关于PIX的配置及注解 (pip 配置文件)
编辑:rootadmin
PIXVersion6.3(1)interfaceethernet0auto设定端口0速率为自动interfaceethernetfull设定端口1速率为兆全双工interfaceethernet2auto设定端口2速率为自动nameifethernet0outsidesecurity0设定端口0名称为outside安全级别为0nameifethernet1insidesecurity设定端口1名称为inside安全级别为nameifethernet2dmzsecurity设定端口2名称为dmz安全级别为enablepasswordDv0yXUGPM3Xt7xVsencrypted特权密码passwd2KFQnbNIdI.2KYOUencrypted*密码hostnamehhyy设定防火墙名称fixupprotocolftpfixupprotocolhhfixupprotocolhras-fixupprotocolhttpfixupprotocolilsfixupprotocolrshfixupprotocolrtspfixupprotocolsipfixupprotocolsipudpnofixupprotocolskinnyfixupprotocol*tpfixupprotocolsqlnet允许用户查看、改变、启用或禁止一个服务或协议通过PIX防火墙,防火墙默认启用了一些常见的端口,但对于ORACLE等专有端口,需要专门启用。namesaccess-listpermitip............0access-listpermitip............0access-listpermitip............0access-listpermitip............0建立访问列表,允许特定网段的*访问某些网段access-listdenyicmp..2....0anyaccess-listdenyicmp..3....0anyaccess-listdenyicmp..4....0anyaccess-listdenyicmp..5....0anyaccess-listdenyicmp..6....0anyaccess-listdenyicmp..7....0anyaccess-listdenyicmp..8....0anyaccess-listdenyicmp..9....0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyicmp......0anyaccess-listdenyudpanyanyeqnetbios-nsaccess-listdenyudpanyanyeqnetbios-dgmaccess-listdenyudpanyanyeqaccess-listdenyudpanyanyeqaccess-listdenyudpanyanyeqaccess-listdenytcpanyanyeqaccess-listdenytcpanyanyrangenetbios-ssnaccess-listpermitipanyany建立访问列表防止各个不同网段之间的ICMP发包及拒绝、等端口之间的通信(主要防止冲击波*)access-listpermitip............0pagerlinesloggingonloggingmonitordebuggingloggingbuffereddebuggingloggingtrapnotification*tuoutsidemtuinsidemtudmzipaddressoutside.1.1....设定外端口*ipaddressinside..1....0设定内端口*ipaddressdmz......0设定DMZ端口*ipaudit*actionalarmipauditattackactionalarmiplocalpoolhhyy...1-...建立名称为hhyy的*池,起始*段为:...1-...iplocalpoolyy...1-...建立名称为yy的*池,起始*段为:...1-...nofailoverfailovertimeout0::failoverpollnofailoveripaddressoutsidenofailoveripaddressinsidenofailoveripaddressdmznopdmhistoryenablearptimeout不支持故障切换global(outside).1.1.-.1.1.global(outside).1.1.7-.1.1.9global(outside).1.1.定义内部网络*将要翻译成的全局*或*范围nat(inside)0access-list使得符合访问列表为*不通过翻译,对外部网络是可见的nat(inside)..0...0.内部网络*翻译成外部*nat(dmz)..0...0.DMZ区网络*翻译成外部*static(inside,outside).1.1....netmask...static(inside,outside).1.1....netmask...static(inside,outside).1.1...2.4netmask...设定固定主机与外网固定IP之间的一对一静态转换static(dmz,outside).1.1....2netmask...设定DMZ区固定主机与外网固定IP之间的一对一静态转换static(inside,dmz)..0...0.0netmask..0.设定内网固定主机与DMZIP之间的一对一静态转换static(dmz,outside).1.1....3netmask...