Chinaunix首页 | 论坛 | 博客
  • 博客访问: 384078
  • 博文数量: 114
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 1219
  • 用 户 组: 普通用户
  • 注册时间: 2015-02-07 21:23
文章分类

全部博文(114)

文章存档

2018年(1)

2017年(5)

2016年(87)

2015年(21)

我的朋友

分类: 系统运维

2016-01-15 21:08:56


  1. 在国内的IT环境中,老板对于IT预算还是有限的,老板要求花最少的钱把事情办好,当然在互联网企业或者IDC机房以网络为核心的企业来讲,
  2. 网络架构的好坏是其命脉,许多服务架构集群都需要建立在网络的基础上。
  3. 最近机房互联做的一个项目,之前的设备实在是不能满足需求了,老板当然不愿意出钱,花上万的设备去给你搭建。怎么办呢,在总部机房有一台很老的PIX设备,事实上这台设备问世至今跟我的年龄相差无几,但却稳健的运行了近三个月时间,没有任何故障,当初在淘宝逛的时候看到PIX设备只有不到两百块。
  4. 跟BOSS商量直接买了4台,用于机房搭建。另外购一台cisco 3550的三层交换机,几百块就搞定。现稳定运行,大概需求(让内网可以NAT上网,机房VPN互通,端口映射)
  1. cisco 防火墙容易出现的问题
  2. 问题描述:
  3. 当调试思科VPN的时候,尤其是远程拨入VPN的调试,你会发现,当调试路由器的时候,客户端拨入可以直接访问路由器的内口地址,但是当设备是思科的安全设备(PIX,ASA)的时候,你去尝试一下,你会发现在访问INSIDE接口的时候,结果是不通的。
  4.  
  5. 解决办法:
  6. 因为思科的安全设备安全级别高一些,所以他默认会对从低安全级别的访问做一定的限制,例如设备的管理权限;大家都知道防火墙从外网是不能TELNET到本机上的,相比SSH本身安全的多的多,但是INSIDE可以TELNET,默认内部是最高安全级别,所以TELNET当然对本身不会造成多大破坏,但是思科的人性化体现的很淋漓尽致,对于远程客户端通过VPN客户端拨入的用户(可能会出现帐户泄露等因素),防火墙默认是不允许这些客户访问他本身的,这样就更增强了自身的安全性,个人觉得非常好!!!!
  7. 解决此办法很容易
  8. 在全局模式下 输入
  9. management-access inside 这条命令就可以了
配置pix ssh  (非AAA Authentication方式)
domain-name zsq.cn 
ca gen rsa key 1024 
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
passwd Tcs6688.cn@pix
ca save all 
write mem
需要注意的是write mem并不能保存rsa key的配置,必须使用ca save all来保存
默认用户为pix


