博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 1826|回复: 0

pix515+log服务器+vpn

[复制链接]
发表于 2007-5-4 15:48:34 | 显示全部楼层 |阅读模式
pix515+log服务器+vpn [/td]
login as: pix
Sent username "pix"
pix@218.*.*.7's password:
Type help or '?' for a list of available commands.
langfang>;
langfang>; en
Password: ********
langfang# show run
: Saved
:
PIX Version 6.3(3)

#--------
#接口速率,安全等级, e0外口,e1 内口,e2DMZ
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password LuO1g4.ka4RRJSgu encrypted
passwd 0ai3Sv8iUzWyCmuD encrypted
hostname *
domain-name ciscopix.com.cn
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1719
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.16.0 vlan16
name 172.16.17.0 vlan17
object-group service voip24 tcp-udp
  port-object range 6024 6024
  port-object range 6026 6027
object-group service voip88 tcp-udp
  port-object range 6088 6088
  port-object range 6090 6091
object-group service voipweb tcp
  port-object range 7080 7080
object-group service voipweb1 tcp
  port-object range 6080 6080
object-group network vlan16and17
  network-object vlan16 255.255.255.0
  network-object vlan17 255.255.255.0

#---
控制列表201主要用来屏蔽的某些个病毒端口
access-list 201 deny ip object-group vlan16and17 any log
access-list 201 deny tcp any any eq 593
access-list 201 deny tcp any any eq 1434
access-list 201 deny tcp any any eq 2500
access-list 201 deny tcp any any eq 4444
access-list 201 deny tcp any any eq 5900
access-list 201 deny tcp any any eq 6346
access-list 201 deny tcp any any eq 6667
access-list 201 deny tcp any any eq 9393
access-list 201 deny udp any any eq 135
access-list 201 deny udp any any eq netbios-ns
access-list 201 deny udp any any eq 139
access-list 201 deny udp any any eq 445
access-list 201 deny udp any any eq 593
access-list 201 deny udp any any eq 1434
access-list 201 deny tcp any any eq 9995
access-list 201 deny tcp any any eq 5554
access-list 201 deny tcp any any eq 9996
access-list 201 deny udp any any eq 6346
access-list 201 deny udp any any eq 6881
access-list 201 deny udp any any eq 6882
access-list 201 deny udp any any eq 6883
access-list 201 deny udp any any eq 6885
access-list 201 deny udp any any eq 6886
access-list 201 deny udp any any eq 6887
access-list 201 deny udp any any eq 6888
access-list 201 deny udp any any eq 6889
access-list 201 deny tcp any any eq 6881
access-list 201 deny tcp any any eq 6882
access-list 201 deny tcp any any eq 6883
access-list 201 deny tcp any any eq 6884
access-list 201 deny tcp any any eq 6885
access-list 201 deny tcp any any eq 6886
access-list 201 deny tcp any any eq 6887
access-list 201 deny tcp any any eq 6888
access-list 201 deny tcp any any eq 6889
access-list 201 deny tcp any any eq 135
access-list 201 deny tcp any any eq 445
access-list 201 deny tcp any any eq 137
access-list 201 deny tcp any any eq netbios-ssn
access-list 201 permit ip any any

#---
下面这个控制列表是为ip电话和DMZ的机器向外做静态nat后能够被
外边也就是低安全等级所访问,不推荐是用管道命令,管道在pdm中
不支持,并且控制不能细化
access-list outside_access_in permit tcp any interface outside object-group voip24
access-list outside_access_in permit udp any interface outside object-group voip24
access-list outside_access_in permit tcp any interface outside object-group voip88
access-list outside_access_in permit udp any interface outside object-group voip88
access-list outside_access_in permit tcp any interface outside object-group voipweb
access-list outside_access_in permit tcp any interface outside object-group voipweb1
access-list outside_access_in permit ip any host 218.12.164.44  
access-list outside_access_in permit ip any host 218.12.164.45  
access-list outside_access_in permit ip any host 218.12.164.46  


