.54.128 255.255.255.240 insidepdm location 219.238.213.245 255.255.255.255 outsidepdm location 10.0.0.0 255.255.255.0 outsidepdm location 10.0.1.0 255.255.255.0 outsidepdm location 202.102.54.208 255.255.255.240 outsidepdm location 172.16.201.0 255.255.255.0 insidepdm location 202.102.54.0 255.255.255.0 outsidepdm location 219.239.218.192 255.255.255.192 outsidepdm location 219.238.218.248 255.255.255.255 outsidepdm location 219.238.218.241 255.255.255.255 outsidepdm logging information 100no pdm history enablearp timeout 14400\\配置能通过WEB界面管理PIX设备的工作站。
防火墙CISCO-PIX525配置手册
防火墙CISCO-PIX525的配置基础知识现在,我们通过一个相对简单的示例说明如何使用Cisco PIX对企业内部网络进行管理。
网络拓扑图如附图所示。
Cisco PIX安装2个网络接口,一个连接外部网段,另一个连接内部网段,在外部网段上运行的主要是DNS 服务器,在内部网段上运行的有WWW服务器和电子邮件服务器,通过Cisco PIX,我们希望达到的效果是:对内部网络的所有机器进行保护,WWW服务器对外只开放80端口,电子邮件服务器对外只开放25端口。
具体*作步骤如下。
2.获得最新PIX软件---- 从Cisco公司的WWW或FTP站点上,我们可以获得PIX的最新软件,主要包括如下内容。
pix44n.exe――PIX防火墙的软件映像文件。
pfss44n.exe――PIX Firewall Syslog Server服务器软件,能够提供一个Windows NT服务,用来记录PIX的运行日志。
pfm432b.exe――图形化的PIX管理软件。
rawrite.exe――用于生成PIX的启动软盘。
3.配置网络路由---- 在使用防火墙的内部网段上,需要将每台计算机的缺省网关指向防火墙,比如防火墙内部IP地址为10.0.0.250,则内部网段上的每台计算机的缺省网关都要设置为10.0.0.250。
具体设置在“控制面板”*“网络”*“TCP/IP协议”中进行。
4.配置PIX---- 在配置PIX之前,应该对网络进行详细的规划和设计,搜集需要的网络配置信息。
要获得的信息如下。
---- (1)每个PIX网络接口的IP地址。
(2)如果要进行NAT,则要提供一个IP地址池供NAT使用。
NAT是网络地址转换技术,它可以将使用保留地址的内部网段上的机器映射到一个合*的IP地址上以便进行Internet访问(3)外部网段的路由器地址。
---- 进入PIX配置界面的方*是:连接好超级终端,打开电源,在出现启动信息和出现提示符pixfirewall>后输入“enable”,并输入密码,进入特权模式;当提示符变为pixfirewall#>后,输入“configure terminal”,再进入配置界面。
No8.2 pix防火墙配置实验
寒水教研
控制对pix接口的icmp流量
PIX(config)#icmp deny 0 0 outside PIX(config)#icmp deny 0 0 inside
寒水教研
试验二、inside到outside的访问
Firewall VPC(out)
PC(In)
10.1.1.101
E0 10.1.1.1
E1 20.1.1.1
Dns/Web/Ftp 20.1.1.101
需求: 需求: 从内部的10.1.1.0要telnet到外部的20.1.1.101主机。 如果PIX 不做设置,则从LAN 到WAN 的流量是无法出去的。 步骤: 步骤: PIX的基本配置(配ip,配接口级别,配route) NAT转换(由inside到outside) 测试
pix防火墙配置实验 No8.2 pix防火墙配置实验
寒水教研
实验大纲
1 2 3 4 5 6
基本设置 inside到outside的访问 Nat与static的实验 ICMP 控制 保存基本配置到tftp服务器 telnet和ssh到PIX防火墙
PIX525透明模式详细配置过程
PIX525透明模式详细配置过程编者按:为了让网络管理员对技术知识有个全面的认识,IT168网络通信频道将与ChinaUnix联手,选登来自ChinaUnix上优秀的帖子和博客文章,供大家学习、阅读。
这是一篇关于如何配置PIX525防火墙为透明模式的帖子,作者从实际操作入手,逐步阐述。
文章简单易懂,非常适合正在学习中的网管朋友们。
如何连接电脑我就不多说了,网上到处都是。
但好像要注意一点,先吧超级终端打开再给防火墙加电,不然超级终端上什么都看不到。
下面就是正是配置了:由于一般的PIX系列的防火墙出场时候预装的IOS是6.X的版本而只有7.0以上才支持透明模式.所以第一步是升级IOS准备工作:找一台和防火墙在一个交换机机上的计算机安装ciscotftp软件.去上面就有.很简单汉化版.然后去cisco网站上下载一个7.0的bin文件(我下载的是pix701.bin)放到tftp服务器的根目录下正式开始:防火墙通电,按ESC进入monitor> 状态下。
monitor> address 192.1.1.1 --设置防火墙IPaddress 192.1.1.1monitor> server 192.1.1.2 --设置tftp服务器的IPserver 192.1.1.2monitor> ping 192.1.1.2 --检测一下是否能ping通Sending 5, 100-byte 0x7970 ICMP Echoes to 10.32.2.78, timeout is 4 seconds:!!!!!Success rate is 100 percent (5/5)monitor> file pix701.bin --声明你下载的那个bin文件的全称file pix704.binmonitor> tftp --开始灌入tftp pix704.bin@192.168.1.80...........................耐心等待.一直到出现非特权模式的那个">"符号.下面要吧bin文件考到flash里面去,以后启动的时候才能正常使用pixfirewall> enPassword:pixfirewall# con tpixfirewall(config)# interfaceethernet1 --进入端口模式pixfirewall(config-if)# ip address 192.1.11255.255.255.0 --配置e1口的IPpixfirewall(config-if)# nameifinside --配置e1口为防火墙的inside口INFO: Security level for "inside" set to 100 by default.pixfirewall(config-if)# noshutdown --激活inside口pixfirewall(config-if)# ping192.1.1.2 --测试一下Sending 5, 100-byte ICMP Echos to 192.1.1.2, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 mspixfirewall(config-if)#exit --退出端口模式pixfirewall(config)# copy tftpflash: --copybin 文件Address or name of remote host []?192.1.1.2 --tftp服务器IPSource filename []?pix701.bin --文件名Destination filename [pix701.bin]?pix701.bin --确认Accessingtftp://192.1.1.2/pix701.bin...!! --开始copy 耐心等待Writing file flash:pix701.bin...!!!!!!!!!!!!!5124096 bytes copied in 82.80 secs (62488 bytes/sec)pixfirewall(config)#reload --升级完成.重启!!!!!!!ps.第一次启动时间会稍长不要着急下面才是配置.也很简单了,和刚才配置差不多配置outside口和inside口并激活,只是注意不要配置IP.这可是透明模式.谁见过一根网线两端还有IP的?pixfirewall> enPassword:pixfirewall# con tpixfirewall(config)# interface ethernet0pixfirewall(config-if)# nameif outsideINFO: Security level for "outside" set to 0 by default.pixfirewall(config-if)# no shutdownpixfirewall(config-if)# exitpixfirewall(config)# interface ethernet1pixfirewall(config-if)# nameif insideINFO: Security level for "inside" set to 100 by default.pixfirewall(config-if)# no shutdownpixfirewall(config-if)# exit记住哦~~~~~~~~这里可是最重要的了,即下面的五句话:pixfirewall(config)# firewalltransparent --设置防火墙为透明模式pixfirewall(config)# access-list out-list extended permit icmp any any --设置允许通过所有的协议pixfirewall(config)# access-list out-list extended permit ip any any --设置允许通过所有的IPpixfirewall(config)# access-group out-list in interfaceoutside --把刚才的访问列表绑在outside口pixfirewall(config)# access-group out-list out interfaceoutside --把刚才的访问列表绑在outside口pixfirewall(config)# ip address 192.1.1.1255.255.255.0 --设置一个以后配置防火墙的IP。