总部:
  1. PIX Version 6.3(1)
  2. interface ethernet0 auto
  3. interface ethernet1 auto
  4. interface ethernet2 auto
  5. nameif ethernet0 outside security0
  6. nameif ethernet1 inside security100
  7. nameif ethernet2 dmz security50
  8. enable password .0mHd67BKR2OHO2V encrypted
  9. passwd 2KFQnbNIdI.2KYOU encrypted
  10. hostname pix515E
  11. domain-name zsq.cn
  12. fixup protocol ftp 21
  13. fixup protocol h323 h225 1720
  14. fixup protocol h323 ras 1718-1719
  15. fixup protocol http 80
  16. fixup protocol ils 389
  17. fixup protocol pptp 1723
  18. fixup protocol rsh 514
  19. fixup protocol rtsp 554
  20. fixup protocol sip 5060
  21. fixup protocol sip udp 5060
  22. fixup protocol skinny 2000
  23. fixup protocol smtp 25
  24. fixup protocol sqlnet 1521
  25. names
  26. access-list 140 permit ip 192.168.88.0 255.255.255.0 192.168.15.0 255.255.255.0
  27. access-list 140 permit ip 192.18.121.0 255.255.255.0 192.168.15.0 255.255.255.0
  28. access-list NoNAT permit ip 192.168.88.0 255.255.255.0 192.168.15.0 255.255.255.0
  29. access-list NoNAT permit ip 192.18.121.0 255.255.255.0 192.168.15.0 255.255.255.0
  30. access-list NoNAT permit ip 192.168.88.0 255.255.255.0 192.168.147.0 255.255.255.0
  31. access-list NoNAT permit ip 192.18.121.0 255.255.255.0 192.168.147.0 255.255.255.0
  32. access-list 150 permit ip 192.168.88.0 255.255.255.0 192.168.147.0 255.255.255.0
  33. access-list 150 permit ip 192.18.121.0 255.255.255.0 192.168.147.0 255.255.255.0
  34. pager lines 24
  35. mtu outside 1500
  36. mtu inside 1500
  37. mtu dmz 1500
  38. ip address outside 202.100.100.100 255.255.255.240
  39. ip address inside 192.168.8.81 255.255.255.240
  40. ip audit info action alarm
  41. ip audit attack action alarm
  42. pdm history enable
  43. arp timeout 14400
  44. global (outside) 10 interface
  45. global (outside) 10 202.100.100.101
  46. nat (inside) 0 access-list NoNAT
  47. nat (inside) 10 0.0.0.0 0.0.0.0 0 0
  48. static (inside,outside) tcp 202.100.100.101 ssh 192.168.188.251 ssh netmask 255.255.255.255 0 0
  49. static (inside,outside) tcp 202.100.100.101 3306 192.168.188.251 3306 netmask 255.255.255.255 0 0
  50. conduit permit icmp any any
  51. conduit permit tcp any eq ssh any
  52. conduit permit tcp any eq 3306 any
  53. route outside 0.0.0.0 0.0.0.0 200.100.100.1 1
  54. route inside 192.18.121.0 255.255.255.0 192.168.8.82 1
  55. route inside 192.168.88.0 255.255.255.0 192.168.8.82 1
  56. route inside 192.168.188.0 255.255.255.0 192.168.8.82 1
  57. route inside 192.168.201.0 255.255.255.0 192.168.8.82 1
  58. timeout xlate 3:00:00
  59. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  60. timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  61. timeout uauth 0:05:00 absolute
  62. aaa-server TACACS+ protocol tacacs+
  63. aaa-server RADIUS protocol radius
  64. aaa-server LOCAL protocol local
  65. no snmp-server location
  66. no snmp-server contact
  67. snmp-server community public
  68. no snmp-server enable traps
  69. floodguard enable
  70. sysopt connection permit-ipsec
  71. crypto ipsec transform-set chevelle esp-des esp-md5-hmac
  72. crypto map transam 3 ipsec-isakmp
  73. crypto map transam 3 match address 140
  74. crypto map transam 3 set peer 200.2.2.2
  75. crypto map transam 3 set transform-set chevelle
  76. crypto map transam 5 ipsec-isakmp
  77. crypto map transam 5 match address 150
  78. crypto map transam 5 set peer 200.3.3.3
  79. crypto map transam 5 set transform-set chevelle
  80. crypto map transam interface outside
  81. isakmp enable outside
  82. isakmp key ******** address 200.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
  83. isakmp key ******** address 200.3.3.3 netmask 255.255.255.255 no-xauth no-config-mode
  84. isakmp identity address
  85. isakmp policy 1 authentication pre-share
  86. isakmp policy 1 encryption des
  87. isakmp policy 1 hash md5
  88. isakmp policy 1 group 1
  89. isakmp policy 1 lifetime 1000
  90. telnet 192.168.88.0 255.255.255.0 inside
  91. telnet timeout 5
  92. ssh 0.0.0.0 0.0.0.0 outside
  93. ssh 0.0.0.0 0.0.0.0 inside
  94. ssh timeout 60
  95. management-access inside
  96. console timeout 0
  97. terminal width 80
  98. Cryptochecksum:e7b86f9334809d6729b4cef717cfa4c3
  99. : end



