關于pix的配置及注解完全手冊

1、關于 PIX 的配置及注解完全手冊6.3(1)PIX Vererface erfaceerfaceethernet0 ethernet1ethernet2auto 設定端口 0 速率為自動100full 設定端口 1 速率為 100 兆全雙工 auto 設定端口 2 速率為自動nameif ethernet0 outside security0 設定端口 0 名稱為 outside 安全級別為 0nameifethernet1 inside security100 設定端口 1 名稱為inside 安全級別為100nameif enablepasswdethernet2 dmz securit

2、y50 設定端口 2 名稱為 dmz password Dv0yXUGPM3Xt7xVs encrypted2KFQnbNIdI.2KYOU encrypted 登陸安全級別為 50hostname hhyy 設定名稱fixup fixup fixup fixup fixup fixup fixup fixupfixupprotocol protocol protocol protocol protocol protocol protocol protocolprotocolftp 21h323 h323httph225 1720ras 1718-171980ils 389rsh 514rts

3、p 554sip 5060sip udp 5060no fixup protocol skinny 2000 fixup protocol smtp 25fixup protocol sqlnet 1521允許用戶查看、改變、啟用或一個服務或協(xié)議通過 PIX，默認啟用了一些常見的端口，但對于 ORACLE 等專有端口，需要專門啟用。namesacs-list101permitipacs-list101permitipacs-list101permitipacs-list101permitip建立列表，允許特定網(wǎng)段的地址某些網(wǎng)段acs-list 120 deny icmp anyac ac ac

4、 ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac ac acacs-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-list s-lists-list12012012012012012012012012012012

5、0120120120120120120120120120120120120120120120120120deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny denydenyicmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmp icmpicmpany any any any a

6、ny any anyany any any any any any any any any any any anyanyudp udp udp udp udp tcptcpany any any any any anyanyany any any any any anyanyeq eq eq eq eqeqnetbios-ns netbios-dgm 444412051209445range 135 netbios-permit ip any any建立列表 120 防止各個不同網(wǎng)段之間的 ICMP 發(fā)包及135、137 等端口之間的通信（主要防止沖擊波）acs-list 110 permit

7、 ip pager lines 24logging logging loggingloggingonmonitor debugging buffered debugging trap notificationsmtu mtumtuoutside 1500inside 1500dmz 1500ip address outside 24 設定外端口地址ip ip ip ipipaddress inside 54 設定內(nèi)端口地址address dmz 設定 DMZ 端口地址audit audilocalinfo action alarm tack action alarmpool hhyy -54建

8、立名稱為 hhyy 的地址池，起始地址段為：-54ip local pool yy -54建立名稱為 yy 的地址池，起始地址段為：-54no failoverfailover timeout 0:00:00failovoll 15no no nonofailover failoverfailoverip ipipaddress address addressenableoutside insidedmzpdm historyarp timeout 14400不支持故障切換globalglobal global(outside)(outside) (outside)1113-8-0定網(wǎng)絡地址將

9、要翻譯成的全局地址或地址范圍nat (inside) 0 acs-list 101使得符合列表為 101 地址不通過翻譯，對外部網(wǎng)絡是可見的nat (inside) 1 0 0網(wǎng)絡地址翻譯成外部地址nat (dmz) 1 0 0DMZ區(qū)網(wǎng)絡地址翻譯成外部地址sic (inside,outside) 00 netmask 55 00sic (inside,outside) 2 58 netmask 5500sic (inside,outside) netmask 55 0 0設定固定主機與固定IP之間的一對一靜態(tài)轉(zhuǎn)換sic (dmz,outside) netmask 55 0 0設定DMZ區(qū)固定

10、主機與固定IP之間的一對一靜態(tài)轉(zhuǎn)換sic (inside,dmz) netmask 0 0設定內(nèi)網(wǎng)固定主機與DMZ IP之間的一對一靜態(tài)轉(zhuǎn)換sic (dmz,outside)9 netmask5500設定DMZ區(qū)固定主機與固定IP之間的一對一靜態(tài)轉(zhuǎn)換ac acacs-group s-groups-group120120120in ininerface erfaceerfaceoutside insidedmz將列表應用于端口conduit conduit conduitconduitpermit permit permitpermittcp tcp tcptcphost host hostho

11、stanyany2 any9 any設置管道：允許任何地址對全局地址進行TCP協(xié)議的conduit permit icmp any設置管道：允許任何地址對 地址進行測試rip outside passive verrip inside passive ver22route outside 設定默認路由到電信端route route routerouteinside inside insideinside1111route route route route routerouteinside inside inside inside insideinside1111 1 1設定路由回指到的子網(wǎng)t

12、imeout timeo 1:00:00timeouttimeoutxlate 3:00:00onn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00h225h323 0:05:000:05:00 sip 0:30:00 sip_media0:02:00uauth 0:05:00 absoluteaaa-serveraaa-server aaa-serverTACACS+ protocol tacacs+RADIUS protocol radius LOCAL protocol localno snmp-server location no

13、 snmp-server contactsnmp-server community public no snmp-server enable traps floodguard enablesysopt connection permit-ipsec sysopt connection permit-pptp service resetinboundservice resetoutsidecrypto ipsec transform-set myset esp-des esp-md5-hmac定義一個名稱為myset的交換集crypto dynamic-map dynmap 10 set tra

14、nsform-set myset根據(jù)myset交換集產(chǎn)生名稱為dynmap的動態(tài)加密圖集（可選）crypto map10 ipsec-isakmp dynamic dynmap將dynmap動態(tài)加密圖集應用為IPSEC的策略模板（可選）crypto map20 ipsec-isakmp用IKE來建立IPSEC安全關聯(lián)以保護由該加密條目指定的數(shù)據(jù)流crypto map20 match address 110為加密圖指定列表 110 作為可匹配的列表crypto map20 set peer 1在加密圖條目中指定IPSEC對等體crypto map20 set transform-set myse

15、t指定myset交換集可以被用于加密條目crypto mapcnt configuration address initiate指示PIX試圖為每個對等體設置IP地址crypto mapcnt configuration address respond指示PIX接受來自任何請求對等體的IP地址請求crypto maperface outside將加密圖應用到外部接口isakmp enable outside在外部接口啟用 IKE 協(xié)商isakmp key * address 1 netmask 55指定預共享密鑰和遠端對等體的地址isakmentity addressIKE設置成接口的 IP

16、地址isakmpisakmpcnt configuration address-pool local yy outsidepolicy 10 authentication pre-share指定預共享密鑰作為認證isakmp policy 10 encryption des指定 56 位 DES 作為將被用于 IKE 策略的加密算法isakmp policy 10 hash md5指定 MD5 (HMAC 變種)作為將被用于 IKE 策略的散列算法isakmp policy 10 group 2指定 1024 比特 Diffie-man 組將被用于 IKE 策略isakmp policy 10

17、 lifetime 86400每個安全關聯(lián)的生存周期為 86400 秒（一天）group group group group group group group group groupgroupcisco pix_ pix_pix_idle-time 1800 address-pool yy idle-time 1800password *123123123456456456address-pool yy idle-time 1800 password * address-pool yyidle-time 1800password* 55 inside55 insidenet netnet4454timeout 5ssh timeout 5console timeout 0vpdn vpdn vpdn vpdn vpdn vpdn vpdn vpdn vpdnvpdngroup group group group group group groupgroup11111111accept dialin pptpppp ppp ppp pppcauthentication authenticationauthenticationpap chapmschapencryption mppe 40nt