Environment:
--------------------------------------------
PIX 501 firewall, OS: PIX OS 6.3
PPPoE dial-up Internet access
Public IP obtained automatically, default route assigned automatically
Private (inside) IP: 192.168.1.254
DHCP enabled
DHCP address pool: 192.168.1.2-192.168.1.128
SSH enabled; login allowed from both inside and outside
Telnet enabled; login allowed from the inside only
Inside hosts may freely access the outside
Outside hosts may reach port 8080 of inside host 192.168.1.153
************
If you have a static public IP instead, set the public IP and the route manually:
a. In section 4, add the outside interface IP:
ip address outside WAN_IP WAN_NETMASK
where:
//WAN_IP is the public IP assigned by the ISP
//WAN_NETMASK is the subnet mask of that public IP, also from the ISP
b. In section 5, add a default route:
route outside 0.0.0.0 0.0.0.0 WAN_GATEWAY 1
where:
//WAN_GATEWAY is the next-hop IP, i.e. the gateway on the ISP side
c. Remove section 12, the PPPoE block
*************
++++++++++++++++++++++++++++++++++++++++++++++
----------------------------------------------
//1. Define the network interfaces
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
----------------------------------------------
//2. Set passwords: the telnet password and the privileged-mode (enable) password
password cisco
enable password cisco
----------------------------------------------
//3. Set the PIX hostname and domain name
hostname test
domain-name test.com
----------------------------------------------
//4. Set interface IPs: inside here; the outside IP comes from PPPoE (section 12) or from static step a. above
ip address inside 192.168.1.254 255.255.255.0
----------------------------------------------
//5. Set up NAT so inside hosts can freely reach the outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
----------------------------------------------
//6. Port forwarding: let outside hosts reach port 8080 of inside host 192.168.1.153 (use one of the two lines)
//static public IP:
static (inside,outside) tcp 59.42.191.97 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
//dynamic public IP (PPPoE): map to the outside interface address instead
static (inside,outside) tcp interface 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
----------------------------------------------
//7. Define access rules
//.a. Inside access rules
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-group inside_access_in in interface inside
//.b. Outside access rules (use the line matching your public IP type)
//static public IP:
access-list outside_access_in permit tcp any host 59.42.191.97 eq 8080
//dynamic public IP (PPPoE):
access-list outside_access_in permit tcp any interface outside eq 8080
access-group outside_access_in in interface outside
icmp permit any outside
icmp permit any inside
------------------------------------------------------
//8. Configure PDM (the web management GUI)
//note: 192.168.2.0 with a /32 mask is a single-host entry that lies outside the 192.168.1.0/24 inside subnet defined in section 4
pdm location 192.168.2.0 255.255.255.255 inside
pdm history enable
------------------------------------------------------
//9. Configure telnet: every inside host may telnet to the PIX
telnet 0.0.0.0 0.0.0.0 inside
------------------------------------------------------
//10. Configure DHCP
dhcpd address 192.168.1.2-192.168.1.128 inside
dhcpd dns 61.144.56.100 202.96.128.166
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
------------------------------------------------------
//11. SSH
//.a. With AAA local authentication: adds user test with password cisco; LOCAL must be in uppercase
username test password cisco
ca generate rsa key 1024
ca save all
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ca zeroize rsa //clears the previously configured RSA key
//.b. Without AAA local authentication: the default user is pix, password cisco
ca gen rsa key 1024
ca save all
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
passwd cisco
----------------------------------------------
//12. PPPoE
//PPPoE configuration --- ISP-issued dial-up account: [email protected], password 12345678
vpdn group pppoex request dialout pppoe //define the PPPoE dial-out group
ip address outside pppoe setroute //obtain the outside IP and default route via PPPoE
vpdn group pppoex localname [email protected] //the account name assigned by the ISP
vpdn group pppoex ppp authentication pap //authentication protocol
vpdn username [email protected] password 12345678 //the PPPoE password assigned by the ISP
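The listing above enables SSH from any source on the outside interface, telnet from any inside host, and uses the password cisco everywhere; the PDM location entry also falls outside the inside subnet. As an added example (not part of the original page and not a Cisco tool), the following script lints a PIX OS 6.3 style configuration for exactly these points: management access from 0.0.0.0/0, weak or default passwords, a permit-ip-any-any ACL bound to an interface, and a pdm location outside the inside network. The sample configuration embedded in it is constructed from the management-related lines of the listing, and the lint rules are this example's own.

```python
"""Lint a PIX OS 6.3 style configuration for risky management and filtering settings.

Added example, not a Cisco utility.  Findings are returned as
(severity, config_line, message) tuples so they can be checked or reported.
"""
import ipaddress
import re

# Constructed sample: the management-related lines from the listing above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
password cisco
enable password cisco
ip address inside 192.168.1.254 255.255.255.0
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
pdm location 192.168.2.0 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
username test password cisco
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
"""

# Assumed list of vendor-default / trivially guessable passwords for this lint.
WEAK_PASSWORDS = {"cisco", "pix", "password", "admin"}


def lint_pix_config(text):
    """Return a list of (severity, line, message) findings for the given config text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    inside_net = None
    permit_any_acls = set()

    # Pass 1: gather context needed by later checks (inside subnet, wide-open ACLs).
    for ln in lines:
        m = re.match(r"ip address inside (\S+) (\S+)$", ln)
        if m:
            inside_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = re.match(r"access-list (\S+) permit ip any any$", ln)
        if m:
            permit_any_acls.add(m.group(1))

    # Pass 2: per-line checks.
    findings = []
    for ln in lines:
        parts = ln.split()

        # "password X", "enable password X", "passwd X", "username U password X"
        m = re.search(r"\b(?:password|passwd) (\S+)$", ln)
        if m and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(("high", ln, f"weak or default password '{m.group(1)}'"))
            continue

        # "ssh/telnet 0.0.0.0 0.0.0.0 <iface>": management reachable from any source.
        if parts[0] in ("ssh", "telnet") and len(parts) == 4 and parts[1:3] == ["0.0.0.0", "0.0.0.0"]:
            sev = "high" if parts[3] == "outside" else "medium"
            proto = "cleartext telnet" if parts[0] == "telnet" else "ssh"
            findings.append((sev, ln, f"{proto} management open to any source on {parts[3]}"))
            continue

        # An ACL that permits ip any any applied to an interface filters nothing.
        m = re.match(r"access-group (\S+) in interface (\S+)$", ln)
        if m and m.group(1) in permit_any_acls:
            findings.append(("medium", ln, f"access-list '{m.group(1)}' permits ip any any on {m.group(2)}: no filtering"))
            continue

        # pdm location on inside that is not part of the inside subnet (likely a typo).
        m = re.match(r"pdm location (\S+) (\S+) inside$", ln)
        if m and inside_net is not None:
            loc = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if not loc.subnet_of(inside_net):
                findings.append(("low", ln, f"pdm location {loc} is not within the inside network {inside_net}"))

    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, line, msg in lint_pix_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}\n         {line}")
    print(count_by_severity(lint_pix_config(SAMPLE_CONFIG)))
```

Run it against a saved `show running-config` to get the same report for a real unit; removing the `ssh 0.0.0.0 0.0.0.0 outside` line (or narrowing it to a management host) drops the only high-severity network finding, and the remaining highs are all the shared password cisco.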