PIX 几个配置注意的地方
生活随笔
收集整理的這篇文章主要介紹了
PIX 几个配置注意的地方
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
1、清除閃存中配置文件 write erase
? 2、顯示nat信息 show xlate
? 3、默認情況下pix的直連接口可以ping通的。但對于穿越pix的icmp的流量需要通過ACL來控制。
? 4、允許(inside)ping(outside)的配置 access-list outside extended permit icmp any any access-group outside in interface outside
? 5、允許(inside)ping(dmz)的配置 access-list 100 permit icmp any any #允許DMZ區域的主機的ICMP協議的報文能夠訪問出去 access-group 100 in interface dmz #將策略應用在dmz接口上 static (inside,dmz) 192.168.100.2 192.168.100.2 #192.168.100.2 為內部需要和DMZ通訊的主機,這條保證內部訪問dmz主機時不被nat轉換
? 6、外網訪問DMZ區域的web服務器,配置防火墻的反向NAT。 static (inside,outside) tcp interface www 10.1.1.2 www?//將DMZ區域的web發布到公網上// access-list 100 permit tcp any host 202.101.1.1 eq 80 /// 允許外網訪問dmz的80 端口/// access-group 100 in interface outside
? 9、映射DMZ主機到公網,例如把192.168.120.3 的23端口映射為202.100.100.11 的23端口 static (dmz,outside) tcp 202.100.100.11 telnet 192.168.120.3 telnet netmask 255.255.255.255 access-list 101 extended permit tcp any any eq telnet access-group 101 in interface outside
? -------------------------基本配置------------------ interface Ethernet0 nameif outside security-level 0 ip address 202.100.100.254 255.255.255.0 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.100.254 255.255.255.0 ! interface Ethernet2 nameif dmz security-level 50 ip address 192.168.120.254 255.255.255.0
? access-list 100 extended permit icmp any any access-list 100 extended permit ip host 192.168.120.3 host 192.168.100.2 ! global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 ! static (inside,dmz) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 access-group 100 in interface dmz
? 2、顯示nat信息 show xlate
? 3、默認情況下pix的直連接口可以ping通的。但對于穿越pix的icmp的流量需要通過ACL來控制。
? 4、允許(inside)ping(outside)的配置 access-list outside extended permit icmp any any access-group outside in interface outside
? 5、允許(inside)ping(dmz)的配置 access-list 100 permit icmp any any #允許DMZ區域的主機的ICMP協議的報文能夠訪問出去 access-group 100 in interface dmz #將策略應用在dmz接口上 static (inside,dmz) 192.168.100.2 192.168.100.2 #192.168.100.2 為內部需要和DMZ通訊的主機,這條保證內部訪問dmz主機時不被nat轉換
? 6、外網訪問DMZ區域的web服務器,配置防火墻的反向NAT。 static (inside,outside) tcp interface www 10.1.1.2 www?//將DMZ區域的web發布到公網上// access-list 100 permit tcp any host 202.101.1.1 eq 80 /// 允許外網訪問dmz的80 端口/// access-group 100 in interface outside
?
?
?
8、映射內部的主機到公網,例如把192.168.100.2 的23 端口映射為202.100.100.10 的23端口
static (inside,outside) tcp 202.100.100.10 telnet 192.168.100.2 telnet netmask 255.255.255.255 access-list 101 extended permit tcp any any eq telnet access-group 101 in interface outside? 9、映射DMZ主機到公網,例如把192.168.120.3 的23端口映射為202.100.100.11 的23端口 static (dmz,outside) tcp 202.100.100.11 telnet 192.168.120.3 telnet netmask 255.255.255.255 access-list 101 extended permit tcp any any eq telnet access-group 101 in interface outside
?
? -------------------------基本配置------------------ interface Ethernet0 nameif outside security-level 0 ip address 202.100.100.254 255.255.255.0 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.100.254 255.255.255.0 ! interface Ethernet2 nameif dmz security-level 50 ip address 192.168.120.254 255.255.255.0
? access-list 100 extended permit icmp any any access-list 100 extended permit ip host 192.168.120.3 host 192.168.100.2 ! global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 ! static (inside,dmz) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 access-group 100 in interface dmz
?
本文轉自zcm8483 51CTO博客,原文鏈接:http://blog.51cto.com/haolun/991607
總結
以上是生活随笔為你收集整理的PIX 几个配置注意的地方的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 最新的Java SE平台和JDK版本发布
- 下一篇: Nginx基本操作