pix的virtual telnet疑问

shichunda

今天测试了一下pix 8.0的virtual telnet feature。本意是想ping外部的一个ip，用virtual telnet绑定icmp流量，但发现login之后不但能ping外部ip，还能telnet，http！！
检查了一下配置，感觉没配错，那是不是virtual telnet feature只要login之后就能用所有的协议了呢？

配置和拓扑如下

PIX Version 8.0(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.112 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown     
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit ip any any
access-list nostand extended permit icmp any any
access-list nostand extended permit tcp any host 10.1.1.100 eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 3a protocol tacacs+
aaa-server 3a host 192.168.1.200
key cisco
aaa authentication match nostand inside 3a
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 10.1.1.100
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f48b1e8b0403153dd8c8650d11acd2ed
: end
pixfirewall(config)#


pixfirewall(config)# show uau
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'pix' at 192.168.1.199, authenticated (idle for 0:00:41)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00


pc的ip是192.168.1.199/24，在pc上配置了到10.1.1.1的路由。route add 10.1.1.0 mask 255.255.255.0 192.168.1.112

shichunda

login之后telnet 10.1.1.1能成功。用firefox打开http：//10.1.1.1也行。

shichunda

顶起来

ssffzz1

virtual telnet feature

不知道这个是干吗的。

shichunda

对于telnet，http这些流量，穿越pix的时候都能够进行authentication（cut-through），很多其他类型的流量没法直接进行认证，smtp，icmp都不行，所以得和virtual绑定一下才能提供.比如下边这个http的流量
access-list http extended permit ip any 10.1.1.1
aaa authentication match http inside aaa
在配置好pix和acs后，当有http穿越pix时就会弹出一个对话框进行认证。
但icmp，smtp等就没有这项功能，所以得添加
access-list nostand extended permit tcp any host 10.1.1.100 eq telnet ，先telnet到10.1.1.100进行认证，就相当于对cut-through的icmp进行了认证，如果不认证的话就不允许icmp通过。认证过后就能ping通了。
好像拨号一样。

[ 本帖最后由 shichunda 于 2009-9-29 15:09 编辑 ]

shichunda

一个feature

shichunda

expecting