Category: Network and Security

2008-04-30 14:07:09

failover configuration

The following example outlines how to configure LAN-based failover between two PIX Firewall units.

Primary PIX Firewall configuration:

:

pix(config)# nameif ethernet0 outside security0
pix(config)# nameif ethernet1 inside security100
pix(config)# nameif ethernet2 stateful security20
pix(config)# nameif ethernet3 lanlink security30

:

pix(config)# interface ethernet0 100full
pix(config)# interface ethernet1 100full
pix(config)# interface ethernet2 100full
pix(config)# interface ethernet3 100full
pix(config)# interface ethernet4 100full

:

pix(config)# ip address outside 172.23.58.70 255.255.255.0
pix(config)# ip address inside   10.0.0.2 255.255.255.0
pix(config)# ip address stateful 10.0.1.2 255.255.255.0
pix(config)# ip address lanlink 10.0.2.2 255.255.255.0
pix(config)# failover ip address outside 172.23.58.51
pix(config)# failover ip address inside 10.0.0.4 
pix(config)# failover ip address stateful 10.0.1.4 
pix(config)# failover ip address lanlink  10.0.2.4 
pix(config)# failover
pix(config)# failover poll 15
pix(config)# failover lan unit primary                   
pix(config)# failover lan interface lanlink
pix(config)# failover lan key 12345678
pix(config)# failover lan enable

:

Secondary PIX Firewall configuration:

pix2(config)# nameif ethernet3 lanlink security30
pix2(config)# interface ethernet3 100full
pix2(config)# ip address lanlink 10.0.2.2 255.255.255.0
pix2(config)# failover ip address lanlink 10.0.2.4
pix2(config)# failover
pix2(config)# failover lan unit secondary (optional)
pix2(config)# failover lan interface lanlink
pix2(config)# failover lan key 12345678
pix2(config)# failover lan enable

To specify that all outbound connections have Java applet blocking, use the following command:

filter java 80 0 0 0 0

To specify that all outbound connections have ActiveX blocking, use the following command:

filter activex 80 0 0 0 0

The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

url-server (perimeter) host 10.0.1.1
filter url 80 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0
 
The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:

filter url 8080 0 0 0 0 proxy-block

The default ports for the PIX Firewall fixup protocols are as follows:

pixHA(config)# sh fix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
 
The fixup protocol rtsp command lets PIX Firewall pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. 
If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554: 
fixup protocol rtsp 554
fixup protocol rtsp 8554
 

The following example shows how to enable the MGCP fixup on your firewall:

pixfirewall(config)# fixup protocol mgcp 2427
pixfirewall(config)# fixup protocol mgcp 2727
 
 

The following example enables access to an inside server running Mail Guard:

static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.1 eq smtp
access-group acl_out in interface outside
fixup protocol smtp 25

The following example shows the commands to disable Mail Guard:

static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.1 eq smtp
access-group acl_out in interface outside
no fixup protocol smtp 25

Enable or disable Flood Guard to protect against flood attacks.

floodguard enable 

floodguard disable

clear floodguard

show floodguard

 

The following partial configuration example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable if_name commands to configure an address pool for the DHCP clients and a DNS server address for the DHCP client, and how to enable the dmz interface of the PIX Firewall for the DHCP server function.

dhcpd address 10.0.1.100-10.0.1.108 dmz
dhcpd dns 209.165.200.226
dhcpd enable dmz

The following partial configuration example shows how to define a DHCP pool of 253 addresses and use the auto_config command to configure the DNS, WINS, and DOMAIN parameters. Note that the dmz interface of the firewall is configured as the DHCP server, and the netmask of the dmz interface is 255.255.254.0:

ip address dmz 10.0.1.1 255.255.254.0
dhcpd address 10.0.1.2-10.0.1.254 dmz
dhcpd auto_config outside
dhcpd enable dmz
show dhcpd binding
show dhcpd statistics
 

The following example configures the DHCP relay agent for a DHCP server with the IP address of 10.1.1.1 on the outside interface of the firewall and client requests on the inside interface of the firewall, and sets the timeout value to 90 seconds:

pixfirewall(config)# dhcprelay server 10.1.1.1 outside
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 50

pixfirewall(config)# dhcprelay timeout 60
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 60

pixfirewall(config)# dhcprelay enable inside
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 60

The following example shows how to disable the DHCP relay agent if there is only one dhcprelay enable command in the configuration:

pixfirewall(config)# no dhcprelay enable
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 60

The following is sample output from the show dhcprelay statistics command:

pixfirewall(config)# show dhcprelay statistics
 
 
To track usage among different subnets, you can specify multiple PATs using the following supported configurations:

The following example maps hosts on the internal network 10.1.0.0/24 to global address 192.168.1.1 and hosts on the internal network 10.1.1.0/24 to global address 209.165.200.225 in global configuration mode.

nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.1 netmask 255.255.255.0
global (outside) 2 209.165.200.225 netmask 255.255.255.224

The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.

nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225 netmask 255.255.255.224
global (outside) 1 192.168.1.1 netmask 255.255.255.0

With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.
 
 

A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT. Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.

For example, PAT is enabled with these commands:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 209.165.202.128 netmask 255.255.255.224

However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.

To ensure that the inside DNS server can access the root name server, insert the following static command statement:

static (inside,outside) 209.165.202.129 192.168.1.5

The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.

 

1. Deny all ping requests and permit all unreachable messages at the outside interface:

icmp permit any unreachable outside

The default behavior of the PIX Firewall is to deny ICMP messages to the outside interface.

2. Permit host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside 
icmp permit 172.22.1.0 255.255.0.0 echo-reply outside 
icmp permit any unreachable outside
 
The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding. With this command enabled, packets are dropped if there is no route found for the packet or the route found does not match the interface on which the packet arrived.

ip address inside 10.1.1.1 255.255.0.0
route inside 10.1.2.0 255.255.0.0 10.1.1.1 1
route inside 10.1.3.0 255.255.0.0 10.1.1.1 1
ip verify reverse-path interface outside
ip verify reverse-path interface inside

The ip verify reverse-path interface outside command statement protects the outside interface from network ingress attacks from the Internet, whereas the ip verify reverse-path interface inside command statement protects the inside interface from network egress attacks from users on the internal network.

pixfirewall(config)# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 1 unicast rpf drops
interface intf2: 3 unicast rpf drops

pixfirewall(config)# clear ip verify statistics
pixfirewall(config)# show ip verify statistics
interface outside: 0 unicast rpf drops
interface inside: 0 unicast rpf drops
interface intf2: 0 unicast rpf drops
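The reverse-path check described above, worked through in code. This is an added example and not part of the original page: it builds a route table from the page's ip address and route lines (the default route toward outside is an assumption so that Internet sources resolve), looks up each packet's source address, and drops it when no route exists or the route's interface differs from the ingress interface, then totals drops per interface the way show ip verify statistics does.

```python
import ipaddress
from collections import Counter

# Constructed routing table for the page's uRPF example as (network, interface).
# The first three entries mirror the page's config lines; the default route via
# "outside" is an assumption so that Internet sources resolve somewhere.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),                # ip address inside 10.1.1.1 255.255.0.0
    (ipaddress.ip_network("10.1.2.0/16", strict=False), "inside"),  # route inside 10.1.2.0 255.255.0.0 10.1.1.1 1
    (ipaddress.ip_network("10.1.3.0/16", strict=False), "inside"),  # route inside 10.1.3.0 255.255.0.0 10.1.1.1 1
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),                 # assumed default route (not on the page)
]
RPF_INTERFACES = {"outside", "inside"}  # the "ip verify reverse-path interface <name>" lines

def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match; returns the egress interface or None if no route."""
    best = None
    for net, ifname in routes:
        if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def rpf_check(src, ingress, routes=ROUTES, rpf_ifaces=RPF_INTERFACES):
    """The page's rule: look up the SOURCE address; drop if there is no route or
    the route's interface is not the interface the packet arrived on."""
    if ingress not in rpf_ifaces:
        return True, "uRPF not enabled on %s" % ingress
    via = route_lookup(src, routes)
    if via is None:
        return False, "no route for source %s" % src
    if via != ingress:
        return False, "source %s belongs behind %s but arrived on %s" % (src, via, ingress)
    return True, "source %s verified on %s" % (src, ingress)

def rpf_statistics(packets, routes=ROUTES, rpf_ifaces=RPF_INTERFACES):
    """Drops per ingress interface, in the spirit of 'show ip verify statistics'."""
    drops = Counter()
    for src, ingress in packets:
        if not rpf_check(src, ingress, routes, rpf_ifaces)[0]:
            drops[ingress] += 1
    return dict(drops)

# Constructed sample traffic as (source address, ingress interface).
SAMPLE = [
    ("10.1.5.5", "outside"),      # inside prefix arriving from the Internet: drop
    ("198.51.100.7", "outside"),  # resolves to the default route via outside: accept
    ("10.1.2.7", "inside"),       # legitimate inside host: accept
    ("192.0.2.9", "inside"),      # external prefix leaving from the inside: drop
    ("192.0.2.9", "dmz"),         # no uRPF configured on dmz: accepted unchecked
]
```

Calling rpf_statistics(SAMPLE) gives one drop on outside and one on inside; removing the assumed default route turns the 198.51.100.7 packet into a "no route" drop as well.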

isakmp

Configures the Internet Security Association Key Management Protocol (ISAKMP) for IPSec Internet Key Exchange (IKE).

By default, NAT traversal (isakmp nat-traversal) is disabled.

The default ISAKMP identity is isakmp identity hostname.

 

The show isakmp identity command displays the current ISAKMP identity.

The show isakmp sa command displays all current IKE security associations between the PIX Firewall and its peer.

The sections that follow describe each isakmp command.

isakmp client configuration address-pool local

The isakmp client configuration address-pool local command is used to configure the IP address local pool to reference IKE. Use the no crypto isakmp client configuration address-pool local command to restore to the default value.

Before using this command, use the ip local pool command to define a pool of local addresses to be assigned to a remote IPSec peer.

Examples

The following example references IP address local pools to IKE with "mypool" as the pool-name:

isakmp client configuration address-pool local mypool outside

isakmp enable

Use the isakmp enable interface-name command to enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Firewall. Use the no isakmp enable command to disable IKE.

The following example shows how to disable IKE on the inside interface:

no isakmp enable inside
 
The following example shows that each security gateway peer has a unique pre-shared key to share with the PIX Firewall. The peers' IP addresses are 10.1.1.1, 10.1.1.2, and 10.1.1.3, and the netmask 255.255.255.255 is specified.

isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey7890 address 10.1.1.3 netmask 255.255.255.255 no-xauth no-config-mode

If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.
 

The following example shows "sharedkeystring" as the authentication key to share between the PIX Firewall and its peer specified by an IP address of 10.1.0.0:

isakmp key sharedkeystring address 10.1.0.0
 

The following example shows use of a wildcard pre-shared key. The "sharedkeystring" is the authentication key to share between the PIX Firewall and its peer (in this case a VPN client) specified by an IP address of 0.0.0.0 and a netmask of 0.0.0.0.

isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0
 

isakmp policy

Configures specific Internet Key Exchange (IKE) algorithms and parameters, within the IPSec Internet Security Association Key Management Protocol (ISAKMP) framework, for the Authentication Header (AH) and Encapsulating Security Payload (ESP) IPSec protocols.

[no] isakmp policy priority authentication pre-share | rsa-sig

[no] isakmp policy priority encryption aes | aes-192 | aes-256 | des | 3des

[no] isakmp policy priority group 1 | 2 | 5

[no] isakmp policy priority hash md5 | sha

[no] isakmp policy priority lifetime seconds

The following example sets the IKE security association to an infinite lifetime.

isakmp policy 40 lifetime 0

show isakmp policy

The following is sample output from the show isakmp command:

pixfirewall(config)# show isakmp
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400 
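An added audit script, not part of the original page, that reads isakmp lines in the form shown above and flags the settings this page's examples can produce: DES encryption, MD5 hashing, Diffie-Hellman group 1, the infinite lifetime from the "isakmp policy 40 lifetime 0" example, and the wildcard pre-shared key (address 0.0.0.0 netmask 0.0.0.0). The sample configuration is constructed from the page's show isakmp output, and the defaults filled in for unset policy attributes are assumed.

```python
import re
# Constructed sample built from the page's "show isakmp" output plus its
# "isakmp policy 40 lifetime 0" example; the key is masked as the PIX prints it.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 group 1
isakmp policy 40 lifetime 0
"""

# Assumed values for attributes a policy leaves unset (taken here as the PIX 6.x
# defaults: rsa-sig, des, sha, group 1, 86400 seconds).
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)(?: netmask (\S+))?")

def parse_isakmp(text):
    """Return ({priority: attrs}, [wildcard key lines]) from isakmp config lines."""
    policies, wildcard_keys = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            prio, attr, val = m.groups()
            policies.setdefault(int(prio), dict(DEFAULTS))[attr] = val
            continue
        m = KEY_RE.match(line)
        # address 0.0.0.0 netmask 0.0.0.0 accepts any peer that knows the key
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            wildcard_keys.append(line)
    return policies, wildcard_keys

def audit_isakmp(text):
    """List (priority, finding) pairs for DES, MD5, DH group 1, lifetime 0 and wildcard keys."""
    policies, wildcard_keys = parse_isakmp(text)
    checks = [("encryption", "des", "single DES encryption"),
              ("hash", "md5", "MD5 hash"),
              ("group", "1", "Diffie-Hellman group 1 (768-bit)"),
              ("lifetime", "0", "infinite SA lifetime (lifetime 0)")]
    findings = [(prio, msg) for prio, p in sorted(policies.items())
                for attr, bad, msg in checks if p[attr] == bad]
    findings += [(None, "wildcard pre-shared key: " + k) for k in wildcard_keys]
    return findings
```

Running audit_isakmp(SAMPLE_CONFIG) reports MD5 on policy 1, DES, group 1 and the infinite lifetime on policy 40, and the wildcard key; the same script can be pointed at a saved "show isakmp" capture.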
 

 