设定DMZ区固定主机与外网固定IP之间的一对一静态转换access-groupininterfaceoutsideaccess-groupininterfaceinsideaccess-groupininterfacedmz将访问列表应用于端口conduitpermittcphost.1.1.2anyconduitpermittcphost.1.1.3anyconduitpermittcphost.1.1.anyconduitpermittcphost.1.1.any设置管道:允许任何*对全局*进行TCP协议的访问conduitpermiticmp......0any设置管道:允许任何*对......0*进行PING测试ripoutsidepassiveversion2ripinsidepassiveversion2routeoutside0.0.0..0.0..1.1.1设定默认路由到电信端routeinside..2......1.routeinside..3......1.routeinside..4......1.routeinside..5......1.routeinside..6......1.routeinside..7......1.routeinside..8......1.routeinside..9......1.routeinside........1.routeinside........1.设定路由回指到内部的子网timeoutxlate3::timeoutconn1::half-closed0::udp0::rpc0::h::timeouth::mgcp0::sip0::sip_media0::timeoutuauth0::absoluteaaa-serverTACACS+protocoltacacs+aaa-serverRADIUSprotocolradiusaaa-serverLOCALprotocollocalnosnmp-serverlocationnosnmp-servercontactsnmp-servercommunitypublicnosnmp-serverenabletrapsfloodguardenablesysoptconnectionpermit-ipsecsysoptconnectionpermit-pptpserviceresetinboundserviceresetoutsidecryptoipsectransform-setmysetesp-desesp-md5-hmac定义一个名称为myset的交换集cryptodynamic-mapdynmapsettransform-setmyset根据myset交换集产生名称为dynmap的动态加密图集(可选)cryptomapvpnipsec-isakmpdynamicdynmap将dynmap动态加密图集应用为IPSEC的策略模板(可选)cryptomapvpnipsec-isakmp用IKE来建立IPSEC安全关联以保护由该加密条目指定的数据流cryptomapvpnmatchaddress为加密图指定列表作为可匹配的列表cryptomapvpnsetpeer.1.1.在加密图条目中指定IPSEC对等体cryptomapvpnsettransform-setmyset指定myset交换集可以被用于加密条目cryptomapvpnclientconfigurationaddressinitiate指示PIX防火墙试图为每个对等体设置IP*cryptomapvpnclientconfigurationaddressrespond指示PIX防火墙接受来自任何请求对等体的IP*请求cryptomapvpninterfaceoutside将加密图应用到外部接口isakmpenableoutside在外部接口启用IKE协商isakmpkey********address.1.1.netmask...指定预共享密钥和远端对等体的*isakmpidentityaddressIKE身份设置成接口的IP*isakmpclientconfigurationaddress-poollocalyyoutsideisakmppolicyauthenticationpre-share指定预共享密钥作为认证手段isakmppolicyencryptiondes指定位DES作为将被用于IKE策略的加密算法isakmppolicyhashmd5指定MD5(HMAC变种)作为将被用于IKE策略的散列算法isakmppolicygroup2指定比特Diffie-Hellman组将被用于IKE策略isakmppolicylifetime每个安全关联的生存周期为秒(一天)vpngroupciscoidle-timevpngrouppix_vpnaddress-poolyyvpngrouppix_vpnidle-timevpngrouppix_vpnpassword********vpngroupaddress-poolyyvpngroupidle-timevpngrouppassword********vpngroupaddress-poolyyvpngroupidle-timevpngrouppassword********telnet......insidetelnet......insidetelnettimeout5sshtimeout5consoletimeout0vpdngroup1acceptdialinpptpvpdngroup1pppauthenticationpapvpdngroup1pppauthenticationchapvpdngroup1pppauthenticationmschapvpdngroup1pppencryptionmppevpdngroup1clientconfigurationaddresslocalhhyyvpdngroup1pptpechovpdngroup1clientauthenticationlocalvpdnusernameciscopassword*********vpdnenableoutsideusernameciscopassword3USUcOPFUiMCO4Jkencryptedprivilege2vpnclientvpngroupcisco_vpnpassword********vpnclientusernamepixpassword********terminalwidthCryptochecksum:abcdf7cbbdfa4b
标签: pip 配置文件
本文链接地址:https://www.iopcc.com/jiadian/35321.html转载请保留说明!