思科防火墙使用及功能配置
10/100BaseTX Ethernet 1 (RJ-45)
10/100BaseTX Ethernet 0 (RJ-45)
Console port (RJ-45)
Power switch
通常的连接方案
PIX防火墙通用维护命令
访问模式
• PIX Firewall 有4种访问模式:
name 命令
pixfirewall(config)#
name ip_address name
DMZ
• 关联一个名称和一个IP地址
pixfirewall(config)# name 172.16.0.2 bastionhost
192.168.0.0/24
e0
.2 e2
.2
Bastion
.1
host
– 为中小企业而设计 – 并发吞吐量188Mbps – 168位3DES IPSec VPN吞吐量
63Mbps – Intel 赛扬 433 MHz 处理器 – 64 MB RAM – 支持 6 interfaces
PIX 515 基本配件
• PIX 515主机 • 接口转换头 • 链接线 • 固定角架 • 电源线 • 资料
terminal – show interface, show ip address,
show memory, show version, show xlate – exit reload – hostname, ping, telnet
enable 命令
pixfirewall>
enable
– Enables you to enter different access modes
Telecommuter
Cisco 路由器防火墙配置命令及实例
Cisco 路由器防火墙配置命令及实例一、access-list 用于创建访问规则.(1)创建标准访问列表access-list [ normal | special ] listnumber1 { permit | deny } source-addr [ source-mask ](2)创建扩展访问列表access-list [ normal | special ] listnumber2 { permit | deny } protocol source-addr source-mask [ operator port1 [ port2 ] ] dest-addr dest-mask [ operator port1 [ port2 ] | icmp-type [ icmp-code ] ] [ log ](3)删除访问列表no access-list { normal | special } { all | listnumber [ subitem ] }【参数说明】normal 指定规则加入普通时间段.special 指定规则加入特殊时间段.listnumber1 是1到99之间的一个数值,表示规则是标准访问列表规则.listnumber2 是100到199之间的一个数值,表示规则是扩展访问列表规则.permit 表明允许满足条件的报文通过.deny 表明禁止满足条件的报文通过.protocol 为协议类型,支持ICMP、TCP、UDP等,其它的协议也支持,此时没有端口比较的概念;为IP时有特殊含义,代表所有的IP协议.source-addr 为源地址.source-mask 为源地址通配位,在标准访问列表中是可选项,不输入则代表通配位为0.0.0.0.dest-addr 为目的地址.dest-mask 为目的地址通配位.operator[可选] 端口操作符,在协议类型为TCP或UDP时支持端口比较,支持的比较操作有:等于(eq)、大于(gt)、小于(lt)、不等于(neq)或介于(range);如果操作符为range,则后面需要跟两个端口.port1 在协议类型为TCP或UDP时出现,可以为关键字所设定的预设值(如telnet)或0~65535之间的一个数值.port2 在协议类型为TCP或UDP且操作类型为range时出现;可以为关键字所设定的预设值(如telnet)或0~65535之间的一个数值.icmp-type[可选] 在协议为ICMP时出现,代表ICMP报文类型;可以是关键字所设定的预设值(如echo-reply)或者是0~255之间的一个数值.icmp-code在协议为ICMP且没有选择所设定的预设值时出现;代表ICMP码,是0~255之间的一个数值.log [可选] 表示如果报文符合条件,需要做日志.listnumber 为删除的规则序号,是1~199之间的一个数值.subitem[可选] 指定删除序号为listnumber的访问列表中规则的序号.【缺省情况】系统缺省不配置任何访问规则.【命令模式】全局配置模式【使用指南】同一个序号的规则可以看作一类规则;所定义的规则不仅可以用来在接口上过滤报文,也可以被如DDR等用来判断一个报文是否是感兴趣的报文,此时,permit与deny表示是感兴趣的还是不感兴趣的.使用协议域为IP的扩展访问列表来表示所有的IP协议.同一个序号之间的规则按照一定的原则进行排列和选择,这个顺序可以通过show access-list 命令看到.【举例】允许源地址为10.1.1.0 网络、目的地址为10.1.2.0网络的WWW访问,但不允许使用FTP.Quidway(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www Quidway(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp【相关命令】ip access-group二、clear access-list counters 清除访问列表规则的统计信息.clear access-list counters [ listnumber ]【参数说明】listnumber [可选] 要清除统计信息的规则的序号,如不指定,则清除所有的规则的统计信息.【缺省情况】任何时候都不清除统计信息.【命令模式】特权用户模式【使用指南】使用此命令来清除当前所用规则的统计信息,不指定规则编号则清除所有规则的统计信息.【举例】例1:清除当前所使用的序号为100的规则的统计信息.Quidway#clear access-list counters 100例2:清除当前所使用的所有规则的统计信息.Quidway#clear access-list counters【相关命令】access-list三、firewall 启用或禁止防火墙.firewall { enable | disable }【参数说明】enable 表示启用防火墙.disable 表示禁止防火墙.【缺省情况】系统缺省为禁止防火墙.【命令模式】全局配置模式【使用指南】使用此命令来启用或禁止防火墙,可以通过show firewall命令看到相应结果.如果采用了时间段包过滤,则在防火墙被关闭时也将被关闭;该命令控制防火墙的总开关.在使用firewalldisable 命令关闭防火墙时,防火墙本身的统计信息也将被清除.【举例】启用防火墙.Quidway(config)#firewall enable【相关命令】access-list,ip access-group四、firewall default 配置防火墙在没有相应的访问规则匹配时,缺省的过滤方式.firewall default { permit | deny }【参数说明】permit 表示缺省过滤属性设置为“允许”.deny 表示缺省过滤属性设置为“禁止”.【缺省情况】在防火墙开启的情况下,报文被缺省允许通过.【命令模式】全局配置模式【使用指南】当在接口应用的规则没有一个能够判断一个报文是否应该被允许还是禁止时,缺省的过滤属性将起作用;如果缺省过滤属性是“允许”,则报文可以通过,否则报文被丢弃.【举例】设置缺省过滤属性为“允许”.Quidway(config)#firewall default permit五、ip access-group 使用此命令将规则应用到接口上.使用此命令的no形式来删除相应的设置.ip access-group listnumber { in | out }[ no ] ip access-group listnumber { in | out }【参数说明】listnumber 为规则序号,是1~199之间的一个数值.in 表示规则用于过滤从接口收上来的报文.out 表示规则用于过滤从接口转发的报文.【缺省情况】没有规则应用于接口.【命令模式】接口配置模式.【使用指南】使用此命令来将规则应用到接口上;如果要过滤从接口收上来的报文,则使用in 关键字;如果要过滤从接口转发的报文,使用out 关键字.一个接口的一个方向上最多可以应用20类不同的规则;这些规则之间按照规则序号的大小进行排列,序号大的排在前面,也就是优先级高.对报文进行过滤时,将采用发现符合的规则即得出过滤结果的方法来加快过滤速度.所以,建议在配置规则时,尽量将对同一个网络配置的规则放在同一个序号的访问列表中;在同一个序号的访问列表中,规则之间的排列和选择顺序可以用show access-list命令来查看.【举例】将规则101应用于过滤从以太网口收上来的报文.Quidway(config-if-Ethernet0)#ip access-group 101 in【相关命令】access-list六、settr 设定或取消特殊时间段.settr begin-time end-timeno settr【参数说明】begin-time 为一个时间段的开始时间.end-time 为一个时间段的结束时间,应该大于开始时间.【缺省情况】系统缺省没有设置时间段,即认为全部为普通时间段.【命令模式】全局配置模式【使用指南】使用此命令来设置时间段;可以最多同时设置6个时间段,通过show timerange 命令可以看到所设置的时间.如果在已经使用了一个时间段的情况下改变时间段,则此修改将在一分钟左右生效(系统查询时间段的时间间隔).设置的时间应该是24小时制.