思唯网络Cisco配置防火墙 | 思唯网络课堂Swiers

rx online

Cisco防火墙&路由器&交换机配置文件
Pix515E防火墙配置
pixfirewall>en
pixfirewall#conf ter
pixfirewal(config)#
pixfirewal (config)#interface ethernet0 auto 激活e0口
pixfirewal (config)#interface ethernet1 auto 激活e1 口
pixfirewal (config)#nameif ethernet0 outside security0 outside是指外部接口
pixfirewal (config)#nameif ethernet1 inside security100 inside是指内部接口
pixfirewal (config)#ip address inside 10.11.45.1 255.255.255.0 配置内网口IP地
pixfirewal (config)#ip address outside218.52.57.82 255.255.248.0 配置外网口IP 地址
pixfirewal (config)#access-list 100 permit any any 建立访问控制列表定义都能访问
pixfirewal (config)# access-group acl 100 in interface outside 在外部网络接口上绑定名称为100的访问控制列表。
pixfirewal (config)# nat (inside) 1 10.11.45.0 255.255.255.0 表示把所有网络地址为10.11.45.0，子网掩码为255.255.255.0的主机地址定义为1号NAT地址组
pixfirewal (config)# global (outside) 1 218.52.57.83-218.52.57.86 netmask 255.255.255.0 将上述nat命令所定的内部IP地址组转换成218.52.57.83-218.12.47.86的外部地址池中的外部IP地址
pixfirewal (config)#static (inside,outside) 218.12.47.86 192.168.0.2 将内网地址192.168.0.2 映射到218.12.47.86 这个外网地址上面
pixfirewal (config)#conduit permit tcp host 218.52.57.86 eq www any 建立一个通道允许外网访问此外网的www 也就是80 端口
pixfirewal (config)#route outside 0.0.0.0 0.0.0.0 218.52.57.81
pixfirewal (config)#telnet 192.168.0.2 255.255.255.0 inside 允许内网地192.168.0.2通过telnet 访问pix 外网是不予允许telnet 的
pixfirewal (config)#enable password ******** 进入特权模式密码
pixfirewal (config)#password ****** telnet 密码
pixfirewal (config)#conduit permit icmp any any 允许icmp 也就是ping 包通过
pixfirewal (config)# write memory
2621路由器配置
route> en
rouote# conf ter
route(conf)#int f0/0
route(conf –if)#ip add 10.11.45.2 255.255.255.0
route(conf-if)#no sh
route(conf-if)#ip nat outside
route(conf-if)#int f0/1
route(conf-if)#no sh
route(conf-if)#ip nat inside
route(conf-if)#inf f0/1.192 进入子接口
route(conf-subif)#encapsulation dot1q 2 配置封装类型和vlan 2为vlan的id号
route(conf-subif)ip add 192.168.0.1 255.255.255.0 配置ip地址
route(conf-if)#inf f0/1.172
route(conf-subif)#encapsulation dot1q 3
route(conf-subif)#ip add 172.16.0.1 255.255.255.0
默认情况下各vlan之间是能相互访问的
route(conf)#access-list 100 deny 192.168.0.0 0.0.0.255
定义只能192.168.0.0 访问自己网段
route(conf)#access-list 100 permit ip any any
允许其他网段时间相互访问
route(conf)#access 100 permit ip host 192.168.0.1 any
允许任何主机通过192.168.0.1访问外网
route(conf)#ip route 0.0.0.0 0.0.0.0 10.11.45.1
route(conf)#access-list 1 permit any
route(conf)#ip nat pool rjt 10.11.46.2 10.11.45.254 netmask 255.255.255.0
route(conf)#ip nat inside source list 1 pool rjt overload
route(conf)# ip nat inside source ststic 192.168.0.2 218.12.47.83 把内网地址映射到外网
route(conf)#copy run start
路由器交换机用户名.秘密设置
route(conf)#host name #####
route(conf)#password ******
route(conf)#enable password ******
路由器用telnet
route(conf)#line vty 0 4
#login
route(conf)#password ******
route(conf-if)#ip add 192.168.1.1 255.255.255.0 se********* 为路由器某一端口配置第二个ip地址
路由器信息无法保存
conf-register 0x2102
end
write
reload
2950 交换机配置
switch> en 进入特权模式
switch# conf ter 进入配置模式
switch（conf）#interface vlan 1
switch（conf）#ip add 192.168.100.1 255.255.255.0 配置交换机ip地址
switch（vlan）# vlan datebase 进入vlan配置模式
switch（vlan）#vtp domain domain name
建立vtp域
switch（vlan）#vtp server 定义vtp类型
switch（vlan）#vlan vlan-id vlan-name 建立vlan并命名
switch（vlan）#exit
