Cisco Official PIX Configuration Example

Introduction

This sample configuration demonstrates how to configure a Security Appliance to separate a corporate network from the Internet.

Prerequisites

Requirements

The internal network has a Web server, a mail server, and an FTP server that users on the Internet can access. All other access to hosts on the internal network is denied from outside users.

Real address of the Web server: 192.168.1.4; Internet address 10.1.1.3
Real address of the Mail server: 192.168.1.15; Internet address 10.1.1.4
Real address of the FTP server: 192.168.1.10; Internet address 10.1.1.5

All users on the internal network are allowed unrestricted access to the Internet. Internal users are allowed to ping devices on the Internet, but users on the Internet are not allowed to ping devices on the inside.

The company used in this configuration has purchased a Class C network from their ISP (10.1.1.x). The .1 and .2 addresses are reserved for the external router and the outside interface of the PIX respectively. Addresses .3 - .5 are used for internal servers that users on the Internet can access. Addresses .6 - .14 are reserved for future use for servers that external users can access.

The PIX Firewall in the example has four network interface cards, but only two of them are in use. The PIX is set up to send syslogs to a syslog server on the inside with an IP address of 192.168.1.220 (not shown in the Network Diagram).

Components Used

The information in this document is based on these software and hardware versions:

Cisco PIX Firewall 535
Cisco PIX Firewall Software Release 6.x and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the Cisco 5500 Series Adaptive Security Appliance, which runs Version 7.x and later.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

PIX 6.3 Configuration

Building configuration...
: Saved
:
PIX Version 6.3(3)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
!--- Output Suppressed
!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.
access-list 100 permit tcp any host 10.1.1.3 eq www
access-list 100 permit tcp any host 10.1.1.4 eq smtp
access-list 100 permit tcp any host 10.1.1.5 eq ftp
pager lines 24
!--- Enable logging.
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors
!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
no logging history
logging facility 20
logging queue 512
!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220
!--- All interfaces are shutdown by default.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 10.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.1.1.15-10.1.1.253
!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.
global (outside) 1 10.1.1.254
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
!--- Define a static translation for the internal
!--- mail server to be accessible from the Internet.
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0
!--- Define a static translation for the internal
!--- FTP server to be accessible from the Internet.
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0
!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 204.69.198.1 1
!--- Output Suppressed
!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
: end
[OK]
!--- Output Suppressed

Configuring PIX/ASA 7.x and later

Note: Nondefault commands are shown in bold.

pixfirewall# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!--- Output Suppressed
!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
pager lines 24
!--- Enable logging.
logging enable
!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors
!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.1.1.15-204.69.198.253
!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.
global (outside) 1 10.1.1.254
!---
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 0.0.0.0 0.0.0.0
!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
!--- Define a static translation for the internal
!--- mail server to be accessible from the Internet.
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255
!--- Define a static translation for the internal
!--- FTP server to be accessible from the Internet.
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255
!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside
!---
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 204.69.198.1 1
!--- Output Suppressed
!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
: end
!--- Output Suppressed
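As an added example that is not part of the Cisco document, the following Python script parses the static, access-list and access-group lines of the configuration above (a constructed excerpt is embedded inline) and checks the policy the Requirements section states: only the three published server addresses are reachable from the Internet, and inbound ICMP is limited to return traffic (echo-reply, time-exceeded, unreachable). It accepts both the 6.x syntax and the 7.x "extended" syntax; all function and variable names are the example's own.

```python
# Added example (not from the Cisco document): audit the inbound policy
# of a PIX 6.x/7.x configuration against the intent stated on this page.
RETURN_ICMP = {"echo-reply", "time-exceeded", "unreachable"}

# Constructed excerpt of the PIX 6.3 configuration shown above.
CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 10.1.1.3 eq www
access-list 100 permit tcp any host 10.1.1.4 eq smtp
access-list 100 permit tcp any host 10.1.1.5 eq ftp
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

def take_addr(t):
    """Consume 'any', 'host A' or 'NET MASK'; return (address, rest)."""
    if t[0] == "any":
        return "any", t[1:]
    return (t[1] if t[0] == "host" else t[0] + "/" + t[1]), t[2:]

def parse_permit(tokens):
    """Tokens after 'permit' -> (proto, src, dst, service or ICMP type)."""
    proto, rest = tokens[0], tokens[1:]
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    tail = rest[1] if rest[:1] == ["eq"] else (rest[0] if rest else None)
    return proto, src, dst, tail

def audit(config):
    """Return (exposed, findings): what the outside ACL lets in, and permits that break the policy."""
    statics, acls, inbound = {}, {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["static"]:
            statics[t[2]] = t[3]                  # global -> real address
        elif t[:1] == ["access-list"] and "permit" in t:
            acls.setdefault(t[1], []).append(parse_permit(t[t.index("permit") + 1:]))
        elif t[:1] == ["access-group"] and t[2] == "in":
            inbound[t[4]] = t[1]                  # interface -> inbound ACL
    exposed, findings = [], []
    for proto, src, dst, tail in acls.get(inbound.get("outside"), []):
        if proto == "icmp":                       # only reply traffic may enter
            if tail not in RETURN_ICMP:
                findings.append(f"icmp {tail} from {src} is not return traffic")
        elif dst in statics:                      # a published server address
            exposed.append((statics[dst], dst, proto, tail))
        else:                                     # permit with no translation behind it
            findings.append(f"{proto}/{tail} to {dst} has no static translation")
    return exposed, findings
```

Running audit(CONFIG) on the excerpt returns the three exposed (real, global, protocol, service) tuples and no findings; adding a permit for a non-published address or for an ICMP type other than the three reply types produces a finding for each.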