如果要设置类似晚上9点到早上8点的时间段,可以设置成“settr 21:00 23:59 0:00 8:00”,因为所设置的时间段的两个端点属于时间段之内,故不会产生时间段内外的切换.另外这个设置也经过了2000问题的测试.【举例】例1:设置时间段为8:30 ~ 12:00,14:00 ~ 17:00.Quidway(config)#settr 8:30 12:00 14:00 17:00例2:设置时间段为晚上9点到早上8点.Quidway(config)#settr 21:00 23:59 0:00 8:0【相关命令】timerange,show timerange七、show access-list 显示包过滤规则及在接口上的应用.show access-list [ all | listnumber | interface interface-name ]【参数说明】all 表示所有的规则,包括普通时间段内及特殊时间段内的规则.listnumber 为显示当前所使用的规则中序号为listnumber的规则.interface 表示要显示在指定接口上应用的规则序号.interface-name 为接口的名称.【命令模式】特权用户模式【使用指南】使用此命令来显示所指定的规则,同时查看规则过滤报文的情况.每个规则都有一个相应的计数器,如果用此规则过滤了一个报文,则计数器加1;通过对计数器的观察可以看出所配置的规则中,哪些规则是比较有效,而哪些基本无效.可以通过带interface关键字的show access-list命令来查看某个接口应用规则的情况.【举例】例1:显示当前所使用的序号为100的规则.Quidway#show access-list 100Using normal packet-filtering access rules now.100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches,252 bytes -- rule 1)100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches -- rule 2)100 deny udp any any eq rip (no matches -- rule 3)例2:显示接口Serial0上应用规则的情况.Quidway#show access-list interface serial 0Serial0:access-list filtering In-bound packets : 120access-list filtering Out-bound packets: None【相关命令】access-list八、show firewall 显示防火墙状态.show firewall【命令模式】特权用户模式【使用指南】使用此命令来显示防火墙的状态,包括防火墙是否被启用,启用防火墙时是否采用了时间段包过滤及防火墙的一些统计信息.【举例】显示防火墙状态.Quidway#show firewallFirewall is enable, default filtering method is 'permit'.TimeRange packet-filtering enable.InBound packets: None;OutBound packets: 0 packets, 0 bytes, 0% permitted,0 packets, 0 bytes, 0% denied,2 packets, 104 bytes, 100% permitted defaultly,0 packets, 0 bytes, 100% denied defaultly.From 00:13:02 to 06:13:21: 0 packets, 0 bytes, permitted.【相关命令】firewall九、show isintr 显示当前时间是否在时间段之内.show isintr【命令模式】特权用户模式【使用指南】使用此命令来显示当前时间是否在时间段之内.【举例】显示当前时间是否在时间段之内.Quidway#show isintrIt is NOT in time ranges now.【相关命令】timerange,settr十、show timerange 显示时间段包过滤的信息.show timerange【命令模式】特权用户模式【使用指南】使用此命令来显示当前是否允许时间段包过滤及所设置的时间段.【举例】显示时间段包过滤的信息.Quidway#show timerangeTimeRange packet-filtering enable.beginning of time range:01:00 - 02:0003:00 - 04:00end of time range.【相关命令】timerange,settr十一、timerange 启用或禁止时间段包过滤功能.timerange { enable | disable }【参数说明】enable 表示启用时间段包过滤.disable 表示禁止采用时间段包过滤.【缺省情况】系统缺省为禁止时间段包过滤功能.【命令模式】全局配置模式【使用指南】使用此命令来启用或禁止时间段包过滤功能,可以通过show firewall命令看到,也可以通过show timerange命令看到配置结果.在时间段包过滤功能被启用后,系统将根据当前的时间和设置的时间段来确定使用时间段内(特殊)的规则还是时间段外(普通)的规则.系统查询时间段的精确度为1分钟.所设置的时间段的两个端点属于时间段之内.【举例】启用时间段包过滤功能.Quidway(config)#timerange enable【相关命令】settr,show timerangeCisco PIX防火墙配置(转载)硬件防火墙,是网络间的墙,防止非法侵入,过滤信息等,从结构上讲,简单地说是一种PC式的电脑主机加上闪存(Flash)和防火墙操作系统。
PIX 防火墙应用举例
PIX 防火墙应用举例设:ethernet0命名为外部接口outside,安全级别是0。
ethernet1被命名为内部接口inside,安全级别100。
ethernet2被命名为中间接口dmz,安全级别50。
参考配置:PIX525#conf t ;进入配置模式PIX525(config)#nameif ethernet0 outside security0 ;设置优先级0PIX525(config)#nameif ethernet1 inside security100 ;设优先级100PIX525(config)#nameif ethernet2 dmz security50 ;设置优先级50 PIX525(config)#interface ethernet0 auto ;设置自动方式PIX525(config)#interface ethernet1 100full ;设置全双工PIX525(config)#interface ethernet2 100full ;设置全双工PIX525(config)#ip address outside 133.0.0.1 255.255.255.252 ;设置接口IPPIX525(config)#ip address inside 10.66.1.200 255.255.0.0 ;设置接口IPPIX525(config)#ip address dmz 10.65.1.200 255.255.0.0 ;设置接口IPPIX525(config)#global (outside) 1 133.1.0.1-133.1.0.14 ;定义地址池PIX525(config)#nat (inside) 1 0 0 ;动态NATPIX525(config)#route outside 0 0 133.0.0.2 ;设置默认路由PIX525(config)#static (dmz,outside) 133.1.0.1 10.65.1.101 ;静态NATPIX525(config)#static (dmz,outside) 133.1.0.2 10.65.1.102 ;静态NATPIX525(config)#static (inside,dmz) 10.66.0.0 10.66.0.0 netmask 255.255.0.0PIX525(config)#access-list 101 permit ip any host 133.1.0.1 eq www;设置ACLPIX525(config)#access-list 101 permit ip any host 133.1.0.2 eq ftp;设置ACLPIX525(config)#access-list 101 deny ip any any ;设置ACLPIX525(config)#access-group 101 in interface outside ;将ACL应用在outside端口当内部主机访问外部主机时,通过nat转换成公网IP,访问internet。
PIX防火墙基本配置命令和配置实例
PIX防火墙基本配置命令和配置实例PIX防火墙基本配置命令和配置实例1. PIX 的配置命令(1) 配置防火墙接口的名字,并指定安全级别(nameif)Pix525(config)#nameif ethernet0 outside security0Pix525(config)#nameif ethernet1 inside security100Pix525(config)#nameif dmz security50提示:在缺省配置中,以太网0被命名为外部接口(outside),安全级别是0;以太网1被命名为内部接口(inside),安全级别是100.安全级别取值范围为1~99,数字越大安全级别越高。
