Firewall technology: the seven commands in PIX (advantages of firewall technology)
Editor: rootadmin
Six basic commands

static: Configure a persistent one-to-one address translation rule by mapping a local IP address to a global IP address. This is also known as Static Port Address Translation (Static PAT). (Configuration mode.)
    static [(prenat_interface,postnat_interface)] {mapped_address|interface} real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]
    show static

nameif: Name interfaces and assign a security level. (Configuration mode.)
    nameif hardware_id if_name security_level
    show nameif / clear nameif

interface: Identify network interface speed and duplex. (Configuration mode.)
    interface hardware_id [hardware_speed] [shutdown]
    show interface hardware_id [hardware_speed] [shutdown]

ip address: Identifies addresses for network interfaces, and enables you to set the number of times the PIX Firewall will poll for DHCP information. (Configuration mode.)
    ip address if_name ip_address [netmask]
    ip address outside dhcp [setroute] [retry retry_cnt]
    ip address if_name pppoe [setroute]
    ip address if_name ip_address netmask pppoe [setroute]
    show ip                           Displays IP addresses assigned to the network interfaces.
    show ip address if_name dhcp      Displays detailed information about the DHCP lease.
    show ip address if_name pppoe     Displays detailed information about the PPPoE connection.

global: Create or delete entries from a pool of global addresses. (Configuration mode.)
    global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]}|interface
    global [(if_name)] nat_id {{global_ip} [netmask global_mask]|interface}
    show global

nat: Associate a network with a pool of global IP addresses. (Configuration mode.)
    nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
    nat [(if_name)] 0 access-list acl_name
    show nat

route: Enter a static or default route for the specified interface. (Configuration mode.)
    route if_name ip_address netmask gateway_ip [metric]
    show route

conduit

Use the static and conduit commands together to allow only HTTP access:
    pixfirewall(config)# static (inside,outside) ..1..0.1. netmask ...
    pixfirewall(config)# conduit permit tcp any eq www host ..1.1

conduit syntax:
    conduit deny|permit protocol|object-group protocol_obj_grp_id global_ip global_mask|object-group network_obj_grp_id [operator port [port]|object-group service_obj_grp_id] foreign_ip foreign_mask|object-group network_obj_grp_id [operator port [port]|object-group service_obj_grp_id]
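The static/conduit pairing above is easy to get wrong in the other direction: a conduit with no port operator, or with protocol ip, opens every port of the mapped host, not just HTTP. The script below is an added example (not from the original page or from Cisco) that parses a small PIX-style configuration of static and conduit lines, resolves each permit conduit through the statics to the inside host it really exposes, and flags conduits that open more than a single port. It assumes the syntax forms shown on this page with address specs written as any, host A.B.C.D or A.B.C.D M.M.M.M, treats the first matching conduit as deciding (an assumption of this script, not a statement from the page), and the sample configuration with documentation addresses is constructed for the example.

```python
"""Audit what a PIX-style static + conduit snippet exposes (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configuration using documentation address ranges.
# The second conduit deliberately omits the port operator to show the audit finding.
SAMPLE_CONFIG = """
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq www any
conduit permit tcp host 192.0.2.11 any
conduit deny ip any any
"""

# Service names the example understands; a real parser would carry the full table.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "smtp": 25}


@dataclass
class Static:
    mapped: ipaddress.IPv4Network   # global (outside) address or range
    real_net: ipaddress.IPv4Network  # inside address or range it translates to


@dataclass
class Conduit:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (ip matches any protocol)
    global_net: ipaddress.IPv4Network
    port: Optional[int]              # None means every port
    foreign_net: ipaddress.IPv4Network
    line: str                        # original text, kept for reporting


def _parse_spec(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec (any | host A | A M) and return it plus the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port>' operator; unknown service names are an error, not 'any'."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        if name.isdigit():
            return int(name), tokens[2:]
        if name not in PORT_NAMES:
            raise ValueError(f"unknown service name: {name}")
        return PORT_NAMES[name], tokens[2:]
    return None, tokens


def parse_config(text: str) -> Tuple[List[Static], List[Conduit]]:
    """Parse static and conduit lines; other lines are ignored."""
    statics, conduits = [], []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static" and re.fullmatch(r"\(\w+,\w+\)", t[1]):
            # static (pre,post) mapped real [netmask mask]; no mask means a single host
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            statics.append(Static(ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                                  ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "conduit":
            action, proto, rest = t[1], t[2], t[3:]
            gnet, rest = _parse_spec(rest)
            gport, rest = _parse_port(rest)
            fnet, rest = _parse_spec(rest)
            _fport, rest = _parse_port(rest)   # foreign-side port is parsed but not evaluated here
            conduits.append(Conduit(action, proto, gnet, gport, fnet, raw.strip()))
    return statics, conduits


def real_for(statics: List[Static], mapped_ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
    """Translate a global address to the inside address the matching static maps it to."""
    for s in statics:
        if mapped_ip in s.mapped:
            offset = int(mapped_ip) - int(s.mapped.network_address)
            return s.real_net.network_address + offset
    return None


def is_permitted(conduits: List[Conduit], proto: str, global_ip: ipaddress.IPv4Address,
                 port: int, foreign_ip: ipaddress.IPv4Address) -> bool:
    """Decide an inbound flow: first matching conduit wins (assumption); no match is denied."""
    for c in conduits:
        if c.proto not in (proto, "ip"):
            continue
        if global_ip not in c.global_net or foreign_ip not in c.foreign_net:
            continue
        if c.port is not None and c.port != port:
            continue
        return c.action == "permit"
    return False


def audit(text: str) -> List[dict]:
    """Resolve every permit conduit through the statics and flag those opening every port."""
    statics, conduits = parse_config(text)
    findings = []
    for c in conduits:
        if c.action != "permit":
            continue
        for s in statics:
            if not c.global_net.overlaps(s.mapped):
                continue
            if c.global_net.prefixlen == 32:
                real = str(real_for(statics, c.global_net.network_address))
            else:
                real = str(s.real_net)   # network conduit: report the whole inside range
            findings.append({"real": real, "proto": c.proto, "port": c.port,
                             "from": str(c.foreign_net),
                             "broad": c.port is None or c.proto == "ip",
                             "rule": c.line})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "BROAD " if f["broad"] else "      "
        print(f"{flag}{f['real']:<12} {f['proto']}/{f['port'] or 'any':<5} from {f['from']:<12} <- {f['rule']}")
```

Run against the constructed configuration, the audit shows 10.1.1.10 reachable only on tcp/80 from anywhere, while 10.1.1.11 is flagged because the second conduit never names a port. The same parse_config output feeds is_permitted, so a change to a conduit can be checked against concrete flows before it is committed on the firewall.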