switch（conf）#interface switch-interface 进入端口配置模式
switch（conf-if）#switchport mode access 定义端口类型
switch（conf-if）#switchport access vlan vlan-id 将端口加入到vlan 中
switch（conf-if）#interface switch-interface
switch（conf-if）#switchport mode mode 配置trunk 模式
switch(conf)#enable password ******
交换机配置telnet
switch(conf)#line vty 0 4 启用远程终端
#login
switch(conf)#password ******
关于PIX的配置及注解完全手册
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto 设定端口0 速率为自动
interface ethernet1 100full 设定端口1 速率为100兆全双工
interface ethernet2 auto 设定端口2 速率为自动
nameif ethernet0 outside security0 设定端口0 名称为 outside 安全级别为0
nameif ethernet1 inside security100 设定端口1 名称为 inside 安全级别为100
nameif ethernet2 dmz security50 设定端口2 名称为 dmz 安全级别为50
enable password Dv0yXUGPM3Xt7xVs encrypted 特权密码
passwd 2KFQnbNIdI.2KYOU encrypted 登陆密码
hostname hhyy 设定防火墙名称
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
允许用户查看、改变、启用或禁止一个服务或协议通过PIX防火墙，防火墙默认启用了一些常见的端口，但对于ORACLE等专有端口，需要专门启用。
names
access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list 101 permit ip 192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0
建立访问列表，允许特定网段的地址访问某些网段
access-list 120 deny icmp 192.168.2.0 255.255.255.0 any
access-list 120 deny icmp 192.168.3.0 255.255.255.0 any
access-list 120 deny icmp 192.168.4.0 255.255.255.0 any
access-list 120 deny icmp 192.168.5.0 255.255.255.0 any
access-list 120 deny icmp 192.168.6.0 255.255.255.0 any
access-list 120 deny icmp 192.168.7.0 255.255.255.0 any
access-list 120 deny icmp 192.168.8.0 255.255.255.0 any
access-list 120 deny icmp 192.168.9.0 255.255.255.0 any
access-list 120 deny icmp 192.168.10.0 255.255.255.0 any
access-list 120 deny icmp 192.168.11.0 255.255.255.0 any
access-list 120 deny icmp 192.168.12.0 255.255.255.0 any
access-list 120 deny icmp 192.168.13.0 255.255.255.0 any
access-list 120 deny icmp 192.168.14.0 255.255.255.0 any
access-list 120 deny icmp 192.168.15.0 255.255.255.0 any
access-list 120 deny icmp 192.168.16.0 255.255.255.0 any
access-list 120 deny icmp 192.168.17.0 255.255.255.0 any
access-list 120 deny icmp 192.168.18.0 255.255.255.0 any
access-list 120 deny icmp 192.168.19.0 255.255.255.0 any
access-list 120 deny icmp 192.168.20.0 255.255.255.0 any
access-list 120 deny icmp 192.168.21.0 255.255.255.0 any
access-list 120 deny icmp 192.168.22.0 255.255.255.0 any
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 4444
access-list 120 deny udp any any eq 1205
access-list 120 deny udp any any eq 1209
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any range 135 netbios-ssn
access-list 120 permit ip any any
建立访问列表120防止各个不同网段之间的ICMP发包及拒绝135、137等端口之间的通信（主要防止冲击波病毒）
access-list 110 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 10.1.1.4 255.255.255.224 设定外端口地址
ip address inside 192.168.1.254 255.255.255.0 设定内端口地址
ip address dmz 192.168.19.1 255.255.255.0 设定DMZ端口地址
ip audit info action alarm
ip audit attack action alarm
ip local pool hhyy 192.168.170.1-192.168.170.254
建立名称为hhyy的地址池，起始地址段为：192.168.170.1-192.168.170.254
ip local pool yy 192.168.180.1-192.168.180.254
建立名称为yy 的地址池，起始地址段为：192.168.180.1-192.168.180.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no pdm history enable
arp timeout 14400
不支持故障切换
global (outside) 1 10.1.1.13-10.1.1.28
