pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
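The crypto and management settings in the listing above (DES and MD5 in both the IPsec transform set and the ISAKMP policies, Diffie-Hellman group 1 for policy 20, a pre-shared key bound to address 0.0.0.0/0.0.0.0, and the SNMP community `public`) are the items a reviewer would pull out of a `show run` before anything else. The following Python script is an added example, not part of the original page or of Cisco's tooling: it parses a PIX 6.x running-config and reports those weak settings. The embedded sample config is constructed from the lines on this page, the rule names are my own, and the parser only understands the handful of command forms that appear here.

```python
"""Audit a Cisco PIX 6.x running-config for weak crypto and management settings.

Added example (not from the original page or from Cisco). It recognises only the
command forms seen in the sample listing: 'crypto ipsec transform-set',
'isakmp key', 'isakmp policy' and 'snmp-server community'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the crypto/SNMP lines from the page's 'show run' output.
SAMPLE_CONFIG = """\
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""

# Algorithms PIX 6.x still accepts but that should not protect a new tunnel.
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-md5-hmac"}
WEAK_ISAKMP_ATTRS = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
WILDCARD_PEER = ["address", "0.0.0.0", "netmask", "0.0.0.0"]


@dataclass(frozen=True)
class Finding:
    rule: str   # short, stable identifier (my own naming)
    line: str   # the offending config line, reconstructed for policy attributes


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Group 'isakmp policy <n> <attr> <value>' lines into one dict per policy."""
    policies: dict[int, dict[str, str]] = {}
    for raw in config.splitlines():
        m = re.fullmatch(r"isakmp policy (\d+) (\S+) (\S+)", raw.strip())
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def audit(config: str) -> list[Finding]:
    """Return findings in config order, then per-policy findings by policy number."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # skip blanks and '!---' comments
            continue
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            if WEAK_ESP_TRANSFORMS.intersection(words[4:]):
                findings.append(Finding("weak-ipsec-transform", line))
        elif words[:2] == ["isakmp", "key"] and words[3:7] == WILDCARD_PEER:
            # One PSK accepted from any peer address: no per-peer key separation.
            findings.append(Finding("wildcard-preshared-key", line))
        elif words[:2] == ["snmp-server", "community"] and len(words) > 2:
            if words[2] in DEFAULT_SNMP_COMMUNITIES:
                findings.append(Finding("default-snmp-community", line))
    for number, attrs in sorted(parse_isakmp_policies(config).items()):
        for attr, weak_values in WEAK_ISAKMP_ATTRS.items():
            if attrs.get(attr) in weak_values:
                findings.append(Finding(f"weak-isakmp-{attr}",
                                        f"isakmp policy {number} {attr} {attrs[attr]}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:26} {f.line}")
```

Running the script against the sample prints eight findings: the default community, the DES/MD5 transform set, the wildcard pre-shared key, DES and MD5 in policy 10, and DES, MD5 and group 1 in policy 20. Policy 10's group 2 is not flagged. The checks are deliberately line-based so the script can be pointed at a saved `show run` capture without any device access.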