Basic PIX configuration
PIX configuration: basic configuration steps
1. Connect to the Console port with a null-modem (DTE-DTE) cable (9600-N-8-1)
2. Enter enable mode with enable (the initial password is empty)
3. Enter configuration mode with configure terminal
4. Set the Telnet and enable passwords. Telnet: passwd xxxxxxx
Enable: enable password xxxxxxx
5. Set the hostname with hostname pix
6. Configure the Ethernet interfaces:
interface ethernet outside auto (outside NIC type)
interface ethernet inside auto (inside NIC type)
ip address inside 10.1.1.1 255.255.0.0 (inside NIC IP)
ip address outside 192.31.7.1 255.255.255.0 (outside NIC IP)
7. Configure the global IP pool with global 1 192.31.7.128-192.31.7.252
8. Configure NAT with nat 1 10.1.0.0 255.255.0.0
9. Configure routes
10. Restrict which host IP may Telnet to the PIX (private IPs only) with telnet 10.1.1.252 255.255.255.255
11. Save the configuration with write memory
12. Exit with quit
Optional configuration
1. Configure SYSLOG
syslog output 20.7 (facility = Local4 (20), level = debug (7))
no syslog console
syslog host 10.1.1.254
2. Configure a static IP and an externally reachable Web server
Static: static 192.31.7.254 10.1.1.254
conduit 192.31.7.254 80 tcp 0.0.0.0 0.0.0.0 (allow external hosts to reach the Web port)
3. Configure the mailhost
Mailhost: mailhost 192.31.7.253 10.1.1.253
conduit 192.31.7.253 25 tcp 0.0.0.0 0.0.0.0 (allow external hosts to reach the SMTP port)
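How the global pool, the nat rule and the static and mailhost mappings from steps 7-8 and optional items 2-3 combine for a given inside host, as an added model that is not PIX code and not part of the original page. Static and mailhost entries are consulted before dynamic translation, and a host covered by a nat rule draws an address from the global pool with the same id. The model's own assumptions: it hands out the lowest free pool address (the page does not state the real allocation order), it does not model PAT, and it treats mailhost purely as a one-to-one mapping (the SMTP Mail Guard it enables is not modelled). The names parse_translation_config and Translator are this example's own.

```python
"""
Model of how the PIX 4.x translation commands on this page fit together:
global pool, nat rule, static and mailhost mappings.
Added illustration, not PIX code.  Static-before-dynamic precedence follows
PIX behaviour; lowest-free-address allocation and ignoring PAT are
simplifying assumptions of this model.
"""
import ipaddress

# Constructed sample: the translation commands from steps 7-8 and optional items 2-3.
SAMPLE_CONFIG = """
global 1 192.31.7.128-192.31.7.252
nat 1 10.1.0.0 255.255.0.0
static 192.31.7.254 10.1.1.254
mailhost 192.31.7.253 10.1.1.253
"""


def parse_translation_config(text):
    """Collect global pools, nat rules and one-to-one mappings (PIX 4.x syntax)."""
    pools = {}      # nat id -> list of global addresses
    nat_rules = []  # (nat id, inside network) in configuration order
    statics = {}    # inside address -> global address
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "global":
            # global <id> <first>-<last>  (a single address is a one-address pool here)
            lo, _, hi = p[2].partition("-")
            first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
            pools.setdefault(int(p[1]), []).extend(
                ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1))
        elif p[0] == "nat":
            # nat <id> <network> <mask>
            net = ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)
            nat_rules.append((int(p[1]), net))
        elif p[0] in ("static", "mailhost"):
            # static|mailhost <global_ip> <inside_ip>: both fix one global address
            # to one inside host (mailhost's SMTP Mail Guard is not modelled)
            statics[ipaddress.IPv4Address(p[2])] = ipaddress.IPv4Address(p[1])
    return pools, nat_rules, statics


class Translator:
    """Answers: as which global address does an inside host leave the PIX?"""

    def __init__(self, config_text):
        self.pools, self.nat_rules, self.statics = parse_translation_config(config_text)
        self.xlate = {}  # active dynamic translations: inside -> global

    def translate(self, inside_ip):
        inside = ipaddress.IPv4Address(inside_ip)
        # 1. static/mailhost mappings win over dynamic translation
        if inside in self.statics:
            return str(self.statics[inside])
        # 2. an existing dynamic translation is reused while the xlate entry lives
        if inside in self.xlate:
            return str(self.xlate[inside])
        # 3. otherwise the first matching nat rule takes a free address from its pool
        for nat_id, net in self.nat_rules:
            if inside in net:
                in_use = set(self.xlate.values())
                for candidate in self.pools.get(nat_id, []):
                    if candidate not in in_use:
                        self.xlate[inside] = candidate
                        return str(candidate)
                return None  # pool exhausted: a new connection cannot be translated
        return None  # no nat rule covers this host: no translation, traffic is not passed


if __name__ == "__main__":
    t = Translator(SAMPLE_CONFIG)
    for host in ("10.1.1.254", "10.1.1.253", "10.1.5.7", "10.1.5.7", "10.1.5.8", "172.16.0.5"):
        print(f"{host:<12} -> {t.translate(host)}")
```

Running the block shows the three cases side by side: the static and mailhost hosts (10.1.1.254, 10.1.1.253) keep their fixed outside addresses even though they also fall inside 10.1.0.0/16, other hosts in that network receive successive pool addresses and keep them while the xlate entry exists, and a host outside every nat rule gets no translation at all.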
4. Configure Access Control (not configured by default)
outbound 10 deny 0.0.0.0 0.0.0.0 (deny all TCP access)
outbound 10 permit 0.0.0.0 0.0.0.0 21 (permit all FTP access)
outbound 10 permit 0.0.0.0 0.0.0.0 23 (permit all Telnet access)
outbound 10 permit 0.0.0.0 0.0.0.0 110 (permit all POP3 access)
outbound 10 permit 10.1.1.253 255.255.255.255 25 (permit this IP to reach external SMTP hosts)
apply 10 outgoing_src (activate the access control list, matching on source address)
Appendix: configuration file:
Saved
PIX Version 4.0.7
enable password Pq3YLuPkVBVUDLjn encrypted
passwd C4kSfJjCHk1gkyo7 encrypted
hostname pix
failover
names
syslog output 20.7
no syslog console (SYSLOG configuration)
syslog host 10.1.1.254
interface ethernet outside auto
interface ethernet inside auto
ip address inside 10.1.1.1 255.255.0.0 (Ethernet interface configuration)
ip address outside 192.31.7.1 255.255.255.0
arp timeout 14400
global 1 192.31.7.128-192.31.7.252
nat 1 10.1.0.0 255.255.0.0
static 192.31.7.254 10.1.1.254
mailhost 192.31.7.253 10.1.1.253
conduit 192.31.7.254 80 tcp 0.0.0.0 0.0.0.0
conduit 192.31.7.253 25 tcp 0.0.0.0 0.0.0.0
outbound 10 deny 0.0.0.0 0.0.0.0
outbound 10 permit 0.0.0.0 0.0.0.0 21
outbound 10 permit 0.0.0.0 0.0.0.0 23
outbound 10 permit 0.0.0.0 0.0.0.0 110 (access control configuration)
outbound 10 permit 10.1.1.253 255.255.255.255 25
apply 10 outgoing_src
age 10
no rip outside passive
no rip outside default
no rip inside passive (route configuration)
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.31.7.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 10000 conn 120000 udp 10000
timeout rpc 01000 h323 00500 uauth 00500
no snmp-server location
no snmp-server contact
telnet 10.1.1.252 255.255.255.255
mtu outside 1500
mtu inside 1500
end

pix1(config)# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 dmz security54
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
domain-name yutian
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 1 permit tcp 10.10.10.0 255.255.255.0 host 10.10.10.11 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu dmz 1500
ip address outside 10.10.10.1 255.255.255.0
ip address inside 192.168.128.20 255.255.255.0
no ip address intf2
ip address dmz 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address dmz
pdm location 192.168.128.0 255.255.255.0 inside
pdm location 192.168.128.25 255.255.255.255 inside
pdm location 192.168.128.120 255.255.255.255 inside
pdm location 10.10.10.111 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 10.10.10.11
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
static (inside,outside) 10.10.10.11 192.168.128.26 netmask 255.255.255.255 0 0
conduit permit ip any any
conduit permit icmp any any
routing interface outside
routing interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.128.25 255.255.255.255 inside
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.128.118-192.168.128.224 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:62e77d8546aee2c385cfbd7e27d67647
: end
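A small lint over the two configurations above, as an added example that is neither a Cisco tool nor part of the original page. It walks a configuration line by line and flags the directives a defender would review first. The checks encode the page's own advice (Telnet to the PIX only from a single private host; open only the inbound ports a published service needs) together with two weak settings visible in the PIX 6.3(3) output, conduit permit ip any any and snmp-server community public. The sample lines are copied from the page; the severity labels and the names audit_pix_config and summarize are this example's own.

```python
"""
Config linter for the PIX directives shown on this page.
Added example, not a Cisco tool.  Severity labels are this example's own
convention; the rules follow the page's guidance plus well-known weak defaults.
"""

# Constructed sample: directives copied from the two configurations on the page.
SAMPLE_CONFIG = """\
conduit 192.31.7.254 80 tcp 0.0.0.0 0.0.0.0
conduit 192.31.7.253 25 tcp 0.0.0.0 0.0.0.0
telnet 10.1.1.252 255.255.255.255
conduit permit ip any any
conduit permit icmp any any
snmp-server community public
telnet 192.168.128.0 255.255.255.0 inside
http server enable
http 192.168.128.0 255.255.255.0 inside
"""

HOST_MASK = "255.255.255.255"


def audit_pix_config(text):
    """Return (line_no, severity, message) tuples for risky directives."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        p = raw.split()
        if not p:
            continue
        cmd = p[0]
        if cmd == "conduit" and len(p) >= 5 and p[1] == "permit":
            # PIX 5.x/6.x syntax: conduit permit <protocol> <destination> <source>
            if p[2] == "ip" and p[3:5] == ["any", "any"]:
                findings.append((line_no, "HIGH",
                    "all IP traffic from any source is let in to every static/global address"))
            elif p[2] == "icmp" and p[3:5] == ["any", "any"]:
                findings.append((line_no, "MEDIUM", "all ICMP types accepted from any source"))
        elif cmd == "conduit" and len(p) >= 6:
            # PIX 4.x syntax: conduit <global_ip> <port> <protocol> <foreign_ip> <foreign_mask>
            if p[4] == "0.0.0.0" and p[5] == "0.0.0.0":
                findings.append((line_no, "INFO",
                    f"{p[3]}/{p[2]} on {p[1]} is reachable from any external source"))
        elif cmd in ("telnet", "http") and len(p) >= 3 and p[1][0].isdigit():
            # telnet|http <ip> <mask> [<interface>]: who may open a management session
            iface = p[3] if len(p) > 3 else "inside"  # 4.x syntax carries no interface
            if iface == "outside":
                findings.append((line_no, "HIGH",
                    f"{cmd} management access permitted on the outside interface"))
            elif p[2] != HOST_MASK:
                findings.append((line_no, "MEDIUM",
                    f"{cmd} management access permitted from a whole subnet "
                    f"({p[1]} {p[2]}) instead of a single host"))
        elif cmd == "snmp-server" and p[1:3] == ["community", "public"]:
            findings.append((line_no, "HIGH", "SNMP uses the default community string 'public'"))
    return findings


def summarize(findings):
    """Count findings per severity label."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_pix_config(SAMPLE_CONFIG)
    for line_no, severity, message in results:
        print(f"line {line_no:>2} [{severity:<6}] {message}")
    print(summarize(results))
```

On the sample, the 4.x conduits for the Web and SMTP servers come out as informational (a published service is expected to be reachable on its port), while conduit permit ip any any and the default SNMP community are the two high findings; the /24 telnet and http statements in the 6.3(3) output are flagged because the page's own step 10 restricts Telnet to a single host. Feed the function a saved configuration read from a file to run the same checks on a real device.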