PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0e53SZdxezxawxDG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit tcp any host 222.191.123.6 eq www
access-list 102 permit tcp any host 222.191.123.6 eq smtp
access-list 102 permit tcp any host 222.191.123.6 eq pop3
access-list 102 permit tcp any host 222.191.123.6 eq 56789
access-list 102 permit icmp any any
access-list 80 permit ip 192.168.11.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 80 permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 80 permit ip 192.168.13.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 80 permit ip 192.168.14.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 80 permit ip 192.168.15.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 80 permit ip 192.168.16.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 80 permit ip 192.168.13.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list 80 permit ip 192.168.14.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list 80 permit ip 192.168.12.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list 120 permit ip 192.168.13.0 255.255.255.0 192.168.200.0 255.255.248.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 222.191.123.6 255.255.255.252
ip address inside 192.168.11.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dialer 192.168.11.200-192.168.11.220
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.12.0 255.255.255.0 inside
pdm location 192.168.13.0 255.255.255.0 inside
pdm location 192.168.14.0 255.255.255.0 inside
pdm location 192.168.15.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.18.0 255.255.255.0 outside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 192.168.18.0 255.255.255.0 inside
pdm location 192.168.12.3 255.255.255.255 inside
pdm location 0.0.0.0 255.0.0.0 inside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 192.168.12.4 255.255.255.255 inside
pdm location 192.168.200.0 255.255.248.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
static (inside,outside) tcp interface ftp 192.168.12.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.12.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.12.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.12.3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 56789 192.168.12.3 615 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 222.191.234.5 1
route inside 192.168.12.0 255.255.255.0 192.168.11.1 1
route inside 192.168.13.0 255.255.255.0 192.168.11.1 1
route inside 192.168.14.0 255.255.255.0 192.168.11.1 1
route inside 192.168.15.0 255.255.255.0 192.168.11.1 1
route inside 192.168.16.0 255.255.255.0 192.168.11.1 1
route inside 192.168.18.0 255.255.255.0 192.168.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer 40 ipsec-isakmp
crypto map vpnpeer 40 match address 120
crypto map vpnpeer 40 set peer 222.191.232.34
crypto map vpnpeer 40 set transform-set myset
crypto map vpnpeer client configuration address initiate
crypto map vpnpeer client configuration address respond
crypto map vpnpeer client authentication LOCAL
crypto map vpnpeer interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 222.191.232.34 netmask 255.255.255.255
isakmp client configuration address-pool local dialer outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup weifu103user address-pool dialer
vpngroup weifu103user idle-time 1800
vpngroup weifu103user password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username weifu103 password 0KczsG6c9C2DHNWX encrypted privilege 2
username weifu password ObN5By5VruQxn1Fr encrypted privilege 2
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 2
terminal width 80
Cryptochecksum:9c994cccc5b7fcc843383017fd2e4c69
: end
pixfirewall(config)# quit
pixfirewall# quit

Logoff

Connection to the host was lost.