ciscoPIX防火墙的配置及注解完全手册

qq122399093
3 ℃
2020-01-11

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

ciscoPIX防火墙的配置及注解完全手册日期：2008-7-28浏览次数：6753出处：bbs.net130.comPIXVersion6.3(1)interfaceethernet0auto设定端口0速率为自动interfaceethernet1100full设定端口1速率为100兆全双工interfaceethernet2auto设定端口2速率为自动nameifethernet0outsidesecurity0设定端口0名称为outside安全级别为0nameifethernet1insidesecurity100设定端口1名称为inside安全级别为100nameifethernet2dmzsecurity50设定端口2名称为dmz安全级别为50enablepasswordDv0yXUGPM3Xt7xVsencrypted特权密码passwd2KFQnbNIdI.2KYOUencrypted登陆密码hostnamehhyy设定防火墙名称fixupprotocolftp21fixupprotocolh323h2251720fixupprotocolh323ras1718-1719fixupprotocolhttp80fixupprotocolils389fixupprotocolrsh514fixupprotocolrtsp554fixupprotocolsip5060fixupprotocolsipudp5060nofixupprotocolskinny2000fixupprotocolsmtp25fixupprotocolsqlnet1521允许用户查看、改变、启用或禁止一个服务或协议通过PIX防火墙，防火墙默认启用了一些常见的端口，但对于ORACLE等专有端口，需要专门启用。namesaccess-list101permitip192.168.99.0255.255.255.0192.168.170.0255.255.255.0access-list101permitip192.168.12.0255.255.255.0192.168.180.0255.255.255.0access-list101permitip192.168.23.0255.255.255.0192.168.180.0255.255.255.0access-list101permitip192.168.99.0255.255.255.0192.168.101.0255.255.255.0建立访问列表，允许特定网段的地址访问某些网段access-list120denyicmp192.168.2.0255.255.255.0anyaccess-list120denyicmp192.168.3.0255.255.255.0anyaccess-list120denyicmp192.168.4.0255.255.255.0anyaccess-list120denyicmp192.168.5.0255.255.255.0anyaccess-list120denyicmp192.168.6.0255.255.255.0anyaccess-list120denyicmp192.168.7.0255.255.255.0anyaccess-list120denyicmp192.168.8.0255.255.255.0anyaccess-list120denyicmp192.168.9.0255.255.255.0anyaccess-list120denyicmp192.168.10.0255.255.255.0anyaccess-list120denyicmp192.168.11.0255.255.255.0anyaccess-list120denyicmp192.168.12.0255.255.255.0anyaccess-list120denyicmp192.168.13.0255.255.255.0anyaccess-list120denyicmp192.168.14.0255.255.255.0anyaccess-list120denyicmp192.168.15.0255.255.255.0anyaccess-list120denyicmp192.168.16.0255.255.255.0anyaccess-list120denyicmp192.168.17.0255.255.255.0anyaccess-list120denyicmp192.168.18.0255.255.255.0anyaccess-list120denyicmp192.168.19.0255.255.255.0anyaccess-list120denyicmp192.168.20.0255.255.255.0anyaccess-list120denyicmp192.168.21.0255.255.255.0anyaccess-list120denyicmp192.168.22.0255.255.255.0anyaccess-list120denyudpanyanyeqnetbios-nsaccess-list120denyudpanyanyeqnetbios-dgmaccess-list120denyudpanyanyeq4444access-list120denyudpanyanyeq1205access-list120denyudpanyanyeq1209access-list120denytcpanyanyeq445access-list120denytcpanyanyrange135netbios-ssnaccess-list120permitipanyany建立访问列表120防止各个不同网段之间的ICMP发包及拒绝135、137等端口之间的通信（主要防止冲击波病毒）access-list110permitip192.168.99.0255.255.255.0192.168.101.0255.255.255.0pagerlines24loggingonloggingmonitordebuggingloggingbuffereddebuggingloggingtrapnotificationsmtuoutside1500mtuinside1500mtudmz1500ipaddressoutside10.1.1.4255.255.255.224设定外端口地址ipaddressinside192.168.1.254255.255.255.0设定内端口地址ipaddressdmz192.168.19.1255.255.255.0设定DMZ端口地址ipauditinfoactionalarmipauditattackactionalarmiplocalpoolhhyy192.168.170.1-192.168.170.254建立名称为hhyy的地址池，起始地址段为：192.168.170.1-192.168.170.254iplocalpoolyy192.168.180.1-192.168.180.254建立名称为yy的地址池，起始地址段为：192.168.180.1-192.168.180.254nofailoverfailovertimeout0:00:00failoverpoll15nofailoveripaddressoutsidenofailoveripaddressinsidenofailoveripaddressdmznopdmhistoryenablearptimeout14400不支持故障切换global(outside)110.1.1.13-10.1.1.28global(outside)110.1.1.7-10.1.1.9global(outside)110.1.1.10定义内部网络地址将要翻译成的全局地址或地址范围nat(inside)0access-list101使得符合访问列表为101地址不通过翻译，对外部网络是可见的nat(inside)1192.168.0.0255.255.0.000内部网络地址翻译成外部地址nat(dmz)1192.168.0.0255.255.0.000DMZ区网络地址翻译成外部地址static(inside,outside)10.1.1.5192.168.12.100netmask255.255.255.25500static(inside,outside)10.1.1.12192.168.12.158netmask255.255.255.25500static(inside,outside)10.1.1.3192.168.2.4netmask255.255.255.25500设定固定主机与外网固定IP之间的一对一静态转换static(dmz,outside)10.1.1.2192.168.19.2netmask255.255.255.25500设定DMZ区固定主机与外网固定IP之间的一对一静态转换static(inside,dmz)192.168.0.0192.168.0.0netmask255.255.0.000设定内网固定主机与DMZIP之间的一对一静态转换static(dmz,outside)10.1.1.29192.168.19.3netmask255.255.255.25500设定DMZ区固定主机与外网固定IP之间的一对一静态转换access-group120ininterfaceoutsideaccess-group120ininterfaceinsideaccess-group120ininterfacedmz将访问列表应用于端口conduitpermittcphost10.1.1.2anyconduitpermittcphost10.1.1.3anyconduitpermittcphost10.1.1.12anyconduitpermittcphost10.1.1.29any设置管道：允许任何地址对全局地址进行TCP协议的访问conduitpermiticmp192.168.99.0255.255.255.0any设置管道：允许任何地址对192.168.99.0255.255.255.0地址进行PING测试ripoutsidepassiveversion2ripinsidepassiveversion2routeoutside0.0.0.00.0.0.010.1.1.1设定默认路由到电信端routeinside192.168.2.0255.255.255.0192.168.1.11routeinside192.168.3.0255.255.255.0192.168.1.11routeinside192.168.4.0255.255.255.0192.168.1.11routeinside192.168.5.0255.255.255.0192.168.1.11routeinside192.168.6.0255.255.255.0192.168.1.11routeinside192.168.7.0255.255.255.0192.168.1.11routeinside192.168.8.0255.255.255.0192.168.1.11routeinside192.168.9.0255.255.255.0192.168.1.11routeinside192.168.10.0255.255.255.0192.168.1.11routeinside192.168.11.0255.255.255.0192.168.1.11设定路由回指到内部的子网timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00rpc0:10:00h2251:00:00timeouth3230:05:00mgcp0:05:00s