  1. fenbu1
  2. PIX Version 6.3(5)105
  3. interface ethernet0 auto
  4. interface ethernet1 auto
  5. interface ethernet2 auto shutdown
  6. interface ethernet3 auto shutdown
  7. nameif ethernet0 outside security0
  8. nameif ethernet1 inside security100
  9. nameif ethernet2 intf2 security4
  10. nameif ethernet3 intf3 security6
  11. enable password txRVih4pMuVm6qlI encrypted
  12. passwd .0mHd67BKR2OHO2V encrypted
  13. hostname TCSPIX
  14. domain-name ZSQ.CN
  15. fixup protocol dns maximum-length 512
  16. fixup protocol ftp 21
  17. fixup protocol h323 h225 1720
  18. fixup protocol h323 ras 1718-1719
  19. fixup protocol http 80
  20. fixup protocol rsh 514
  21. fixup protocol rtsp 554
  22. fixup protocol sip 5060
  23. fixup protocol sip udp 5060
  24. fixup protocol skinny 2000
  25. fixup protocol smtp 25
  26. fixup protocol sqlnet 1521
  27. fixup protocol tftp 69
  28. names
  29. access-list 140 permit ip 192.168.15.0 255.255.255.0 192.168.88.0 255.255.255.0
  30. access-list 140 permit ip 192.168.15.0 255.255.255.0 192.18.121.0 255.255.255.0
  31. access-list NoNAT permit ip 192.168.15.0 255.255.255.0 192.168.88.0 255.255.255.0
  32. access-list NoNAT permit ip 192.168.15.0 255.255.255.0 192.18.121.0 255.255.255.0
  33. pager lines 24
  34. mtu outside 1500
  35. mtu inside 1500
  36. mtu intf2 1500
  37. mtu intf3 1500
  38. ip address outside 200.2.2.2 255.255.255.248
  39. ip address inside 10.1.1.1 255.255.255.248
  40. no ip address intf2
  41. no ip address intf3
  42. ip audit info action alarm
  43. ip audit attack action alarm
  44. no failover
  45. failover timeout 0:00:00
  46. failover poll 15
  47. no failover ip address outside
  48. no failover ip address inside
  49. no failover ip address intf2
  50. no failover ip address intf3
  51. pdm history enable
  52. arp timeout 14400
  53. global (outside) 10 interface
  54. global (outside) 10 200.2.2.3
  55. global (outside) 10 200.2.2.4
  56. nat (inside) 0 access-list NoNAT
  57. nat (inside) 10 0.0.0.0 0.0.0.0 0 0
  58. static (inside,outside) tcp 200.2.2.3 10022 192.168.15.240 ssh netmask 255.255.255.255 0 0
  59. static (inside,outside) tcp 200.2.2.3 13306 192.168.15.240 3306 netmask 255.255.255.255 0 0
  60. static (inside,outside) tcp 200.2.2.3 8085 192.168.15.240 8085 netmask 255.255.255.255 0 0
  61. static (inside,outside) tcp 200.2.2.3 8088 192.168.15.240 8088 netmask 255.255.255.255 0 0
  62. static (inside,outside) tcp 200.2.2.3 8089 192.168.15.240 8089 netmask 255.255.255.255 0 0
  63. static (inside,outside) tcp 200.2.2.3 8888 192.168.15.240 8888 netmask 255.255.255.255 0 0
  64. static (inside,outside) tcp 200.2.2.3 8090 192.168.15.240 8090 netmask 255.255.255.255 0 0
  65. static (inside,outside) tcp 200.2.2.3 https 192.168.15.245 https netmask 255.255.255.255 0 0
  66. conduit permit icmp any any
  67. conduit permit tcp any eq 10022 any
  68. conduit permit tcp any eq 13306 any
  69. conduit permit tcp any eq 8085 any
  70. conduit permit tcp any eq 8088 any
  71. conduit permit tcp any eq 8089 any
  72. conduit permit tcp any eq 8888 any
  73. conduit permit tcp any eq 8090 any
  74. conduit permit tcp any eq https any
  75. route outside 0.0.0.0 0.0.0.0 200.2.2.1 1
  76. route inside 192.168.15.0 255.255.255.0 10.1.1.2 1
  77. timeout xlate 3:00:00
  78. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  79. timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  80. timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  81. timeout uauth 0:05:00 absolute
  82. aaa-server TACACS+ protocol tacacs+
  83. aaa-server TACACS+ max-failed-attempts 3
  84. aaa-server TACACS+ deadtime 10
