Virtual firewall test post!!!!

Posted on 2007-12-19 13:24:26

Virtual firewall test post!!!! Happy May Day!!!


Virtual firewall (single exit)

pix(config)# mode multiple    switches the firewall from single mode to multiple-context mode (it reboots automatically)
After the reboot an admin child firewall (context) exists by default:
admin-context admin
context admin
  config-url flash:/admin.cfg
Create a new child firewall in the system (global) configuration:
context ctx1    (names the child firewall)
  allocate-interface Ethernet2    assigns the interface to context ctx1
  allocate-interface Ethernet5    assigns the interface to context ctx1
  config-url flash:/config1.cfg    names the file the context configuration is stored in
!
context ctx2    (names the child firewall)
  allocate-interface Ethernet3    assigns the interface to context ctx2
  allocate-interface Ethernet4    assigns the interface to context ctx2
  config-url flash:/config2.cfg    names the file the context configuration is stored in

Enter the child firewall:
cha cont ctx1    (changeto context, followed by the virtual firewall name)
Then, inside the child firewall, configure it as you would an ordinary firewall.



sh ver

Cisco PIX Security Appliance Software Version 7.0(2) <system>

Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

pixfirewall up 7 mins 37 secs

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0           : address is 0012.daf1.5686, irq 10
1: Ext: Ethernet1           : address is 0012.daf1.5687, irq 11
2: Ext: Ethernet2           : address is 000d.88ff.b804, irq 11
3: Ext: Ethernet3           : address is 000d.88ff.b805, irq 10
4: Ext: Ethernet4           : address is 000d.88ff.b806, irq 9
5: Ext: Ethernet5           : address is 000d.88ff.b807, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 10        
Maximum VLANs               : 100      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled   
VPN-3DES-AES                : Enabled   
Cut-through Proxy           : Enabled   
Guards                      : Enabled   
URL Filtering               : Enabled   
Security Contexts           : 2         
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 808495289
Running Activation Key: 0xd60ccff6 0x66c10288 0x4708d0ce 0x2ae96ff3
Configuration has not been modified since last system restart.

pixfirewall# sh run
: Saved
:
PIX Version 7.0(2) <system>
!
interface Ethernet0
!
interface Ethernet0.3
vlan 3
!
interface Ethernet1
!
interface Ethernet1.4
vlan 4
!
interface Ethernet1.5
vlan 5
!
interface Ethernet1.6
vlan 6
!
interface Ethernet1.7
vlan 7
!
interface Ethernet2
shutdown
!
interface Ethernet3
shutdown
!
interface Ethernet4
shutdown
!
interface Ethernet5
shutdown
!
enable password 8Ry2YjIyt7RRXU24 encrypted
hostname pixfirewall
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  allocate-interface Ethernet0.3
  allocate-interface Ethernet1.4
  config-url flash:/admin.cfg
!

context cnc-1
  allocate-interface Ethernet0.3
  allocate-interface Ethernet1.5
  config-url flash:/admin1.cfg
!

context cnc-2
  allocate-interface Ethernet0.3
  allocate-interface Ethernet1.6
  config-url flash:/admin2.cfg
!

Cryptochecksum:2ca7023a984f7b13b7e8d439d2e31f5d
: end

pixfirewall#

pixfirewall# changeto context admin    (enter the child firewall)

pixfirewall/admin# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet0.3
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet1.4
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:94b0359659f181071f35aed50efda86f
: end

pixfirewall/admin# exit
pixfirewall#

pixfirewall#  changeto context cnc-1

pixfirewall/cnc-1# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet0.3
nameif outside
security-level 0
ip address 192.168.0.11 255.255.255.0
!
interface Ethernet1.5
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cnc-1
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:1ae33c23b0bca81a0714bc6668207811
: end

pixfirewall/cnc-1# exit
pixfirewall#
pixfirewall# changeto context cnc-2    (enter the child firewall)

pixfirewall/cnc-2# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet0.3
nameif outside
security-level 0
ip address 192.168.0.13 255.255.255.0
!
interface Ethernet1.6
nameif inside
security-level 100
ip address 192.168.6.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cnc-2
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:66e1eba6f57fd5db9fea45987ad44959
: end

pixfirewall/cnc-2#
Original poster | Posted on 2007-12-19 13:24:52
Virtual firewall (multiple exits)


sh ver

Cisco PIX Security Appliance Software Version 7.0(2) <system>

Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

pixfirewall up 9 mins 51 secs

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0           : address is 0012.daf1.5686, irq 10
1: Ext: Ethernet1           : address is 0012.daf1.5687, irq 11
2: Ext: Ethernet2           : address is 000d.88ff.b804, irq 11
3: Ext: Ethernet3           : address is 000d.88ff.b805, irq 10
4: Ext: Ethernet4           : address is 000d.88ff.b806, irq 9
5: Ext: Ethernet5           : address is 000d.88ff.b807, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 10        
Maximum VLANs               : 100      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled   
VPN-3DES-AES                : Enabled   
Cut-through Proxy           : Enabled   
Guards                      : Enabled   
URL Filtering               : Enabled   
Security Contexts           : 2         
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 808495289
Running Activation Key: 0xd60ccff6 0x66c10288 0x4708d0ce 0x2ae96ff3
Configuration has not been modified since last system restart.

pixfirewall# sh run
: Saved
:
PIX Version 7.0(2) <system>
!
interface Ethernet0
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
!
interface Ethernet4
!
interface Ethernet5
!
enable password 8Ry2YjIyt7RRXU24 encrypted
hostname pixfirewall
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  allocate-interface Ethernet0
  allocate-interface Ethernet1
  config-url flash:/admin.cfg
!

context cnc-1
  allocate-interface Ethernet2
  allocate-interface Ethernet3
  config-url flash:/cnc-1.cfg
!

context cnc-2
  allocate-interface Ethernet4
  allocate-interface Ethernet5
  config-url flash:/cnc-2.cfg
!

Cryptochecksum:1785a918b6c389976708b6f933687826
: end

pixfirewall#  

pixfirewall# changeto context admin    (enter the child firewall)

pixfirewall/admin# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname admin
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:0fa292be4bf97aadf52da496b3c521d4
: end

pixfirewall/admin#  
pixfirewall#
pixfirewall# changeto context cnc-1    (enter the child firewall)

pixfirewall/cnc-1# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cnc-1
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:037ff73f3db30dbbc964c48c536c0816
: end

pixfirewall/cnc-1# exit

pixfirewall#
pixfirewall# changeto context cnc-2    (enter the child firewall)

pixfirewall/cnc-2# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet4
nameif outside
security-level 0
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet5
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cnc-2
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.4.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:738597503a14f95ceb5a1efed1ddb8cf
: end

pixfirewall/cnc-2#
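As an added example (not code from the original posts), a small Python audit of the system-context `show run` shown in both posts above: it lists each context's allocated interfaces and config-url and flags any interface allocated to more than one context, which in the single-exit design is the shared outside subinterface Ethernet0.3 and in the multiple-exit design is nothing. The embedded sample is the single-exit system config copied from the first post; the function names are mine.

```python
import re
from collections import defaultdict

# System-context "show run" excerpt from the single-exit post above (copied
# from the page as sample input; "!" separators and unrelated lines omitted).
SHARED_EXIT = """\
admin-context admin
context admin
  allocate-interface Ethernet0.3
  allocate-interface Ethernet1.4
  config-url flash:/admin.cfg
context cnc-1
  allocate-interface Ethernet0.3
  allocate-interface Ethernet1.5
  config-url flash:/admin1.cfg
context cnc-2
  allocate-interface Ethernet0.3
  allocate-interface Ethernet1.6
  config-url flash:/admin2.cfg
"""

def parse_contexts(system_config):
    """Map context name -> {"interfaces": [...], "config_url": str | None}.
    'admin-context admin' is not a context block and does not match."""
    contexts, current = {}, None
    for line in system_config.splitlines():
        if m := re.match(r"^context\s+(\S+)", line):
            current = m.group(1)
            contexts[current] = {"interfaces": [], "config_url": None}
        elif current and (m := re.match(r"^\s+allocate-interface\s+(\S+)", line)):
            contexts[current]["interfaces"].append(m.group(1))
        elif current and (m := re.match(r"^\s+config-url\s+(\S+)", line)):
            contexts[current]["config_url"] = m.group(1)
    return contexts

def shared_interfaces(contexts):
    """Interfaces allocated to more than one context -> the contexts sharing them.
    A shared interface puts those contexts on one segment, so the appliance has
    to classify inbound packets to a context by destination address."""
    owners = defaultdict(list)
    for name, ctx in contexts.items():
        for iface in ctx["interfaces"]:
            owners[iface].append(name)
    return {iface: names for iface, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    ctxs = parse_contexts(SHARED_EXIT)
    print(shared_interfaces(ctxs))  # {'Ethernet0.3': ['admin', 'cnc-1', 'cnc-2']}
    print([n for n, c in ctxs.items() if c["config_url"] is None])  # []
```

Run it against the multiple-exit system config from the second post and `shared_interfaces` returns an empty dict, since every context there owns two dedicated physical interfaces.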
Posted on 2008-11-12 18:44:30

How do I solve this?

How do I solve this? How do I solve this? How do I solve this? How do I solve this? How do I solve this? How do I solve this? How do I solve this?