pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
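A defender's check that the settings in this listing would trigger, as an added example (not from the page or from Cisco): a small Python auditor that scans a PIX 6.x running-config for the weak choices visible above (single DES and MD5 in the IKE and IPsec policies, the pre-shared key bound to address 0.0.0.0 netmask 0.0.0.0, DH group 1, the default "public" SNMP community, and console timeout 0). The excerpt it scans is constructed from lines in the format of the listing.

```python
"""Audit a PIX 6.x running-config for the weak settings visible in the listing above.
Added example, not from the page or from Cisco; the sample excerpt is constructed."""
import re

# Constructed excerpt in the format of the listing above (not the full config).
SAMPLE_CONFIG = """\
!--- Trust IPSec traffic and avoid going through ACLs/NAT.
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 20 group 1
console timeout 0
"""

# (regex over one config line, finding). Anchored at ^ so "!---" comment
# lines never match; order is report order.
RULES = [
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b", "IPsec transform uses single DES"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "IPsec transform uses HMAC-MD5"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "wildcard pre-shared key: any peer address may use this key"),
    (r"^isakmp policy \d+ encryption des$", "IKE policy uses single DES"),
    (r"^isakmp policy \d+ hash md5$", "IKE policy uses MD5"),
    (r"^isakmp policy \d+ group 1$", "IKE policy uses DH group 1 (768-bit)"),
    (r"^console timeout 0$", "console session never times out"),
]


def audit(config_text):
    """Return [(line_number, line, finding)] for every rule that matches a line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((lineno, line, message))
    return findings


if __name__ == "__main__":
    for lineno, line, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}: {line}")
```

Run it against the output of `show run` saved to a file to get one finding per matching line; the transform-set line produces two (DES and MD5).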