若添加新的接口,语句可以这样写:Pix525(config)#nameif pix/intf3 security40 (安全级别任取)(2) 配置以太口参数(interface)Pix525(config)#interface ethernet0 auto(auto选项表明系统自适应网卡类型)Pix525(config)#interface ethernet1 100full(100full选项表示100Mbit/s以太网全双工通信)Pix525(config)#interface ethernet1 100full shutdown(shutdown选项表示关闭这个接口,若启用接口去掉shutdown)(3) 配置内外网卡的IP地址(ip address)Pix525(config)#ip address outside 61.144.51.42 255.255.255.248Pix525(config)#ip address inside 192.168.0.1 255.255.255.0很明显,Pix525防火墙在外网的ip地址是61.144.51.42,内网ip地址是192.168.0.1 (4) 指定外部地址范围(global)Global命令的配置语法:global (if_name) nat_id ip_address - ip_address [netmark global_mask]global命令把内网的IP地址翻译成外网的IP地址或一段地址范围。
Cisco PIX防火墙的基本配置
Cisco PIX防火墙的基本配置1. 同样是用一条串行电缆从电脑的COM口连到Cisco PIX 525防火墙的console口;2. 开启所连电脑和防火墙的电源,进入Windows系统自带的"终端",通讯参数可按系统默然。
进入防火墙初始化配置,在其中主要设置有:Date(日期)、time(时间)、hostname(主机名称)、inside ip address(内部网卡IP地址)、domain(主域)等,完成后也就建立了一个初始化设置了。
此时的提示符为:pix255>。
3. 输入enable命令,进入Pix 525特权用户模式,默然密码为空。
如果要修改此特权用户模式密码,则可用enable password命令,命令格式为:enable password password [encrypted],这个密码必须大于16位。
Encrypted选项是确定所加密码是否需要加密。
4、定义以太端口:先必须用enable命令进入特权用户模式,然后输入configure terminal(可简称为config t),进入全局配置模式模式。
具体配置pix525>enablePassword:pix525#config tpix525 (config)#interface ethernet0 autopix525 (config)#interface ethernet1 auto在默然情况下ethernet0是属外部网卡outside, ethernet1是属内部网卡inside, inside在初始化配置成功的情况下已经被激活生效了,但是outside必须命令配置激活。
5. clock配置时钟,这也非常重要,这主要是为防火墙的日志记录而资金积累的,如果日志记录时间和日期都不准确,也就无法正确分析记录中的信息。
这须在全局配置模式下进行。
时钟设置命令格式有两种,主要是日期格式不同,分别为:clock set hh:mm:ss month day month year和clock set hh:mm:ss day month year前一种格式为:小时:分钟:秒月日年;而后一种格式为:小时:分钟:秒日月年,主要在日、月份的前后顺序不同。
思科防火墙个人总结
防火墙硬件防火墙,是网络间的墙,防止非法侵入,过滤信息等,从结构上讲,简单的说是一种PC式的电脑主机加上闪存和防火墙操作系统。
所有从外部到内部或内部到外部的通信都必须经过它;只有有内部访问策略授权的通信才能被允许通过;系统本身具有很强的高可靠性;防火墙技术:包过滤技术(访问控制列表);状态检测我第一次亲手配置的是防火墙Cisco firewall pix 525.下面是一般用到的最基本配置1.建立用户、设置密码跟Cisco IOS路由器基本一样。
2.激活以太端口、命名端口与安全级别、配置以太网端口IP地址及静态路由,配置telnetPIX525(config)#interface ethernet0PIX525(config-if)#nameif outsidePIX525(config-if)#security-level 0PIX525(config-if)#ip address 221.12.59.243 255.255.255.128PIX525(config-if)#no shutPIX525(config)#ip address outside 221.12.59.243 255.255.255.128PIX525(config)#route outside 0.0.0.0 0.0.0.0 221.12.59.241 1PIX525(config)#telnet 172.18.32.0 255.255.224.0 insideXG-PIX-525# show nameifnameif ethernet0 outside security0nameif ethernet1 inside security100nameif gb-ethernet0 dmz security20nameif gb-ethernet1 inside1 security80XG-PIX-525# show routeoutside 0.0.0.0 0.0.0.0 221.12.59.241 1 OTHER staticinside1 172.16.0.0 255.240.0.0 172.18.254.134 1 OTHER staticinside1 172.18.254.132 255.255.255.252 172.18.254.133 1 CONNECT static dmz 192.168.254.0 255.255.255.0 192.168.254.1 1 CONNECT static outside 221.12.59.240 255.255.255.248 221.12.59.243 1 CONNECT static XG-PIX-525# show ipSystem IP Addresses:ip address outside 221.12.59.243 255.255.255.248no ip address insideip address dmz 192.168.254.1 255.255.255.0ip address inside1 172.18.254.133 255.255.255.252Current IP Addresses:ip address outside 221.12.59.243 255.255.255.248no ip address insideip address dmz 192.168.254.1 255.255.255.0ip address inside1 172.18.254.133 255.255.255.252XG-PIX-525# show telnet192.168.254.0 255.255.255.0 dmz172.18.240.0 255.255.240.0 inside1172.18.32.0 255.255.224.0 inside12.访问列表此功能与cisco IOS基本上是相似的,有permit和deny两个功能,网络协议一般有IP、TCP、UDP、ICMP、SSH等等,如:PIX525(config)#access-list 110 permit icmp any anyPIX525(config)#access-list 110 permit tcp any host 221.12.59.244 eq www PIX525(config)#access-list 110 permit tcp any host 221.12.59.243 eq ssh PIX525(config)#access-list 110 permit tcp any host 221.12.59.244 eq ftp PIX525(config)#access-group 100 in interface outside3.global指定公网地址范围:定义地址池Global(if_name) nat_id ip_address-ip-address [netmark global_mask](if_name):表示外网接口名称,一般为outside。
PIX525高级命令及实例第10单元
作业
作业1 作业1 P62 2.1 2.2 作业2 作业2 1、访问控制列表有哪些类型,基本语法是怎样的? 2、简述各种NAT技术及其适用环境。 、简述各种NAT技术及其适用环境。 作业3 作业3 1、简述你所知道的节省IP地址的方法,并对其优 、简述你所知道的节省IP地址的方法,并对其优 缺点进行分析 2、如果让你为我们目前的校园网选购一款防火墙, 你先哪一款,为什么?( 你先哪一款,为什么?(从性能价格比及适用性方 面阐述) 面阐述)
实例分析
实验报告
四个高级命令
conduit命令配置语法: conduit命令配置语法:conduit permit|deny 命令配置语法 global_ip port[-port] protocol foreign_ip [netmask] port[其中permit|deny为允许|拒绝访问,global_ip指 其中permit|deny为允许|拒绝访问,global_ip指 的是先前由global或static命令定义的全局ip地址, 的是先前由global或static命令定义的全局ip地址, 如果global_ip为 ,就用any代替0;如果global_ip是 如果global_ip为0,就用any代替0;如果global_ip是 一台主机,就用host命令参数。port指的是服务所 一台主机,就用host命令参数。port指的是服务所 作用的端口,例如www使用80,smtp使用25等等, 作用的端口,例如www使用80,smtp使用25等等, 我们可以通过服务名称或端口数字来指定端口。 protocol指的是连接协议,比如:TCP、UDP、 protocol指的是连接协议,比如:TCP、UDP、 ICMP等。foreign_ip表示可访问global_ip的外部ip。 ICMP等。foreign_ip表示可访问global_ip的外部ip。 对于任意主机可以用any表示。如果foreign_ip是一 对于任意主机可以用any表示。如果foreign_ip是一 台主机,就用host命令参数。 台主机,就用host命令参数。
PIX525防火墙操作手册
Cisco PIX525操作手册2006年10月第一章、Cisco PIX硬件安装1.1. 打开封箱,将Cisco PIX 525取出,观察外观是否有损坏,前后面如图:1.2.添加网卡,打开机箱,插入网卡,如下图:1.3.机箱上机架,在机箱两边用螺丝将固定条固定(机箱内有固定条和螺丝),然后固定在机架上。
