攻城狮论坛

Author: Cmyrtle
Views: 1644 | Replies: 12

[Security] Urgent: the client connects over ADSL, how can it log in to the PIX 515E VPN?

What configuration do I need on the firewall?
The firewall is a PIX 515E.

The client gets online via PPPoE.

hawk793 [Lv4 Budding Talent] posted on 2013-7-24 09:35:15
See my post,
use Cisco's client software.

eric980643 [Lv4 Budding Talent] posted on 2013-7-24 18:02:55
The client software I am using is Cisco VPN Client 4.0.1.

sleet [Lv4 Budding Talent] posted on 2013-7-24 19:18:58
It prompts: the necessary vpn sub-system is not available
you can't connect to the remote vpn server

rinker [Lv4 Budding Talent] posted on 2013-7-24 21:46:47
pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP)
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool

vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
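Added example, not part of the thread or of the poster's own material: a small Python check that reads PIX 6.3 lines like those in the configuration above and flags the settings that are weak by current standards (DES, MD5, Diffie-Hellman group 1, a pre-shared key bound to the wildcard peer, the `public` SNMP community). The function name `audit` and the choice of what counts as weak are assumptions of this example.

```python
import re

# Lines copied from the configuration posted above (PIX 6.3 syntax).
CONFIG = """\
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

# Assumption of this example: values treated as weak (group 1 is 768-bit MODP).
WEAK_POLICY = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}


def audit(config: str) -> list[str]:
    """Return one finding per weak VPN or management setting, in file order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue  # skip comments and the ': Saved' / ': end' markers
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$", line)
        if m and m.group(3) in WEAK_POLICY[m.group(2)]:
            findings.append(f"isakmp policy {m.group(1)}: weak {m.group(2)} {m.group(3)}")
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for t in m.group(2).split():
                if t in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {m.group(1)}: weak transform {t}")
            continue
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", line):
            findings.append("isakmp key: wildcard peer, one pre-shared key for every client")
        elif line == "snmp-server community public":
            findings.append("snmp: default community string 'public'")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```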

mosheh [Lv5 Steadily Growing] posted on 2013-7-24 23:12:03
My configuration is about the same as yours. I can connect to the VPN using a public IP,
but it cannot be reached over ADSL PPPoE.

ayayay [Lv8 Technically Proficient] posted on 2013-11-6 22:00:54
Nice, nice. Thanks for your hard work, OP...

sadasz [Lv8 Technically Proficient] posted on 2013-11-7 20:26:09
Just passing by, showing some support.

azcat [Lv8 Technically Proficient] posted on 2013-11-9 10:22:14
Showing some support :lol

楚行云 [Lv8 Technically Proficient] posted on 2013-11-9 10:55:03