pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
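The listing above contains several settings a reviewer would flag today: the `public` SNMP community, DES and MD5 in both ISAKMP policies and in the IPsec transform set, Diffie-Hellman groups 1 and 2, and a pre-shared key bound to `0.0.0.0 0.0.0.0`, i.e. accepted from any peer address. The following audit script is an added example, not part of the original post or of Cisco's documentation; it walks PIX 6.3 `show run` output line by line and reports those settings. The embedded excerpt is a constructed subset of the configuration shown above.

```python
# Constructed excerpt mirroring the PIX 6.3 listing above (not the full running-config).
SAMPLE_CONFIG = """\
!--- comment lines are ignored by the audit
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

WEAK_CIPHERS = {"des", "esp-des", "esp-null"}      # single DES / no encryption
WEAK_HASHES = {"md5", "esp-md5-hmac"}              # MD5-based integrity
WEAK_DH_GROUPS = {"1", "2"}                        # 768-bit and 1024-bit MODP
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_pix_config(text: str) -> list:
    """Return one finding string per weak PIX 6.3 setting found in `text`.

    Lines beginning with '!' are configuration comments and are skipped, so a
    commented-out weak line does not produce a finding.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if line.startswith("snmp-server community") and words[2] in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string: {line}")
        elif line.startswith("crypto ipsec transform-set"):
            # words[3] is the set name; everything after it is the transform list
            weak = [w for w in words[4:] if w in WEAK_CIPHERS | WEAK_HASHES]
            if weak:
                findings.append(f"weak IPsec transform(s) {weak} in set {words[3]}")
        elif line.startswith("isakmp key") and "address 0.0.0.0 netmask 0.0.0.0" in line:
            findings.append(f"pre-shared key accepted from any peer address: {line}")
        elif line.startswith("isakmp policy") and len(words) >= 5:
            policy, attr, value = words[2], words[3], words[4]
            if (attr == "encryption" and value in WEAK_CIPHERS) or \
               (attr == "hash" and value in WEAK_HASHES) or \
               (attr == "group" and value in WEAK_DH_GROUPS):
                findings.append(f"weak ISAKMP policy {policy}: {attr} {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```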