pixfirewall#show run
! L7 U2 g0 A1 X1 u( i) [: Saved
5 c, ^6 v- O% ?- g: d, g, ~- n8 j
PIX Version 6.3(3)
9 K8 S+ K$ L) V: P3 linterface ethernet0 100full4 f! Q5 e' y3 T' @2 R' s: n+ c* V
interface ethernet1 100full
5 ^$ C. Q, C$ j2 rnameif ethernet0 outside security0
* f j( J' I) w/ B8 Ynameif ethernet1 inside security100
; d" K+ V4 u T0 F0 _enable password 8Ry2YjIyt7RRXU24 encrypted
; Q! q+ C5 w; Fpasswd 2KFQnbNIdI.2KYOU encrypted
! ^. Y& } O% X7 Ihostname pixfirewall
5 P1 C" ?# ~3 sfixup protocol dns maximum-length 512
: J& W# y: g+ J' u- h+ m5 l( `) Ofixup protocol ftp 21
' X U: O! T$ M) B" N- ]% e: G/ cfixup protocol h323 h225 1720* f7 [/ X7 f8 h
fixup protocol h323 ras 1718-1719" Y1 T! w: Q$ P3 @. [# l& }
fixup protocol http 80; a; x) c! R2 q2 P/ Z
fixup protocol rsh 514
! S6 n- w% W7 g: qfixup protocol rtsp 554* G, J+ A8 P4 c, K) E7 L) r, ~
fixup protocol sip 5060, x% r# ]0 d( v& n4 v/ m+ P9 T
fixup protocol sip udp 5060
+ C: t4 X2 h. @8 |fixup protocol skinny 2000
" ^! C* i$ [: @* _. w; @fixup protocol smtp 25% I# E6 E6 U" z4 y4 v
fixup protocol sqlnet 1521
0 v, @, f K( tfixup protocol tftp 69$ ~8 H1 n' ^$ j$ T
names/ A2 F1 ^; x, r, B' i9 `2 r
7 E7 P+ Q0 F9 W1 O. \ S/ I, w# H!--- Do not use Network Address Translation (NAT) for inside-to-pool
! @+ z9 A' F9 y+ [2 F( A!--- traffic. This should not go through NAT.
5 U" A6 K. M: P
3 i5 W: h$ Y4 A2 G5 _, |access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240
3 x2 d9 T4 K1 S% v4 a9 Z" A7 f4 Q9 X$ g( }$ D4 R
!--- Permits Internet Control Message Protocol (ICMP)3 z4 z$ v) _# l; Z6 [
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
$ J6 G0 L- n" ~!--- traffic from any host on the Internet (non-VPN) to the web server.1 `! j6 |1 z, l: V$ [
$ O% l8 W+ v4 k7 a
access-list 120 permit icmp any host 10.89.129.131
4 \( j5 ?$ Z9 e* `! E4 \* `" paccess-list 120 permit tcp any host 10.89.129.131
+ T! i& j' `6 Z2 h) _- raccess-list 120 permit udp any host 10.89.129.131
' o( D: h7 e2 v- k2 R2 b( X3 f2 J* V+ s' G8 ^- _3 q! e
pager lines 24# z5 }" U* b( l. j4 F. I. k" c
mtu outside 1500$ I4 H6 ^+ d( y k" [8 P2 M
mtu inside 1500
. o% c' L6 q; b4 O* U: @ip address outside 192.168.1.1 255.255.255.0% \( L( @% T9 c# i
ip address inside 10.89.129.194 255.255.255.240
~# A0 |* I' b% \ip audit info action alarm) R6 ?" S) b% E" z* H. v8 u8 X& L6 W
ip audit attack action alarm4 Q# y/ O2 o' r& g& _$ K# t+ K
Z* d) E+ m( U; [$ [!--- Specifies the inside IP address range to be assigned( P- o' i5 C: t) H9 l
!--- to the VPN Clients.5 p4 K2 @3 s6 I: d( U3 e
$ W6 c9 G8 u0 C5 U2 t; p
ip local pool VPNpool 10.89.129.200-10.89.129.204
: ?7 j% k" I$ Y3 h7 qno failover
7 m5 t- s+ U: afailover timeout 0:00:00
& V) W$ @# f2 t$ o; ~failover poll 159 M& @: W% I; q2 i: f# l$ G% ^6 u
no failover ip address outside
6 y _" z8 x- L& Hno failover ip address inside5 M& e5 j( J* `: e `. j
pdm history enable) F8 l6 H4 W5 ^& n* T; A& O6 k2 ~' C; G
arp timeout 14400
4 O( C7 x4 e2 Q0 u& o i- p8 J6 v6 [+ O$ @ H6 r8 R6 D
!--- Defines a pool of global addresses to be used by NAT." L _' n1 Z$ ^; \+ Z
9 l5 R, _9 H' B+ s! [3 {4 U- ~global (outside) 1 192.168.1.6-192.168.1.10
2 v2 w9 q# g. }) C/ v3 }9 J2 g# Y
0 {& g. B2 {8 {/ g4 q5 J9 E# y; f+ wnat (inside) 0 access-list 101/ k4 ?: C+ g0 p, ]
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
1 r( l8 B4 S' ^6 u- Z$ [: G
% Q y/ L, l) v$ l8 ]( i!--- Specifies which outside IP address to apply to the web server.& j$ A3 k- ^9 J9 T
' z. c8 Q6 z; {) R& x1 u7 \
static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0/ B; V$ d( B* H
$ d* P( l$ l( g. S- ^5 w) V+ H
!--- Apply ACL 120 to the outside interface in the inbound direction.( ~- j( a+ E# j
8 W& M6 S% M9 ]access-group 120 in interface outside
; P. u9 D6 _8 X0 i% G9 [1 r% ?% V5 o
+ s: v1 f# h' e' `( d!--- Defines a default route for the PIX.