1.4. 连接网线、Console配置线和电源,如图:1.5. 通过超级终端开始配置Cisco PIX 525,启动Cisco PIX 525 直到屏幕显示如下信息-----------------------------------------------------------------------|| |||| |||||| ||||..:||||||:..:||||||:..c i s c o S y s t e m sPrivate Internet eXchange-----------------------------------------------------------------------Cisco Secure PIX FirewallCisco Secure PIX Firewall Version 6.2(1)Licensed Features:Failover: EnabledVPN-DES: EnabledVPN-3DES: DisabledMaximum Interfaces: 6If an encryption circuit board is present, the following export statement appears:****************************** Warning *******************************An encryption device has been discovered.This product is not authorized for use by persons located outside theUnited States and Canada that do not have export license authorityfrom Cisco Systems, Inc. and/or the U.S. Government.This product may not be exported outside the U.S. and Canada either byphysical or electronic means without the prior written approval ofCisco Systems, Inc. and/or the U.S. Government.Persons outside the U.S. and Canada may not reexport, resell, ortransfer this product by either physical or electronic means withoutprior written approval of Cisco Systems, Inc. and/or U.S. Government.******************************* Warning ******************************* If you have an activation key that supports encryption, the following statement appears:****************************** Warning ******************************* Compliance with U.S. Export Laws and Regulations - Encryption.This product performs encryption and is regulated for exportby the U.S. Government.This product is not authorized for use by persons locatedoutside the United States and Canada that do not have priorapproval from Cisco Systems, Inc. or the U.S. Government.This product may not be exported outside the U.S. and Canadaeither by physical or electronic means without PRIOR approvalof Cisco Systems, Inc. or the U.S. Government.Persons outside the U.S. and Canada may not re-export, resellor transfer this product by either physical or electronic meanswithout prior approval of Cisco Systems, Inc. or the U.S.Government.******************************* Warning ******************************* PIX Firewall then displays the following messages:The 'logging trap' command now sets only the syslog server logging level.Use the 'logging history' command to set the SNMP logging level.Cryptochecksum(unchanged): 29bd47de e4c13958 db57ee04 282ae9deCopyright (c) 1998-2002 by Cisco Systems, Inc.Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.Cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706第二章、CiscoPIX配置2.1 . CISCO PIX常规操作启动CiscoPIX后,连接上控制台终端连接到PIX上。
PIX525-IPSEC-VPN实际工程配置
PIX525-IPSEC-VPN实际工程配置(摘)PIX配置专题PIX零起点配置PIX零起点配置我们需要掌握以下基本命令(以V7.0以上为例):1、接口配置:Interface,Nameif,Security-level2、地址转换:Nat,Global3、内网远程登陆:Telnet,PasswdPIX零起点配置-1接口配置:pix525(config)# interface ethernet 0pix525(config-if)# ip address 10.1.1.254 255.255.255.0pix525(config-if)# nameif outside//为接口命名,该名称可在后面应用接口的时候使用pix525(config-if)# security-level 0//指定接口安全等级,0为最低,表示接入的是外部网络,如果给接口命名时使用Outside,则接口安全等级自动设置为0,命名为Inside,则等级为100,为内部网络。
设置DMZ时一般使用40以下内容需要回复才能看到pix525(config)# interface ethernet 1pix525(config-if)# ip address 192.168.10.254 255.255.255.0pix525(config-if)# nameif insidepix525(config-if)# security-level 100PIX零起点配置-2地址转换:pix525(config)# global (outside) 1 interface//将内部主机的地址映射到外部的接口pix525(config)# nat (inside) 1 192.168.10.0 255.255.255.0//指定内部允许进行NAT转换的主机地址,指定的列表“1”要与Outside对应有的PIX IOS默认时内部主机Ping的回显请求包是不允许通过Outside接口,为了让内网的机器能够PING出去还要加上:pix525(config)# access-list for_icmp permit icmp any anypix525(config)# access-group for_icmp in interface outside//将ACL应用在Outside接口的in方向PIX零起点配置-3内网远程登陆:pix525(config)# telnet 0.0.0.0 0.0.0.0 inside//这里的地址可以指定为某个主机pix525(config)# passwd [passwd]//设置登陆密码pix525(config)# enable password [passwd]配置到这里,我们可以利用Cisco PIX防火墙的功能顺利地实现内部用户的正常上网(NAT),也可以在内网利用远程登陆的功能访问接入防火墙。
实验8-Cisco防火墙pix525配置实例
实验8 Cisco防火墙pix525配置实例一、引言硬件防火墙的应用,现在是越来越多,产品也很丰富。
一般国产的防火墙多带有中文的说明和一些相应的配置实例,但国外的产品几乎都没有中文的说明书。
二、物理连接Pix525的外观:是一种标准的机架式设备,高度为2U,电源开关和接线在背后。
正面有一些指示灯,如电源、工作是否正常的表示等;背面板有一些接口和扩展口,我们这次要用到的接口有三个:两个以太(RJ-45网卡)和一个配置口,其英文分别是:ETHERNET0、ETHERNET1和CONSOLE.先将防火墙固定在机架上,接好电源;用随机带来的一根蓝色的线缆将防火墙与笔记本连接起来。
注意:该线缆是扁平的,一端是RJ-45接口,要接在防火墙的console端口;另一端是串口,要接到笔记本的串口上。
三、初始化配置程序启动笔记本,防火墙通电。
1.新建一个超级终端运行windows里的超级终端程序。
其步骤如下:单击开始→所有程序→附件→通讯→超级终端,就会出现对话框:此时需要输入一个所建超级终端的名称,可输PIX515 ↙;出现下一对话框:需要选择串口的端口,我们选择com1↙;出现下一对话框:需要选择传输速率,我们选择9600↙.2.基本配置此时,出现超级终端对话框,按↙对应提示填写:Password(口令):自定。
