A Collection of Cisco PIX Firewall Questions

Wangchao (other) · Author: anonymous  2008-05-31

How do I allow outside users to Telnet to the PIX outside interface?

A supplement:

Licensed Features:

VPN-DES: Enabled

VPN-3DES: Disabled

Use SSH instead. Telnet is not allowed!

For inside-to-DMZ access you need a NAT configuration; for DMZ-to-inside access you need a static plus an access-list.

PIX 515E connected to an ADSL routing modem!

I want to know how to configure the E0 port to connect to the routing modem so that every internal user can reach the Internet through it.

ADSL MODEM IP: 192.168.1.1

pixfirewall(config)# vpdn group <group-name> request dialout pppoe

pixfirewall(config)# vpdn group <group-name> ppp authentication pap|chap|mschap

pixfirewall(config)# vpdn group <group-name> localname <dial-up username>

pixfirewall(config)# vpdn username <dial-up username> password <password>

pixfirewall(config)# ip address outside pppoe setroute

! The interface in the last command is the one facing the modem (normally outside), not an arbitrary name;
! setroute installs the default route learned from the PPPoE session.
! If the modem does the PPPoE dial-up itself and is reachable at 192.168.1.1, the PIX needs no vpdn lines at all:
! give outside a static address in that subnet and add "route outside 0.0.0.0 0.0.0.0 192.168.1.1 1".

I want to configure the PIX 515E so that certain internal users can only reach one specific website.

Current configuration:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 61.155.88.82 255.255.255.252

ip address inside 10.10.3.253 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 3 interface

nat (inside) 3 10.10.1.1 255.255.255.255 0 0

nat (inside) 3 10.10.1.9 255.255.255.255 0 0

nat (inside) 3 10.10.1.81 255.255.255.255 0 0

nat (inside) 3 10.10.1.82 255.255.255.255 0 0

nat (inside) 3 10.10.1.113 255.255.255.255 0 0

nat (inside) 3 10.10.1.161 255.255.255.255 0 0

nat (inside) 3 10.10.1.162 255.255.255.255 0 0

nat (inside) 3 10.10.1.165 255.255.255.255 0 0

nat (inside) 3 10.10.1.240 255.255.255.255 0 0

nat (inside) 3 10.10.2.240 255.255.255.248 0 0

nat (inside) 3 10.10.1.240 255.255.255.240 0 0

route outside 0.0.0.0 0.0.0.0 61.155.88.81 1

route inside 10.0.0.0 255.0.0.0 10.10.3.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:72a261056ba18f4dbefab375fb871688

: end

Yes. Put the restrictive policy for those hosts at the very top of the ACL and apply it in the "in" direction on the inside interface.

You can do this with a time-based ACL, or authenticate the users with TACACS+ and define a downloadable ACL.

How do I block a whole subnet with a PIX 515 ACL?

deny ip host 61.129.64.* any

How should a range like 61.129.64.* be blocked?

juechen70 (moderator)

deny ip 61.129.64.0 255.255.255.0

csco10334975 (regular user)

deny ip 61.129.64.0 255.255.255.0 any

mythis (regular user)

access-list 100 deny ip 61.129.64.0 255.255.255.0 any

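To make the ordering point concrete for both the "restrict certain hosts to one website" answer above and the subnet-blocking question just answered, here is an added example in Python (not code from the forum thread): a small evaluator for the subset of PIX 6.x extended-ACL syntax that appears on this page, applying first-match semantics with the implicit deny at the end. The ACL text, the restricted host 10.10.1.9, the DNS server 10.10.3.1, the web servers 203.0.113.10 and 198.51.100.7, and the SERVICES name table are all constructed for the example. The subnet 61.129.64.0 255.255.255.0 comes from the question; in an ACL applied inbound on inside it belongs in the destination position (inside users must not reach it), whereas mythis's form with the subnet as source is what you apply inbound on outside.

```python
"""Evaluate packets against a PIX 6.x-style extended ACL.

Added example for this page, not code from the forum thread. Supported
syntax is the subset seen on the page: permit|deny, protocol ip|tcp|udp|icmp,
an address as 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' (a real subnet mask,
as PIX uses, not an IOS wildcard), and an optional 'eq PORT' after either
address. Matching is first-match-wins with an implicit deny at the end,
which is exactly why the line order matters.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names as PIX prints them in ACLs (subset, assumed for the example).
SERVICES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "smtp": 25}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else SERVICES[p]), i + 2
    return None, i


def parse_ace(line):
    tok = line.split()
    if tok[0] == "access-list":     # drop the "access-list NAME" prefix
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text, name):
    """Return the ACEs of access-list NAME in configuration order."""
    return [parse_ace(l) for l in text.splitlines()
            if l.startswith(f"access-list {name} ")]


def evaluate(acl, proto, src_ip, dst_ip, dport=None, sport=None):
    """Return (action, 1-based line of the matching ACE); ("deny", 0) is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:   # an "ip" ACE matches every protocol
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", 0


# Constructed ACL: host 10.10.1.9 may only reach one web server (plus DNS);
# everyone else on 10.10.0.0/16 may go anywhere except 61.129.64.0/24.
ACL_TEXT = """\
access-list inside_in permit tcp host 10.10.1.9 host 203.0.113.10 eq www
access-list inside_in permit udp host 10.10.1.9 host 10.10.3.1 eq domain
access-list inside_in deny ip host 10.10.1.9 any
access-list inside_in deny ip any 61.129.64.0 255.255.255.0
access-list inside_in permit ip 10.10.0.0 255.255.0.0 any
"""
INSIDE_ACL = parse_acl(ACL_TEXT, "inside_in")

# The same lines with the broad permit moved to the top: the per-host
# restriction is never reached, which is the mistake the answer warns about.
_lines = ACL_TEXT.splitlines()
WRONG_ORDER = parse_acl("\n".join(_lines[-1:] + _lines[:-1]), "inside_in")

if __name__ == "__main__":
    for ip, dst, port in [("10.10.1.9", "203.0.113.10", 80), ("10.10.1.9", "198.51.100.7", 443),
                          ("10.10.1.50", "61.129.64.77", 80), ("10.10.1.50", "198.51.100.7", 443)]:
        print(ip, "->", dst, port, evaluate(INSIDE_ACL, "tcp", ip, dst, dport=port),
              "/ wrong order:", evaluate(WRONG_ORDER, "tcp", ip, dst, dport=port))
```

With the lines in the order shown, 10.10.1.9 is permitted only to 203.0.113.10 port 80 and is stopped at line 3 for anything else; in WRONG_ORDER the same host is permitted by line 1 to anywhere, because the PIX stops at the first matching ACE. Apply the list with `access-group inside_in in interface inside`.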
DHCP is enabled on the PIX. How do I stop the inside network from obtaining addresses automatically and allow only the DMZ to do so?

dhcpd address 192.118.0.5-192.118.0.254 dmz

dhcpd enable dmz

dhcpd dns 219.141.136.10 218.247.141.68

That does it!

How do I switch PIX 7.0 between routed and transparent mode?

I upgraded my PIX 515E to PIX 7.0(1) and want to use transparent mode. Could someone explain how?

firewall transparent

no firewall transparent

What is the command for configuring the DHCP gateway on the 515E?

dhcpd enable inside

Can the PIX run in transparent mode between the DMZ and inside?

A customer wants to move servers into the DMZ without changing their addresses. Apart from transparent mode I cannot think of another way. I know transparent mode between inside and outside, but

what about between inside and the DMZ? The addresses would have to change. In transparent (bridge) mode there is no DMZ concept. The addresses can stay the same: when you configure the address translation, translate each address to itself. But the machines that are to move into the DMZ and the inside machines are in the same subnet; servers and users share one subnet, so how do you do it without changing addresses?

How do I configure PIX transparent mode?

First, upgrade the PIX OS to 7.0.1.

Simply entering the firewall transparent command puts the PIX into transparent mode. In transparent mode the PIX behaves like a piece of wire; failover switching is handled by the other Layer 3 devices.

Firewall policies are usually tied to ports. In transparent mode, how does the outside reach inside HTTP, HTTPS, PPTP and TCP/UDP 5060/1270?

One point: in transparent mode you must configure a management address before traffic will pass.

Things have changed. We used to run two PIX 515s as a failover pair, and PIX OS 6.3 apparently did not support transparent mode. Transparent mode looks quite useful: it can provide security isolation between network segments, and most importantly it lets dynamic routing protocols pass through.

Which command shows the maximum number of connections these two PIXes support (not the peak currently in use, but the limit imposed by the license)?

show version


Why can't I ping the 515E's outside address?

The PIX version is 6.3(4). After setting the 515E's outside and inside addresses, I connected a laptop directly to the 515E's outside port with a cable. The laptop's address is in the same subnet as the outside address, but I can never ping the outside address. The same configuration works fine on a 515E running 6.2. Strange??

icmp permit any outside

========================================================

The PIX VPN is set up and works over DDN; why doesn't it work from my ADSL at home?

Configuration (PIX 520):

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 Outside security0

nameif ethernet1 inside security100

nameif ethernet2 Outside-DMZ security50

enable password GyBjREM5Y/fIjrzB encrypted

passwd enO4Olec9w1AmAwd encrypted

hostname PIX-yinhetech

domain-name test.cn

clock timezone CST 8

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol ftp 2121

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

no fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.128.1.0 notebookpoolIP

access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0

access-list 101 permit ip 10.10.0.0 255.255.0.0 any

access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any

access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any

access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any

access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0

access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any

pager lines 24

logging on

logging standby

logging buffered debugging

logging trap notifications

icmp deny any Outside

mtu Outside 1500

mtu inside 1500

mtu Outside-DMZ 1500

ip address Outside ***.***.***.** 255.255.255.240

ip address inside 10.127.1.253 255.255.255.0

ip address Outside-DMZ 172.18.3.254 255.255.255.0

ip verify reverse-path interface Outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool notebookpool 10.128.1.1-10.128.1.250

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address Outside

no failover ip address inside

no failover ip address Outside-DMZ

pdm history enable

arp timeout 14400

global (Outside) 1 ***.***.***.** netmask 255.255.255.240

global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.128.0.0 0 0

access-group 101 in interface inside

route Outside 0.0.0.0 0.0.0.0 ***.***.***.** 1

route inside 10.0.0.0 255.128.0.0 10.127.1.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.10.10.74 255.255.255.255 inside

http 10.10.10.88 255.255.255.255 inside

snmp-server host inside 10.10.10.10

snmp-server host inside 10.10.10.74

snmp-server location soft_yuan_internet

snmp-server contact bill

snmp-server community public

snmp-server enable traps

tftp-server inside 10.10.10.74 /

no floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

isakmp enable Outside

isakmp identity address

isakmp keepalive 60 5

isakmp nat-traversal 120

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup notebookpc address-pool notebookpool

vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68

vpngroup notebookpc default-domain yhgroup.cn

vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl

vpngroup notebookpc idle-time 1800

vpngroup notebookpc password ********

telnet 10.0.0.0 255.128.0.0 inside

telnet 10.10.10.110 255.255.255.255 inside

telnet 10.10.10.110 255.255.255.255 Outside-DMZ

telnet timeout 31

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35

surf_qj (regular user)

By the way, I log in with the Cisco Systems VPN Client 4.01. From home ADSL I can connect to the VPN but cannot access anything; over DDN it works. Actually this is not only a PIX issue: I built the same thing on a 2620 and got the same result. A plain ADSL line doesn't work, but an ADSL modem with routing functionality does.

isakmp nat-traversal 120

Also turn on NAT on the client side; I'd guess it's a NAT traversal problem.

========================================================

PIX 515 problem

Symptoms: one machine is attached to the DMZ and one to inside. The DMZ machine can browse the web but nothing else; the inside machine can't do anything at all. The machines themselves are known good. Please take a look at the configuration. The outside address and the global address are different; does that matter? (There are no spare contiguous addresses, so I had to use two different addresses.)

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password O53fPNRgHkA6IEsY encrypted

passwd TWjtI1emvjruV4SY encrypted

hostname jygatewall

domain-name 219.2.2.2

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

no fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list dmz_jygate_acl deny icmp any any

access-list dmz_jygate_acl permit udp any any eq domain

access-list dmz_jygate_acl permit tcp any any eq www

access-list dmz_jygate_acl permit udp any any eq 20

access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20817

access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20820

access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8080

access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8383

access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 32002

pager lines 24

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 219.150.1.2 255.255.255.224

ip address inside 192.168.168.1 255.255.255.0

ip address dmz 172.172.172.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 219.150.1.2

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0

access-group dmz_jygate_acl in interface outside

access-group dmz_jygate_acl in interface dmz

route outside 0.0.0.0 0.0.0.0 219.150.1.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt security fragguard

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:594b9bbf77abf8a342afee1764e4f7cd

: end

nyb0319 (regular user)

no static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0

Change it to: static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0

Add one line:

static (inside,outside) 219.150.1.2 192.168.168.0 netmask 255.255.255.0 0 0

no access-group dmz_jygate_acl in interface dmz

crazytank (regular user)

I made the changes suggested above and got the error "global address overlaps with mask". Could the experts take another look?

lcschina (active user)

ip address outside 219.150.1.2 255.255.255.224

global (outside) 1 219.150.1.2

The addresses overlap!!!

Add global (outside) 1 interface and remove your existing global.

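To show what the PIX was objecting to in this thread, here is an added example in Python (not code from the thread): a small lint that reads the `ip address`, `global` and `static` lines of a PIX 6.x configuration and reports a global pool, or the mapped side of a static, that lands on an interface's own address. That collision is what produces the "global address overlaps with mask" error and is why lcschina's fix is `global (outside) 1 interface`. POSTED_CFG is an excerpt of the configuration crazytank posted above; FIXED_CFG is my assumed corrected version, in which the DMZ host is published with a port-level static on the interface address (the choice of port 8080 is an assumption taken from the `eq 8080` line in the posted ACL).

```python
"""Lint PIX 6.x NAT lines for mapped addresses that collide with an interface IP.

Added example for this page, not code from the thread. Two checks:
  * 'global (IF) ID A[-B]' whose address or range contains IF's own address
    (the 'global address overlaps' case; 'global (IF) ID interface' is the
    supported way to PAT on the interface address), and
  * 'static (REAL_IF,MAPPED_IF) [tcp|udp] MAPPED ...' whose mapped address or
    network contains MAPPED_IF's own address (PIX rejects a full static on an
    interface address; port-level statics use the 'interface' keyword instead).
"""
import ipaddress
import re

_NAT_LINE = re.compile(r"^(global|static) \(([^)]+)\)\s+(.*)$")


def interface_addresses(cfg):
    """Map interface name -> IPv4Address from 'ip address NAME IP MASK' lines."""
    addrs = {}
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[:2] == ["ip", "address"]:
            addrs[tok[2]] = ipaddress.ip_address(tok[3])
    return addrs


def _netmask(tok, default="255.255.255.255"):
    return tok[tok.index("netmask") + 1] if "netmask" in tok else default


def lint_nat(cfg):
    """Return one finding string per offending global/static line, in config order."""
    ifaces = interface_addresses(cfg)
    findings = []
    for line in cfg.splitlines():
        line = line.strip()
        m = _NAT_LINE.match(line)
        if not m:
            continue
        kind, ifspec, rest = m.groups()
        tok = rest.split()
        if kind == "global":
            pool_id, spec = tok[0], tok[1]
            if spec == "interface":          # PAT on the interface IP: the supported form
                continue
            lo, _, hi = spec.partition("-")  # single address or "first-last" range
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
            ip = ifaces.get(ifspec)
            if ip is not None and lo <= ip <= hi:
                findings.append(
                    f"{line}: overlaps the {ifspec} interface address {ip}; "
                    f"replace with 'global ({ifspec}) {pool_id} interface'")
        else:
            _real_if, mapped_if = ifspec.split(",")
            if tok[0] in ("tcp", "udp"):     # port-level static: skip the protocol word
                tok = tok[1:]
            mapped = tok[0]
            if mapped == "interface":
                continue
            net = ipaddress.ip_network(f"{mapped}/{_netmask(tok)}", strict=False)
            ip = ifaces.get(mapped_if)
            if ip is not None and ip in net:
                findings.append(
                    f"{line}: mapped address collides with the {mapped_if} interface "
                    f"address {ip}; use a port static with the 'interface' keyword")
    return findings


# Excerpt of the configuration posted in this thread.
POSTED_CFG = """\
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
"""

# Assumed fix: PAT on the interface address, and the DMZ host published with a
# port-level static on that same address (port 8080 is an assumption).
FIXED_CFG = """\
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp interface 8080 172.172.172.101 8080 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CFG), ("fixed", FIXED_CFG)):
        print(f"{name}: {len(lint_nat(cfg))} finding(s)")
        for finding in lint_nat(cfg):
            print("  ", finding)
```

On POSTED_CFG the lint reports two lines: the `global (outside) 1 219.150.1.2` that lcschina pointed at, and the `static (dmz,outside) 219.150.1.2 ...` that maps the DMZ host onto the same interface address. The identity static for 192.168.168.0/24 towards the DMZ is not flagged, since the DMZ interface address is not inside that network. FIXED_CFG produces no findings.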
 
 
 