攻城狮论坛

Author: Cmyrtle
Views: 1694 | Replies: 12

[Security] Urgent: the client is on ADSL, how can it log in to the PIX 515E VPN?

What configuration is needed on the firewall?
The firewall is a PIX 515E.

The client connects to the Internet via PPPoE.

hawk793 [Lv4 Emerging Talent] posted on 2013-7-24 09:35:15
See my post,
use the Cisco client software.

eric980643 [Lv4 Emerging Talent] posted on 2013-7-24 18:02:55
The client software I am using is Cisco VPN Client 4.0.1.

sleet [Lv4 Emerging Talent] posted on 2013-7-24 19:18:58
It shows this message: the necessary vpn sub-system is not available
you can't connect to the remote vpn server

rinker [Lv4 Emerging Talent] posted on 2013-7-24 21:46:47
pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP)
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool

vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
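
An added example, not part of the original thread and not Cisco tooling: a small review script that scans a PIX 6.x running-config like the one posted above for its weak IPsec/ISAKMP and SNMP settings. The rule names and the `audit` function are hypothetical, the sample input is constructed from lines of the posted configuration, and the NAT-traversal check assumes the ADSL client sits behind a NAT device, which the thread does not confirm.

```python
import re

# Constructed sample: the SNMP and IPsec/ISAKMP lines of the configuration posted above.
SAMPLE_CONFIG = """\
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

# Hypothetical rule set: (rule id, regex over one config line, reason to flag it).
RULES = [
    ("weak-ike-cipher", r"^isakmp policy \d+ encryption des$", "IKE uses single DES"),
    ("weak-ike-hash", r"^isakmp policy \d+ hash md5$", "IKE uses MD5"),
    ("weak-dh-group", r"^isakmp policy \d+ group [12]$", "768/1024-bit DH group"),
    ("weak-esp", r"^crypto ipsec transform-set \S+ .*\besp-des\b", "ESP uses single DES"),
    ("wildcard-psk", r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "one pre-shared key accepted from any peer address"),
    ("default-snmp", r"^snmp-server community public$", "default SNMP community"),
]


def audit(config):
    """Return (rule_id, line_number, text, reason) findings for a PIX 6.x config."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for number, line in enumerate(lines, 1):
        if not line or line.startswith(("!", ":")):
            continue  # skip blanks, "!---" comments and ": Saved" markers
        for rule_id, pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((rule_id, number, line, reason))
    # Absence check (assumption: the remote client is behind a NAT device).
    ike_on = any(l.startswith("isakmp enable") for l in lines)
    nat_t = any(l.startswith("isakmp nat-traversal") for l in lines)
    if ike_on and not nat_t:
        findings.append(("no-nat-traversal", 0, "", "isakmp nat-traversal is not configured"))
    return findings


if __name__ == "__main__":
    for rule_id, number, text, reason in audit(SAMPLE_CONFIG):
        print(f"{rule_id:16} line {number:2}  {reason}: {text}")
```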

mosheh [Lv5 Steadily Growing] posted on 2013-7-24 23:12:03
My configuration is about the same as yours. I can connect to the VPN from a public IP,
but not over ADSL PPPoE.

ayayay [Lv8 Technically Sharp] posted on 2013-11-6 22:00:54
Nice, nice. Thanks for your hard work, OP...

sadasz [Lv8 Technically Sharp] posted on 2013-11-7 20:26:09
Just passing by, showing some support.

azcat [Lv8 Technically Sharp] posted on 2013-11-9 10:22:14
Showing support :lol

楚行云 [Lv8 Technically Sharp] posted on 2013-11-9 10:55:03