↙Year(年):[2004] ↙Moth(月):[Feb] ↙Day(天):[20] ↙Time(时间):[10:21:30] ↙Inside IP address(内部IP地址) :192.168.10.0↙Inside network mask(内部掩码):255.255.255.0↙Host name(主机名称):FIX525↙Domain name(主域):↙随后出现以上设置的总结,提示是否保存。
选择YES,存入到flash四、具体配置在配置之前,需要了解一些具体的需求。
在本实例中,该单位是通过防火墙接入到Internet,防火墙要有路由的功能;net1接外网,net0接内网。
一个思科PIX防火墙的实际应用配置
一个思科PIX防火墙的实际应用配置一个思科PIX防火墙的实际应用配置一个思科PIX防火墙的实际应用配置PIX:一个合法IP完成inside、outside和dmz之间的访问现有条件:100M宽带接入,分配一个合法的IP(222.134.135.98)(只有1个静态IP是否够用?);Cisco防火墙PiX515e-r-DMZ-BUN1台(具有Inside、Outside、DMZ三个RJ45接口)!请问能否实现以下功能:1、内网中的所有用户可以防问Internet和DMZ中的WEB服务器。
2、外网的用户可以防问DMZ区的Web平台。
3、DMZ区的WEB服务器可以防问内网中的SQL数据库服务器和外网中的其它服务器。
注:DMZ区WEB服务器作为应用服务器,使用内网中的数据库服务器。
解决方案:一、概述本方案中,根据现有的设备,只要1个合法的IP地址(电信的IP 地址好贵啊,1年租期10000元RMB),分别通过PIX515所提供的NAT、PAT、端口重定向、ACL和route功能完全可以实现所提的功能要求。
二、实施步骤初始化Pix防火墙:给每个边界接口分配一个名字,并指定安全级别pix515e(config)#nameif ethernet0outside security0pix515e(config)#nameif ethernet1inside security100pix515e(config)#nameif ethernet2dmz security50给每个接口分配IP地址pix515e(config)#ip address outside222.134.135.98255.255.255.252pix515e(config)#ip address inside192.168.1.1255.255.255.0 pix515e(config)#ip address dmz10.0.0.1255.255.255.0为Pix 防火墙每个接口定义一条静态或缺省路由pix515e(config)#route outside0.0.0.00.0.0.0222.134.135.971(通过IP地址为222.134.135.97的路由器路由所有的出站数据包/外部接口/)pix515e(config)#route dmz10.0.0.0255.255.255.010.0.0.11pix515e(config)#route inside192.168.1.0255.255.255.0192.168.1.11pix515e(config)#routeoutside222.134.135.96255.255.255.252 222.134.135.981 配置Pix防火墙作为内部用户的DPCH服务器pix515e(config)#dhcpd address192.168.1.2-192.168.1.100inside pix515e(config)#dhcpd dns202.102.152.3202.102.134.68pix515e(config)#dhcpd enable inside思科PIX防火墙命令集解释说明思科PIX防火墙命令集解释说明Aaa允许、禁止或查看以前使用“aaa-server”命令为服务器指定的TACACS+或RADIUS用户认证、授权和帐户Aaa-server指定一个AAA服务器Access-group将访问列表名绑定到接口名以允许或拒绝IP信息包进入接口Access-list创建一个访问列表Alias管理双向NAT中的重叠地址Arp改变或查看ARP缓存,设置超时值Auth-prompt改变AAA的提示文本Ca配置PIX防火墙和CA的交互Clock设置PIX防火墙时钟以供PIX防火墙系统日志服务器和PKI 协议使用Conduit为向内连接添加、删除或显示通过防火墙的管道Configure清除或融合当前配置与软盘或闪存中的配置。
Quidway S3528+Cisco PIX525配置
情况描述:S3528P作为核心交换机,划分VLAN隔离广播PIX525作为防火墙及NA T转换在这个网里有一个WWW服务器是公网IP要求:LAN的用户隔离广播风暴,可以上INTERNET 并且可以用域名访问WWW服务器当然WWW服务器也可以让公网用户访问到,WWW服务器是用主机头+IP+端口号访问的拓扑:配置:1.S3528dis cu#sysname HUAWEI_S3528P#radius scheme systemserver-type huaweiprimary authentication 127.0.0.1 1645primary accounting 127.0.0.1 1646user-name-format without-domaindomain systemradius-scheme systemaccess-limit disablestate activeidle-cut disableself-service-url disablemessenger time disabledomain default enable system#local-server nas-ip 127.0.0.1 key huawei #temperature-limit 0 20 80#dhcp server ip-pool cheduinetwork 192.168.70.0 mask 255.255.255.0 gateway-list 192.168.70.1dns-list 202.99.224.8 202.99.224.68#dhcp server ip-pool fuliannetwork 192.168.30.0 mask 255.255.255.0 gateway-list 192.168.30.1dns-list 202.99.224.8 202.99.224.68#dhcp server ip-pool govnetwork 192.168.50.0 mask 255.255.255.0 gateway-list 192.168.50.254dns-list 202.99.224.8 202.99.224.68#dhcp server ip-pool jiweinetwork 192.168.20.0 mask 255.255.255.0 gateway-list 192.168.20.1dns-list 202.99.224.8 202.99.224.68#dhcp server ip-pool shiweinetwork 192.168.10.0 mask 255.255.255.0 gateway-list 192.168.10.1dns-list 202.99.224.8 202.99.224.68#dhcp server ip-pool xinfangnetwork 192.168.40.0 mask 255.255.255.0 gateway-list 192.168.40.1dns-list 202.99.224.8 202.99.224.68#dhcp server ip-pool xxzxnetwork 192.168.60.0 mask 255.255.255.0gateway-list 192.168.60.1dns-list 202.99.224.8 202.99.224.68#acl number 2000rule 0 permit source 192.168.0.0 0.0.255.255#acl number 3000 match-order autorule 0 deny udp source-port eq tftp destination-port eq tftprule 1 deny tcp source-port eq 135 destination-port eq 135rule 2 deny udp source-port eq 135 destination-port eq 135rule 3 deny udp source-port eq netbios-ns destination-port eq netbios-ns rule 4 deny udp source-port eq netbios-dgm destination-port eq netbios-dgm rule 5 deny udp source-port eq netbios-ssn destination-port eq netbios-ssn rule 6 deny tcp source-port eq 139 destination-port eq 139rule 7 deny tcp source-port eq 445 destination-port eq 445rule 8 deny tcp source-port eq 593 destination-port eq 593rule 9 deny tcp source-port eq 4444 destination-port eq 5444rule 11 deny tcp destination-port eq 5554rule 12 deny tcp destination-port eq 9995rule 13 deny tcp destination-port eq 9996rule 14 deny tcp destination-port eq 3127rule 15 deny tcp destination-port eq 1025rule 16 deny tcp destination-port eq 137rule 17 deny tcp destination-port eq 138rule 18 deny tcp destination-port eq 5800rule 19 deny tcp