xjpi-pixfirewall# config t
xjpi-pixfirewall(config)# no nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
xjpi-pixfirewall(config)# nat (dmz) 1 0 0
xjpi-pixfirewall(config)# exit
xjpi-pixfirewall# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 oil security20
enable password VDRup4bjmt5K90/Y encrypted
passwd VDRup4bjmt5K90/Y encrypted
hostname xjpi-pixfirewall
domain-name xjpi.ciscopix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu oil 1500
ip address outside 202.201.220.2 255.255.255.192
ip address inside 202.201.220.65 255.255.255.192
ip address dmz 202.201.220.129 255.255.255.128
ip address oil 10.71.208.2 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address oil
pdm location 202.201.221.130 255.255.255.255 inside
pdm location 202.201.221.0 255.255.255.0 inside
pdm location 202.201.222.0 255.255.255.0 inside
pdm location 202.201.223.0 255.255.255.0 inside
pdm location 202.201.220.131 255.255.255.255 dmz
pdm location 202.201.220.132 255.255.255.255 dmz
pdm location 202.201.220.133 255.255.255.255 dmz
pdm location 202.201.220.134 255.255.255.255 dmz
pdm location 202.201.220.135 255.255.255.255 dmz
pdm history enable
arp timeout 14400
global (dmz) 1 202.201.220.200-202.201.220.254
global (dmz) 1 202.201.220.199
global (oil) 2 10.71.208.11-10.71.208.254
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 202.201.220.132 202.201.220.132 netmask 255.255.255.255 0 0
static (dmz,outside) 202.201.220.133 202.201.220.133 netmask 255.255.255.255 0 0
static (dmz,outside) 202.201.220.134 202.201.220.134 netmask 255.255.255.255 0 0
static (dmz,outside) 202.201.220.131 202.201.220.131 netmask 255.255.255.255 0 0
static (dmz,outside) 202.201.220.135 202.201.220.135 netmask 255.255.255.255 0 0
static (inside,outside) 202.201.221.130 202.201.221.130 netmask 255.255.255.255 0 0
conduit permit tcp host 202.201.220.132 eq www any
conduit permit tcp host 202.201.220.134 eq pop3 202.201.220.0 255.255.255.192
conduit permit tcp host 202.201.220.134 eq smtp any
conduit permit udp host 202.201.220.131 eq domain any
conduit permit tcp host 202.201.220.135 eq www any
conduit permit tcp host 202.201.220.132 eq tacacs 202.201.220.0 255.255.255.192
conduit permit tcp host 202.201.220.133 eq 554 202.201.220.0 255.255.255.192
conduit permit tcp host 202.201.220.133 eq www any
conduit permit tcp host 202.201.221.130 eq www any
conduit deny ip 202.201.220.64 255.255.255.192 any
conduit deny ip 202.201.221.0 255.255.255.0 any
conduit deny ip 202.201.222.0 255.255.255.0 any
conduit deny ip 202.201.223.0 255.255.255.0 any
conduit deny ip any any
outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 69 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 135-139 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 137 udp
outbound 1 deny 0.0.0.0 0.0.0.0 138 udp
outbound 1 deny 0.0.0.0 0.0.0.0 445 udp
outbound 1 deny 0.0.0.0 0.0.0.0 593 udp
outbound 1 deny 0.0.0.0 0.0.0.0 1434 udp
outbound 1 deny 0.0.0.0 0.0.0.0 135-139 udp
outbound 1 deny 0.0.0.0 0.0.0.0 0 icmp
outbound 1 deny 0.0.0.0 0.0.0.0 1025 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 5554 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 9996 tcp
apply (inside) 1 outgoing_src
route oil 0.0.0.0 0.0.0.0 10.71.208.1 1
route dmz 0.0.0.0 0.0.0.0 202.201.220.1 2
route inside 202.201.221.0 255.255.255.0 202.201.220.66 1
route inside 202.201.222.0 255.255.255.0 202.201.220.66 1
route inside 202.201.223.0 255.255.255.0 202.201.220.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 202.201.220.64 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 202.201.220.64 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c233f8423e046241ab90af53097e4e17
: end
xjpi-pixfirewall# config t
xjpi-pixfirewall(config)# no route dmz 0.0.0.0 0.0.0.0 202.201.220.1 2
xjpi-pixfirewall(config)# exit
xjpi-pixfirewall#
User Access Verification
Password:
% Password: timeout expired!
Password:
1w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async33, changed state to down
1w5d: %LINK-5-CHANGED: Interface Async33, changed state to reset
% Access denied
Password:
1w5d: %LINK-3-UPDOWN: Interface Async33, changed state to down
% Access denied
xjpi con0 is now available
Press RETURN to get started.
User Access Verification
Password:
xjpi>en
Password:
xjpi#sh run
1w5d: %LINK-3-UPDOWN: Interface Async33, changed state to up
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xjpi
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs enable
aaa authentication ppp default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
enable secret 5 $1$uaoh$BEXUghhLUHPVOpvlM/5ON1
enable password 7 110A1016141D
!
username test password 7 15060E1F10
ip subnet-zero
ip domain-name xjpi.edu.cn
ip name-server 202.201.220.131
!
async-bootp dns-server 202.201.220.131
!
!
!
!
interface Ethernet0/0
ip address 10.71.208.12 255.255.255.0
no ip directed-broadcast
full-duplex
no cdp enable
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
interface Ethernet0/1
ip address 202.201.220.1 255.255.255.192
no ip directed-broadcast
full-duplex
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
interface FastEthernet2/0
description connect to GuangDian_ZhongGuoCheng
ip address 202.201.223.2 255.255.255.252
ip access-group 110 in
ip access-group 110 out
no ip directed-broadcast
full-duplex
!
interface Group-Async1
ip unnumbered FastEthernet2/0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address pool setup_pool
ppp authentication chap pap
group-range 33 48
!
interface Group-Async2
ip unnumbered FastEthernet2/0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address pool setup1
ppp authentication chap pap
group-range 97 112
!
ip local pool setup_pool 202.201.220.31 202.201.220.46
ip local pool setup1 202.201.220.47 202.201.220.62
ip classless
ip route 0.0.0.0 0.0.0.0 202.201.223.1
ip route 202.201.220.64 255.255.255.192 202.201.220.2
ip route 202.201.220.128 255.255.255.128 202.201.220.2
ip route 202.201.221.0 255.255.255.128 202.201.220.2
ip route 202.201.221.128 255.255.255.192 202.201.220.2
ip route 202.201.221.192 255.255.255.192 202.201.220.2
ip route 202.201.222.0 255.255.255.128 202.201.220.2
ip route 202.201.222.128 255.255.255.128 202.201.220.2
ip route 202.201.223.128 255.255.255.128 202.201.220.2
no ip http server
!
access-list 110 deny icmp any any echo
access-list 110 deny tcp any any eq 4444
access-list 110 deny udp any any eq tftp
access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny udp any any eq 136
access-list 110 deny tcp any any eq 136
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny tcp any any eq 137
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq netbios-ss
access-list 110 deny tcp any any eq 445
access-list 110 deny udp any any eq 445
access-list 110 deny tcp any any eq 593
access-list 110 deny udp any any eq 593
access-list 110 deny udp any any eq 1434
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
tacacs-server host 202.201.220.132
tacacs-server key xjpi
snmp-server engineID local 000000090200003080F35101
snmp-server community public RO
snmp-server community private RW
!
line con 0
login authentication no_tacacs
transport input none
line 33 48
autoselect during-login
autoselect ppp
modem InOut
autocommand ppp
transport input all
flowcontrol hardware
line 97 112
autoselect during-login
autoselect ppp
modem InOut
autocommand ppp
transport input all
flowcontrol hardware
line aux 0
line vty 0 4
password 7 060506324F41
!
end
xjpi#config t
Enter configuration commands, one per line. End with CNTL/Z.
xjpi(config)#exit
xjpi#
1w5d: %SYS-5-CONFIG_I: Configured from console by console
xjpi#exit
xjpi con0 is now available
Press RETURN to get started.

The problem now is that the inside network cannot go out through the private network and then reach the DMZ e-mail server via the 3640.
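As an added example (not the poster's code or configuration), here is a small Python audit that flags the management-plane weaknesses visible in the two configs above: the default SNMP communities, the read-write community, type 7 passwords, cleartext password storage, telnet management and the open PDM HTTP server. The sample lines are copied from the post; the check list, severities and wording of the findings are my own choices.

```python
import re

# Constructed sample: management-plane lines copied from the PIX 6.3 and
# IOS 12.0 configs in the post above (addresses and hashes as shown there).
SAMPLE_CONFIG = """\
snmp-server community public
telnet 202.201.220.64 255.255.255.192 inside
http server enable
no service password-encryption
enable password 7 110A1016141D
username test password 7 15060E1F10
snmp-server community private RW
transport input all
password 7 060506324F41
"""
# (regex, severity, finding); the check list and severities are my own choices.
CHECKS = [
    (r"^snmp-server community \S+ RW\b", "high",
     "read-write SNMP community: whoever knows it can rewrite the config"),
    (r"^snmp-server community (public|private)\b", "high",
     "default SNMP community string"),
    (r"^no service password-encryption", "medium",
     "passwords are stored in clear text in the running config"),
    (r"^(enable |username \S+ )?password 7 ", "medium",
     "type 7 password is reversible; use 'enable secret' and hashed secrets"),
    (r"^telnet \S+ \S+ \S+$", "medium",
     "telnet management is enabled (cleartext); prefer SSH"),
    (r"^transport input all", "medium",
     "terminal lines accept every transport, including telnet"),
    (r"^http server enable", "low",
     "HTTP (PDM) management enabled; confirm the 'http' ACL is tight"),
]

def audit(config_text):
    """Return one (line_no, severity, message, line) per matching check."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()  # IOS indents interface/line sub-commands
        for pattern, severity, message in CHECKS:
            if re.match(pattern, line):
                findings.append((no, severity, message, line))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 6, 'low': 1}."""
    counts = {}
    for _, severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts
```

Running `audit(SAMPLE_CONFIG)` returns ten findings; the same checks run unchanged over a full `show run` capture because sub-command indentation is stripped before matching.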