配置Cisco PIX防火墙实现双出口-huoniao326-ChinaUnix博客

绵雨之后的下午，静看着西天的云彩

首页　| 　博文目录　| 　关于我

huoniao326

博客访问： 896937
博文数量： 148
博客积分： 10010
博客等级：上将
技术积分： 3920
用户组：普通用户
注册时间： 2007-06-30 18:17

文章分类

全部博文（148）

在晓通的日子（0）

硬件（0）

交换（0）

无线（0）

语音（0）

生活（0）

技术（0）
大学的日子（148）

工程常识（23）

以太网（2）

TCP/IP格式（1）

信息安全（1）

Multicast（0）

NS-2（7）

ASP（1）

VB.NET（3）

画图（5）

C语言（2）

SNMP（1）

基本概念（2）

解决方案（1）

防火墙（1）

交换机产品（9）

路由器产品（9）

典型配置&配置实（9）

设备选购（8）

英通文档（0）

问题积累（4）

小东西（10）

精（12）

编程设计（1）

网络技术（2）

服务器（0）

在做solaris的日（0）

CISCO（3）

单片机（0）

故障排除（1）

backup（0）

AAA（0）

security（0）

Juniper（0）

h3c（0）

IOS-features（0）

NAT（0）

EIGRP（0）

RIP（0）

ISDN（0）

ATM（0）

STP（0）

VLAN（2）

IPV6（8）

BGP（0）

OSPF（0）

IS-IS（0）

PIX（3）

VoIP（1）

VPN（0）

QOS（0）

MPLS（0）

VC++（12）

cdle（0）

安防技术（0）

FreeBSD（0）

流量监控（0）

服务器（0）

windows 2003 ser（4）

linux AS4.0（0）
未分配的博文（0）

文章存档

2008年（148）

我的朋友

相关博文

配置Cisco PIX防火墙实现双出口

分类：系统运维

2008-04-17 17:26:53

配置Cisco PIX防火墙实现双出口

一、用户需求
　　用户有一台Cisco PIX 515E防火墙，一个网通的出口，一个电信的出口。现在要实现默认都往电信线路出去，而访问网通的网站时使用网通的线路出去。

　　二、实现要点

　　1、首先要收集网通的IP网段（这个可以在网络上搜索，或者电信的朋友要一份）；

　　2、在路由方面，由于Cisco PIX是偏向于防火墙的功能，因此PIX在路由方面是比较弱的无法通过策略路由来实现，在此我使用了默认路由往设成电信的网关，同时添加网通IP网段的静态路由。这样实现了两个出口路由的走向。

　　3、在NAT方面，要配置两条NAT，其中一条是通往网通的转换成网通的出口IP，另一条是通往电信的转换成电信的出口IP，这个NAT应该是网通的NAT要配置在电信NAT前面，否则将无法实现。

　　三、Cisco PIX双出口配置

　　3.1 环境描述

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet5 teloutside security0
ip address outside 224.254.14.164 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address teloutside 202.99.114.91 255.255.255.128
#备注：outside为网通线路出口；teloutside为电信线路出口；inside为内网接口；