global (outside) 1 10.1.1.7-10.1.1.9
global (outside) 1 10.1.1.10
定义内部网络地址将要翻译成的全局地址或地址范围
nat (inside) 0 access-list 101
使得符合访问列表为101地址不通过翻译，对外部网络是可见的
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
内部网络地址翻译成外部地址
nat (dmz) 1 192.168.0.0 255.255.0.0 0 0
DMZ区网络地址翻译成外部地址
static (inside,outside) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.12 192.168.12.158 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.3 192.168.2.4 netmask 255.255.255.255 0 0
设定固定主机与外网固定IP之间的一对一静态转换
static (dmz,outside) 10.1.1.2 192.168.19.2 netmask 255.255.255.255 0 0
设定DMZ区固定主机与外网固定IP之间的一对一静态转换
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
设定内网固定主机与DMZ IP之间的一对一静态转换
static (dmz,outside) 10.1.1.29 192.168.19.3 netmask 255.255.255.255 0 0
设定DMZ区固定主机与外网固定IP之间的一对一静态转换
access-group 120 in interface outside
access-group 120 in interface inside
access-group 120 in interface dmz
将访问列表应用于端口
conduit permit tcp host 10.1.1.2 any
conduit permit tcp host 10.1.1.3 any
conduit permit tcp host 10.1.1.12 any
conduit permit tcp host 10.1.1.29 any
设置管道：允许任何地址对全局地址进行TCP协议的访问
conduit permit icmp 192.168.99.0 255.255.255.0 any
设置管道：允许任何地址对192.168.99.0 255.255.255.0地址进行PING测试
rip outside passive version 2
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 10.1.1.1
设定默认路由到电信端
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.1.1 1
设定路由回指到内部的子网
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
service resetoutside
crypto ipsec transform-set myset esp-des esp-md5-hmac
定义一个名称为myset的交换集
crypto dynamic-map dynmap 10 set transform-set myset
根据myset交换集产生名称为dynmap的动态加密图集（可选）
crypto map vpn 10 ipsec-isakmp dynamic dynmap
将dynmap动态加密图集应用为IPSEC的策略模板（可选）
crypto map vpn 20 ipsec-isakmp
用IKE来建立IPSEC安全关联以保护由该加密条目指定的数据流
crypto map vpn 20 match address 110
为加密图指定列表110作为可匹配的列表
crypto map vpn 20 set peer 10.1.1.41
在加密图条目中指定IPSEC对等体
crypto map vpn 20 set transform-set myset
指定myset交换集可以被用于加密条目
crypto map vpn client configuration address initiate
指示PIX防火墙试图为每个对等体设置IP地址
crypto map vpn client configuration address respond
指示PIX防火墙接受来自任何请求对等体的IP地址请求
crypto map vpn interface outside
将加密图应用到外部接口
isakmp enable outside
在外部接口启用IKE协商
isakmp key ******** address 10.1.1.41 netmask 255.255.255.255
指定预共享密钥和远端对等体的地址
isakmp identity address
IKE身份设置成接口的IP地址
isakmp client configuration address-pool local yy outside
isakmp policy 10 authentication pre-share
指定预共享密钥作为认证手段
isakmp policy 10 encryption des
指定56位DES作为将被用于IKE策略的加密算法
isakmp policy 10 hash md5
指定MD5 (HMAC变种)作为将被用于IKE策略的散列算法
isakmp policy 10 group 2
指定1024比特Diffie-Hellman组将被用于IKE策略
isakmp policy 10 lifetime 86400
每个安全关联的生存周期为86400秒（一天）
vpngroup cisco idle-time 1800
vpngroup pix_vpn address-pool yy
vpngroup pix_vpn idle-time 1800
vpngroup pix_vpn password ********
vpngroup 123 address-pool yy
vpngroup 123 idle-time 1800
vpngroup 123 password ********
vpngroup 456 address-pool yy
vpngroup 456 idle-time 1800
vpngroup 456 password ********
telnet 192.168.88.144 255.255.255.255 inside
telnet 192.168.88.154 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local hhyy
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2
vpnclient vpngroup cisco_vpn password ********
vpnclient username pix password ********
terminal width 80
Cryptochecksum:9524a589b608c79d50f7c302b81bdfa4