pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
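The running-config above relies on settings that a defender reviewing a PIX 6.x box today would flag: single DES and MD5 in both the ISAKMP policies and the IPsec transform-set, Diffie-Hellman group 1 for the VPN Client 1.x policy, a pre-shared key bound to 0.0.0.0/0, the default SNMP community, and cut-through authentication on cleartext protocols. As an added example (not Cisco's code or part of the original document), here is a small Python checker that scans such a config for those lines; the rule table and SAMPLE_CONFIG are my own construction, the latter copying a few lines from the config above.

```python
import re

# Constructed sample: a handful of lines copied from the PIX 6.3 running-config above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 group 1
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
snmp-server community public
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
"""

# Rule table (my own construction): regex matched against one config line,
# a severity label, and the finding text to report.
RULES = [
    (r"^isakmp policy \d+ encryption des$", "high", "IKE phase 1 uses single DES"),
    (r"^isakmp policy \d+ hash md5$", "medium", "IKE phase 1 integrity uses MD5"),
    (r"^isakmp policy \d+ group 1$", "high", "IKE phase 1 uses DH group 1 (768-bit MODP)"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b", "high", "IPsec transform-set uses single DES"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", "medium",
     "pre-shared key is accepted from any peer address (0.0.0.0/0)"),
    (r"^snmp-server community (public|private)$", "high", "default SNMP community string"),
    (r"^aaa authentication include (telnet|ftp|http) ", "low",
     "cut-through proxy collects credentials over a cleartext protocol"),
]


def audit_pix_config(text):
    """Return (line_no, severity, finding, line) tuples for every rule hit.

    Comment lines (starting with '!') and blank lines are skipped; a line
    can trigger more than one rule, and each hit is reported separately.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for pattern, severity, finding in RULES:
            if re.match(pattern, line):
                findings.append((line_no, severity, finding, line))
    return findings


if __name__ == "__main__":
    for line_no, severity, finding, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {line_no} [{severity}] {finding}: {line}")
```

Run against the full config above it reports the same classes of finding for policy 20 as for policy 10, plus the group 1 hit that only policy 20 carries.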