Cisco PIX Firewall - firewall configuration commands with annotations

  PIX Version 6.3(1)
  interface ethernet0 auto              (set interface 0 speed to auto-negotiate)
  interface ethernet1 100full           (set interface 1 to 100 Mbps full duplex)
  interface ethernet2 auto              (set interface 2 speed to auto-negotiate)
  nameif ethernet0 outside security0    (name interface 0 "outside", security level 0)
  nameif ethernet1 inside security100   (name interface 1 "inside", security level 100)
  nameif ethernet2 dmz security50       (name interface 2 "dmz", security level 50)
  enable password Dv0yXUGPM3Xt7xVs encrypted   (privileged-mode password)
  passwd 2KFQnbNIdI.2KYOU encrypted            (login password)
  hostname hhyy                                (set the firewall hostname)
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  no fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521

fixup lets the administrator view, change, enable or disable a service or protocol passing through the PIX firewall. The firewall enables a number of common ports by default, but proprietary ports such as Oracle's must be enabled explicitly.


  names
  access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.170.0 255.255.255.0
  access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0
  access-list 101 permit ip 192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0
  access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0




Create an access list that allows addresses in specific subnets to reach certain other subnets.


  access-list 120 deny icmp 192.168.2.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.3.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.4.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.5.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.6.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.7.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.8.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.9.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.10.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.11.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.12.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.13.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.14.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.15.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.16.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.17.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.18.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.19.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.20.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.21.0 255.255.255.0 any
  access-list 120 deny icmp 192.168.22.0 255.255.255.0 any
  access-list 120 deny udp any any eq netbios-ns
  access-list 120 deny udp any any eq netbios-dgm
  access-list 120 deny udp any any eq 4444
  access-list 120 deny udp any any eq 1205
  access-list 120 deny udp any any eq 1209
  access-list 120 deny tcp any any eq 445
  access-list 120 deny tcp any any range 135 netbios-ssn
  access-list 120 permit ip any any




Create access list 120 to prevent ICMP traffic between the different subnets and to deny communication on ports such as 135 and 137 (mainly to stop the Blaster worm).
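As an added example (not part of the original post), the following Python evaluates a PIX-style access list the way the firewall does, top to bottom with the first matching entry winning and an implicit deny if nothing matches; it is run against a subset of the access-list 120 entries above to show which sample packets are dropped and which fall through to the final permit ip any any. The port names are resolved to the values PIX 6.3 uses (netbios-ns 137, netbios-dgm 138, netbios-ssn 139); the sample packets are constructed.

```python
# Added example: first-match evaluator for PIX extended access lists.
import ipaddress

# Named ports as PIX 6.3 resolves them in the access list above.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

ACL_120 = [  # subset of the page's access-list 120, copied verbatim
    "access-list 120 deny icmp 192.168.2.0 255.255.255.0 any",
    "access-list 120 deny icmp 192.168.3.0 255.255.255.0 any",
    "access-list 120 deny udp any any eq netbios-ns",
    "access-list 120 deny udp any any eq netbios-dgm",
    "access-list 120 deny udp any any eq 4444",
    "access-list 120 deny tcp any any eq 445",
    "access-list 120 deny tcp any any range 135 netbios-ssn",
    "access-list 120 permit ip any any",
]

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _net(tokens, i):
    """Return (network, next index) for 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse one entry into (action, proto, src_net, dst_net, (lo, hi) dst ports)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _net(t, 4)
    dst, i = _net(t, i)
    ports = (0, 65535)  # no port qualifier: any destination port
    if i < len(t) and t[i] == "eq":
        ports = (_port(t[i + 1]),) * 2
    elif i < len(t) and t[i] == "range":
        ports = (_port(t[i + 1]), _port(t[i + 2]))
    return action, proto, src, dst, ports

def evaluate(acl_lines, proto, src, dst, dport=0):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        action, p, snet, dnet, (lo, hi) = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if (ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet
                and lo <= dport <= hi):
            return action
    return "deny"  # implicit deny at the end of every PIX access list
```

Because the list is bound inbound on all three interfaces, an ICMP packet from 192.168.1.0/24 (which has no deny entry) is still permitted, while TCP 139 is caught by the 135 to netbios-ssn range.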


  access-list 110 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0
  pager lines 24
  logging on
  logging monitor debugging
  logging buffered debugging
  logging trap notifications
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  ip address outside 10.1.1.4 255.255.255.224     (set the outside interface address)
  ip address inside 192.168.1.254 255.255.255.0   (set the inside interface address)
  ip address dmz 192.168.19.1 255.255.255.0       (set the DMZ interface address)


  ip audit info action alarm
  ip audit attack action alarm
  ip local pool hhyy 192.168.170.1-192.168.170.254

Create an address pool named hhyy with the range 192.168.170.1-192.168.170.254.

  ip local pool yy 192.168.180.1-192.168.180.254

Create an address pool named yy with the range 192.168.180.1-192.168.180.254.


  no failover
  failover timeout 0:00:00
  failover poll 15
  no failover ip address outside
  no failover ip address inside
  no failover ip address dmz
  no pdm history enable
  arp timeout 14400

Failover is not enabled.


  global (outside) 1 10.1.1.13-10.1.1.28
  global (outside) 1 10.1.1.7-10.1.1.9
  global (outside) 1 10.1.1.10

Define the global address or address range that internal network addresses will be translated to.

  nat (inside) 0 access-list 101

Addresses matching access list 101 are exempted from translation and are visible to the external network as they are.

  nat (inside) 1 192.168.0.0 255.255.0.0 0 0

Internal network addresses are translated to external addresses.

  nat (dmz) 1 192.168.0.0 255.255.0.0 0 0

DMZ network addresses are translated to external addresses.

  static (inside,outside) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0
  static (inside,outside) 10.1.1.12 192.168.12.158 netmask 255.255.255.255 0 0
  static (inside,outside) 10.1.1.3 192.168.2.4 netmask 255.255.255.255 0 0

Set up one-to-one static translations between fixed internal hosts and fixed external IPs.

  static (dmz,outside) 10.1.1.2 192.168.19.2 netmask 255.255.255.255 0 0

Set up a one-to-one static translation between a fixed DMZ host and a fixed external IP.

  static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

Set up a one-to-one static translation between fixed internal hosts and DMZ IPs.

  static (dmz,outside) 10.1.1.29 192.168.19.3 netmask 255.255.255.255 0 0

Set up a one-to-one static translation between a fixed DMZ host and a fixed external IP.

  access-group 120 in interface outside
  access-group 120 in interface inside
  access-group 120 in interface dmz

Apply the access list to the interfaces.


  conduit permit tcp host 10.1.1.2 any
  conduit permit tcp host 10.1.1.3 any
  conduit permit tcp host 10.1.1.12 any
  conduit permit tcp host 10.1.1.29 any

Set up conduits: allow any address to reach these global addresses over TCP.

  conduit permit icmp 192.168.99.0 255.255.255.0 any

Set up a conduit: allow any address to ping 192.168.99.0 255.255.255.0.


  rip outside passive version 2
  rip inside passive version 2
  route outside 0.0.0.0 0.0.0.0 10.1.1.1

Set the default route toward the ISP (telecom) side.

  route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
  route inside 192.168.11.0 255.255.255.0 192.168.1.1 1

Set routes pointing back to the internal subnets.


  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute


  aaa-server TACACS protocol tacacs
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-pptp
  service resetinbound
  service resetoutside


  crypto ipsec transform-set myset esp-des esp-md5-hmac

Define a transform set named myset.

  crypto dynamic-map dynmap 10 set transform-set myset

Create a dynamic crypto map named dynmap from the myset transform set (optional).

  crypto map vpn 10 ipsec-isakmp dynamic dynmap

Apply the dynmap dynamic crypto map as the IPsec policy template (optional).

  crypto map vpn 20 ipsec-isakmp

Use IKE to establish the IPsec security associations that protect the traffic selected by this crypto map entry.

  crypto map vpn 20 match address 110

Specify access list 110 as the match list for the crypto map.

  crypto map vpn 20 set peer 10.1.1.41

Specify the IPsec peer in the crypto map entry.

  crypto map vpn 20 set transform-set myset

Specify that the myset transform set may be used by this crypto map entry.

  crypto map vpn client configuration address initiate

Instruct the PIX firewall to attempt to assign an IP address to each peer.

  crypto map vpn client configuration address respond




Instruct the PIX firewall to accept IP address requests from any requesting peer.

  crypto map vpn interface outside

Apply the crypto map to the outside interface.

  isakmp enable outside

Enable IKE negotiation on the outside interface.

  isakmp key ******** address 10.1.1.41 netmask 255.255.255.255

Specify the pre-shared key and the address of the remote peer.

  isakmp identity address

Set the IKE identity to the interface IP address.

  isakmp client configuration address-pool local yy outside
  isakmp policy 10 authentication pre-share

Specify pre-shared keys as the authentication method.

  isakmp policy 10 encryption des

Specify 56-bit DES as the encryption algorithm for the IKE policy.

  isakmp policy 10 hash md5

Specify MD5 (HMAC variant) as the hash algorithm for the IKE policy.

  isakmp policy 10 group 2

Specify the 1024-bit Diffie-Hellman group for the IKE policy.

  isakmp policy 10 lifetime 86400

Each security association has a lifetime of 86400 seconds (one day).


  vpngroup cisco idle-time 1800
  vpngroup pix_vpn address-pool yy
  vpngroup pix_vpn idle-time 1800
  vpngroup pix_vpn password ********
  vpngroup 123 address-pool yy
  vpngroup 123 idle-time 1800
  vpngroup 123 password ********
  vpngroup 456 address-pool yy
  vpngroup 456 idle-time 1800
  vpngroup 456 password ********
  telnet 192.168.88.144 255.255.255.255 inside
  telnet 192.168.88.154 255.255.255.255 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn group 1 accept dialin pptp
  vpdn group 1 ppp authentication pap
  vpdn group 1 ppp authentication chap
  vpdn group 1 ppp authentication mschap
  vpdn group 1 ppp encryption mppe 40
  vpdn group 1 client configuration address local hhyy
  vpdn group 1 pptp echo 60
  vpdn group 1 client authentication local
  vpdn username cisco password *********
  vpdn enable outside
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2
  vpnclient vpngroup cisco_vpn password ********
  vpnclient username pix password ********
  terminal width 80
  Cryptochecksum:9524a589b608c79d50f7c302b81bdfa4b
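As an added example (not the page's own material and not Cisco code), the following Python runs a handful of review checks over lines copied from the configuration above: the default SNMP community string, Telnet management access, the DES/MD5/group 2 IKE policy, the single-DES transform set, and the conduits that open every TCP port of a global address to any source. The sampled lines, the check patterns and the severities are my own construction.

```python
# Added example: a small configuration review over PIX 6.3 settings taken
# from this page, reporting the ones a reviewer would ask to be changed.
import re

CONFIG_LINES = [  # constructed subset of the configuration on this page
    "snmp-server community public",
    "telnet 192.168.88.144 255.255.255.255 inside",
    "ssh timeout 5",
    "isakmp policy 10 encryption des",
    "isakmp policy 10 hash md5",
    "isakmp policy 10 group 2",
    "crypto ipsec transform-set myset esp-des esp-md5-hmac",
    "conduit permit tcp host 10.1.1.2 any",
    "logging trap notifications",
]

# (regex, severity, finding). Each entry names a weakness and the fix.
CHECKS = [
    (r"^snmp-server community (public|private)$", "high",
     "default SNMP community string; set a unique string or disable SNMP"),
    (r"^telnet \S+ \S+ \S+$", "medium",
     "cleartext Telnet management enabled; prefer SSH and restrict sources"),
    (r"^isakmp policy \d+ encryption des$", "high",
     "IKE encryption is 56-bit DES; use 3des or aes where supported"),
    (r"^isakmp policy \d+ hash md5$", "medium",
     "IKE hash is MD5; prefer sha"),
    (r"^isakmp policy \d+ group [12]$", "medium",
     "IKE DH group 1 or 2 (at most 1024-bit); use a stronger group"),
    (r"^crypto ipsec transform-set \S+ esp-des\b", "high",
     "IPsec transform set uses single DES"),
    (r"^conduit permit tcp host \S+ any$", "high",
     "conduit exposes every TCP port of a global address to any source"),
]

def audit(lines):
    """Return [(severity, finding, offending line)] for every check that matches."""
    findings = []
    for line in lines:
        line = line.strip()
        for pattern, severity, finding in CHECKS:
            if re.match(pattern, line):
                findings.append((severity, finding, line))
    return findings

if __name__ == "__main__":
    for severity, finding, line in audit(CONFIG_LINES):
        print(f"[{severity}] {finding}: {line}")
```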

