PIX configuration examples (31)
2008-02-23 04:54:48 Source: Internet
1) pix tftp server:
tftp-server 10.0.0.11 pixfirewall/config/test_config
configure net
write net
2) pix ntp server
ntp server 10.0.0.12 key 1234 source inside prefer
3) nameif
nameif ethernet2 dmz sec50
4) interface
interface ethernet4 100full
interface ethernet4 vlan1 physical
interface ethernet4 vlan5 logical
5) ip address
ip address outside dhcp
ip address dmz 172.16.0.1 255.255.255.0
6) nat0
nat (inside) 0 192.168.0.0 255.255.255.0
7) nat / global
nat (inside) 1 0 0
global (outside) 1 192.168.0.20-192.168.0.254
8) default route
route outside 0 0 192.168.1.1
9) static route
route dmz 10.0.1.0 255.255.255.0 10.0.0.1 1
route dmz 10.0.2.0 255.255.255.0 10.0.0.1 1
10) dhcp
dhcpd dns 10.0.1.10 10.0.1.11
dhcpd wins 10.0.1.10 10.0.1.11
dhcpd domain cisco.com
dhcpd address 10.0.1.50-10.0.1.100 inside
dhcpd enable inside
dhcpd address 172.16.0.50-172.16.0.100 dmz
dhcpd enable dmz
11) 2 nats
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 2 10.2.0.0 255.255.255.0
global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
12) 3 nats
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
13) conduit / static
static (inside,outside) 192.168.0.10 10.0.0.11
14) port redirect
access-list 101 permit tcp any host 192.168.0.2 eq telnet
access-list 101 permit tcp any host 192.168.0.9 eq 8080
access-group 101 in interface outside
global (outside) 1 192.168.0.9
nat (inside) 1 0 0
static (inside,outside) tcp interface telnet 10.0.0.4 telnet netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
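The nat/global pairs of examples 11 and 12 and the port redirects of example 14 are easy to get subtly wrong: a nat id with no matching global leaves those hosts untranslated, and a static by itself opens nothing until the inbound access-list on the outside interface permits the public socket. The following audit script is an added example written for this page, not a Cisco tool; it parses a constructed config fragment with a simplified subset of the PIX 6.x syntax (only `any`-source ACL entries and TCP/UDP statics) and assumes that the outside interface address behind the `interface` keyword is 192.168.0.2, the address the page's ACL refers to.

```python
import re

# Constructed sample config (not from the page verbatim): the nat/global
# pairs of example 11 plus a third nat id with no global, and the port
# redirects of example 14 plus one extra static with no matching ACL line.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 2 10.2.0.0 255.255.255.0
nat (dmz) 3 172.16.0.0 255.255.255.0
global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
access-list 101 permit tcp any host 192.168.0.2 eq telnet
access-list 101 permit tcp any host 192.168.0.9 eq 8080
access-group 101 in interface outside
static (inside,outside) tcp interface telnet 10.0.0.4 telnet netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.0.9 ftp 172.16.0.3 ftp netmask 255.255.255.255 0 0
"""

# Port keywords the PIX CLI accepts in place of numbers (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443}

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
ACG_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def port_number(token):
    """Turn a PIX port keyword or numeric string into an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def unmatched_nat_ids(config):
    """nat ids (other than identity id 0) that have no global on any interface.
    Hosts matched only by such a nat rule get no translation and cannot pass."""
    nat_ids, global_ids = set(), set()
    for line in config.splitlines():
        if (m := NAT_RE.match(line)) and m.group(2) != "0":
            nat_ids.add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
    return sorted(nat_ids - global_ids)


def exposed_services(config, outside="outside", outside_ip="192.168.0.2"):
    """For each static port redirect onto `outside`, report the public socket,
    the inside socket and whether the ACL bound inbound on `outside` permits it.
    `outside_ip` stands in for the `interface` keyword (assumed value)."""
    bound_acl = None
    for line in config.splitlines():
        if (m := ACG_RE.match(line)) and m.group(2) == outside:
            bound_acl = m.group(1)
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == bound_acl:
            permits.add((m.group(2), m.group(3), port_number(m.group(4))))
    report = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m or m.group(2) != outside:
            continue
        proto, gip, gport, lip, lport = m.group(3), m.group(4), m.group(5), m.group(6), m.group(7)
        if gip == "interface":
            gip = outside_ip
        gport, lport = port_number(gport), port_number(lport)
        report.append({
            "public": (gip, gport),
            "inside": (lip, lport),
            "permitted": (proto, gip, gport) in permits,
        })
    return report


if __name__ == "__main__":
    print("nat ids without a global:", unmatched_nat_ids(SAMPLE_CONFIG))
    for entry in exposed_services(SAMPLE_CONFIG):
        print(entry)
```

Run against the sample, the script reports nat id 3 as having no global, and marks the ftp static as not permitted: the ACL 101 lines cover telnet on the interface address and 8080 on 192.168.0.9 only, so that third redirect is configured but unreachable. Reviewing statics this way, with the inbound ACL as the source of truth, keeps the list of publicly reachable inside sockets explicit.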
15) nat 0 / acl
access-list NONAT permit ip host 10.0.0.11 host 10.2.1.1
nat (inside) 0 access-list NONAT
16) filter
filter activex 80 0 0 0 0
filter url http 0 0 0 0 longurl-truncate cgi-truncate
url-block url-mempool 1500
url-block url-size 4
url-server (inside) vendor Websense host 10.0.0.30 timeout 1 protocol tcp version 1
17) rip
rip outside passive version 2 authentication md5 cisco 1
rip inside default
18) ospf
prefix-list secure-ospf seq 1 deny 10.0.1.0/24
prefix-list secure-ospf seq 2 permit 0.0.0.0/0 le 32
routing interface outside
ospf message-digest-key 1 md5 cisco
ospf authentication message-digest
routing interface inside
ospf message-digest-key 1 md5 cisco
ospf authentication message-digest
router ospf 1
network 10.0.1.0 255.255.255.0 area 0
network 192.168.0.0 255.255.255.0 area 1
area 0 authentication message-digest
area 1 authentication message-digest
area 1 filter-list prefix secure-ospf in
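The `area 1 filter-list prefix secure-ospf in` line above only does what you expect if you know how prefix-list entries match: an entry without `ge`/`le` matches exactly that prefix length, and evaluation stops at the first matching sequence number. The evaluator below is an added example written for this page (not PIX code); it implements that matching rule with the standard library and runs it over the page's two `secure-ospf` entries and a constructed list of candidate routes.

```python
from ipaddress import ip_network

# The page's prefix list, plus a tightened variant constructed for comparison.
SECURE_OSPF = [
    "prefix-list secure-ospf seq 1 deny 10.0.1.0/24",
    "prefix-list secure-ospf seq 2 permit 0.0.0.0/0 le 32",
]
SECURE_OSPF_STRICT = [
    "prefix-list secure-ospf seq 1 deny 10.0.1.0/24 le 32",
    "prefix-list secure-ospf seq 2 permit 0.0.0.0/0 le 32",
]


def parse_prefix_list(lines):
    """Parse `prefix-list NAME seq N {permit|deny} PREFIX [ge X] [le Y]`
    into (seq, action, network, ge, le) tuples ordered by sequence number."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "prefix-list":
            continue
        seq, action = int(tok[3]), tok[4]
        net = ip_network(tok[5], strict=False)
        ge = le = None
        rest = tok[6:]
        for i in range(0, len(rest) - 1, 2):
            if rest[i] == "ge":
                ge = int(rest[i + 1])
            elif rest[i] == "le":
                le = int(rest[i + 1])
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, route):
    """IOS/PIX semantics: the route must lie inside the entry's network, and
    its prefix length must be exactly the entry's length unless ge/le widen it."""
    _, _, net, ge, le = entry
    if route.version != net.version or route.network_address not in net:
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry, or ('deny', None)
    for the implicit deny at the end of every prefix list."""
    route = ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1], entry[0]
    return "deny", None


if __name__ == "__main__":
    for name, text in (("page", SECURE_OSPF), ("strict", SECURE_OSPF_STRICT)):
        entries = parse_prefix_list(text)
        for candidate in ("10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"):
            print(name, candidate, evaluate(entries, candidate))
```

The run shows the caveat: with the page's list, 10.0.1.0/24 is denied but a more specific 10.0.1.128/25 falls through to the permit-all entry, because `deny 10.0.1.0/24` matches a /24 only. Writing the deny as `deny 10.0.1.0/24 le 32` (the strict variant) blocks every subnet of that range as well.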
20) fixup
fixup protocol ftp 2121
fixup protocol ftp 2001
21) fragment
fragment chain 1 inside
fragment size 1000 outside
fragment chain 40 outside
fragment timeout 10 outside
22) DoS defence (max connections / embryonic limit)
nat (inside) 1 0 0 5000 5000
nat (dmz) 1 0 0 500 500
23) anti-spoofing (unicast RPF)
ip verify reverse-path interface outside
24) IDS
ip audit name ATTACKPOLICY attack action alarm reset
ip audit interface outside ATTACKPOLICY
25) shun
shun 172.26.26.45 192.168.0.10 4000 53
26) virtual telnet
virtual telnet 192.168.0.5
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.11 secretkey
aaa authentication include any outbound 0 0 0 0 MYTACACS
27) console authentication
aaa authentication serial console MYTACACS
aaa authentication enable console MYTACACS
aaa authentication telnet console MYTACACS
aaa authentication ssh console MYTACACS
aaa authentication http console MYTACACS
28) authentication & authorization
aaa authorization include ftp outbound 0 0 0 0 MYTACACS
aaa authentication exclude ftp outbound 10.0.0.33 255.255.255.255 0 0 MYTACACS
29) failover with virtual MAC (active MAC followed by standby MAC)
failover ip address outside 192.168.0.7
failover ip address inside 10.0.0.7
failover ip address dmz 172.16.0.7
failover ip address MYFAILOVER 172.17.0.7
failover mac address outside ####.####.####.#### ####.####.####.####
failover mac address inside ####.####.####.#### ####.####.####.####
failover mac address dmz ####.####.####.#### ####.####.####.####
failover mac address MYFAILOVER ####.####.####.#### ####.####.####.####
30) LAN based failover
nameif ethernet3 MYFAILOVER security55
interface ethernet3 100full
ip address MYFAILOVER 172.17.0.1 255.255.255.0
failover ip address MYFAILOVER 172.17.0.7
failover lan unit secondary
failover lan interface MYFAILOVER
failover lan key 1234567
failover lan enable
31) crypto map
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address crypto_acl_6
crypto map mymap 10 set peer 192.168.6.2
crypto map mymap 10 set peer 192.168.6.3
crypto map mymap 10 set transform-set pix6
crypto map mymap 10 set pfs group2
crypto map mymap 10 set security-association lifetime seconds 28800