Cisco PIX 515E Installation, Configuration and Maintenance Manual
==================
Document conventions
==================
( ) marks a comment.

==================
Logging in to the PIX 515E
==================
1. telnet 192.168.0.1
User Access Verification
Password: (enter the password; the following is displayed:)
Type help or '?' for a list of available commands.
weibo> (this is the unprivileged mode of the PIX 515E; it is view-only, and only the firewall's system information can be viewed)

2. enable (enter privileged mode; the following is displayed)
password: (enter the password to reach privileged mode)
weibo# (weibo> changes to weibo#)
(In privileged mode the firewall configuration can only be viewed, not modified; use disable to leave privileged mode and return to unprivileged mode.)

3. con t (enter configuration mode; the following is displayed)
weibo(config)# (weibo# changes to weibo(config)#)
(Only in configuration mode can the firewall configuration be modified; use exit or quit to leave configuration mode and return to privileged mode.)

====================
Changing passwords
====================
1. password whr (change the telnet password to whr)
2. enable password whr (change the privileged-mode password to whr)
3. Change the VPN dial-in password:
no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 (remove the pre-shared key)
isakmp key whr address 0.0.0.0 netmask 0.0.0.0 (set the pre-shared key)
no vpdn username chase (remove user chase)
vpdn username chase password whr (set user chase with password whr; the password must be the same as the pre-shared key)

=====================
Show commands
=====================
1. show ver (show system information)
2. show run (show the firewall's running configuration)
3. show conn (show the firewall's IP connection information)
4. show ip address (show the firewall's IP addresses)

=====================
Enabling the Ethernet interfaces
=====================
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto

======================
Naming interfaces and security levels
======================
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto

=======================
Configuring Ethernet interface IP addresses
=======================
ip address outside 61.233.203.114 255.255.255.192
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip address e3 61.233.203.47 255.255.255.192

=======================
Configuring DHCP
=======================
dhcpd address 192.168.0.2-192.168.0.254 inside (DHCP address range)
dhcpd dns 211.98.2.4 211.98.4.1 (DNS servers handed out by DHCP)
dhcpd enable inside (enable the dhcpd service on the inside interface)

=======================
Configuring routes
=======================
route outside 0.0.0.0 0.0.0.0 61.233.203.65 1 (outside uses the gateway 61.234.204.65)
route e3 0.0.0.0 0.0.0.0 61.233.203.1 2

=======================
Configuring remote telnet access
=======================
telnet 192.168.0.1 255.255.255.255 inside (enable the telnet service on the inside interface)
telnet 192.168.0.0 255.255.255.0 inside (allow all inside users to reach the telnet service)
telnet 0.0.0.0 0.0.0.0 e3
telnet 61.233.203.47 255.255.255.255 e3

=======================
Configuring NAT
=======================
1. No NAT from inside to the VPN
access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0 (create the inside --> VPN access list)
nat (inside) 0 access-list 107 (no NAT for inside --> VPN, referencing access-list 107 from the previous step)
2. NAT from inside to the DMZ
access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433
access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125
nat (inside) 2 access-list 102 (NAT for inside --> DMZ, referencing access-list 102 from the previous step)
3. NAT from inside to the Internet
access-list 101 permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 1 access-list 101 0 0
4. No NAT from the DMZ to the VPN
access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0 (create the DMZ --> VPN access list)
nat (DMZ) 0 access-list 107
5. No NAT from the VPN to the DMZ
access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0 (create the VPN --> DMZ access list)
nat (e3) 0 access-list 150

=======================
Configuring static mappings
=======================
static (inside,outside) tcp 61.233.203.114 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.233.203.114 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.233.203.114 21 192.168.0.116 21 netmask 255.255.255.255 0 0
(mappings from 61.233.203.114 --> 192.168.0.116)

=======================
Configuring the VPN
=======================
ip local pool pigpool 172.16.1.1-172.16.1.240 (create the VPN address pool)
sysopt connection permit-ipsec (permit IPsec connections)
sysopt connection permit-pptp (permit PPTP connections)
sysopt connection permit-l2tp (permit L2TP connections)
isakmp enable e3 (enable ISAKMP on interface e3)
isakmp policy 8 encryption des (phase 1 negotiation uses the DES encryption algorithm)
isakmp policy 8 hash md5 (phase 1 negotiation uses the MD5 hash algorithm)
isakmp policy 8 authentication pre-share (phase 1 authenticates with a pre-shared key)
isakmp key pix address 0.0.0.0 netmask 0.0.0.0 (use the pre-shared key pix)
isakmp client configuration address-pool local pigpool e3 (bind the VPN client address pool to ISAKMP)
isakmp policy 8 group 2 (isakmp policy 10 group 2)
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac (define a transform set named strong-des)
crypto dynamic-map cisco 4 set transform-set strong-des (add strong-des to the dynamic crypto map cisco)
crypto map partner-map 20 ipsec-isakmp dynamic cisco (bind the dynamic crypto map to the crypto map partner-map)
crypto map partner-map client configuration address initiate (assign an IP address to each client)
crypto map partner-map client configuration address respond (have the PIX accept requests from any IP address)
crypto map partner-map interface e3 (bind the dynamic crypto map ***peer to interface e3)
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local pigpool
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 80
vpdn username pix password pix (set the VPN password; it must be identical to the pre-shared key)
vpdn enable e3

=======================
VPN local authentication
=======================
crypto map ***peer client authentication LOCAL
username whr password whr
no username whr

=======================
Backing up all configuration data of the Cisco PIX 515E
=======================
show tech-support |
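The NAT section above chains several access lists to nat statements, and it is not obvious from reading them which rule a given flow hits (for example, inside traffic to the DMZ host on a port other than 1433 or 3125 falls through to the Internet NAT rule, and access-list 107 is referenced by both the inside and DMZ nat 0 statements, so both of its entries are evaluated on each interface). The following is an added example written for this page, not code from the manual or from Cisco: a small Python resolver that parses the manual's own access-list and nat lines (embedded below as a constructed sample) and reports which rule applies to a flow. The ordering it assumes is that nat 0 exemption wins over policy NAT and the remaining policy nat statements are tried in configuration order; that ordering is an assumption of this script, not something the manual states.

```python
import ipaddress
import re

# Constructed sample: the access-list and nat lines from the manual's NAT section,
# copied verbatim with the parenthesised comments removed.
PIX_NAT_CONFIG = """
access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 107
access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433
access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125
nat (inside) 2 access-list 102
access-list 101 permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 1 access-list 101 0 0
access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (DMZ) 0 access-list 107
access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (e3) 0 access-list 150
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+(.+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)")


def _take_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return ({acl: [(proto, src_net, dst_net, dport|None), ...]}, [(iface, nat_id, acl), ...])."""
    acls, nats = {}, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, proto, rest = m.groups()
            tokens = rest.split()
            src, i = _take_addr(tokens, 0)
            dst, i = _take_addr(tokens, i)
            dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
            acls.setdefault(name, []).append((proto, src, dst, dport))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, acl = m.groups()
            nats.append((iface, int(nat_id), acl))
    return acls, nats


def _ace_matches(ace, proto, src, dst, dport):
    ace_proto, ace_src, ace_dst, ace_port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if ace_port is not None and ace_port != dport:
        return False
    return src in ace_src and dst in ace_dst


def resolve_nat(acls, nats, iface, src, dst, proto="ip", dport=None):
    """Return ('exempt' | 'nat' | None, nat_id, acl_name) for a flow entering `iface`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    on_iface = [n for n in nats if n[0] == iface]
    # Assumed ordering: nat 0 access-list (identity NAT) first, then the remaining
    # policy nat statements in configuration order.
    ordered = [n for n in on_iface if n[1] == 0] + [n for n in on_iface if n[1] != 0]
    for _, nat_id, acl in ordered:
        for ace in acls.get(acl, []):
            if _ace_matches(ace, proto, src, dst, dport):
                return ("exempt" if nat_id == 0 else "nat"), nat_id, acl
    return None, None, None


if __name__ == "__main__":
    acls, nats = parse_config(PIX_NAT_CONFIG)
    flows = [  # constructed sample flows: (interface, src, dst, proto, dport)
        ("inside", "192.168.0.50", "172.16.1.10", "ip", None),
        ("inside", "192.168.0.50", "172.16.0.103", "tcp", 1433),
        ("inside", "192.168.0.50", "172.16.0.103", "tcp", 80),
        ("DMZ", "172.16.0.5", "172.16.1.10", "ip", None),
        ("inside", "10.0.0.5", "8.8.8.8", "tcp", 443),
    ]
    for flow in flows:
        print(flow, "->", resolve_nat(acls, nats, *flow))
```

Running it shows that inside-to-DMZ traffic on port 80 is not covered by access-list 102 and is therefore handled by the Internet rule (nat 1), while a source outside 192.168.0.0/24 matches no rule at all on the inside interface; both are worth confirming on the device with show conn before relying on the policy.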
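Several settings in the telnet and VPN sections above are ones a reviewer would flag before this configuration goes into service: telnet accepted from any source on e3, single DES and MD5 for IKE phase 1, one pre-shared key accepted from any peer address, PAP for PPP authentication, and the same string used as username, password and pre-shared key. The following is an added example written for this page, not code from the manual or from Cisco: a Python config linter that scans the manual's management and VPN lines (embedded as a constructed sample) and lists those findings. The severity labels are this example's own, and the contrasting hardened fragment uses placeholder secrets and the documentation address 203.0.113.10; none of those values come from the manual.

```python
import re

# Constructed sample: the management and VPN lines from the manual above (comments removed).
SAMPLE_CONFIG = """
password whr
enable password whr
telnet 192.168.0.1 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 e3
telnet 61.233.203.47 255.255.255.255 e3
isakmp enable e3
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share
isakmp key pix address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 group 2
vpdn group 2 ppp authentication pap
vpdn username pix password pix
username whr password whr
"""

# Constructed contrast: the same commands with stronger values. Secrets are placeholders
# and 203.0.113.10 is a documentation address; none of this comes from the manual.
HARDENED_CONFIG = """
password EXAMPLE-LOGIN-PW
enable password EXAMPLE-ENABLE-PW
telnet 192.168.0.0 255.255.255.0 inside
telnet 61.233.203.47 255.255.255.255 e3
isakmp enable e3
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 authentication pre-share
isakmp key EXAMPLE-PSK address 203.0.113.10 netmask 255.255.255.255
isakmp policy 8 group 2
vpdn group 2 ppp authentication chap
vpdn username pix password EXAMPLE-USER-PW
username whr password EXAMPLE-ADMIN-PW
"""

# (regex, severity, message): one finding per matching line
LINE_CHECKS = [
    (r"^telnet 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", "HIGH",
     "telnet management is reachable from any source address on interface {0}"),
    (r"^isakmp policy \d+ encryption des$", "HIGH", "IKE phase 1 uses single DES"),
    (r"^isakmp policy \d+ hash md5$", "MEDIUM", "IKE phase 1 uses MD5"),
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", "HIGH",
     "a single pre-shared key is accepted from any peer address"),
    (r"^vpdn group \d+ ppp authentication pap$", "HIGH",
     "PPP authentication uses PAP, which sends the password in cleartext"),
    (r"^(?:vpdn )?username (\S+) password \1$", "HIGH",
     "password equals username for account {0}"),
]


def audit(text):
    """Return [(severity, offending line, message), ...] for a PIX config fragment."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    findings = []
    for line in lines:
        for pattern, severity, message in LINE_CHECKS:
            m = re.match(pattern, line)
            if m:
                findings.append((severity, line, message.format(*m.groups())))

    # Cross-line checks: one secret reused for two purposes.
    psks = set()
    for line in lines:
        m = re.match(r"^isakmp key (\S+) address ", line)
        if m:
            psks.add(m.group(1))
    for line in lines:
        m = re.match(r"^vpdn username \S+ password (\S+)$", line)
        if m and m.group(1) in psks:
            findings.append(("MEDIUM", line,
                             "VPN user password is identical to the IKE pre-shared key"))
    login = {l.split()[1] for l in lines if re.match(r"^password \S+$", l)}
    enable = {l.split()[2] for l in lines if re.match(r"^enable password \S+$", l)}
    if login & enable:
        findings.append(("MEDIUM", "password / enable password",
                         "telnet login password and enable password are identical"))
    return findings


if __name__ == "__main__":
    for severity, line, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {line}: {message}")
    print("hardened fragment findings:", audit(HARDENED_CONFIG))
```

Run it against the output of show run (the manual's own backup command, show tech-support, also contains the running configuration) rather than against a hand-typed fragment, so the review covers the lines actually on the device.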
Reposted from: https://blog.51cto.com/jsilencer/317794