　　3.2双出口实现

　　A、网通IP网段定义

object-group network wtnetwork
network-object 58.16.0.0 255.248.0.0
network-object 58.100.0.0 255.254.0.0
network-object 58.240.0.0 255.240.0.0
network-object 60.0.0.0 255.248.0.0
network-object 60.8.0.0 255.252.0.0
network-object 60.12.0.0 255.255.0.0
network-object 60.13.0.0 255.255.192.0
network-object 60.13.128.0 255.255.128.0
network-object 60.16.0.0 255.240.0.0
network-object 60.24.0.0 255.248.0.0
network-object 60.31.0.0 255.255.0.0
network-object 60.208.0.0 255.248.0.0
network-object 60.216.0.0 255.254.0.0
network-object 60.220.0.0 255.252.0.0
network-object 61.48.0.0 255.252.0.0
network-object 61.52.0.0 255.254.0.0
network-object 61.54.0.0 255.255.0.0
network-object 61.55.0.0 255.255.0.0
network-object 61.133.0.0 255.255.128.0
network-object 61.134.64.0 255.255.192.0
network-object 61.134.128.0 255.255.128.0
network-object 61.135.0.0 255.255.0.0
network-object 61.136.0.0 255.255.0.0
network-object 61.138.0.0 255.255.128.0
network-object 61.139.128.0 255.255.192.0
network-object 61.148.0.0 255.255.0.0
network-object 61.149.0.0 255.255.0.0
network-object 61.156.0.0 255.255.0.0
network-object 61.158.0.0 255.255.0.0
network-object 61.159.0.0 255.255.192.0
network-object 61.161.0.0 255.255.192.0
network-object 61.161.128.0 255.255.128.0
network-object 61.162.0.0 255.255.0.0
network-object 61.163.0.0 255.255.0.0
network-object 61.167.0.0 255.255.0.0
network-object 61.168.0.0 255.255.0.0
network-object 61.176.0.0 255.255.0.0
network-object 61.179.0.0 255.255.0.0
network-object 61.180.128.0 255.255.128.0
network-object 61.181.0.0 255.255.0.0
network-object 61.182.0.0 255.255.0.0
network-object 61.189.0.0 255.255.128.0
network-object 124.90.0.0 255.254.0.0
network-object 124.162.0.0 255.255.0.0
network-object 202.32.0.0 255.224.0.0
network-object 202.96.64.0 255.255.224.0
network-object 202.97.128.0 255.255.128.0
network-object 202.98.0.0 255.255.224.0
network-object 202.99.0.0 255.255.0.0
network-object 202.102.128.0 255.255.192.0
network-object 202.102.224.0 255.255.254.0
network-object 202.106.0.0 255.255.0.0
network-object 202.107.0.0 255.255.128.0
network-object 202.108.0.0 255.255.0.0
network-object 202.110.0.0 255.255.128.0
network-object 202.110.192.0 255.255.192.0
network-object 202.111.128.0 255.255.192.0
network-object 203.79.0.0 255.255.0.0
network-object 203.80.0.0 255.255.0.0
network-object 203.81.0.0 255.255.224.0
network-object 203.86.32.0 255.255.224.0
network-object 203.86.64.0 255.255.224.0
network-object 203.90.0.0 255.255.128.0
network-object 203.90.128.0 255.255.192.0
network-object 203.90.192.0 255.255.224.0
network-object 203.92.0.0 255.254.0.0
network-object 210.12.0.0 255.255.128.0
network-object 210.12.192.0 255.255.192.0
network-object 210.13.0.0 255.255.255.0
network-object 210.14.160.0 255.255.224.0
network-object 210.14.192.0 255.255.192.0
network-object 210.15.0.0 255.255.128.0
network-object 210.15.128.0 255.255.192.0
network-object 210.16.128.0 255.255.192.0
network-object 210.21.0.0 255.255.0.0
network-object 210.22.0.0 255.255.0.0
network-object 210.51.0.0 255.255.0.0
network-object 210.52.0.0 255.254.0.0
network-object 210.52.128.0 255.255.128.0
network-object 210.53.0.0 255.255.0.0
network-object 210.74.64.0 255.255.192.0
network-object 210.74.128.0 255.255.192.0
network-object 210.78.0.0 255.255.224.0
network-object 210.82.0.0 255.254.0.0
network-object 211.100.0.0 255.255.0.0
network-object 211.101.0.0 255.255.192.0
network-object 211.147.0.0 255.255.0.0
network-object 211.167.96.0 255.255.224.0
network-object 218.4.0.0 255.252.0.0
network-object 218.10.0.0 255.254.0.0
network-object 218.21.128.0 255.255.128.0
network-object 218.24.0.0 255.254.0.0
network-object 218.26.0.0 255.255.0.0
network-object 218.27.0.0 255.255.0.0
network-object 218.28.0.0 255.254.0.0
network-object 218.56.0.0 255.252.0.0
network-object 218.60.0.0 255.254.0.0
network-object 218.62.0.0 255.255.128.0
network-object 218.67.128.0 255.255.128.0
network-object 218.68.0.0 255.254.0.0
network-object 218.109.159.0 255.255.255.0
network-object 219.141.128.0 255.255.128.0
network-object 219.142.0.0 255.254.0.0
network-object 219.154.0.0 255.254.0.0
network-object 219.156.0.0 255.254.0.0
network-object 219.158.0.0 255.255.0.0
network-object 219.159.0.0 255.255.192.0
network-object 220.248.0.0 255.252.0.0
network-object 220.252.0.0 255.255.0.0
network-object 221.0.0.0 255.252.0.0
network-object 221.4.0.0 255.254.0.0
network-object 221.6.0.0 255.255.0.0
network-object 221.7.128.0 255.255.128.0
network-object 221.8.0.0 255.254.0.0
network-object 221.10.0.0 255.255.0.0
network-object 221.11.0.0 255.255.128.0
network-object 221.12.0.0 255.252.0.0
network-object 221.12.0.0 255.255.128.0
network-object 221.12.128.0 255.255.192.0
network-object 221.192.0.0 255.252.0.0
network-object 221.195.0.0 255.255.0.0
network-object 221.196.0.0 255.254.0.0
network-object 221.199.0.0 255.255.224.0
network-object 221.199.32.0 255.255.240.0
network-object 221.199.128.0 255.255.192.0
network-object 221.199.192.0 255.255.240.0
network-object 221.200.0.0 255.252.0.0
network-object 221.204.0.0 255.254.0.0
network-object 221.207.0.0 255.255.192.0
network-object 221.208.0.0 255.240.0.0
network-object 221.208.0.0 255.252.0.0
network-object 221.213.0.0 255.255.0.0
network-object 221.214.0.0 255.254.0.0
network-object 222.128.0.0 255.252.0.0
network-object 222.132.0.0 255.252.0.0
network-object 222.136.0.0 255.248.0.0
network-object 222.160.0.0 255.252.0.0
network-object 222.163.0.0 255.255.224.0

