Category: IT Career

2010-01-19 00:34:54

Cisco PIX Firewall Basic Configuration (Part 2)
PIX 525 basic configuration
2009-09-13 08:00
PIX 525
PIX Version 7.2(1)
Clearing the configuration
clear configure all, then wr mem, then reload



Part 1: Basic configuration

Clear the configuration
write erase
reload

Step 1
Configure each interface

Step 2
Configure the global address pool, NAT, and the route from inside to outside
pixP(config)# global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
View it
pixP(config)# show run global
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0

Allow inside hosts to go out through NAT (the nat id 1 pairs this rule with the global pool that carries the same id)
pixP(config)# nat (inside) 1 0 0

View it
pixP(config)# show run nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Specify the default outbound route
pixP(config)# route outside 0 0 192.168.1.254
View the routing table
pixP(config)# show route
outside 0.0.0.0 0.0.0.0 192.168.P.254 1 OTHER static
inside 10.0.P.0 255.255.255.0 10.0.P.1 1 CONNECT static
dmz 172.16.1.0 255.255.255.0 172.16.1.P 1 CONNECT static
outside 192.168.P.0 255.255.255.0 192.168.P.1 1 CONNECT static

Inside hosts can now reach the WAN.
Use show xlate to view the NAT translation table

Step 3
Configure access to the DMZ
Specify the address pool used when reaching the DMZ
pixP(config)# global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0

The DMZ is now reachable.
show arp, show conn and show xlate show the details.
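The global/nat pairing above is easy to get wrong (mismatched ids, or a pool that is too small for the hosts behind it). The following is an added example, not code from the blog post or from Cisco: a small Python model of PIX dynamic NAT that pairs nat and global rules by id, creates one xlate entry per local address and egress interface, and raises when a range pool has no address left. The config text is constructed from the commands on this page; the show xlate output format is approximated, and PAT fallback from a single-address global is not modelled.

```python
# Added example (not from the blog post): a model of how PIX dynamic NAT
# pairs "nat (IFACE) ID ..." rules with "global (IFACE) ID ..." pools by ID,
# keeps one xlate entry per (local address, egress interface), and fails
# once a range pool with no PAT fallback is exhausted.
import ipaddress

# Constructed from the commands shown on this page.
CONFIG = """
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0
nat (inside) 1 0 0
"""


class NatTable:
    def __init__(self, config):
        self.pools = {}      # (nat_id, egress iface) -> free global addresses, in order
        self.nat_rules = []  # (ingress iface, nat_id, local network)
        self.xlate = {}      # (local address, egress iface) -> global address
        for line in config.strip().splitlines():  # only global/nat lines are expected
            t = line.split()
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[0] == "global":
                # "A-B" is a range pool; a single address would be a PAT global (not modelled)
                lo, hi = t[3].split("-") if "-" in t[3] else (t[3], t[3])
                first, last = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
                self.pools[(nat_id, iface)] = [
                    str(ipaddress.ip_address(i)) for i in range(first, last + 1)
                ]
            elif t[0] == "nat":
                # "nat (inside) 1 0 0" is shorthand for 0.0.0.0 0.0.0.0: every inside host
                if t[3] in ("0", "0.0.0.0"):
                    net = ipaddress.ip_network("0.0.0.0/0")
                else:
                    net = ipaddress.ip_network(f"{t[3]}/{t[4]}")
                self.nat_rules.append((iface, nat_id, net))

    def translate(self, local, egress_iface, ingress_iface="inside"):
        """Global address used when `local` (arriving on ingress_iface) leaves via egress_iface."""
        key = (local, egress_iface)
        if key in self.xlate:
            return self.xlate[key]  # an existing xlate entry is reused, as on the PIX
        addr = ipaddress.ip_address(local)
        for iface, nat_id, net in self.nat_rules:
            if iface != ingress_iface or addr not in net:
                continue
            pool = self.pools.get((nat_id, egress_iface))
            if not pool:  # no global with this id on that interface, or the range ran dry
                raise RuntimeError(f"nat id {nat_id}: no free global address on {egress_iface}")
            self.xlate[key] = pool.pop(0)
            return self.xlate[key]
        raise RuntimeError(f"no nat rule covers {local} on {ingress_iface}")

    def show_xlate(self):
        """Lines in the style of `show xlate` (format approximated)."""
        return [f"Global {g} Local {l}" for (l, _i), g in self.xlate.items()]


if __name__ == "__main__":
    table = NatTable(CONFIG)
    table.translate("10.0.1.2", "outside")
    table.translate("10.0.1.2", "dmz")
    print("\n".join(table.show_xlate()))
```

The dmz pool on this page holds ten addresses, so the eleventh inside host that talks to the DMZ gets no translation; on a real PIX the usual fix is a second global with the same id and a single address, which gives PAT fallback once the range is used up.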


Part 2: Access control

Step 1: Disable ping on an interface
Ping test from the LAN
lan#ping 10.0.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
lan#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Disable ping on the PIX (once any icmp rule exists on an interface, ICMP terminating at that interface is matched first-rule-wins and then implicitly denied, which is why the echo requests in the next test fail too)
pixfirewall(config)# icmp deny any echo-reply inside

View it
show running-config icmp
icmp deny any echo-reply inside

Ping test from the LAN
lan#ping 10.0.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Re-enable ping
pixfirewall(config)# no icmp deny any echo-reply inside

Ping test from the LAN
lan#ping 10.0.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/12 ms

Pinging from inside to outside is blocked by default: the echo request is allowed out from the higher-security interface, but without ICMP inspection the returning echo-reply is not matched to it and is dropped at the outside interface. Enable echo-replies:
Create the access list
pixfirewall(config)# access-list ping permit icmp any any echo-reply
Apply the ACL
pixfirewall(config)# access-group ping in interface outside

Ping test from the LAN
lan#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/381/1036 ms

On versions before 6.3 use the following command instead
conduit permit icmp any any echo-reply


Step 2
Configure the outbound ACL
Goals:
allow outbound web traffic
deny FTP from the inside network to 192.168.1.2
allow all other traffic.

Test access to 192.168.1.2 from the LAN
lan#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open

lan#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/20 ms


Configure the ACL
pixfirewall(config)# access-list ACLOUT permit tcp any any eq www
pixfirewall(config)# access-group ACLOUT in interface inside

View the ACLs
pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=5) 0x6431b796
access-list ACLOUT; 1 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=0) 0x455d1434

lan#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
lan#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Remove the ACL
pixfirewall(config)# no access-group ACLOUT in interface inside


pixfirewall(config)# access-list ACLOUT deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp
pixfirewall(config)# access-list ACLOUR permit ip any any



pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=10) 0x6431b796
access-list ACLOUT; 2 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=1) 0x455d1434
access-list ACLOUT line 2 extended deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp (hitcnt=0) 0x854f8818
access-list ACLOUR; 1 elements
access-list ACLOUR line 1 extended permit ip any any (hitcnt=0) 0x9996460b

Test omitted. Note that the permit ip any any line was entered under the name ACLOUR, so the output above shows it as a separate list that is applied to no interface; ACLOUT still ends in the implicit deny and blocks everything except web, so the third goal is only met if that line is entered as access-list ACLOUT permit ip any any.

Step 3
Configure an inbound ACL
Goals:
allow outside access to the internal web server
allow outside access to the internal FTP server
allow inbound ICMP
deny all other inbound traffic

pixfirewall(config)# no access-group ping in interface outside

pixfirewall(config)# static (dmz,outside) 192.168.1.10 172.16.1.50

pixfirewall(config)# static (inside,outside) 192.168.1.11 10.0.1.2


pixfirewall(config)# show running-config static
static (dmz,outside) 192.168.1.10 172.16.1.50 netmask 255.255.255.255
static (inside,outside) 192.168.1.11 10.0.1.2 netmask 255.255.255.255
pixfirewall(config)#


pixfirewall(config)# access-list ACLIN permit tcp any host 192.168.1.10 eq www
pixfirewall(config)# access-list ACLIN permit tcp any host 192.168.1.10 eq ftp
pixfirewall(config)# access-list ACLIN permit icmp any host 192.168.1.11 echo


pixfirewall(config)# access-group ACLIN in interface outside
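Both the outbound ACL of Step 2 and the inbound ACL of Step 3 depend on two rules of PIX ACL evaluation: the first matching line wins, and every list ends in an implicit deny. The following is an added example, not code from the blog post or from Cisco: a Python model that parses the access-list and access-group commands from this page, evaluates sample packets against them, and lists ACLs that exist but are bound to no interface. The ACLOUR name is kept exactly as typed so its effect is visible, and a second copy with the name corrected is evaluated alongside. Assumptions: the port-name and ICMP-type tables are mine, 203.0.113.5 is a constructed outside address, and a later access-group on the same interface replaces the earlier one, as it does on the PIX.

```python
# Added example (not from the blog post): PIX extended ACL evaluation, first
# match wins and an implicit deny ends every list, run over the Part 2 ACLs.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the commands shown on this page; ACLOUR kept as typed.
CONFIG = """
access-list ping permit icmp any any echo-reply
access-group ping in interface outside
access-list ACLOUT permit tcp any any eq www
access-list ACLOUT deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp
access-list ACLOUR permit ip any any
access-group ACLOUT in interface inside
access-list ACLIN permit tcp any host 192.168.1.10 eq www
access-list ACLIN permit tcp any host 192.168.1.10 eq ftp
access-list ACLIN permit icmp any host 192.168.1.11 echo
access-group ACLIN in interface outside
"""
PORT_NAMES = {"www": 80, "ftp": 21}      # assumed name table, only what the page uses
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: Optional[int]  # destination port for tcp/udp, ICMP type for icmp, else None


def parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, rest = parse_addr(t[4:])
            dst, rest = parse_addr(rest)
            qualifier = None
            if rest and rest[0] == "eq":
                qualifier = PORT_NAMES.get(rest[1]) or int(rest[1])
            elif rest and proto == "icmp":
                qualifier = ICMP_TYPES[rest[0]]
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, qualifier))
        elif t[0] == "access-group":
            # "access-group NAME in interface IFACE": a later binding replaces the earlier one
            bindings[t[4]] = t[1]
    return acls, bindings


def evaluate(acls, bindings, iface, proto, src, dst, qualifier=None):
    """Verdict and matching line number for a packet arriving on `iface` (0 = implicit deny)."""
    name = bindings.get(iface)
    if name is None:
        return "no-acl", 0  # with no inbound ACL, interface security levels decide
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line_no, ace in enumerate(acls.get(name, []), start=1):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.qualifier is not None and ace.qualifier != qualifier:
            continue
        return ace.action, line_no
    return "deny", 0  # the implicit deny at the end of every ACL


def unbound_acls(acls, bindings):
    """ACLs that exist but are applied to no interface; a misspelled name shows up here."""
    return sorted(set(acls) - set(bindings.values()))


ACLS, BINDINGS = parse_config(CONFIG)
# Same config with the misspelled name corrected, so "permit ip any any" becomes ACLOUT line 3.
FIXED_ACLS, FIXED_BINDINGS = parse_config(CONFIG.replace("ACLOUR", "ACLOUT"))

if __name__ == "__main__":
    # Outbound tests from the page: web is permitted, the ping hits the implicit deny
    print(evaluate(ACLS, BINDINGS, "inside", "tcp", "10.0.1.2", "192.168.1.2", 80))
    print(evaluate(ACLS, BINDINGS, "inside", "icmp", "10.0.1.2", "192.168.1.2", 8))
    print(unbound_acls(ACLS, BINDINGS))
    # Inbound: in PIX 7.x the ACL on outside is checked against the global (static) address
    print(evaluate(ACLS, BINDINGS, "outside", "tcp", "203.0.113.5", "192.168.1.10", 80))
```

Running it reproduces the page's Step 2 result (web open, ping blocked once ACLOUT is applied) and shows that with the name as typed any non-web outbound traffic is dropped, while the corrected copy permits it on line 3 and still denies FTP on line 2. For Step 3, the inbound echo-reply to 192.168.1.11 falls through to the implicit deny because only echo is permitted.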
