
The new company gets online over ADSL, and I want to set up a server that can be reached from the outside on port 18000. Since the line rarely drops, the dynamic IP we are assigned basically never changes. I've been at this for a long time and still haven't got it working, sigh~~
Network layout: the modem connects to a PIX 506E (inside IP set to 192.168.0.1), the PIX then connects to a gateway host with three NICs (a Linux host), and the gateways all connect to a switch. Right now the client machines get their IP addresses from this gateway host; the clients' default gateway is one of the addresses on this Linux host; client IPs are basically in the 192.168.20.0 range, and DNS is set to 8.8.8.8.
Right now the gateway host cannot ping the PIX's outside address, but it can ping the inside. I don't know what else still needs to be configured. In the end I need an internal machine that can be reached from the outside, but at the moment the gateway can't even ping the outside.
PIX config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd EOE.0mKduqS7lCkI encrypted
hostname pix-**
domain-name info**
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 87.224.22.** london-vpn-target
name 10.8.0.0 london-private-net
name 192.168.20.0 shanghai-private-net
$ X1 T4 L3 F; @access-list no_nat permit ip shanghai-private-net 255.255.255.0 london-private-' ~& Z7 |4 S1 R2 }0 y: R. {5 H g# L! V
access-list vpn permit ip shanghai-private-net 255.255.255.0 london-private-net
access-list telnet permit ip any any
access-list telnet permit icmp any any
access-list 120 permit icmp any any
access-list 120 permit ip any any
access-list 120 permit tcp any interface outside eq 18000
access-list acl_out permit tcp any host 210.13.85.176 eq ftp
pager lines 24
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.20.125 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 shanghai-private-net 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 18000 192.168.20.253 18000 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 120 in interface inside
conduit permit icmp any any
conduit permit tcp any any
conduit permit ip any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http shanghai-private-net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address vpn
crypto map vpn 20 set peer london-vpn-target
crypto map vpn 20 set transform-set strong
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address london-vpn-target netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet shanghai-private-net 255.255.255.0 inside
telnet timeout 5
ssh 87.224.112.57 255.255.255.255 outside
ssh london-vpn-target 255.255.255.255 outside
ssh shanghai-private-net 255.255.255.0 inside
ssh london-vpn-target 255.255.255.255 inside
ssh timeout 60
console timeout 0
vpdn group idbs request dialout pppoe
vpdn group idbs localname ad662857**
vpdn group idbs ppp authentication pap
vpdn username ad6628573** password *****
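An added check, not part of the original post and not a Cisco tool: a small Python lint over the routing-relevant lines of the config above. It parses the `name`, `ip address`, `route`, `static`, `access-list` and `access-group` lines and reports the two things a reviewer would raise here. First, the `static` publishes 192.168.20.253, but the PIX's only inside network is 192.168.0.0/24 and the posted config has no `route inside` line at all, so the PIX has no path back to the 192.168.20.0 segment sitting behind the Linux gateway; the script prints the missing `route inside` command, leaving the next hop as a placeholder because the Linux host's 192.168.0.x address is not given in the post, and assuming a /24 mask from the post's description. Second, access-list 120 contains `permit ip any any` and is bound inbound on outside, which makes the specific port-18000 entry redundant and exposes everything behind the static. The config embedded in the script is a trimmed copy of the posted lines, constructed for the check.

```python
import ipaddress

# Constructed sample: the lines of the PIX 6.3 config posted above that the
# check needs (names, interface addresses, NAT/static, ACLs and bindings).
# There is deliberately no "route" line, because the posted config has none.
SAMPLE_CONFIG = """\
name 10.8.0.0 london-private-net
name 192.168.20.0 shanghai-private-net
access-list 120 permit icmp any any
access-list 120 permit ip any any
access-list 120 permit tcp any interface outside eq 18000
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 18000 192.168.20.253 18000 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 120 in interface inside
"""


def parse(config):
    """Minimal one-pass parser for the PIX 6.x lines this check cares about.
    'name' lines must precede their use, as they do in a real PIX config."""
    cfg = {"names": {}, "ifaces": {}, "routes": [], "statics": [], "acls": {}, "groups": {}}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:                       # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"] and len(t) >= 5 and t[3] != "pppoe":
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route" and len(t) >= 5:                     # route <if> <net> <mask> <gw>
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "static" and len(t) >= 4:
            real_if = t[1].strip("()").split(",")[0]              # (inside,outside) -> inside
            if t[2] in ("tcp", "udp"):                            # static (r,m) tcp <mapped> <port> <real> <port>
                real, port = t[5], t[6]
            else:                                                 # static (r,m) <mapped> <real>
                real, port = t[3], None
            cfg["statics"].append((real_if, cfg["names"].get(real, real), port))
        elif t[0] == "access-list" and len(t) >= 3:               # access-list <id> <rule...>
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and len(t) >= 5:              # access-group <id> in interface <if>
            cfg["groups"][t[4]] = t[1]
    return cfg


def unreachable_statics(cfg):
    """Statics whose real host is neither on the real interface's own subnet
    nor covered by a 'route' out of that interface: the PIX cannot deliver
    the translated packets, so the forward can never work."""
    findings = []
    for real_if, real, port in cfg["statics"]:
        host = ipaddress.ip_address(real)
        iface = cfg["ifaces"].get(real_if)
        connected = iface is not None and host in iface.network
        routed = any(r_if == real_if and host in net for r_if, net, _ in cfg["routes"])
        if not (connected or routed):
            # Mask assumed /24: the post says the clients live on the 192.168.20.0 segment.
            net = ipaddress.ip_network(f"{host}/24", strict=False)
            findings.append({
                "host": str(host),
                "interface": real_if,
                "port": port,
                "fix": f"route {real_if} {net.network_address} {net.netmask} "
                       f"<{real_if}-side address of the Linux gateway>",
            })
    return findings


def outside_permits_everything(cfg):
    """True when the ACL bound inbound on 'outside' contains a 'permit ip any any' entry."""
    rules = cfg["acls"].get(cfg["groups"].get("outside"), [])
    return any(r[:4] == ["permit", "ip", "any", "any"] for r in rules)


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for f in unreachable_statics(cfg):
        print(f"static for {f['host']} port {f['port']}: no path via {f['interface']}; add: {f['fix']}")
    if outside_permits_everything(cfg):
        print("outside ACL permits ip any any: the port-18000 entry is redundant and everything is exposed")
```

Two practical notes that follow from the check. The `route inside` command needs the Linux host's address on the 192.168.0.0/24 segment as next hop, and the Linux host must in turn forward between its 192.168.0.x and 192.168.20.x interfaces for the reply path to exist. Separately, not being able to ping the outside address from an inside host is normal on a PIX: it only answers ICMP aimed at the interface nearest the sender, so that ping proves nothing about the forward; test port 18000 from the Internet side once the route is in place.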