One more thing:
Licensed Features:
VPN-DES: Enabled
VPN-3DES: Disabled
Use SSH and it works. Telnet does not!
For inside-to-DMZ access you need a nat configuration; for DMZ-to-inside access you need a static plus an access-list.
PIX 515E connected to an ADSL routing modem!
I want to know how to configure the E0 interface and bring up the connection to the routing modem, so that every user on the internal network can get online through this modem.
ADSL modem IP: 192.168.1.1
pixfirewall(config)#vpdn group <group-name> request dialout pppoe
pixfirewall(config)#vpdn group <group-name> ppp authentication pap|chap|mschap
pixfirewall(config)#vpdn group <group-name> localname <dial-up username>
pixfirewall(config)#vpdn username <username> password <password>
pixfirewall(config)#ip address <interface-name, e.g. outside> pppoe
I want to configure the PIX 515E so that certain internal users can only reach one specific website.
Current configuration:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 61.155.88.82 255.255.255.252
ip address inside 10.10.3.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 3 interface
nat (inside) 3 10.10.1.1 255.255.255.255 0 0
nat (inside) 3 10.10.1.9 255.255.255.255 0 0
nat (inside) 3 10.10.1.81 255.255.255.255 0 0
nat (inside) 3 10.10.1.82 255.255.255.255 0 0
nat (inside) 3 10.10.1.113 255.255.255.255 0 0
nat (inside) 3 10.10.1.161 255.255.255.255 0 0
nat (inside) 3 10.10.1.162 255.255.255.255 0 0
nat (inside) 3 10.10.1.165 255.255.255.255 0 0
nat (inside) 3 10.10.1.240 255.255.255.255 0 0
nat (inside) 3 10.10.2.240 255.255.255.248 0 0
nat (inside) 3 10.10.1.240 255.255.255.240 0 0
route outside 0.0.0.0 0.0.0.0 61.155.88.81 1
route inside 10.0.0.0 255.0.0.0 10.10.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:72a261056ba18f4dbefab375fb871688
: end
Yes, you can put the restriction policy for those hosts at the very top of the ACL and apply it inbound (the in direction) on the inside interface.
You can do it with a time-based ACL, or authenticate users with TACACS+ and define a downloadable ACL.
How do I block a whole subnet with a PIX 515 ACL?
deny ip host 61.129.64.* any
How should a range like 61.129.64.* be blocked?
juechen70 (moderator)
deny ip 61.129.64.0 255.255.255.0
csco10334975 (regular user)
deny ip 61.129.64.0 255.255.255.0 any
mythis (regular user)
access-list 100 deny ip 61.129.64.0 255.255.255.0 any
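All three answers above turn the `61.129.64.*` question into a network address and a subnet mask. As an added example that is not part of this thread, the Python helper below does that conversion for the shorthand in the question, for CIDR notation and for single hosts, and emits the PIX 6.x lines. The point worth remembering is that PIX access-lists take a subnet mask (255.255.255.0), not the IOS-style wildcard (0.0.0.255); a spec whose host bits are set is rejected rather than silently rounded. The ACL name `100`, the interface names and the sample ranges are constructed for illustration.

```python
"""Emit PIX 6.x access-list lines that block whole address ranges (added example)."""
import ipaddress


def parse_range(spec: str) -> ipaddress.IPv4Network:
    """Accept '61.129.64.*', '61.129.64.0/24' or a bare host such as '61.129.64.7'.

    '*' must fill the trailing octets ('61.129.*.*' is a /16; '61.*.64.*' is rejected).
    A CIDR spec with host bits set (61.129.64.5/24) raises ValueError instead of being
    rounded down, so a typo cannot quietly widen or narrow the block.
    """
    spec = spec.strip()
    if "*" in spec:
        octets = spec.split(".")
        fixed = [o for o in octets if o != "*"]
        if len(octets) != 4 or any(o != "*" for o in octets[len(fixed):]):
            raise ValueError(f"wildcard octets must be trailing: {spec!r}")
        addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.IPv4Network(f"{addr}/{8 * len(fixed)}")
    if "/" not in spec:
        spec += "/32"
    return ipaddress.IPv4Network(spec, strict=True)


def pix_deny_line(acl: str, net: ipaddress.IPv4Network) -> str:
    """PIX 6.x takes a subnet mask (255.255.255.0), not the IOS wildcard (0.0.0.255)."""
    if net.prefixlen == 32:
        return f"access-list {acl} deny ip host {net.network_address} any"
    return f"access-list {acl} deny ip {net.network_address} {net.netmask} any"


def build_block_acl(acl: str, interface: str, specs, permit_rest: bool = False) -> list:
    """Deny entries first, then optionally permit everything else, then bind inbound.

    permit_rest=True is what you want when the ACL goes on the inside interface, where
    the implicit deny at the end would otherwise cut every user off. On the outside
    interface leave it False: the implicit deny is the point of the firewall.
    """
    lines = [pix_deny_line(acl, parse_range(s)) for s in specs]
    if permit_rest:
        lines.append(f"access-list {acl} permit ip any any")
    lines.append(f"access-group {acl} in interface {interface}")
    return lines


if __name__ == "__main__":
    # Constructed sample: block two /24s at the outside interface.
    print("\n".join(build_block_acl("100", "outside", ["61.129.64.*", "61.129.65.0/24"])))
```

Re-binding an `access-group` on an interface replaces whatever ACL was bound there, so generate the complete list, not just the new deny lines.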
DHCP is enabled on the PIX. How do I stop the inside network from obtaining addresses automatically and allow only the DMZ to do so?
dhcpd address 192.118.0.5-192.118.0.254 dmz
dhcpd enable dmz
dhcpd dns 219.141.136.10 218.247.141.68
That is all it takes!
How do I switch a PIX running 7.0 between routed and transparent mode?
I upgraded my PIX 515E to PIX 7.0.1 and want to use transparent mode. Can anyone tell me how?
firewall transparent
no firewall transparent
What is the command to configure the DHCP gateway on a 515E?
dhcpd enable inside
Can the PIX run transparent mode between dmz and inside?
A customer wants to move servers into the DMZ, but the servers' addresses must not change. Apart from transparent mode I cannot think of another way. I know how inside/outside transparent mode works, but what about transparent mode between inside and dmz?
The addresses have to change.
There is no DMZ concept in transparent (bridge) mode.
Keeping the addresses is possible too: when you set up the address mapping, translate to the same address.
But the machines to be moved into the DMZ and the inside machines are on the same subnet; the servers and the users all use one subnet. How do you do that without changing addresses?
How do I configure PIX transparent mode?
First, you need to upgrade the PIX OS to 7.0.1.
Just enter the firewall transparent command and the PIX will work in transparent mode. In transparent mode the PIX behaves like a network cable; failover is handled by the other Layer 3 devices.
Firewall policies are usually tied to ports. When the PIX is in transparent mode, how does the outside reach the inside for HTTP, HTTPS, PPTP and TCP/UDP 5060/1270?
One thing: in transparent mode you must set a management address, or traffic will not pass.
Things have changed. We used to run a pair of PIX 515s for failover, and PIX OS 6.3 apparently did not support transparent mode. It seems transparent mode has plenty of uses: it can provide security isolation between network segments, and most importantly it lets dynamic routing protocols pass through.
Which command shows the maximum number of connections these two PIXes support (not the peak currently in use, but the maximum allowed by the license)?
show version
The PIX version is 6.3(4). After setting the outside and inside addresses on the 515E, I connected my laptop to the outside port with a cable; the laptop's address is in the same subnet as the outside address, but I can never ping the outside address. The same configuration works fine on a 515E running 6.2. Strange!
icmp permit any outside
========================================================
The PIX VPN is set up and works over DDN, so why does it not work from ADSL at home?
Configuration (PIX 520):
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
nameif ethernet2 Outside-DMZ security50
enable password GyBjREM5Y/fIjrzB encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname PIX-yinhetech
domain-name test.cn
clock timezone CST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 notebookpoolIP
access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any
access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any
access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0
access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap notifications
icmp deny any Outside
mtu Outside 1500
mtu inside 1500
mtu Outside-DMZ 1500
ip address Outside ***.***.***.** 255.255.255.240
ip address inside 10.127.1.253 255.255.255.0
ip address Outside-DMZ 172.18.3.254 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool notebookpool 10.128.1.1-10.128.1.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address Outside
no failover ip address inside
no failover ip address Outside-DMZ
pdm history enable
arp timeout 14400
global (Outside) 1 ***.***.***.** netmask 255.255.255.240
global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.128.0.0 0 0
access-group 101 in interface inside
route Outside 0.0.0.0 0.0.0.0 ***.***.***.** 1
route inside 10.0.0.0 255.128.0.0 10.127.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.74 255.255.255.255 inside
http 10.10.10.88 255.255.255.255 inside
snmp-server host inside 10.10.10.10
snmp-server host inside 10.10.10.74
snmp-server location soft_yuan_internet
snmp-server contact bill
snmp-server community public
snmp-server enable traps
tftp-server inside 10.10.10.74 /
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-md5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp identity address
isakmp keepalive 60 5
isakmp nat-traversal 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup notebookpc address-pool notebookpool
vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68
vpngroup notebookpc default-domain yhgroup.cn
vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl
vpngroup notebookpc idle-time 1800
vpngroup notebookpc password ********
telnet 10.0.0.0 255.128.0.0 inside
telnet 10.10.10.110 255.255.255.255 inside
telnet 10.10.10.110 255.255.255.255 Outside-DMZ
telnet timeout 31
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35
surf_qj (regular user)
By the way, I am logging in with the Cisco Systems VPN Client 4.01. From home over ADSL I can connect to the VPN but cannot access anything; over DDN it works.
Actually it is not only a PIX problem. I built the same thing on a 2620 and it behaves like yours: with an ordinary ADSL modem it does not work, but with an ADSL modem that has a routing function it does.
isakmp nat-traversal 120
Also turn on NAT on the client side. I would guess it is a NAT traversal problem.
========================================================
PIX 515 problem
Specifically: one PC is connected to the DMZ and one to inside. The DMZ PC can browse the web but nothing else; the inside PC cannot do anything. The PCs themselves are fine. Please take a look at the configuration. The outside address and the global address are different; does that matter? (There are no spare contiguous addresses, so I had to use two different addresses.)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password O53fPNRgHkA6IEsY encrypted
passwd TWjtI1emvjruV4SY encrypted
hostname jygatewall
domain-name 219.2.2.2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list dmz_jygate_acl deny icmp any any
access-list dmz_jygate_acl permit udp any any eq domain
access-list dmz_jygate_acl permit tcp any any eq www
access-list dmz_jygate_acl permit udp any any eq 20
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20817
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20820
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8080
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8383
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 32002
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
access-group dmz_jygate_acl in interface outside
access-group dmz_jygate_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 219.150.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:594b9bbf77abf8a342afee1764e4f7cd
: end
nyb0319 (regular user)
no static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
change it to: static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0
and add one line:
static (inside,outside) 219.150.1.2 192.168.168.0 netmask 255.255.255.0 0 0
no access-group dmz_jygate_acl in interface dmz
crazytank (regular user)
I changed it as suggested above and now get the error "global address overlaps with mask". Could you take another look?
lcschina (active user)
ip address outside 219.150.1.2 255.255.255.224
global (outside) 1 219.150.1.2
The addresses overlap!!!
Add global (outside) 1 interface and remove that global of yours.
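The mistakes traded in this thread (a `global` pool sitting on the interface's own address, a `static` whose mapped address does not line up with its netmask) are easy to catch before the PIX rejects the line. As an added example, not posted by anyone in the thread and not a Cisco tool, the Python linter below scans a PIX 6.x configuration for those two conditions, for a regular static that uses an interface address (PIX 6.x allows that only as a port static with the `interface` keyword), and for two weak settings that also appear in the configurations on this page: `snmp-server community public` and single-DES IKE/IPsec (the only VPN cipher the license at the top of the page enables). `SAMPLE` is constructed from crazytank's lines plus nyb0319's suggestions; `FIXED` is my own reading of lcschina's advice with a port static and a non-default community string added, not a configuration anyone in the thread posted.

```python
"""Lint a PIX 6.x configuration for the NAT slips seen in this thread (added example)."""
import ipaddress
import re

IF_RE = re.compile(r"^ip address (\S+) (\d+(?:\.\d+){3}) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
# static (real_if,mapped_if) mapped_addr real_addr netmask mask ...
# Port statics ("tcp"/"udp" after the interface pair) are a different form and are skipped.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?!tcp |udp )(\S+) (\S+) netmask (\S+)")
DES_RE = re.compile(r"^(isakmp policy \d+ encryption des$|crypto ipsec transform-set \S+ .*\besp-des\b)")


def _addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(s)


def lint(config: str) -> list:
    """Return one finding string per problem; an empty list means the checks pass."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if_addrs = {}                      # interface name -> its own IP address
    for ln in lines:
        m = IF_RE.match(ln)
        if m:
            if_addrs[m.group(1)] = m.group(2)

    findings = []
    for ln in lines:
        m = GLOBAL_RE.match(ln)
        if m:
            ifname, pool_id, pool = m.groups()
            if_ip = if_addrs.get(ifname)
            if pool != "interface" and if_ip:
                lo, _, hi = pool.partition("-")   # single address or "lo-hi" range
                if _addr(lo) <= _addr(if_ip) <= _addr(hi or lo):
                    findings.append(
                        f"{ln}: pool covers the {ifname} interface address {if_ip}; "
                        f"use 'global ({ifname}) {pool_id} interface' to PAT on the interface")
            continue
        m = STATIC_RE.match(ln)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            try:
                ipaddress.IPv4Network(f"{mapped}/{mask}", strict=True)
            except ValueError:
                findings.append(
                    f"{ln}: mapped address {mapped} has host bits set under netmask {mask} "
                    f"(the PIX rejects this as 'global address overlaps with mask')")
            if mapped == if_addrs.get(mapped_if):
                findings.append(
                    f"{ln}: mapped address is the {mapped_if} interface address; only a port "
                    f"static may use it ('static ({real_if},{mapped_if}) tcp interface <port> {real} <port>')")
            continue
        if ln == "snmp-server community public":
            findings.append(f"{ln}: default community string; set a non-default one and pin it with 'snmp-server host'")
        elif DES_RE.match(ln):
            findings.append(f"{ln}: single DES; use 3des or aes where the license allows")
    return findings


# Constructed from the lines in this thread (crazytank's config plus nyb0319's changes).
SAMPLE = """\
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0
static (inside,outside) 219.150.1.2 192.168.168.0 netmask 255.255.255.0 0 0
snmp-server community public
isakmp policy 20 encryption des
"""

# Hypothetical corrected version: PAT on the interface, identity static inside->dmz,
# port static for the DMZ web server, non-default SNMP community.
FIXED = """\
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (dmz,outside) tcp interface 80 172.172.172.101 80 netmask 255.255.255.255 0 0
snmp-server community r0-only-example
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print("fixed config findings:", lint(FIXED))
```

Feed it the output of `show running-config` (or `write terminal` on 6.x) saved to a file; it only inspects the statements it knows about and ignores the rest, so a clean result means these particular traps are absent, not that the policy is right.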