This example uses a PIX 515 so that external hosts can reach only the internal server 10.10.1.6 (all of its services), which prevents attacks from outside against the other internal hosts.

"# #" marks a comment on a configuration command.

```
nameif ethernet0 outside security0 # define e0 as the outside interface, security level 0 #
nameif ethernet1 inside security100 # define e1 as the inside interface, security level 100 #
enable password 8Ry2YjIyt7RRXU24 encrypted # set the enable password #
passwd 2KFQnbNIdI.2KYOU encrypted # set the telnet password #
hostname pixfirewall # PIX hostname #
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl_out permit ip any any # define the outside access control list #
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto # set e0 to auto-negotiate #
interface ethernet1 auto # set e1 to auto-negotiate #
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0 # outside interface IP #
ip address inside 10.10.1.230 255.255.255.0 # inside interface IP #
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 192.168.1.244-192.168.1.254 netmask 255.255.255.0 # NAT IP pool #
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 # translate all inside addresses to outside addresses #
static (inside,outside) 192.168.1.6 10.10.1.6 netmask 255.255.255.255 0 0 # map the internal server 10.10.1.6 to the outside address 192.168.1.6 #
access-group acl_out in interface outside # apply the access control list on the outside interface #
conduit permit ip host 192.168.1.6 192.168.1.0 255.255.255.0 # allow 192.168.1.0 to reach all IP services of the internal server #
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1 # set the default route to 192.168.1.2 #
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 10.10.1.0 255.255.255.0 inside # only allow hosts in the internal 10.10.1.0 subnet to telnet to the PIX #
telnet timeout 5
ssh timeout 5
terminal width 80
```
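The following audit script is an added example, not part of the post and not a Cisco tool. It parses the subset of PIX syntax the post relies on (`static`, `access-list`, `access-group`, `conduit`) and reports, for each static translation, which outside sources and ports can reach the real inside host. Both embedded configs are constructed: one mirrors the post's rules, the other is a hypothetical tighter variant that permits only TCP/80 to the server. It considers permit rules only and does not model deny-before-permit ordering within an ACL.

```python
"""Audit which inside hosts a PIX-style config exposes to the outside.

Added example; not from the forum post or from Cisco. Handles only the
subset of syntax the post uses: static, conduit, access-list, access-group.
"""
import ipaddress

# Constructed sample modelled on the post's rules (other lines omitted; they are ignored).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit ip any any
global (outside) 1 192.168.1.244-192.168.1.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.6 10.10.1.6 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
conduit permit ip host 192.168.1.6 192.168.1.0 255.255.255.0
"""

# Constructed hypothetical variant: only HTTP from anywhere, no conduit.
TIGHT_CONFIG = """\
static (inside,outside) 192.168.1.6 10.10.1.6 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 192.168.1.6 eq 80
access-group acl_out in interface outside
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq|gt|lt N' or 'range A B' at tok[i]; return (spec or None, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]}-{tok[i + 2]}", i + 3
    return None, i


def parse(text):
    """Return (statics, acls, groups, conduits) extracted from config text."""
    statics, acls, groups, conduits = [], {}, {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static" and len(tok) >= 4:
            # static (inside,outside) MAPPED REAL [netmask MASK] ...
            mask = tok[5] if len(tok) > 5 and tok[4] == "netmask" else "255.255.255.255"
            mapped = ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False)
            statics.append({"mapped": mapped, "real": tok[3]})
        elif tok[0] == "access-list" and len(tok) >= 6:
            # access-list NAME permit|deny PROTO SRC [op port] DST [op port]
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _addr(tok, 4)
            _, i = _port(tok, i)  # source port operator, not needed for exposure
            dst, i = _addr(tok, i)
            dport, _ = _port(tok, i)
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
        elif tok[0] == "access-group" and len(tok) >= 5:
            # access-group NAME in interface IFACE
            groups[tok[4]] = tok[1]
        elif tok[0] == "conduit" and len(tok) >= 5:
            # conduit permit|deny PROTO GLOBAL [op port] FOREIGN [op port]
            action, proto = tok[1], tok[2]
            glob, i = _addr(tok, 3)
            gport, i = _port(tok, i)
            foreign, _ = _addr(tok, i)
            conduits.append({"action": action, "proto": proto, "src": foreign,
                             "dst": glob, "dport": gport})
    return statics, acls, groups, conduits


def exposure(text, outside="outside"):
    """Map each static's real host to the permit rules that let outside traffic reach it."""
    statics, acls, groups, conduits = parse(text)
    rules = [dict(r, via="conduit") for r in conduits]
    rules += [dict(r, via="acl") for r in acls.get(groups.get(outside, ""), [])]
    report = {}
    for s in statics:
        hits = [
            {"src": r["src"], "proto": r["proto"], "dport": r["dport"], "via": r["via"]}
            for r in rules
            if r["action"] == "permit"
            and (s["mapped"].subnet_of(r["dst"]) or r["dst"].subnet_of(s["mapped"]))
        ]
        report[s["real"]] = hits
    return report


def open_to_any(text):
    """Real hosts reachable from any source on every port of every IP protocol."""
    return sorted(host for host, hits in exposure(text).items()
                  if any(h["src"] == ANY and h["proto"] == "ip" and h["dport"] is None
                         for h in hits))


if __name__ == "__main__":
    for label, cfg in (("post", SAMPLE_CONFIG), ("tight", TIGHT_CONFIG)):
        for host, hits in exposure(cfg).items():
            print(label, host, [(str(h["src"]), h["proto"], h["dport"], h["via"]) for h in hits])
        print(label, "fully open:", open_to_any(cfg))
```

Under the post's rules the script lists 10.10.1.6 as reachable from any source on all IP services, once via the conduit and once via the `permit ip any any` ACL; under the tighter variant only TCP/80 is reachable. Hosts without a `static` never appear, because nothing maps them to an outside address.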