　　B、定义Access-list 为作NAT准备

　　access-list 101 permit ip 192.168.0.0 object-group wtnetwork

　　#内部网络到网通IP网段的Access-list

　　access-list 104 permit ip 192.168.0.0 255.255.255.0 any

　　#内部网络到任何IP的Access-list

　　C、NAT配置

　　global （outside） 1 interface

　　#定义NAT ID 1为网通的出口ip

　　global （teloutside） 4 interface

　　#定义NAT ID 4为电信的出口ip

　　nat （inside） 1 access-list 101

　　#定义符合access-list 101（就是内部到网通IP网段）就转换成NAT ID 1的IP（网通的出口）

　　nat （inside） 5 access-list 105

　　#定义符合access-list 101（就是内部到网通IP网段）就转换成NAT ID 1的IP（网通的出口）

　　注意：nat （inside） 1 access-list 101一定要在nat （inside） 5 access-list 105前面。

　　D、Route路由配置

#####添加默认路由往电信的网关出去################
route teloutside 0.0.0.0 0.0.0.0 202.99.114.126 1
##################################################
#######添加静态路由往网通IP网段往网通的网关出去######
route outside 58.16.0.0 255.248.0.0 224.254.14.161
route outside 58.100.0.0 255.254.0.0 224.254.14.161
route outside 58.240.0.0 255.240.0.0 224.254.14.161
route outside 60.0.0.0 255.248.0.0 224.254.14.161
route outside 60.8.0.0 255.252.0.0 224.254.14.161
route outside 60.12.0.0 255.255.0.0 224.254.14.161
route outside 60.13.0.0 255.255.192.0 224.254.14.161
route outside 60.13.128.0 255.255.128.0 224.254.14.161
route outside 60.16.0.0 255.240.0.0 224.254.14.161
route outside 60.24.0.0 255.248.0.0 224.254.14.161
route outside 60.31.0.0 255.255.0.0 224.254.14.161
route outside 60.208.0.0 255.248.0.0 224.254.14.161
route outside 60.216.0.0 255.254.0.0 224.254.14.161
route outside 60.220.0.0 255.252.0.0 224.254.14.161
route outside 61.48.0.0 255.252.0.0 224.254.14.161
route outside 61.52.0.0 255.254.0.0 224.254.14.161
route outside 61.54.0.0 255.255.0.0 224.254.14.161
route outside 61.55.0.0 255.255.0.0 224.254.14.161
route outside 61.133.0.0 255.255.128.0 224.254.14.161
route outside 61.134.64.0 255.255.192.0 224.254.14.161
route outside 61.134.128.0 255.255.128.0 224.254.14.161
route outside 61.135.0.0 255.255.0.0 224.254.14.161
route outside 61.136.0.0 255.255.0.0 224.254.14.161
route outside 61.138.0.0 255.255.128.0 224.254.14.161
route outside 61.139.128.0 255.255.192.0 224.254.14.161
route outside 61.148.0.0 255.255.0.0 224.254.14.161
route outside 61.149.0.0 255.255.0.0 224.254.14.161
route outside 61.156.0.0 255.255.0.0 224.254.14.161
route outside 61.158.0.0 255.255.0.0 224.254.14.161
route outside 61.159.0.0 255.255.192.0 224.254.14.161
route outside 61.161.0.0 255.255.192.0 224.254.14.161
route outside 61.161.128.0 255.255.128.0 224.254.14.161
route outside 61.162.0.0 255.255.0.0 224.254.14.161
route outside 61.163.0.0 255.255.0.0 224.254.14.161
route outside 61.167.0.0 255.255.0.0 224.254.14.161
route outside 61.168.0.0 255.255.0.0 224.254.14.161
route outside 61.176.0.0 255.255.0.0 224.254.14.161
route outside 61.179.0.0 255.255.0.0 224.254.14.161
route outside 61.180.128.0 255.255.128.0 224.254.14.161
