攻城狮论坛

Author: Cmyrtle
Views: 1643 | Replies: 12
[Security] Urgent: the client connects via ADSL; how can it log in to the VPN on the PIX 515E?

What configuration is needed on the firewall?
The firewall is a PIX 515E.
The client gets online via PPPoE.

hawk793 [Lv4 Rising Talent] posted on 2013-7-24 09:35:15
See my post;
use Cisco's client software.

eric980643 [Lv4 Rising Talent] posted on 2013-7-24 18:02:55
The client software I use is Cisco VPN Client 4.0.1.

sleet [Lv4 Rising Talent] posted on 2013-7-24 19:18:58
The error message is: the necessary vpn sub-system is not valiable
you can't connect to the remote vpn server

rinker [Lv4 Rising Talent] posted on 2013-7-24 21:46:47
pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP)
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
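The running-config above is the kind of text a defender would want to check mechanically before exposing a remote-access VPN to the Internet. The following Python script is an added example, not code from the thread or from Cisco: it reads a PIX 6.x style configuration and flags the settings a reviewer would question in the posted config (the default SNMP community, the wildcard pre-shared key that accepts any peer address, DES/MD5 in the ISAKMP policies and transform-set, and 768-bit DH group 1). It also reports when `isakmp nat-traversal` is absent, which matters whenever remote-access clients sit behind a NAT device, as PPPoE home routers commonly do; that check is a general consideration added here, not a conclusion the thread itself reaches. The sample configuration inside the script is a constructed excerpt modelled on the posted one, with the same redacted secrets.

```python
"""Audit a PIX 6.x style running-config for weak remote-access VPN settings.

Added example: the check names, weak-algorithm list and the sample config
are assumptions built for illustration, not a product feature or the
original poster's data.
"""
import re

# Constructed excerpt modelled on the config posted in the thread (not the full dump).
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
snmp-server community public
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 password ********
"""

# Algorithms a reviewer would reject for an Internet-facing VPN today (assumed list).
WEAK_ALGORITHMS = {"des", "md5", "esp-des", "esp-md5-hmac"}


def audit(config: str) -> list[str]:
    """Return a list of human-readable findings, in config order, for one config text."""
    findings = []
    # Drop blank lines and the '!--- ...' comment lines Cisco documents use.
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]

    for line in lines:
        tokens = line.split()

        # Well-known default SNMP communities expose device state to anyone who can reach it.
        if line.startswith("snmp-server community") and tokens[-1] in ("public", "private"):
            findings.append(f"default SNMP community '{tokens[-1]}'")

        # A PSK bound to 0.0.0.0/0.0.0.0 is shared with every possible peer address.
        if line.startswith("isakmp key") and "address 0.0.0.0" in line:
            findings.append("wildcard pre-shared key for any peer (isakmp key ... address 0.0.0.0)")

        # Phase 1 policy attributes: encryption, hash and DH group.
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$", line)
        if m:
            num, attr, val = m.groups()
            if attr in ("encryption", "hash") and val in WEAK_ALGORITHMS:
                findings.append(f"isakmp policy {num}: weak {attr} {val}")
            if attr == "group" and val == "1":
                findings.append(f"isakmp policy {num}: 768-bit DH group 1")

        # Phase 2 transform-set: every transform after the set name is an algorithm.
        if line.startswith("crypto ipsec transform-set"):
            weak = [t for t in tokens[4:] if t in WEAK_ALGORITHMS]
            if weak:
                findings.append(f"transform-set {tokens[3]}: weak {' '.join(weak)}")

    # Whole-config checks: presence or absence of a setting rather than a single line.
    if not any(ln.startswith("isakmp nat-traversal") for ln in lines):
        findings.append("NAT traversal not enabled (isakmp nat-traversal); "
                        "clients behind NAT may fail to connect")

    has_group_password = any(ln.startswith("vpngroup") and " password " in ln for ln in lines)
    has_xauth = any(ln.startswith("crypto map") and "client authentication" in ln for ln in lines)
    if has_group_password and not has_xauth:
        findings.append("group password without per-user XAUTH (crypto map ... client authentication)")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it as-is to see the findings for the constructed sample; pass the text of a real `show run` to `audit()` to check a device of your own. The per-line checks are deliberately string-based rather than a full parser, which is enough for the flat, one-statement-per-line PIX 6.x syntax but would need extending for the nested sub-modes of later ASA releases.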

mosheh [Lv5 Growing] posted on 2013-7-24 23:12:03
My configuration is about the same as yours; I can connect to the VPN from a public IP,
but not from an ADSL PPPoE connection.

ayayay [Lv8 Technically Sharp] posted on 2013-11-6 22:00:54
Nice, nice, thanks for your hard work, OP...

sadasz [Lv8 Technically Sharp] posted on 2013-11-7 20:26:09
Passing by, showing some support.

azcat [Lv8 Technically Sharp] posted on 2013-11-9 10:22:14
Showing support :lol

楚行云 [Lv8 Technically Sharp] posted on 2013-11-9 10:55:03