
Environment: a PIX 515E, with a 3560G below it and a 2960 below that.
At present I have created a VLAN, 172.16.1.1, on the 3560, but the hosts under it cannot get online. I hope everyone can help!!!

At present the gateway routing is done on the PIX; no Layer 3 interface has been brought up on the 3560, only the one VLAN 172.16.1.1 has been created.

The PIX configuration is as follows:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password PLBb27eKLE1o9FTB encrypted
names
!
interface Ethernet0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 61.50.220.51 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit tcp any host 123.124.10.33 eq smtp
access-list 101 extended permit tcp any host 123.124.10.33 eq pop3
access-list 101 extended permit ip any host 123.124.10.33
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 61.50.220.50 eq telnet
access-list 102 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 172.16.1.0 255.255.255.0
nat (inside) 10 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface telnet 192.168.1.2 telnet netmask 255.255.255.255
static (inside,outside) 123.124.10.33 192.168.1.13 netmask 255.255.255.255 dns
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 61.50.220.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d068ef288ac87a931be0633f63c429c
: end

Switch configuration:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname masterswitch
!
enable secret 5 $1$G4g3$e/d6Co33we5VtbUqKwQSo.
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan20
 ip address 172.16.1.1 255.255.255.0
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
 password 123
 login
line vty 0 4
 password 123456
 login
line vty 5 15
 login
!
end