route outside 61.181.0.0 255.255.0.0 224.254.14.161
route outside 61.182.0.0 255.255.0.0 224.254.14.161
route outside 61.189.0.0 255.255.128.0 224.254.14.161
route outside 124.90.0.0 255.254.0.0 224.254.14.161
route outside 124.162.0.0 255.255.0.0 224.254.14.161
route outside 202.32.0.0 255.224.0.0 224.254.14.161
route outside 202.96.64.0 255.255.224.0 224.254.14.161
route outside 202.97.128.0 255.255.128.0 224.254.14.161
route outside 202.98.0.0 255.255.224.0 224.254.14.161
route outside 202.99.0.0 255.255.0.0 224.254.14.161
route outside 202.102.128.0 255.255.192.0 224.254.14.161
route outside 202.102.224.0 255.255.254.0 224.254.14.161
route outside 202.106.0.0 255.255.0.0 224.254.14.161
route outside 202.107.0.0 255.255.128.0 224.254.14.161
route outside 202.108.0.0 255.255.0.0 224.254.14.161
route outside 202.110.0.0 255.255.128.0 224.254.14.161
route outside 202.110.192.0 255.255.192.0 224.254.14.161
route outside 202.111.128.0 255.255.192.0 224.254.14.161
route outside 203.79.0.0 255.255.0.0 224.254.14.161
route outside 203.80.0.0 255.255.0.0 224.254.14.161
route outside 203.81.0.0 255.255.224.0 224.254.14.161
route outside 203.86.32.0 255.255.224.0 224.254.14.161
route outside 203.86.64.0 255.255.224.0 224.254.14.161
route outside 203.90.0.0 255.255.128.0 224.254.14.161
route outside 203.90.128.0 255.255.192.0 224.254.14.161
route outside 203.90.192.0 255.255.224.0 224.254.14.161
route outside 203.92.0.0 255.254.0.0 224.254.14.161
route outside 210.12.0.0 255.255.128.0 224.254.14.161
route outside 210.12.192.0 255.255.192.0 224.254.14.161
route outside 210.13.0.0 255.255.255.0 224.254.14.161
route outside 210.14.160.0 255.255.224.0 224.254.14.161
route outside 210.14.192.0 255.255.192.0 224.254.14.161
route outside 210.15.0.0 255.255.128.0 224.254.14.161
route outside 210.15.128.0 255.255.192.0 224.254.14.161
route outside 210.16.128.0 255.255.192.0 224.254.14.161
route outside 210.21.0.0 255.255.0.0 224.254.14.161
route outside 210.22.0.0 255.255.0.0 224.254.14.161
route outside 210.51.0.0 255.255.0.0 224.254.14.161
route outside 210.52.0.0 255.254.0.0 224.254.14.161
route outside 210.52.128.0 255.255.128.0 224.254.14.161
route outside 210.53.0.0 255.255.0.0 224.254.14.161
route outside 210.74.64.0 255.255.192.0 224.254.14.161
route outside 210.74.128.0 255.255.192.0 224.254.14.161
route outside 210.78.0.0 255.255.224.0 224.254.14.161
route outside 210.82.0.0 255.254.0.0 224.254.14.161
route outside 211.100.0.0 255.255.0.0 224.254.14.161
route outside 211.101.0.0 255.255.192.0 224.254.14.161
route outside 211.147.0.0 255.255.0.0 224.254.14.161
route outside 211.167.96.0 255.255.224.0 224.254.14.161
route outside 218.4.0.0 255.252.0.0 224.254.14.161
route outside 218.10.0.0 255.254.0.0 224.254.14.161
route outside 218.21.128.0 255.255.128.0 224.254.14.161