/ T; j" L" a; Y6 c
) f8 b1 f( s; z+ ~7 ]8 a& |route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
+ M/ T2 V" {2 q
! _" O4 R3 o; m% J% D) k, p!--- Defines a route for traffic within the PIX's
2 M2 O+ b5 {% ]1 e6 n% {& y!--- subnet to reach other inside hosts.
5 L) Y# V8 d3 j3 |. N9 u
6 I# y/ g7 \; j- q. Vroute inside 10.89.129.128 255.255.255.128 10.89.129.193 1 u; ?' V; G& `: I/ }+ W
d/ p/ w t+ m
timeout xlate 3:00:00, m: i, v5 b# |# _; l* \
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00) S$ u; B" u8 `1 o- K% w
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:007 A) K1 N$ c! H8 G- C( I
timeout uauth 0:05:00 absolute/ \' J. L7 b0 X. _! b0 R
aaa-server TACACS+ protocol tacacs+7 S, v) {/ m' B. G- ?
aaa-server RADIUS protocol radius- K* _7 m" E$ F, F! @5 o
aaa-server LOCAL protocol local
8 K+ U* ~3 u1 Z' e# j7 ~1 G+ J4 S& l
!--- Authentication, authorization, and accounting (AAA)
0 `) T- a$ K' u2 Q" c!--- statements for authentication. Method AuthInbound uses TACACS+.: O' n2 O7 |5 p
6 `$ r' W2 u5 p9 I" R" F
aaa-server AuthInbound protocol tacacs+
6 G/ E( m5 V9 O& D" e. |5 h$ }( C* b, }
!--- Specify the TACACS+ server and key.* x1 P& T+ d- _. z; t
5 }! M, z# K k% }aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10
4 L3 n: S' C9 J3 P/ v6 [4 c) E' j/ R+ I( M+ f5 ~
!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.) ]2 n! ?) X0 {5 U* q6 r5 K" Y
; Z: a# P+ D8 c8 f1 X7 [" W5 }aaa authentication include http outside 6 z5 P# d7 S- X4 u7 c6 k
10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
) q- t. I: B; D8 {0 e
* N a$ N. }! v' }: n+ R0 kaaa authentication include ftp outside
* x3 f: ?# Q* Y. }7 I 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound5 v" B/ Q: i4 k: r1 h
! W; [& I1 G/ \- D" E3 C& H
aaa authentication include telnet outside ) j+ h! E/ U# O
10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
; z: J" b$ j0 d; ~5 v
, A% D0 P G8 s. ?no snmp-server location
) t7 t- V. Z6 W: Dno snmp-server contact
7 ?# n9 `: r" O" t& F4 f4 k8 Isnmp-server community public
$ @) U, X" i/ S0 F9 G |no snmp-server enable traps
! R; i1 v- [6 g. l! g6 ^( [floodguard enable7 f- ^# v$ t; x6 G6 C& I- L0 R
7 N/ E3 c& C, l- J) u: \0 e: }!--- Trust IPSec traffic and avoid going through ACLs/NAT.
5 w0 T4 |5 _4 j- r7 i; l# \
6 w. w# a/ R+ {4 asysopt connection permit-ipsec4 J/ p( v( J7 y" m# d
$ S) t& g1 J6 c' g/ W!--- IPSec and dynamic map configuration.: f; z( w& y: C
2 }0 _; Q+ U+ P/ r% t9 q. ]
crypto ipsec transform-set myset esp-des esp-md5-hmac$ N6 F/ @9 G9 f: T
crypto dynamic-map dynmap 10 set transform-set myset9 O8 C' o. h5 i$ m) L- Z" }! v+ Y
crypto map mymap 10 ipsec-isakmp dynamic dynmap# p! e O+ S1 O% Q9 _' r* H
L& ]* O2 z, ]6 m!--- Assign IP address for VPN 1.1 Clients.6 J! m; s' ^ H$ n3 D
/ W% L* V; H5 y. a* T9 X/ s; a" A5 t mcrypto map mymap client configuration address initiate
T& K5 b( r2 Lcrypto map mymap client configuration address respond/ R- a: I: I4 G3 }
. w8 b8 A! F0 ^. |! a$ H!--- Use the AAA server for authentication (AuthInbound)./ O7 G! }& q5 p
1 U" R* a% Q& Z3 mcrypto map mymap client authentication AuthInbound
' I: @* S$ Z* l& E
* A6 D I3 u2 J% o$ k$ v1 v* V!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.