  85. aaa-server RADIUS protocol radius
  86. aaa-server RADIUS max-failed-attempts 3
  87. aaa-server RADIUS deadtime 10
  88. aaa-server LOCAL protocol local
  89. no snmp-server location
  90. no snmp-server contact
  91. snmp-server community public
  92. no snmp-server enable traps
  93. floodguard enable
  94. sysopt connection permit-ipsec
  95. crypto ipsec transform-set chevelle esp-des esp-md5-hmac
  96. crypto map transam 3 ipsec-isakmp
  97. crypto map transam 3 match address 140
  98. crypto map transam 3 set peer 200.100.100.100
  99. crypto map transam 3 set transform-set chevelle
  100. crypto map transam interface outside
  101. isakmp enable outside
  102. isakmp key ******** address 200.100.100.100 netmask 255.255.255.255 no-xauth no-config-mode
  103. isakmp identity address
  104. isakmp policy 1 authentication pre-share
  105. isakmp policy 1 encryption des
  106. isakmp policy 1 hash md5
  107. isakmp policy 1 group 1
  108. isakmp policy 1 lifetime 1000
  109. telnet 192.168.15.0 255.255.255.0 inside
  110. telnet 10.1.1.0 255.255.255.248 inside
  111. telnet timeout 5
  112. ssh 0.0.0.0 0.0.0.0 outside
  113. ssh 0.0.0.0 0.0.0.0 inside
  114. ssh timeout 60
  115. management-access inside
  116. console timeout 0
  117. terminal width 80
  118. Cryptochecksum:72ae6d3955f615a4c2bf6443849d5b7f
  119. : end
备注:
这个机房连接的三层交换,vlan段是15段的,故VPN感兴趣流是15段,这里就不贴配置了,其实就是接口跟本PIX接口互联下。然后设置VLAN
  1. fenbu2
  2.     PIX Version 6.3(5)125
  3. interface ethernet0 auto
  4. interface ethernet1 auto
  5. interface ethernet2 auto shutdown
  6. interface ethernet3 auto shutdown
  7. nameif ethernet0 outside security0
  8. nameif ethernet1 inside security100
  9. nameif ethernet2 intf2 security4
  10. nameif ethernet3 intf3 security6
  11. enable password txRVih4pMuVm6qlI encrypted
  12. passwd .0mHd67BKR2OHO2V encrypted
  13. hostname pix-t
  14. domain-name dqtcs.cn
  15. fixup protocol dns maximum-length 512
  16. fixup protocol ftp 21
  17. fixup protocol h323 h225 1720
  18. fixup protocol h323 ras 1718-1719
  19. fixup protocol http 80
  20. fixup protocol rsh 514
  21. fixup protocol rtsp 554
  22. fixup protocol sip 5060
  23. fixup protocol sip udp 5060
  24. fixup protocol skinny 2000
  25. fixup protocol smtp 25
  26. fixup protocol sqlnet 1521
  27. fixup protocol tftp 69
  28. names
  29. object-group service Lync_RTP_UDP udp
  30.   port-object range 10000 20000
  31. access-list 150 permit ip 192.168.147.0 255.255.255.0 192.168.88.0 255.255.255.0
  32. access-list 150 permit ip 192.168.147.0 255.255.255.0 192.18.121.0 255.255.255.0
  33. access-list NoNAT permit ip 192.168.147.0 255.255.255.0 192.168.88.0 255.255.255.0
  34. access-list NoNAT permit ip 192.168.147.0 255.255.255.0 192.18.121.0 255.255.255.0
  35. pager lines 24
  36. mtu outside 1500
  37. mtu inside 1500
  38. mtu intf2 1500
  39. mtu intf3 1500
  40. ip address outside 200.3.3.3 255.255.255.248
  41. ip address inside 192.168.147.254 255.255.255.0
  42. no ip address intf2
  43. no ip address intf3
  44. ip audit info action alarm
  45. ip audit attack action alarm
  46. no failover
  47. failover timeout 0:00:00
  48. failover poll 15
  49. no failover ip address outside
  50. no failover ip address inside
  51. no failover ip address intf2
  52. no failover ip address intf3
  53. pdm history enable
  54. arp timeout 14400
  55. global (outside) 10 interface
  56. nat (inside) 0 access-list NoNAT
  57. nat (inside) 10 0.0.0.0 0.0.0.0 0 0
  58. static (inside,outside) tcp interface 10022 192.168.147.250 ssh netmask 255.255.255.255 0 0
  59. static (inside,outside) udp interface 10000 192.168.147.135 10000 netmask 255.255.255.255 0 0
