Cisco Official PIX Configuration Example
Introduction
This sample configuration demonstrates how to configure a Security Appliance to separate a corporate network from the Internet.
Prerequisites
Requirements
The internal network has a Web server, a mail server, and an FTP server that users on the Internet can access. All other access to hosts on the internal network is denied from outside users.
∙ Real address of the Web server - 192.168.1.4; Internet address 10.1.1.3
∙ Real address of the Mail server - 192.168.1.15; Internet address 10.1.1.4
∙ Real address of the FTP server - 192.168.1.10; Internet address 10.1.1.5
All users on the internal network are allowed unrestricted access to the Internet. Internal users are allowed to ping devices on the Internet, but users on the Internet are not allowed to ping devices on the inside.
The company used in this configuration has purchased a Class C network from their ISP (10.1.1.x). The .1 and .2 addresses are reserved for the external router and the outside interface of the PIX respectively. Addresses .3-.5 are used for internal servers that users on the Internet can access. Addresses .6-.14 are reserved for future use for servers that external users can access.
The PIX Firewall in the example has four network interface cards, but only two of them are in use. The PIX is set up to send syslogs to a syslog server on the inside with an IP address of 192.168.1.220 (not shown in the Network Diagram).
Components Used
The information in this document is based on these software and hardware versions:
∙ Cisco PIX Firewall 535
∙ Cisco PIX Firewall Software Release 6.x and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the Cisco 5500 Series Adaptive Security Appliance, which runs Version 7.x and later.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
PIX 6.3 Configuration
Building configuration...
: Saved
:
PIX Version 6.3(3)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
!--- Output Suppressed
!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.
access-list 100 permit tcp any host 10.1.1.3 eq www
access-list 100 permit tcp any host 10.1.1.4 eq smtp
access-list 100 permit tcp any host 10.1.1.5 eq ftp
pager lines 24
!--- Enable logging.
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors
!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
no logging history
logging facility 20
logging queue 512
!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220
!--- All interfaces are shutdown by default.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 10.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.1.1.15-10.1.1.253
!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.
global (outside) 1 10.1.1.254
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
!--- Define a static translation for the internal
!--- mail server to be accessible from the Internet.
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0
!--- Define a static translation for the internal
!--- FTP server to be accessible from the Internet.
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0
!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 204.69.198.1 1
!--- Output Suppressed
!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
: end
[OK]
!--- Output Suppressed
Configuring PIX/ASA 7.x and later
Note: Nondefault commands are shown in bold.
pixfirewall# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!--- Output Suppressed
!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
pager lines 24
!--- Enable logging.
logging enable
!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors
!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.1.1.15-204.69.198.253
!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.
global (outside) 1 10.1.1.254
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 0.0.0.0 0.0.0.0
!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
!--- Define a static translation for the internal
!--- mail server to be accessible from the Internet.
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255
!--- Define a static translation for the internal
!--- FTP server to be accessible from the Internet.
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255
!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 204.69.198.1 1
!--- Output Suppressed
!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
: end
!--- Output Suppressed
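As an added example that is not part of the Cisco document, the following Python script audits a running-config in either of the two styles shown above (6.3 `permit` or 7.x+ `extended permit`) against the policy stated in the Requirements section: only www, smtp and ftp may reach the three published addresses, only reply-type ICMP is admitted from outside, and every published address must have a static translation. The `audit` function, the finding strings and the sample excerpt (which deliberately contains three violations) are constructed for this example.

```python
import re

# Policy from the Requirements section: published services and the ICMP types that
# only carry answers to pings and traceroutes started from the inside.
EXPECTED_INBOUND = {("10.1.1.3", "www"), ("10.1.1.4", "smtp"), ("10.1.1.5", "ftp")}
REPLY_ICMP = {"echo-reply", "time-exceeded", "unreachable"}
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+(.*)$")
STATIC_RE = re.compile(r"^static\s+\(inside,outside\)\s+(\S+)\s+(\S+)\s+netmask\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$")


def audit(config_text):
    """Return sorted findings (empty = policy holds); accepts 6.3 and 7.x+ ACL syntax."""
    acls, statics, outside_acl = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # !--- comments and blank lines match no pattern and are skipped
        if m := GROUP_RE.match(line):
            outside_acl = m.group(1)
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)  # public address -> real address
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    if outside_acl is None:
        return ["no access-group applied inbound on the outside interface"]
    findings, seen = [], set()
    for proto, args in acls.get(outside_acl, []):
        if proto == "icmp" and len(args) == 3 and args[:2] == ["any", "any"] and args[2] in REPLY_ICMP:
            continue  # return traffic for internal pings, allowed by the requirements
        if proto == "tcp" and len(args) == 5 and args[1] == "host" and args[3] == "eq":
            public, service = args[2], args[4]
            if (public, service) in EXPECTED_INBOUND:
                seen.add((public, service))
                if public not in statics:
                    findings.append(f"{public}/{service} permitted but has no static translation")
                continue
        findings.append(f"unexpected inbound rule: {proto} {' '.join(args)}")
    for public, service in EXPECTED_INBOUND - seen:
        findings.append(f"required service {service} on {public} is not permitted")
    return sorted(findings)


# Constructed excerpt in the page's 8.0 syntax, with three deliberate policy violations.
SAMPLE_CONFIG = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any echo
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq telnet
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
access-group 100 in interface outside
"""
```

Running `audit(SAMPLE_CONFIG)` reports the inbound echo rule, the telnet rule, the missing ftp rule and the smtp address that has no static translation; running it over the page's own configurations returns an empty list.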