pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#