Cisco PIX firewall: configuration for ***

Time: 2020-04-01 23:50:41

PIX configuration for ***

Network layout: the centre runs a PIX 525; the branches below it run a PIX 515 and a PIX 506, connected by ***.

Below is the configuration of the central PIX 525:

PIX Version 6.3(1)

interface ethernet0 auto    set port 0 speed to auto-negotiate

interface ethernet1 100full    set port 1 to 100 Mbit/s full duplex

interface ethernet2 auto    set port 2 speed to auto-negotiate

nameif ethernet0 outside security0    name port 0 "outside" with security level 0

nameif ethernet1 inside security100    name port 1 "inside" with security level 100

nameif ethernet2 dmz security50    name port 2 "dmz" with security level 50

enable password Dv0yXUGPM3Xt7xVs encrypted    privileged-mode (enable) password

passwd 2KFQnbNIdI.2KYOU encrypted    login password

hostname XXXX    set the firewall's hostname

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

no fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

The fixup commands let the administrator view, change, enable or disable a service or protocol passing through the PIX firewall. The firewall enables inspection for some common ports by default, but proprietary ports such as ORACLE's must be enabled explicitly.

names

access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.170.0 255.255.255.0

access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0

access-list 101 permit ip 192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0

access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0

Create an access list permitting addresses in specific subnets to reach certain other subnets.

access-list 120 deny icmp 192.168.2.0 255.255.255.0 any

access-list 120 deny icmp 192.168.3.0 255.255.255.0 any

access-list 120 deny icmp 192.168.4.0 255.255.255.0 any

access-list 120 deny icmp 192.168.5.0 255.255.255.0 any

access-list 120 deny icmp 192.168.6.0 255.255.255.0 any

access-list 120 deny icmp 192.168.7.0 255.255.255.0 any

access-list 120 deny icmp 192.168.8.0 255.255.255.0 any

access-list 120 deny icmp 192.168.9.0 255.255.255.0 any

access-list 120 deny icmp 192.168.10.0 255.255.255.0 any

access-list 120 deny icmp 192.168.11.0 255.255.255.0 any

access-list 120 deny icmp 192.168.12.0 255.255.255.0 any

access-list 120 deny icmp 192.168.13.0 255.255.255.0 any

access-list 120 deny icmp 192.168.14.0 255.255.255.0 any

access-list 120 deny icmp 192.168.15.0 255.255.255.0 any

access-list 120 deny icmp 192.168.16.0 255.255.255.0 any

access-list 120 deny icmp 192.168.17.0 255.255.255.0 any

access-list 120 deny icmp 192.168.18.0 255.255.255.0 any

access-list 120 deny icmp 192.168.19.0 255.255.255.0 any

access-list 120 deny icmp 192.168.20.0 255.255.255.0 any

access-list 120 deny icmp 192.168.21.0 255.255.255.0 any

access-list 120 deny icmp 192.168.22.0 255.255.255.0 any

access-list 120 deny udp any any eq netbios-ns

access-list 120 deny udp any any eq netbios-dgm

access-list 120 deny udp any any eq 4444

access-list 120 deny udp any any eq 1205

access-list 120 deny udp any any eq 1209

access-list 120 deny tcp any any eq 445

access-list 120 deny tcp any any range 135 netbios-ssn

access-list 120 permit ip any any

Create access list 120 to block ICMP between the various subnets and to deny traffic on ports 135, 137 and the like (mainly to stop the Blaster worm).
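As an added illustration (not part of the original configuration and not Cisco's code), the following Python evaluator parses a constructed subset of access-list 120 above and applies PIX first-match semantics: the first matching entry decides, and a list that matches nothing denies. It handles the `any`, `host` and subnet-mask address forms and the named ports used above (netbios-ns 137, netbios-dgm 138, netbios-ssn 139); the parser covers only the syntax that appears in this list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known service names accepted in PIX access-list syntax (subset used above).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Constructed subset of access-list 120 from the configuration above.
ACL_120_LINES = """
access-list 120 deny icmp 192.168.2.0 255.255.255.0 any
access-list 120 deny icmp 192.168.3.0 255.255.255.0 any
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 4444
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any range 135 netbios-ssn
access-list 120 permit ip any any
""".strip().splitlines()


@dataclass
class Ace:
    """One access control entry: action, protocol, source, destination, optional destination port range."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _addr(tokens, i):
    """Consume an address specification starting at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access lists use real subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    tok = line.split()
    # access-list <id> <permit|deny> <proto> <src> <dst> [eq <port> | range <low> <high>]
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    ports = None
    if i < len(tok):
        if tok[i] == "eq":
            p = _port(tok[i + 1])
            ports = (p, p)
        elif tok[i] == "range":
            ports = (_port(tok[i + 1]), _port(tok[i + 2]))
    return Ace(action, proto, src, dst, ports)


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; a list that matches nothing denies (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.ports is not None:
            if dst_port is None or not (ace.ports[0] <= dst_port <= ace.ports[1]):
                continue
        return ace.action
    return "deny"


ACL_120 = [parse_ace(line) for line in ACL_120_LINES]

if __name__ == "__main__":
    for pkt in [("icmp", "192.168.2.10", "192.168.99.1", None),
                ("tcp", "10.0.0.1", "192.168.12.100", 139),
                ("tcp", "10.0.0.1", "192.168.12.100", 80)]:
        print(pkt, "->", evaluate(ACL_120, *pkt))
```

Running it shows why the final `permit ip any any` matters: without it, the implicit deny would drop everything the earlier entries did not explicitly deny, which is the opposite of the intent described above.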

access-list 110 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0

pager lines 24

logging on

logging monitor debugging

logging buffered debugging

logging trap notifications

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 218.XX.45.4 255.255.255.224    set the outside interface address

ip address inside 192.168.1.254 255.255.255.0    set the inside interface address

ip address dmz 192.168.19.1 255.255.255.0    set the DMZ interface address

ip audit info action alarm

ip audit attack action alarm

ip local pool huayao 192.168.170.1-192.168.170.254

Create an address pool named huayao covering 192.168.170.1-192.168.170.254.

ip local pool yiyuan 192.168.180.1-192.168.180.254

Create an address pool named yiyuan covering 192.168.180.1-192.168.180.254.

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

no pdm history enable

arp timeout 14400

Failover is not used.

global (outside) 1 218.XX.45.13-218.XX.45.28

global (outside) 1 218.XX.45.7-218.XX.45.9

global (outside) 1 218.XX.45.10

Define the global address or address ranges that inside addresses will be translated to.

nat (inside) 0 access-list 101

Addresses matching access list 101 are not translated; they are visible as-is to the remote network.

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

Inside network addresses are translated to outside addresses.

nat (dmz) 1 192.168.0.0 255.255.0.0 0 0

DMZ network addresses are translated to outside addresses.

static (inside,outside) 218.X.45.5 192.168.12.100 netmask 255.255.255.255 0 0

static (inside,outside) 218.X45.12 192.168.12.158 netmask 255.255.255.255 0 0

static (inside,outside) 218.X45.3 192.168.2.4 netmask 255.255.255.255 0 0

One-to-one static translations between fixed inside hosts and fixed public IPs.

static (dmz,outside) 218.X.45.2 192.168.19.2 netmask 255.255.255.255 0 0

One-to-one static translation between a fixed DMZ host and a fixed public IP.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

One-to-one static translation between inside hosts and DMZ addresses.

static (dmz,outside) 218.X.45.29 192.168.19.3 netmask 255.255.255.255 0 0

One-to-one static translation between a fixed DMZ host and a fixed public IP.
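To show how the three translation mechanisms above interact, here is an added Python model (not the page's configuration and not Cisco's code) of the PIX 6.3 precedence order for inside-to-outside traffic: NAT exemption via `nat 0 access-list` is consulted first, then `static`, then dynamic `nat`/`global`. The public addresses on the page are partially redacted, so placeholder addresses from 203.0.113.0/24 stand in for them, and the global pool is shortened to two constructed addresses so that the fallback to the single-address `global` statement (PAT) becomes visible.

```python
import ipaddress

Net = ipaddress.ip_network

# NAT exemption list (nat (inside) 0 access-list 101) as (source, destination)
# network pairs, taken from access-list 101 above.
NAT0_ACL_101 = [
    (Net("192.168.99.0/24"), Net("192.168.170.0/24")),
    (Net("192.168.12.0/24"), Net("192.168.180.0/24")),
    (Net("192.168.23.0/24"), Net("192.168.180.0/24")),
    (Net("192.168.99.0/24"), Net("192.168.101.0/24")),
]

# static (inside,outside) entries. The page's public addresses are redacted
# (218.X.45.5 ...), so documentation-range placeholders are used here.
STATIC_INSIDE_OUTSIDE = {
    "192.168.12.100": "203.0.113.5",
    "192.168.12.158": "203.0.113.12",
    "192.168.2.4": "203.0.113.3",
}

# nat (inside) 1 192.168.0.0 255.255.0.0
NAT1_SOURCE = Net("192.168.0.0/16")


class Translator:
    """Decide how an inside->outside packet is translated, in PIX 6.3 precedence
    order: NAT exemption (nat 0 access-list) > static > dynamic nat/global."""

    def __init__(self, pool, pat_addr):
        self.pool = list(pool)      # addresses from 'global ... <low>-<high>' ranges (dynamic NAT)
        self.pat_addr = pat_addr    # single-address 'global': used for PAT once the pool is exhausted
        self.xlate = {}             # inside ip -> (kind, mapped address), the translation table
        self.next_pat_port = 1024   # constructed starting port; the real PIX port choice differs

    def translate(self, src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # 1. NAT exemption: the source keeps its real address for matching destinations
        for src_net, dst_net in NAT0_ACL_101:
            if s in src_net and d in dst_net:
                return ("exempt", src_ip)
        # 2. Static one-to-one translation
        if src_ip in STATIC_INSIDE_OUTSIDE:
            return ("static", STATIC_INSIDE_OUTSIDE[src_ip])
        # 3. Dynamic NAT from the global pool, falling back to PAT
        if s not in NAT1_SOURCE:
            return ("none", None)
        if src_ip in self.xlate:
            return self.xlate[src_ip]
        in_use = {mapped for kind, mapped in self.xlate.values() if kind == "dynamic"}
        free = [g for g in self.pool if g not in in_use]
        if free:
            entry = ("dynamic", free[0])
        else:
            entry = ("pat", f"{self.pat_addr}:{self.next_pat_port}")
            self.next_pat_port += 1
        self.xlate[src_ip] = entry
        return entry


if __name__ == "__main__":
    t = Translator(["203.0.113.7", "203.0.113.8"], "203.0.113.10")
    for src, dst in [("192.168.99.5", "192.168.170.9"), ("192.168.12.100", "192.168.180.5"),
                     ("192.168.12.100", "198.51.100.1"), ("192.168.3.1", "198.51.100.1"),
                     ("192.168.3.2", "198.51.100.1"), ("192.168.3.3", "198.51.100.1")]:
        print(src, "->", dst, t.translate(src, dst))
```

The second sample packet is the instructive one: 192.168.12.100 has a static mapping, yet toward 192.168.180.0/24 it is sent untranslated because the exemption list is checked first. The model keeps translation entries forever; a real PIX expires them after the `timeout xlate` interval configured below.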

access-group 120 in interface outside

access-group 120 in interface inside

access-group 120 in interface dmz

Apply the access list to the interfaces.

conduit permit tcp host 218.XX.45.2 any

conduit permit tcp host 218.XX45.3 any

conduit permit tcp host 218.X.45.12 any

conduit permit tcp host 218.X.45.29 any

Conduit: allow any address to reach the global addresses over TCP.

conduit permit icmp 192.168.99.0 255.255.255.0 any

Conduit: allow any address to ping 192.168.99.0 255.255.255.0.

rip outside passive version 2

rip inside passive version 2

route outside 0.0.0.0 0.0.0.0 218.X.45.1 1

Set the default route toward the telecom carrier's side.

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1

route inside 192.168.3.0 255.255.255.0 192.168.1.1 1

route inside 192.168.4.0 255.255.255.0 192.168.1.1 1

route inside 192.168.5.0 255.255.255.0 192.168.1.1 1

route inside 192.168.6.0 255.255.255.0 192.168.1.1 1

route inside 192.168.7.0 255.255.255.0 192.168.1.1 1

route inside 192.168.8.0 255.255.255.0 192.168.1.1 1

route inside 192.168.9.0 255.255.255.0 192.168.1.1 1

route inside 192.168.10.0 255.255.255.0 192.168.1.1 1

route inside 192.168.11.0 255.255.255.0 192.168.1.1 1

route inside 192.168.12.0 255.255.255.0 192.168.1.1 1

route inside 192.168.13.0 255.255.255.0 192.168.1.1 1

route inside 192.168.14.0 255.255.255.0 192.168.1.1 1

route inside 192.168.15.0 255.255.255.0 192.168.1.1 1

route inside 192.168.16.0 255.255.255.0 192.168.1.1 1

route inside 192.168.17.0 255.255.255.0 192.168.1.1 1

route inside 192.168.18.0 255.255.255.0 192.168.1.1 1

route inside 192.168.20.0 255.255.255.0 192.168.1.1 1

route inside 192.168.21.0 255.255.255.0 192.168.1.1 1

route inside 192.168.22.0 255.255.255.0 192.168.1.1 1

route inside 192.168.23.0 255.255.255.0 192.168.1.1 1

route inside 192.168.24.0 255.255.255.0 192.168.1.1 1

route inside 192.168.88.0 255.255.255.0 192.168.1.1 1

route inside 192.168.99.0 255.255.255.0 192.168.1.1 1

Set routes pointing back to the internal subnets (the subnets behind the 4006S3).

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

service resetinbound

service resetoutside

crypto ipsec transform-set myset esp-des esp-md5-hmac

Define a transform set named myset.

crypto dynamic-map dynmap 10 set transform-set myset

Create a dynamic crypto map named dynmap from the myset transform set (optional).

crypto map *** 10 ipsec-isakmp dynamic dynmap

Apply the dynmap dynamic crypto map as the IPsec policy template (optional).

crypto map *** 20 ipsec-isakmp

Use IKE to establish the IPsec security association that protects the traffic selected by this crypto map entry.

crypto map *** 20 match address 110

Assign access list 110 to the crypto map as the traffic-matching list.

crypto map *** 20 set peer 218.XX.73.41

Specify the IPsec peer in the crypto map entry (this address is Huasheng's outside interface).

crypto map *** 20 set transform-set myset

Specify that transform set myset may be used for this crypto map entry.

crypto map *** client configuration address initiate

Instruct the PIX firewall to attempt to assign an IP address to each peer.

crypto map *** client configuration address respond

Instruct the PIX firewall to accept IP address requests from any requesting peer.

crypto map *** interface outside

Apply the crypto map to the outside interface.

isakmp enable outside

Enable IKE negotiation on the outside interface.

isakmp key ******** address 218.X.73.41 netmask 255.255.255.255

Specify the pre-shared key and the remote peer's address.

isakmp identity address

Set the IKE identity to the interface's IP address.

isakmp client configuration address-pool local yiyuan outside

isakmp policy 10 authentication pre-share

Specify pre-shared keys as the authentication method.

isakmp policy 10 encryption des

Specify 56-bit DES as the encryption algorithm for the IKE policy.

isakmp policy 10 hash md5

Specify MD5 (HMAC variant) as the hash algorithm for the IKE policy.

isakmp policy 10 group 2

Specify the 1024-bit Diffie-Hellman group for the IKE policy.

isakmp policy 10 lifetime 86400

Each security association has a lifetime of 86400 seconds (one day).

***group cisco idle-time 1800

***group pix_*** address-pool yiyuan

***group pix_*** idle-time 1800

***group pix_*** password ********

***group sgl address-pool yiyuan

***group sgl idle-time 1800

***group sgl password ********

***group lsh address-pool yiyuan

***group lsh idle-time 1800

***group lsh password ********

***group xzy address-pool yiyuan

***group xzy idle-time 1800

***group xzy password ********

telnet 192.168.88.144 255.255.255.255 inside

telnet 192.168.88.154 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local huayao

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username cisco password *********

vpdn username qhdgs password *********

vpdn username wek password *********

vpdn username wkd password *********

vpdn username tihg password *********

vpdn username hs password *********

vpdn username jlxh password *********

vpdn username bdgs password *********

vpdn username hxgs password *********

vpdn username gdjt password *********

vpdn username pyha password *********

vpdn username hshc password *********

vpdn username hygs password *********

vpdn username hrgs password *********

vpdn username ynpq password *********

vpdn username hnhyxs password *********

vpdn username hbzx password *********

vpdn username txgs password *********

vpdn username zdxx password *********

vpdn username jyzx password *********

vpdn username tygs password *********

vpdn username jhgs password *********

vpdn username shhz password *********

vpdn username hlgs password *********

vpdn username ty password *********

vpdn username sxbk password *********

vpdn username xtgs password *********

vpdn username hst password *********

vpdn username htgs password *********

vpdn username sygs password *********

vpdn username angs password *********

vpdn username aqd password *********

vpdn username rdgs password *********

vpdn username dbgs password *********

vpdn username jtgs password *********

vpdn username sbzz password *********

vpdn username azgs password *********

vpdn username fdc password *********

vpdn username bags password *********

vpdn username zhsy password *********

vpdn username hsgg password *********

vpdn username tx password *********

vpdn username bl password *********

vpdn username shfw password *********

vpdn username zjer password *********

vpdn username hyds password *********

vpdn username 116 password *********

vpdn username cwgs password *********

vpdn username kxgs password *********

vpdn username zjscj password *********

vpdn username liujiang password *********

vpdn username sgl password *********

vpdn username hgh password *********

vpdn username jswyh password *********

vpdn username cx password *********

vpdn username lsw password *********

vpdn username zqb password *********

vpdn username wyw password *********

vpdn username zmf password *********

vpdn username chx password *********

vpdn username lfz password *********

vpdn username hpq password *********

vpdn username zyx password *********

vpdn username cgx password *********

vpdn username xlm password *********

vpdn username ljz password *********

vpdn username yzm password *********

vpdn username ldj password *********

vpdn username lgc password *********

vpdn username lgt password *********

vpdn username wzgy password *********

vpdn enable outside

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2

***client ***group cisco_*** password ********

***client username pix password ********

terminal width 80
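As a defender's closing check on the configuration above, the following added Python linter (not part of the page and not a Cisco tool) scans a constructed excerpt of the config for the settings a reviewer would flag today: single DES and MD5 in the IPsec transform set and in the IKE policy, Diffie-Hellman group 2, the default SNMP community `public`, cleartext Telnet management access, PAP and 40-bit MPPE on the PPTP group, and `sysopt connection permit-ipsec`, which lets decrypted tunnel traffic bypass the interface access lists. The checks are regular expressions written for the syntax in this excerpt.

```python
import re

# Constructed excerpt of the running configuration shown above (not the complete config).
SAMPLE_CONFIG = """
crypto ipsec transform-set myset esp-des esp-md5-hmac
sysopt connection permit-ipsec
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
snmp-server community public
telnet 192.168.88.144 255.255.255.255 inside
telnet timeout 5
vpdn group 1 ppp authentication pap
vpdn group 1 ppp encryption mppe 40
logging trap notifications
""".strip().splitlines()

# (pattern matched against one config line, severity, finding text)
CHECKS = [
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b", "high",
     "IPsec transform set uses single DES (56-bit key)"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "medium",
     "IPsec integrity uses HMAC-MD5; esp-sha-hmac is the stronger choice"),
    (r"^isakmp policy \d+ encryption des$", "high", "IKE policy encrypts with single DES"),
    (r"^isakmp policy \d+ hash md5$", "medium", "IKE policy hashes with MD5"),
    (r"^isakmp policy \d+ group [12]$", "medium",
     "IKE Diffie-Hellman group 1/2 (768/1024-bit); use the strongest group both peers support"),
    (r"^sysopt connection permit-ipsec$", "low",
     "decrypted IPsec traffic bypasses interface access lists; keep the crypto ACLs tight"),
    (r"^snmp-server community (public|private)$", "high", "default SNMP community string"),
    (r"^telnet \S+ \S+ \S+$", "medium", "cleartext Telnet management access permitted; prefer ssh"),
    (r"^vpdn group \S+ ppp authentication pap$", "high", "PPTP accepts PAP (password sent in cleartext)"),
    (r"^vpdn group \S+ ppp encryption mppe 40$", "high", "PPTP uses 40-bit MPPE encryption"),
]
COMPILED = [(re.compile(p), sev, msg) for p, sev, msg in CHECKS]


def lint(lines):
    """Return (line number, severity, message) for every config line that trips a check."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        for rx, sev, msg in COMPILED:
            if rx.search(line):
                findings.append((n, sev, msg))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = lint(SAMPLE_CONFIG)
    for n, sev, msg in results:
        print(f"line {n:>3} [{sev:6}] {msg}: {SAMPLE_CONFIG[n - 1]}")
    print(summary(results))
```

Feed it the output of `show running-config` (after removing the password lines) to get a quick triage list; a single transform-set line can produce two findings, one for the cipher and one for the integrity algorithm.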