#---
#下面这个控制列表outside_cryptomap_20为vpn所准备
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.0.0 192.168.0.0  

255.255.0.0

pager lines 24

#---------
#指定一个日志服务器,及日志级别
logging on
logging timestamp
logging trap informational
logging host inside 172.16.14.74


mtu outside 1500
mtu inside 1500
mtu dmz 1500

#------------
#设定3个口的地址
ip address outside 218.*.*.7 255.255.255.0
ip address inside 172.16.10.2 255.255.255.0
ip address dmz 172.16.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz

#------------
#可以使用pdm管理防火墙的ip地址
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 192.168.0.0 255.255.0.0 outside
pdm history enable
arp timeout 14400

#------------
#nat部分
global (outside) 1 interface  内到外转换后地址
global (dmz) 1 interface 内到DMZ转换后地址


#下面这个为vpn做的,0代表不做nat,即outside_cryptomap_20定义的流量不做nat
nat (inside) 0 access-list outside_cryptomap_20

#做nat的源地址
nat (inside) 1 0.0.0.0 0.0.0.0 0 0   内部所有
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0      DMZ所有


#------------
#下面是为了把一些ip电话映射到公网上
static (inside,outside) tcp interface 6024 172.16.10.24 6024 netmask 255.255.255.255 0  

0
static (inside,outside) udp interface 6024 172.16.10.24 6024 netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 6026 172.16.10.24 6026 netmask 255.255.255.255 0  

0
static (inside,outside) udp interface 6026 172.16.10.24 6026 netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 6027 172.16.10.24 6027 netmask 255.255.255.255 0  

0
static (inside,outside) udp interface 6027 172.16.10.24 6027 netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 6088 172.16.14.88 6088 netmask 255.255.255.255 0  

0
static (inside,outside) udp interface 6088 172.16.14.88 6088 netmask 255.255.255.255 0  

0
static (inside,outside) udp interface 6090 172.16.14.88 6090 netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 6090 172.16.14.88 6090 netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 6091 172.16.14.88 6091 netmask 255.255.255.255 0  

0
static (inside,outside) udp interface 6091 172.16.14.88 6091 netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 6080 172.16.10.24 www netmask 255.255.255.255 0  

0
static (inside,outside) tcp interface 7080 172.16.14.88 www netmask 255.255.255.255 0  

0

#------------
#下面是DMZ的三台服务器向外的静态NAT
static (dmz,outside) 218.*.*.4 172.16.100.4 netmask 255.255.255.255 0 0
static (dmz,outside) 218.*.*.5 172.16.100.5 netmask 255.255.255.255 0 0
static (dmz,outside) 218.*.*.6 172.16.100.6 netmask 255.255.255.255 0 0

#--------------
#绑定控制列表到接口
#outside_access_in控制列表
#允许从外界访问ip电话和dmz中机器的流量通过,其他遵循状态包监测
#201控制列表,屏蔽某些病毒端口和不常用端口,放行其他内部流量
access-group outside_access_in in interface outside
access-group 201 in interface inside


#------
#下面的向外的默认路由,和向内的路由(有个3550,几个网络段)
route outside 0.0.0.0 0.0.0.0 218.*.*.1 1
route inside 172.16.0.0 255.255.0.0 172.16.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

#---------
#启动pdm管理,和监听ip,类似apache的监听ip
#使用ie的https登陆用的ssl,客户端需要java虚拟机,忘了什么版本了
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


#---------------
#下面vpn  site-to-site

#在防火墙的安全等级的放行或这拒绝的规则里里为ipsec流量打开绿灯
sysopt connection permit-ipsec  
  
#转换集和加密图
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 218.*.*.140
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside

#ike
isakmp enable outside
isakmp key ******** address 218.*.*.140 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

#远程telnet 和ssh允许的地址
telnet 192.168.10.1 255.255.255.255 inside
telnet 172.16.10.100 255.255.255.255 inside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:14b8ea16b5207b2a9593d7846e3a3f65
: end


您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-11-24 01:39 , Processed in 0.103831 second(s), 16 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表