1 Z( c u p) D) k7 ]
6 `$ Q' j# E, H8 v2 _' X2 Q7 Fcrypto map mymap interface outside
( U0 n2 n' ?) F7 Qisakmp enable outside' N' G+ v/ @. z& i% A' @
( i5 I# b, }, i9 y) o! q" F
!--- Pre-shared key for VPN 1.1 Clients.
7 m( e4 f, o3 d, y% L: t' n F# X l/ N- m4 Q, [
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0; H* L; e$ @: E. y$ a4 ^: L
isakmp identity address& M5 U7 A2 }# [# v
1 K6 |, |2 b; ?: r+ V. w" b
!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.( b) Z; ^% g7 r+ v3 f' }
& |' r8 N( d7 ?9 i- {$ J; E) Sisakmp client configuration address-pool local VPNpool outside2 r4 B* E* r6 r. v3 s+ y/ I
; q' f. f, y; E& j( j!--- ISAKMP configuration for VPN Client 3.x/4.x.( Q0 T4 R9 {8 S7 a
- k" V" _! H* [! `; L6 c3 A; o; ~( R$ F
isakmp policy 10 authentication pre-share8 u9 \8 U: Q7 E! o
isakmp policy 10 encryption des
+ d) C6 g5 \, Q9 u6 ]; n1 B! w/ Eisakmp policy 10 hash md52 i5 D6 \; G2 G' G
isakmp policy 10 group 2
' N1 ]+ M2 m0 Zisakmp policy 10 lifetime 86400
) N0 z* l- r' u+ ?' p8 c+ p9 r4 @6 D( J" I4 `9 s2 L8 f
!--- ISAKMP configuration for VPN Client 1.x.
. \/ V; h8 _2 C2 H
H: g5 C, J$ c1 K% i7 misakmp policy 20 authentication pre-share
" R) e: L3 U+ O0 i/ Disakmp policy 20 encryption des5 `5 Y0 n+ p, Q5 _* m: J: Y
isakmp policy 20 hash md54 @& @, x' b6 r/ k% a" I2 M
isakmp policy 20 group 1& G) L$ H! R: t9 J* J) N5 k8 z
isakmp policy 20 lifetime 86400' f4 X( @# a0 P! O6 A# J6 q; Q, W6 I
- Y$ P, n; u3 i
!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.
' v) E, ^+ k* c0 |% p" k. A8 V1 ?" j2 Q! D2 H3 H: q
vpngroup vpn3000 address-pool VPNpool
7 U, Y: e, A3 {# P0 E8 E! U, @, a6 i; v# @: I
vpngroup vpn3000 idle-time 1800
. E T- O) |* `5 v c3 U) W% w2 F G0 b' k0 b
! w, \ s7 E& D9 @4 d" l# Y!--- Group password for VPN Client 3.x/4.x (not shown in configuration).4 c# v, m" k+ q- d
: @" c$ m" R5 M9 K A- k4 D3 f
vpngroup vpn3000 password ********
) X3 T3 _& |: j q) u, \4 ~% Gtelnet timeout 5; Q# \1 w T! A x5 m. q
ssh timeout 53 X) }) o( @3 _# y7 Q! H$ E( a# E
console timeout 0
X# j4 B; A- B( J' ~5 Y. F( }terminal width 80
5 [2 x& v8 b% k" | N+ l9 lCryptochecksum:ba54c063d94989cbd79076955dbfeefc
6 i# b$ ~8 c" Z$ r: end
9 u: y. _! v! p1 l; spixfirewall# |
所有IT类厂商认证考试题库下载
【新盟教育】2023最新华为HCIA全套视频合集【网工基础全覆盖】---国sir公开课合集
【新盟教育】网工小白必看的!2023最新版华为认证HCIA Datacom零基础全套实战课
原创_超融合自动化运维工具cvTools
重量级~~30多套JAVA就业班全套 视频教程(请尽快下载,链接失效后不补)
链接已失效【超过几百G】EVE 国内和国外镜像 全有了 百度群分享
某linux大佬,积累多年的电子书(约300本)
乾颐堂现任明教教主Python完整版
乾颐堂 教主技术进化论 2018-2019年 最新31-50期合集视频(各种最新技术杂谈视频)
Python学习视频 0起点视频 入门到项目实战篇 Python3.5.2视频教程 共847集 能学102天
约21套Python视频合集 核心基础视频教程(共310G,已压缩)
最新20180811录制 IT爱好者-清风羽毛 - 网络安全IPSec VPN实验指南视频教程
最新20180807录制EVE开机自启动虚拟路由器并桥接物理网卡充当思科路由器