destination-port eq 5900rule 20 deny tcp destination-port eq 8998#vlan 1#vlan 100description to-CNC#vlan 200description to-WAN#vlan 300description to-PIX_NAT#vlan 500description to-shiwei#vlan 600description to-GOV#vlan 700description to-jiwei#vlan 800description to-fulian#vlan 900description to-xinfang#vlan 1000description to-xxzx#vlan 1100description to-chedu#interface Vlan-interface100description to CNCip address 61.138.127.133 255.255.255.128 #interface Vlan-interface200description to WANip address 202.99.241.9 255.255.255.248 #interface Vlan-interface300description to pix_natip address 192.168.0.2 255.255.255.248#interface Vlan-interface500description to shiweiip address 192.168.10.1 255.255.255.0#interface Vlan-interface600description to shiweiip address 192.168.50.254 255.255.255.0 #interface Vlan-interface700description to jiweiip address 192.168.20.1 255.255.255.0#interface Vlan-interface800description to fulianip address 192.168.30.1 255.255.255.0#interface Vlan-interface900description to xinfangip address 192.168.40.1 255.255.255.0#interface Vlan-interface1000description to xxzxip address 192.168.60.1 255.255.255.0#interface Vlan-interface1100description to cheduiip address 192.168.70.1 255.255.255.0#interface Aux0/0#interface Ethernet0/1port access vlan 100packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/2port access vlan 200packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/3port access vlan 200packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/4port access vlan 200packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/5port access vlan 200packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/6port access vlan 200packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/7port access vlan 300packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 packet-filter inbound ip-group 3000 rule 13 packet-filter inbound ip-group 3000 rule 14 packet-filter inbound ip-group 3000 rule 15 packet-filter inbound ip-group 3000 rule 16 packet-filter inbound ip-group 3000 rule 17 packet-filter inbound ip-group 3000 rule 18 packet-filter inbound ip-group 3000 rule 19 packet-filter inbound ip-group 3000 rule 20 #interface Ethernet0/8port access vlan 1100packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/9port access vlan 500packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/10port access vlan 600packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/11port access vlan 700packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/12port access vlan 800packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/13port access vlan 900packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/14port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/15port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/16port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/17port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/18port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/19port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/20port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/21port access vlan 1000packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/22packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/23packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14packet-filter inbound ip-group 3000 rule 15packet-filter inbound ip-group 3000 rule 16packet-filter inbound ip-group 3000 rule 17packet-filter inbound ip-group 3000 rule 18packet-filter inbound ip-group 3000 rule 19packet-filter inbound ip-group 3000 rule 20traffic-redirect inbound ip-group 2000 rule 0 next-hop 192.168.0.1 #interface Ethernet0/24packet-filter inbound ip-group 3000 rule 0packet-filter inbound ip-group 3000 rule 1packet-filter inbound ip-group 3000 rule 2packet-filter inbound ip-group 3000 rule 3packet-filter inbound ip-group 3000 rule 4packet-filter inbound ip-group 3000 rule 5packet-filter inbound ip-group 3000 rule 6packet-filter inbound ip-group 3000 rule 7packet-filter inbound ip-group 3000 rule 8packet-filter inbound ip-group 3000 rule 9packet-filter inbound ip-group 3000 rule 11packet-filter inbound ip-group 3000 rule 12packet-filter inbound ip-group 3000 rule 13packet-filter inbound ip-group 3000 rule 14。
Cisco PIX525防火墙的开通设置
用s t a t i c 命令将需要被外 网访 问的内部主机 的I P 映射为一 个静态全局I P 地址。
f s t a t i c [ ( i n t e r n a li
—
n a me , e xt e r n al i f
—
—
~
n a m e ) ]
g l o bn t e r f a c e 命令 : a c c e s s — g r o u p I D i n i n t e r f a c e l o wi
_
l o w
_
i n t e r f a c e : 具有较低优先级的外部接 口