  60. static (inside,outside) udp interface 10001 192.168.147.135 10001 netmask 255.255.255.255 0 0
  61. static (inside,outside) udp interface 10002 192.168.147.135 10002 netmask 255.255.255.255 0 0
  62. static (inside,outside) udp interface 10003 192.168.147.135 10003 netmask 255.255.255.255 0 0
  63. static (inside,outside) udp interface 10004 192.168.147.135 10004 netmask 255.255.255.255 0 0
  64. static (inside,outside) udp interface 10005 192.168.147.135 10005 netmask 255.255.255.255 0 0
  65. static (inside,outside) udp interface 10006 192.168.147.135 10006 netmask 255.255.255.255 0 0
  66. static (inside,outside) udp interface 10007 192.168.147.135 10007 netmask 255.255.255.255 0 0
  67. static (inside,outside) udp interface 10008 192.168.147.135 10008 netmask 255.255.255.255 0 0
  68. static (inside,outside) udp interface 10009 192.168.147.135 10009 netmask 255.255.255.255 0 0
  69. static (inside,outside) udp interface 65060 192.168.147.135 65060 netmask 255.255.255.255 0 0
  70. static (inside,outside) tcp interface 63540 192.168.147.135 63540 netmask 255.255.255.255 0 0
  71. static (inside,outside) udp interface 10010 192.168.147.135 10010 netmask 255.255.255.255 0 0
  72. conduit permit icmp any any
  73. conduit permit tcp any eq 10022 any
  74. conduit permit tcp any eq 63540 any
  75. conduit permit udp any eq 65060 any
  76. conduit permit udp any eq 5060 any
  77. conduit permit udp any eq 10000 any
  78. conduit permit udp any eq 10001 any
  79. conduit permit udp any eq 10002 any
  80. conduit permit udp any eq 10003 any
  81. conduit permit udp any eq 10004 any
  82. conduit permit udp any eq 10005 any
  83. conduit permit udp any eq 10006 any
  84. conduit permit udp any eq 10007 any
  85. conduit permit udp any eq 10008 any
  86. conduit permit udp any eq 10009 any
  87. conduit permit udp any eq 10010 any
  88. route outside 0.0.0.0 0.0.0.0 200.3.3.1 1
  89. timeout xlate 3:00:00
  90. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  91. timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  92. timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  93. timeout uauth 0:05:00 absolute
  94. aaa-server TACACS+ protocol tacacs+
  95. aaa-server TACACS+ max-failed-attempts 3
  96. aaa-server TACACS+ deadtime 10
  97. aaa-server RADIUS protocol radius
  98. aaa-server RADIUS max-failed-attempts 3
  99. aaa-server RADIUS deadtime 10
  100. aaa-server LOCAL protocol local
  101. no snmp-server location
  102. no snmp-server contact
  103. snmp-server community public
  104. no snmp-server enable traps
  105. floodguard enable
  106. sysopt connection permit-ipsec
  107. crypto ipsec transform-set chevelle esp-des esp-md5-hmac
  108. crypto map transam 2 ipsec-isakmp
  109. crypto map transam 2 match address 150
  110. crypto map transam 2 set peer 200.100.100.100
  111. crypto map transam 2 set transform-set chevelle
  112. crypto map transam interface outside
  113. isakmp enable outside
  114. isakmp key ******** address 200.100.100.100 netmask 255.255.255.255 no-xauth no-config-mode
  115. isakmp identity address
  116. isakmp policy 1 authentication pre-share
  117. isakmp policy 1 encryption des
  118. isakmp policy 1 hash md5
  119. isakmp policy 1 group 1
  120. isakmp policy 1 lifetime 1000
  121. telnet 0.0.0.0 0.0.0.0 inside
  122. telnet timeout 5
  123. ssh 0.0.0.0 0.0.0.0 outside
  124. ssh 0.0.0.0 0.0.0.0 inside
  125. ssh timeout 60
  126. management-access inside
  127. console timeout 0
  128. terminal width 80
  129. Cryptochecksum:9013788574c09419e12d829bb6767c2b
  130. : end
阅读(1017) | 评论(0) | 转发(0) |
0

上一篇:sar

下一篇:grep命令详解

给主人留下些什么吧!~~