pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
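As an added reviewer's example (not part of the Cisco configuration above), the following Python script runs a handful of hardening checks over a constructed excerpt of this configuration: the ACL 120 entries that open every TCP and UDP port to the web server, the default SNMP community string, the DES/MD5 transform set and ISAKMP policies, the DH group 1 policy, and the wildcard pre-shared key. The excerpt, the rule set and the function name audit_pix_config are assumptions made for the example.

```python
import re

# Constructed excerpt of the PIX 6.3 "show run" output above (example input).
PIX_CONFIG = """\
access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

# Each rule is (regex matched against one stripped config line, finding text).
# {1}, {2} are filled from the regex groups of the matching line.
RULES = [
    (r"^access-list \S+ permit (tcp|udp) any host (\S+)$",
     "ACL permits every {1} port from any source to {2}; restrict to needed ports"),
    (r"^snmp-server community public$",
     "SNMP community string is the well-known default 'public'"),
    (r"^crypto ipsec transform-set (\S+) .*\besp-des\b",
     "transform-set {1} uses single DES (56-bit key) for ESP encryption"),
    (r"^crypto ipsec transform-set (\S+) .*\besp-md5-hmac\b",
     "transform-set {1} uses MD5-HMAC for ESP integrity"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "one pre-shared key is accepted from any peer address (wildcard 0.0.0.0)"),
    (r"^isakmp policy (\d+) encryption des$", "ISAKMP policy {1} negotiates single DES"),
    (r"^isakmp policy (\d+) hash md5$", "ISAKMP policy {1} negotiates MD5"),
    (r"^isakmp policy (\d+) group 1$",
     "ISAKMP policy {1} uses DH group 1 (768-bit modulus)"),
]

def audit_pix_config(text):
    """Return a list of (line_number, finding) for every rule a line matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        for pattern, msg in RULES:
            m = re.match(pattern, line)
            if m:  # index 0 is the whole line, groups start at {1}
                findings.append((lineno, msg.format(line, *m.groups())))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_pix_config(PIX_CONFIG):
        print(f"line {lineno}: {finding}")
```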