攻城狮论坛

Author: Cmyrtle
Views: 1594 | Replies: 12


[Security] Urgent: the client is on ADSL, how can it log in to the PIX 515E VPN?

What configuration do I need to do on the firewall?
The firewall is a PIX 515E.

The client goes online via PPPoE.

hawk793 [Lv4 Rising Star] posted on 2013-7-24 09:35:15
Look at my post;
use Cisco's client software.

eric980643 [Lv4 Rising Star] posted on 2013-7-24 18:02:55
The client software I am using is Cisco VPN Client 4.0.1.

sleet [Lv4 Rising Star] posted on 2013-7-24 19:18:58
It prompts: "The necessary VPN sub-system is not available.
You can't connect to the remote VPN server."

rinker [Lv4 Rising Star] posted on 2013-7-24 21:46:47
pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#

mosheh [Lv5 Growing] posted on 2013-7-24 23:12:03
My configuration is about the same as yours; I can connect to the VPN from a public IP,
but from ADSL PPPoE it cannot get through.
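Editor's note, with an added example that is not part of rinker's or mosheh's posts and is not Cisco's sample: the configuration rinker posted has no NAT traversal enabled, and that is the first thing to check when a client on a public IP connects but the same client on ADSL does not. A PC that runs the PPPoE session itself holds a public address, but an ADSL router that does PPPoE on the PC's behalf NATs the LAN behind it, and plain ESP (IP protocol 50) has no ports for a PAT device to translate; the thread does not say which setup the clients use, so that is an assumption. PIX 6.3 supports NAT-T (isakmp nat-traversal), under which IKE detects the NAT and both sides move ESP into UDP/4500, which Cisco VPN Client 4.x negotiates on its own. The fragment below shows that change next to the posted settings it replaces, and also replaces the DES/MD5 transform set and the DES/MD5 IKE policies, which are too weak for a remote-access VPN; the AES/SHA commands are only accepted if the unit carries the 3DES-AES activation key (a config that uses DES everywhere may mean it does not), in which case substitute 3des. The transform-set name strongset is arbitrary. Separately, the message sleet quoted ("The necessary VPN sub-system is not available") is produced by the Cisco VPN Client when its own Windows service is not running, before anything reaches the PIX, so that is a client-side problem and not the PPPoE one.

```cisco
! Added example (not from the posted config or from Cisco). Assumes PIX 6.3
! with the 3DES-AES activation key; "strongset" is an arbitrary name.

! --- posted (weak) ------------------------------------------------------
! crypto ipsec transform-set myset esp-des esp-md5-hmac
! isakmp policy 10 encryption des
! isakmp policy 10 hash md5
! isakmp policy 20 ... group 1          (VPN Client 1.x only)
! (no "isakmp nat-traversal" line at all)

! --- corrected ----------------------------------------------------------
! 1. Let ESP cross a NAT/PAT device such as an ADSL router: once IKE detects
!    NAT, ESP is carried in UDP/4500; a 20 s keepalive keeps the PAT entry open.
!    "sysopt connection permit-ipsec" (already present) admits that UDP flow
!    past ACL 120, so no new access-list line is needed.
isakmp nat-traversal 20

! 2. Replace the DES/MD5 transform set and point the dynamic map at it.
crypto ipsec transform-set strongset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strongset

! 3. Harden the IKE policy used by VPN Client 3.x/4.x (group 2 is kept)
!    and drop policy 20, which existed only for VPN Client 1.x with DH group 1.
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
no isakmp policy 20
```

After applying, connect from the ADSL client and check "show isakmp sa" and "show crypto ipsec sa" on the PIX: with NAT-T in use the peer shows the router's public address and the SA reports UDP encapsulation; if no SA appears at all, the problem is before the PIX (client service not running, or UDP/500 and UDP/4500 blocked upstream).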

ayayay [Lv8 Tech Expert] posted on 2013-11-6 22:00:54
Nice, nice, thanks for your hard work, OP...

sadasz [Lv8 Tech Expert] posted on 2013-11-7 20:26:09
Passing by, just showing some support.

azcat [Lv8 Tech Expert] posted on 2013-11-9 10:22:14
Showing support :lol

楚行云 [Lv8 Tech Expert] posted on 2013-11-9 10:55:03