Original poster | Posted on 2007-12-19 13:24:52
Virtual firewall (multiple egress links)
sh ver
Cisco PIX Security Appliance Software Version 7.0(2) <system>
Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 9 mins 51 secs
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 0012.daf1.5686, irq 10
1: Ext: Ethernet1 : address is 0012.daf1.5687, irq 11
2: Ext: Ethernet2 : address is 000d.88ff.b804, irq 11
3: Ext: Ethernet3 : address is 000d.88ff.b805, irq 10
4: Ext: Ethernet4 : address is 000d.88ff.b806, irq 9
5: Ext: Ethernet5 : address is 000d.88ff.b807, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
<--- More --->
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 808495289
Running Activation Key: 0xd60ccff6 0x66c10288 0x4708d0ce 0x2ae96ff3
Configuration has not been modified since last system restart.
pixfirewall# sh run
: Saved
:
PIX Version 7.0(2) <system>
!
interface Ethernet0
!
interface Ethernet1
!
interface Ethernet2
!
interface Ethernet3
!
interface Ethernet4
!
interface Ethernet5
!
enable password 8Ry2YjIyt7RRXU24 encrypted
hostname pixfirewall
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
<--- More --->
admin-context admin
context admin
allocate-interface Ethernet0
allocate-interface Ethernet1
config-url flash:/admin.cfg
!
context cnc-1
allocate-interface Ethernet2
allocate-interface Ethernet3
config-url flash:/cnc-1.cfg
!
context cnc-2
allocate-interface Ethernet4
allocate-interface Ethernet5
config-url flash:/cnc-2.cfg
!
Cryptochecksum:1785a918b6c389976708b6f933687826
: end
pixfirewall#
pixfirewall# changeto context admin (enter the sub-firewall)
pixfirewall/admin# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname admin
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
<--- More --->
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
<--- More --->
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:0fa292be4bf97aadf52da496b3c521d4
: end
pixfirewall/admin#
pixfirewall#
pixfirewall# changeto context cnc-1 (enter the sub-firewall)
pixfirewall/cnc-1# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cnc-1
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
<--- More --->
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
<--- More --->
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:037ff73f3db30dbbc964c48c536c0816
: end
pixfirewall/cnc-1# exit
pixfirewall#
pixfirewall# changeto context cnc-2 (enter the sub-firewall)
pixfirewall/cnc-2# sh run
: Saved
:
PIX Version 7.0(2) <context>
names
!
interface Ethernet4
nameif outside
security-level 0
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet5
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cnc-2
access-list 1 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
<--- More --->
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.4.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
<--- More --->
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:738597503a14f95ceb5a1efed1ddb8cf
: end
pixfirewall/cnc-2#
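A review check for the multi-context layout shown in the post, as an added example that is not part of the original post: it reads the system config's context blocks and the per-context configs and reports interfaces allocated to more than one context, credential hashes repeated across contexts, and inbound ACLs on outside that permit a protocol from any to any. The sample strings are constructed from lines in the dumps above, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample, trimmed from the system config in the post.
SYSTEM_CFG = """\
context admin
allocate-interface Ethernet0
allocate-interface Ethernet1
context cnc-1
allocate-interface Ethernet2
allocate-interface Ethernet3
context cnc-2
allocate-interface Ethernet4
allocate-interface Ethernet5
"""
# Constructed sample: lines that all three context configs in the post share.
CTX_CFG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
access-list 1 extended permit icmp any any
access-group 1 in interface outside
"""
CONTEXT_CFGS = {name: CTX_CFG for name in ("admin", "cnc-1", "cnc-2")}

def allocations(system_cfg):
    """Map each physical interface to the list of contexts it is allocated to."""
    owners, ctx = defaultdict(list), None
    for line in map(str.strip, system_cfg.splitlines()):
        if m := re.fullmatch(r"context (\S+)", line):  # skips 'admin-context'
            ctx = m.group(1)
        elif (m := re.match(r"allocate-interface (\S+)", line)) and ctx:
            owners[m.group(1)].append(ctx)
    return dict(owners)

def shared_interfaces(system_cfg):
    # Sharing is permitted in multiple-context mode, but each case deserves review.
    return {i: c for i, c in allocations(system_cfg).items() if len(c) > 1}

def reused_secrets(context_cfgs):
    """Return {(kind, hash): [contexts]} for hashes seen in more than one context."""
    seen = defaultdict(list)
    pat = r"^\s*(enable password|passwd) (\S+) encrypted"
    for name, cfg in context_cfgs.items():
        for kind, digest in re.findall(pat, cfg, re.M):
            seen[(kind, digest)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def open_inbound_acls(cfg):
    """ACLs bound inbound on 'outside' that hold a 'permit <proto> any any' entry."""
    bound = set(re.findall(r"^\s*access-group (\S+) in interface outside", cfg, re.M))
    wide = set(re.findall(r"^\s*access-list (\S+) extended permit \S+ any any\s*$", cfg, re.M))
    return sorted(bound & wide)
```

On the post's configs this reports no shared interfaces, the same enable and login password hashes in all three contexts, and ACL 1 as the wide-open inbound rule in each context.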