pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#