PIX 525 Basic Configuration
2009-09-13 08:00
PIX 525, PIX Version 7.2(1). To wipe the configuration: clear configure all, then wr mem, then reload.
Part 1: Basic configuration
Clear the configuration: write erase, then reload.
Step 1: Configure each interface.
Step 2: Configure the global address pool, NAT, and the route from inside to outside.
pixP(config)# global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
Verify:
pixP(config)# show run global
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
Allow inside hosts to use NAT pool 1 to go out:
pixP(config)# nat (inside) 1 0 0
Verify:
pixP(config)# show run nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Set the default route out:
pixP(config)# route outside 0 0 192.168.1.254
View the routing table:
pixP(config)# show route
outside 0.0.0.0 0.0.0.0 192.168.P.254 1 OTHER static
inside 10.0.P.0 255.255.255.0 10.0.P.1 1 CONNECT static
dmz 172.16.1.0 255.255.255.0 172.16.1.P 1 CONNECT static
outside 192.168.P.0 255.255.255.0 192.168.P.1 1 CONNECT static
Inside hosts can now reach the WAN. Use show xlate to view the NAT translation table.
Step 3: Configure access to the DMZ. Define the address pool used when reaching the DMZ:
pixP(config)# global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0
The DMZ is now reachable. show arp, show conn and show xlate show the details.
Part 2: Access control
Step 1: Disable ping on an interface. First test with ping from the LAN:
lan#ping 10.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
lan#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Disable ping on the PIX:
pixfirewall(config)# icmp deny any echo-reply inside
Verify:
show running-config icmp
icmp deny any echo-reply inside
Test again from the LAN:
lan#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Re-enable ping:
pixfirewall(config)# no icmp deny any echo-reply inside
Test again from the LAN:
lan#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/12 ms
Pinging from inside to outside is denied by default. To let the echo-replies back in, create an ACL and apply it on the outside interface:
pixfirewall(config)# access-list ping permit icmp any any echo-reply
pixfirewall(config)# access-group ping in interface outside
Test from the LAN:
lan#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/381/1036 ms
Before version 6.3 the following command was used instead:
conduit permit icmp any any echo-reply
Step 2: Configure an outbound ACL. Goals: permit outbound web traffic; deny FTP from the inside network to 192.168.1.2; permit all other traffic.
Test access to 192.168.1.2 from the LAN:
lan#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
lan#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/20 ms
Configure the ACL:
pixfirewall(config)# access-list ACLOUT permit tcp any any eq www
pixfirewall(config)# access-group ACLOUT in interface inside
View the ACLs:
pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=5) 0x6431b796
access-list ACLOUT; 1 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=0) 0x455d1434
Test again from the LAN:
lan#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
lan#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Remove the ACL from the interface:
pixfirewall(config)# no access-group ACLOUT in interface inside
pixfirewall(config)# access-list ACLOUT deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp
pixfirewall(config)# access-list ACLOUR permit ip any any
pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=10) 0x6431b796
access-list ACLOUT; 2 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=1) 0x455d1434
access-list ACLOUT line 2 extended deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp (hitcnt=0) 0x854f8818
access-list ACLOUR; 1 elements
access-list ACLOUR line 1 extended permit ip any any (hitcnt=0) 0x9996460b
Test: omitted.
Step 3: Configure an inbound ACL. Goals: allow external access to an internal web server; allow external access to an internal FTP server; allow inbound ICMP; deny all other inbound traffic.
pixfirewall(config)# no access-group ping in interface outside
pixfirewall(config)# static (dmz,outside) 192.168.1.10 172.16.1.50
pixfirewall(config)# static (inside,outside) 192.168.1.11 10.0.1.2
pixfirewall(config)# show running-config static
static (dmz,outside) 192.168.1.10 172.16.1.50 netmask 255.255.255.255
static (inside,outside) 192.168.1.11 10.0.1.2 netmask 255.255.255.255
pixfirewall(config)#
pixfirewall(config)# access-list ACLIN permit tcp any host 192.168.1.10 eq www
pixfirewall(config)# access-list ACLIN permit tcp any host 192.168.1.10 eq ftp
pixfirewall(config)# access-list ACLIN permit icmp any host 192.168.1.11 echo
pixfirewall(config)# access-group ACLIN in interface outside
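Both ACL steps above depend on two things: the PIX evaluates an access list top-down and ends it with an implicit deny, and the name given to access-group must match a list that actually exists. The page's own show access-list output after step 2 shows what a slip looks like: the permit ip any any entry landed in a separate list called ACLOUR, so ACLOUT on its own would drop everything except web traffic. The script below is an added example, not code from the page: it parses show access-list and access-group output and reports an access-group that names an undefined ACL, a defined-but-unapplied list that looks like a typo of an applied one, entries shadowed by an earlier ip any any, and an applied list with no catch-all entry (so the implicit deny applies). The sample show access-list text is constructed from the page's listing; the access-group line binding ACLOUT to inside is an assumption, since the page removes that binding in step 2 and never shows it re-applied.

```python
import re
from collections import defaultdict
from difflib import get_close_matches

# Constructed sample input: the `show access-list` output the page shows after the
# outbound-ACL step, with the mistyped ACLOUR list alongside ACLOUT.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=10) 0x6431b796
access-list ACLOUT; 2 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=1) 0x455d1434
access-list ACLOUT line 2 extended deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp (hitcnt=0) 0x854f8818
access-list ACLOUR; 1 elements
access-list ACLOUR line 1 extended permit ip any any (hitcnt=0) 0x9996460b
"""

# Constructed sample input (assumption): access-group lines as they would appear in the
# running config once ACLOUT has been re-applied to the inside interface.
ACCESS_GROUPS = """\
access-group ping in interface outside
access-group ACLOUT in interface inside
"""

# One access control entry as printed by `show access-list` on PIX 7.x.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<num>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<match>.*?) \(hitcnt=(?P<hits>\d+)\)"
)
GROUP_RE = re.compile(
    r"^access-group (?P<acl>\S+) (?P<dir>in|out) interface (?P<iface>\S+)"
)


def parse_access_lists(text):
    """Map each ACL name to its ordered entries, parsed from `show access-list` output."""
    acls = defaultdict(list)
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # header lines ("access-list X; N elements") and cache stats are skipped
            acls[m["acl"]].append({
                "line": int(m["num"]),
                "action": m["action"],
                "proto": m["proto"],
                "match": m["match"],
                "hits": int(m["hits"]),
            })
    return dict(acls)


def parse_access_groups(text):
    """Return the (acl, direction, interface) bindings found in access-group lines."""
    matches = (GROUP_RE.match(ln.strip()) for ln in text.splitlines())
    return [m.groupdict() for m in matches if m]


def is_catch_all(entry):
    """True for an entry that matches every packet (permit/deny ip any any)."""
    return entry["proto"] == "ip" and entry["match"] == "any any"


def audit(acls, groups):
    """Return human-readable findings about bindings, typos, shadowing and implicit deny."""
    findings = []
    applied = {g["acl"] for g in groups}
    for g in groups:
        if g["acl"] not in acls:
            findings.append(
                f"access-group on {g['iface']} references undefined ACL {g['acl']}")
    for name, entries in acls.items():
        if name not in applied:
            hint = get_close_matches(name, sorted(applied), n=1, cutoff=0.8)
            msg = f"ACL {name} is defined but not applied to any interface"
            if hint:
                msg += f" (possible typo of {hint[0]})"
            findings.append(msg)
        shadowed = False
        for e in entries:
            if shadowed:
                findings.append(
                    f"{name} line {e['line']} can never match: an earlier 'ip any any' entry shadows it")
            elif is_catch_all(e):
                shadowed = True
        if name in applied and entries and not is_catch_all(entries[-1]):
            findings.append(
                f"{name} ends without a catch-all entry: everything not listed hits the implicit deny")
    return findings


if __name__ == "__main__":
    acls = parse_access_lists(SHOW_ACCESS_LIST)
    for finding in audit(acls, parse_access_groups(ACCESS_GROUPS)):
        print(finding)
```

Run against the constructed sample, the audit reports ACLOUR as defined but unapplied with ACLOUT as the likely intended name, and ACLOUT as ending without a catch-all, which is exactly why the "permit all other traffic" goal of step 2 is not met until the last entry is added to ACLOUT itself. The same parser applies to the ACLIN list of step 3, where ending on the implicit deny is the intent.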