Cisco official PIX configuration example (Word document)
∙ Cisco PIX Firewall 535
∙ Cisco PIX Firewall Software Release 6.x and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the Cisco 5500 Series Adaptive Security Appliance, which runs Version 7.x and later.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note:
Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
PIX v6.3 configuration
Building configuration...
: Saved
PIX Version 6.3(3)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
!
!--- Output Suppressed
!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.
access-list 100 permit tcp any host 10.1.1.3 eq www
access-list 100 permit tcp any host 10.1.1.4 eq smtp
access-list 100 permit tcp any host 10.1.1.5 eq ftp
pager lines 24
!--- Enable logging.
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors
!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
no logging history
logging facility 20
logging queue 512
!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220
!--- All interfaces are shutdown by default.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 10.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.1.1.15-10.1.1.253
!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.
global (outside) 1 10.1.1.254
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
!--- mail server to be accessible from the Internet.
static (inside,outside) 10.1.1.4 192.168.1.15
!--- FTP server to be accessible from the Internet.
static (inside,outside) 10.1.1.5 192.168.1.10
!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 204.69.198.11
!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
: end
[OK]
Configuring PIX/ASA 7.x and later
Nondefault commands are shown in bold
pixfirewall# sh run
: Saved
PIX Version 8.0(2)
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!--- and return packets back in.
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
pager lines 24
!--- Enable logging.
logging enable
logging buffered errors
logging trap notifications
logging host inside 192.168.1.220
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 10.1.1.15-204.69.198.253
global (outside) 1 10.1.1.254
!
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 204.69.198.11
telnet 192.168.1.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
: end
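Both listings above follow the same pattern: a static translation publishes an inside host on an outside address, the outside access list decides which services reach it, and a global pool supplies NAT/PAT addresses. The following added audit script (written for this page, not Cisco's tooling) parses those lines from a constructed excerpt of the 7.x/8.x listing and reports which inside hosts are exposed on which ports, and flags any global pool range that does not fit inside the outside interface's subnet.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the PIX 7.x/8.x listing above,
# not a real device capture.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
global (outside) 1 10.1.1.15-204.69.198.253
global (outside) 1 10.1.1.254
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255
access-group 100 in interface outside
"""

def outside_subnet(cfg):
    """Subnet of the interface named 'outside' (7.x interface block syntax)."""
    m = re.search(r"nameif outside\n(?:.*\n)*?\s*ip address (\S+) (\S+)", cfg)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def exposed_services(cfg):
    """Map each static's inside host to the TCP services the outside ACL admits."""
    statics = dict(re.findall(r"static \(inside,outside\) (\S+) (\S+)", cfg))
    acl = {}
    for name, gip, port in re.findall(
            r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)", cfg):
        acl.setdefault(name, []).append((gip, port))
    bound = dict(re.findall(r"access-group (\S+) in interface (\S+)", cfg))
    result = {}
    for name, entries in acl.items():
        if bound.get(name) != "outside":   # ACL not applied on outside: no exposure
            continue
        for gip, port in entries:
            if gip in statics:             # only hosts with a static are reachable
                result.setdefault(statics[gip], []).append(port)
    return result

def bad_global_ranges(cfg):
    """Global pool ranges whose endpoints are not both in the outside subnet."""
    net = outside_subnet(cfg)
    return [(s, e) for s, e in re.findall(r"global \(outside\) \d+ (\S+)-(\S+)", cfg)
            if not (ipaddress.ip_address(s) in net and ipaddress.ip_address(e) in net)]
```

Run against the page's own pool line, the range check reports 10.1.1.15-204.69.198.253 because its end address lies outside 10.1.1.0/24.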