route outside 218.24.0.0 255.254.0.0 224.254.14.161
route outside 218.26.0.0 255.255.0.0 224.254.14.161
route outside 218.27.0.0 255.255.0.0 224.254.14.161
route outside 218.28.0.0 255.254.0.0 224.254.14.161
route outside 218.56.0.0 255.252.0.0 224.254.14.161
route outside 218.60.0.0 255.254.0.0 224.254.14.161
route outside 218.62.0.0 255.255.128.0 224.254.14.161
route outside 218.67.128.0 255.255.128.0 224.254.14.161
route outside 218.68.0.0 255.254.0.0 224.254.14.161
route outside 218.109.159.0 255.255.255.0 224.254.14.161
route outside 219.141.128.0 255.255.128.0 224.254.14.161
route outside 219.142.0.0 255.254.0.0 224.254.14.161
route outside 219.154.0.0 255.254.0.0 224.254.14.161
route outside 219.156.0.0 255.254.0.0 224.254.14.161
route outside 219.158.0.0 255.255.0.0 224.254.14.161
route outside 219.159.0.0 255.255.192.0 224.254.14.161
route outside 220.248.0.0 255.252.0.0 224.254.14.161
route outside 220.252.0.0 255.255.0.0 224.254.14.161
route outside 221.0.0.0 255.252.0.0 224.254.14.161
route outside 221.4.0.0 255.254.0.0 224.254.14.161
route outside 221.6.0.0 255.255.0.0 224.254.14.161
route outside 221.7.128.0 255.255.128.0 224.254.14.161
route outside 221.8.0.0 255.254.0.0 224.254.14.161
route outside 221.10.0.0 255.255.0.0 224.254.14.161
route outside 221.11.0.0 255.255.128.0 224.254.14.161
route outside 221.12.0.0 255.252.0.0 224.254.14.161
route outside 221.12.0.0 255.255.128.0 224.254.14.161
route outside 221.12.128.0 255.255.192.0 224.254.14.161
route outside 221.192.0.0 255.252.0.0 224.254.14.161
route outside 221.195.0.0 255.255.0.0 224.254.14.161
route outside 221.196.0.0 255.254.0.0 224.254.14.161
route outside 221.199.0.0 255.255.224.0 224.254.14.161
route outside 221.199.32.0 255.255.240.0 224.254.14.161
route outside 221.199.128.0 255.255.192.0 224.254.14.161
route outside 221.199.192.0 255.255.240.0 224.254.14.161
route outside 221.200.0.0 255.252.0.0 224.254.14.161
route outside 221.204.0.0 255.254.0.0 224.254.14.161
route outside 221.207.0.0 255.255.192.0 224.254.14.161
route outside 221.208.0.0 255.240.0.0 224.254.14.161
route outside 221.208.0.0 255.252.0.0 224.254.14.161
route outside 221.213.0.0 255.255.0.0 224.254.14.161
route outside 221.214.0.0 255.254.0.0 224.254.14.161
route outside 222.128.0.0 255.252.0.0 224.254.14.161
route outside 222.132.0.0 255.252.0.0 224.254.14.161
route outside 222.136.0.0 255.248.0.0 224.254.14.161
route outside 222.160.0.0 255.252.0.0 224.254.14.161
route outside 222.163.0.0 255.255.224.0 224.254.14.161
#备注：224.254.14.161为通往的网通的网关，##################

　　四、实现效果

　　目前国内的骨干网分为南、北两张网。南电信北网通，不通运营商之间的通讯都需要到骨干进行数据交换，因此网通的用户访问电信网站很慢而电信用户访问方位网通网站也很慢，因此对大型网络设置双出口可以使不同运营商之间网络访问速度得到改善，本文档是在这一背景下产生的需求。

阅读(818) | 评论(0) | 转发(0) |

上一篇：PIX配置详解

下一篇：MySQL基本语句和连接字符串

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6