6 设置内部对外网的访问
使用g l o b a l 和n a t 命令可 以设 置将 部分或全 部内部主机翻
网掩码 。
M a x
—
2 . 2设置特权模式口令
e n a b l e p a s s w o r d [ p a S s w o r d ] [ 1 e v e l 1 e v e 1 ] [ e n c r y p t e d ]
c o n n s : 所允许 的并发的最 大连接数。
[ s h u t d o w n ]
h ar d wa r e
—
—
i f n a m e : 要做N A T 的网段所 连接的防火墙接口名称
n a t i d : 为此N A T 定义一个标识
l o c a l
d d r e s s s u b n e t ma s k i ns i d e t e l n e t i pa
— —
— —
i p : 外部 网分配的全局地 址, 不能是P A T 地址。
思科防火墙配置
建立用户和修改密码建立用户和修改密码跟Cisco IOS路由器基本一样。
激活以太端口激活以太端口必须用enable进入,然后进入configure模式PIX525>enablePassword:PIX525#config tPIX525(config)#interface ethernet0 autoPIX525(config)#interface ethernet1 auto在默然情况下ethernet0是属外部网卡outside, ethernet1是属内部网卡inside, inside在初始化配置成功的情况下已经被激活生效了,但是outside必须命令配置激活。
命名端口与安全级别采用命令nameifPIX525(config)#nameif ethernet0 outside security0PIX525(config)#nameif ethernet0 outside security100security0是外部端口outside的安全级别(100安全级别最高)security100是内部端口inside的安全级别,如果中间还有以太口,则security10,security20等等命名,多个网卡组成多个网络,一般情况下增加一个以太口作为DM Z(Demilitarized Zones非武装区域)。
配置以太端口IP 地址采用命令为:ip address如:内部网络为:192.168.1.0 255.255.255.0外部网络为:222.20.16.0 255.255.255.0PIX525(config)#ip address inside 192.168.1.1 255.255.255.0PIX525(config)#ip address outside 222.20.16.1 255.255.255.0配置远程访问[telnet]在默然情况下,PIX的以太端口是不允许telnet的,这一点与路由器有区别。
防火墙实施策略--最高级防火墙
最高级防火墙(思科pix525防火墙)配置命令:PIX525有三个以太接口,分别接入内网,外网和中间区域。
设置:(pix515只有两个口而且固定的优先级)ePix525#conf tPix525(config)#nameif ethernet0 inside security100Pix525(config)#nameif ethernet1 dmz security50Pix525(config)#nameif ethernet2 outside security0设置接口工作方式:Pix525(config)#interface ethernet0 autoPix525(config)#interface ethernet1 autoPix525(config)#interface ethernet2 auto设置接口IP地址:Pix525(config)#ip address outside 10.1.1.1 255.255.255.240Pix525(config)#ip address inside 172.16.1.2 255.255.255.0Pix525(config)#ip address dmz 172.16.6.1 255.255.255.0设置时间:clock set 9:0:0 1 5 2010-5-21指定接口的安全级别:pix525(config)#nameif ethernet0 outside security0 # outside是指pix525(config)#nameif ethernet0 dmz security50 # outside是指外部接口外部接口pix525(config)#nameif ethernet1 inside security100 # inside是指内部接口路由:route inside 172.16.0.0 255.255.0.0 172.16.1.2 1route outside 10.1.0.0 255.255.0.0 10.1.1.1NAT地址转换:将三部门网络地址分别划成一组,并转换成外部地址nat (inside) 1 172.16.3.0 255.255.255.0nat (inside) 2 172.16.4.0 255.255.255.0nat (inside) 3 172.16.4.0 255.255.255.0global (outside) 1 10.1.1.1-10.1.1.41netmask 255.255.255.0global (outside) 2 10.1.1.5-10.1.1.8 netmask 255.255.255.0global (outside) 3 10.1.1.9-10.1.1.12 netmask 255.255.255.0设置内(telnet)外部(ssh)用户登录本地服务器或设备命令:telnet 172.16.13.110 255.255.255.0 insidepassword adminenable password adminssh 130.12.1.0 255.255.255.0 outsideusername miaosen password miaosenaaa authernacation ssh local /使用本地认证认证:config#ca zeroiseconfig#ca generateconfig#ca save包过滤型防火墙的访问控制表(ACL)配置其他部分访问财务部门策略:禁止www,ftp,smtp允许管理主机访问财务access-list 100 deny tcp 172.16.4.0 255.255.255.0 172.16.3.0255.255.255.0 eq ftpaccess-list 100 deny tcp 172.16.4.0 255.255.255.0 172.16.3.0 255.255.255.0 eq wwwaccess-list 100 deny tcp 172.16.4.0 255.255.255.0 172.16.3.0255.255.255.0 eq smtpaccess-list 100 deny tcp 172.16.5.0 255.255.255.0 172.16.3.0255.255.255.0 eq ftpaccess-list 100 denny tcp 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 eq wwwaccess-list 100 deny tcp 172.16.5.0 255.255.255.0 172.16.3.0255.255.255.0 eq smtpaccess-list 100 permit tcp 172.16.0.0//255.255.0.0 172.16.6.0 255.255.255.0 eq smtpaccess-list 100 permit tcp 172.16.0.0//255.255.0.0 172.16.6.0 255.255.255.0 eq wwwaccess-list 100 permit tcp 172.16.0.0//255.255.0.0 172.16.6.0 255.255.255.0 eq icmpaccess-list 100 permit tcp 172.16.3.5 any 255.255.255.0access-list 100 permit tcp 172.16.13.110 172.16.3.0 255.255.255.0access-list 100 permit tcp 172.16.3.5 any 255.255.255.0地址映射:static (inside, outside) 172.16.3.5 10.1.1.1 /重要的财务主机命令主机端口重定向:PIX525(config)#static (inside,outside) tcp172.16.6.0 255.255.255.0telnet 172.16.1.2telnet netmask 255.255.255.255 0 0PIX525(config)#static (inside,outside) ftp 172.16.6.0 255.255.255.0telnet 172.16.1.2 ftp netmask 255.255.255.255 0 0PIX525(config)#static (inside,outside) tcp172.16.6.0 255.255.255.0 www 172.16.1.2 www netmask 255.255.255.255 0 0/到服务器的端口转换配置允许低级向高级的数据流(config)#conduit deny tcp host 172.16.4.0 255.255.255.0 eq www any/办公部不可上网上面已经设置可访问服务器Pix525(config)#conduit permit tcp host 172.16.3.1 eq www any/财务的一台主机可上网Pix525(config)#conduit permit icmp any any/允许内外部的ICMP消息传送配置fixup协议Fixup protocol ftp 21Fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol smtp 25使能化攻击:执行命令firewall defend ip-spoofing enable,使能IP欺骗攻击防范功能。