Learned a bit about Cisco firewalls here. The company bought a Cisco PIX 506E, and the person who came to configure it is Cisco certified, so I followed along and learned! I can't master all of it, but I can at least read it!
Connect the blue console cable from the COM port to the terminal and the firewall.
Press Enter directly, then use the following command to set the password required for telnet 192.168.1.1 (to manage the firewall from a machine on the network):
ena pass cisco
On a machine in the LAN:
Run telnet 192.168.1.1
At the password: prompt, enter cisco
Pix506E> en (press Enter)
password:******** (my password)
Pix506E # sh run (shows the firewall's running configuration)
Pix506E # conf t
Pix506E(config) # (you can now edit the configuration here)
Commonly used ones are:
/* IP-to-MAC binding */
arp inside 192.168.1.86 0016.1730.9442 alias
arp inside 192.168.1.66 0017.316a.e5e8 alias
arp inside 192.168.1.70 0017.316a.e140 alias
/* IPs allowed to reach the Internet; all other IPs are blocked */
access-list 110 permit ip host 192.168.1.86 any
access-list 110 permit ip host 192.168.1.66 any
access-list 110 permit ip host 192.168.1.70 any
access-list 110 deny ip any any
access-group 110 in interface inside
/* (From here on, this is not my company's configuration) */
/* Basic PIX configuration */
interface eth0 100full
interface eth1 100full
interface eth2 100full
interface eth3 100full
nameif eth0 outside security0
nameif eth1 inside security100
nameif eth2 DMZ security50
nameif eth3 server security40
hostname PIX515E
domain-name hd4u.com
ip add inside 192.168.1.1 255.255.255.0
ip add outside 61.234.184.139 255.255.255.248
ip add DMZ 172.16.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 61.234.184.137 1
/* DHCP configuration */
dhcpd add 192.168.1.2-192.168.1.253 inside
dhcpd dns 61.153.177.197 61.153.177.201
dhcpd enable inside
/* Address mapping (static NAT) configuration */
static (dmz,outside) 61.130.11.134 172.16.1.2 netmask 255.255.255.255 0 0
conduit permit tcp host 61.130.11.134 eq smtp any
conduit permit tcp host 61.130.11.134 eq 110 any
static (inside,outside) 61.130.11.132 192.168.0.94 netmask 255.255.255.255 0 0
conduit permit udp host 61.130.11.132 eq 1721-1724 any
(This is my company's) mail server configuration:
static (inside,outside) tcp 60.191.9.34 pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 60.191.9.34 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
Three permits:
conduit permit tcp host 60.191.9.34 eq www any
conduit permit tcp host 60.191.9.34 eq smtp any
conduit permit tcp host 60.191.9.34 eq pop3 any
/* ACL */
object-group service MYSERVICES tcp
port-object eq http
port-object eq ftp
port-object eq https
object-group icmp-type PING
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
object-group network WWWSERVERS
network-object host <external-IP>
access-list ACLIN permit tcp <external-IP> <subnet-mask> object-group WWWSERVERS object-group MYSERVICES
access-list ACLIN permit icmp any any object-group PING
access-list ACLIN deny ip any any
access-group ACLIN in interface outside
access-list ACLDMZ permit icmp any any object-group PING
access-group ACLDMZ in interface dmz
/* PDM (PIX Device Manager) configuration */
pdm location 192.168.1.89 255.255.255.255 inside
http server enable
/* Multiple interface (VLAN) configuration */
interface eth1 vlan1 physical
interface eth1 vlan5 logical
nameif vlan5 vlan5 security30
ip add vlan5 192.168.100.1 255.255.255.0
/*TELNET*/
telnet 192.168.1.89 255.255.255.0 inside
/* VPN configuration */
ip local pool myvpn 192.168.1.100-192.168.1.200
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication Partner
crypto map outside_map interface outside
isakmp enable outside
isakmp key cisco address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
vpngroup vpn3000 address-pool myvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
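Two things in this listing are easy to get wrong by hand: the whitelist ACL 110 only really pins a host down when every permitted IP also has a static arp alias (the IP-to-MAC binding section above), and a crypto map must reference a transform-set that actually exists (the VPN section). The following is an added example, not part of the original post or any Cisco tool: a small Python audit that parses PIX-style lines and reports both inconsistencies. The config text embedded below is a constructed sample taken from this page, with the mistyped transform-set name deliberately left in so the check has something to find.

```python
import re

# Constructed sample: the relevant lines from the PIX config above. 192.168.1.70 is
# permitted but has no arp alias, and ESP-DES-DE5 is referenced but never defined.
SAMPLE_CONFIG = """\
arp inside 192.168.1.86 0016.1730.9442 alias
arp inside 192.168.1.66 0017.316a.e5e8 alias
access-list 110 permit ip host 192.168.1.86 any
access-list 110 permit ip host 192.168.1.66 any
access-list 110 permit ip host 192.168.1.70 any
access-list 110 deny ip any any
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-DE5
"""

ARP_RE = re.compile(r"^arp\s+\S+\s+(\S+)\s+([0-9a-f.]+)\s+alias$")
ACL_HOST_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+any$")
TS_DEF_RE = re.compile(r"^crypto ipsec transform-set\s+(\S+)")
TS_REF_RE = re.compile(r"set transform-set\s+(\S+)$")


def audit(config):
    """Return findings for whitelist/ARP consistency and transform-set references."""
    bound = {}       # ip -> mac taken from static arp aliases
    permitted = []   # (acl name, ip) for each whitelisted host
    defined, referenced = set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := ARP_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ACL_HOST_RE.match(line):
            permitted.append((m.group(1), m.group(2)))
        elif m := TS_DEF_RE.match(line):
            defined.add(m.group(1))
        elif m := TS_REF_RE.search(line):
            referenced.append(m.group(1))
    findings = []
    for acl, ip in permitted:
        if ip not in bound:
            findings.append(f"{acl}: host {ip} permitted but has no static arp alias")
    for name in referenced:
        if name not in defined:
            findings.append(f"transform-set {name} referenced but never defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against a saved `sh run` output instead of the sample is just `audit(open("pix.cfg").read())`.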