1: Why is it dmz2?
From this scenario, you will need static command statements to let outside users access the dmz3 web server and for dmz1 and dmz2 users to access the web server. You will need a nat command statement to let inside and dmz4 users access the dmz3 web server.
For the mail server, you will need static command statements for access from the outside, dmz1, and dmz2, dmz3, and dmz4 interfaces.
Provide access from the outside to the inside mail server with these commands:
static (inside,outside) 209.165.201.4 192.168.0.3 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.4 eq smtp
access-group acl_out in interface outside
These commands create a global address of 209.165.201.4 that PIX Firewall maps to the 192.168.0.3 mail server on the dmz2 interface. The access-list command statement permits any outside users to access the mail server at the SMTP port (25). The access-group command statement binds the mail server permission to the outside interface.
You will need to inform your DNS administrator to create an MX record for the global address (such as 209.165.201.4) so that mail is directed to the correct address.
Why does it map to dmz2?
Original: http://www.cisco.com/en/US/produ ... 08cd36.html#1020898
2: Why are these two masks used this way?
Use the PIX Firewall telnet command. For example, to let a host on the internal interface with an address of 192.168.1.2 access the PIX Firewall, enter:
telnet 192.168.1.2 255.255.255.255 inside
If IPSec is in place, you can let a host on the outside interface access the PIX Firewall console. Refer to "Securing a Telnet Connection on the Outside Interface" for more information. Use a command such as the following:
telnet 209.165.200.225 255.255.255.224 outside
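I don't understand why the masks in the parts shown in red are different: 1: In telnet 192.168.1.2 255.255.255.255 inside, the mask is 255.255.255.255, which means only 192.168.1.2 is allowed to Telnet to the PIX. 255.255.255.255 represents a single host address, not a network segment.
2: But why is it 255.255.255.224 in telnet 209.165.200.225 255.255.255.224 outside?
The example above is step 12 in the original:
http://www.cisco.com/univercd/cc ... 0/config/config.pdf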
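The two telnet statements quoted in the post, expanded into the address ranges their masks cover. This is an added example, not part of the original post or of Cisco's documentation. It assumes the firewall applies the mask with standard IPv4 netmask arithmetic; the `audit` helper and its `trusted` parameter are hypothetical names introduced here.

```python
import ipaddress

# Constructed sample input: the two telnet statements quoted in the post.
SAMPLE_CONFIG = """\
telnet 192.168.1.2 255.255.255.255 inside
telnet 209.165.200.225 255.255.255.224 outside
"""

def parse_telnet_rules(config):
    """Return one dict per 'telnet <ip> <mask> <interface>' line."""
    rules = []
    for line in config.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "telnet":
            continue
        _, addr, mask, interface = fields
        # strict=False accepts an address with host bits set (.225 under a
        # /27 mask) and normalises it to the containing network.
        # A non-contiguous mask raises ValueError here.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append({
            "interface": interface,
            "network": str(net),
            "first": str(net[0]),
            "last": str(net[-1]),
            "addresses": net.num_addresses,
            "single_host": net.prefixlen == 32,
            "host_bits_set": ipaddress.ip_address(addr) != net.network_address,
        })
    return rules

def audit(rules, trusted=("inside",)):
    """Hypothetical check: rules on a non-trusted interface that admit
    more than one source address for management access."""
    return [r for r in rules
            if r["interface"] not in trusted and not r["single_host"]]

if __name__ == "__main__":
    parsed = parse_telnet_rules(SAMPLE_CONFIG)
    for r in parsed:
        print(f'{r["interface"]:8} {r["network"]:20} '
              f'{r["first"]} - {r["last"]} ({r["addresses"]} addresses)')
    for r in audit(parsed):
        print("review:", r["interface"], r["network"])
```

Under that assumption the inside rule admits exactly one host, while the outside rule covers a 32-address block even though it is written with a single host address.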