帮忙诠释一下PIX配置例文
以下是例文,很大部分没看懂特别是后面。
PIX的配置
1,
定义端口速率模式
例: interface ethernet0 auto 设定端口0 速率为自动
interface ethernet1 100full 设定端口1 速率为100兆全双工
interface ethernet2 auto 设定端口2 速率为自动
2,定义端口名及安全级别
nameif ethernet1(端口) inside(端口名称)security**(端口安全极别100/50)
3,定义主机名,特权及登录密码
4, 允许用户查看、改变、启用或禁止一个服务或协议通过PIX防火墙,防火墙默认启用了一些常见的端口,但对于ORACLE等专有端口,需要专门启用。(定义在PIX防火墙本身上服务,协议及端口的可用性)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
5, 建立访问列表两个,
第一个允许特定网段的地址访问某些网段(根据地址范围确立内部网络间的互访可能性关系)
access-list 101(列表号) permit(允许或/deny禁止) ip 192.168.99.0(发启地址范围) 255.255.255.0(掩码) 192.168.170.0(目标地址范围) 255.255.255.0(掩码)
第二个访问列表防止各个不同网段之间的ICMP发包及拒绝135、137等端口之间的通信(主要防止冲击波病毒)(根据协议确立端口访问安全交换可能性关系)
access-list 120(列表号) deny(禁止) icmp(协议) 192.168.22.0(发起地址) 255.255.255.0 any (目标地址范围,ANY代表所有地址)
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 4444
access-list 120 deny udp any any eq 1205
access-list 120 deny udp any any eq 1209
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any range 135 netbios-ssn
access-list 120 permit ip any any
把此列表应用到PIX三大类端口上
access-group 120 in interface outside/ inside/dmz
(pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500微调三大端口的MTU值及诊断)
6,定义outside(外部端口), inside(内部端口),dmz(交火区端口)的地址
ip address outside/ inside/dmz 10.1.1.4(地址) 255.255.255.224(掩码)
(定义两个地址池
ip audit info action alarm
ip audit attack action alarm
ip local pool hhyy(地址池名) 192.168.170.1-192.168.170.254地址范围)(不清楚什么意思,为什么需要)
7,使路由器不支持故障切换(什么意思没搞懂)
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no pdm history enable
arp timeout 14400
8, 定义内部网络地址将要翻译成的全局地址或地址范围
global (outside) 1(可译0为不可译) 10.1.1.13-10.1.1.28(对应地址池范围)
使得符合前面互访问列表地址不通过翻译,对外部网络是可见的
nat (inside) 0 access-list 101(列表号)此应用例表为原根据地址范围的内网访问列表
内部/dmz区网络地址翻译成外部地址
nat (inside/dmz) 1 192.168.0.0(内部地址网络) 255.255.0.0 0 0
9, 设定固定主机与外网固定IP(DMZ区固定主机与外网固定IP, 内网固定主机与DMZ IP)三种关系区之间的一对一静态转换
static (inside,outside)/ (dmz,outside)/ (inside,dmz) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0(一对一静态转换)
10,允许外部地址对全部地址进行TCP协议的访问
conduit permit tcp host 10.1.1.2(外部地址) any
设定路由协议在内外端口上应用的版本及默认路由到isp
rip outside passive version 2
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 10.1.1.1(默认路由)
/设定路由回指到内部的子网(没搞明白)
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.1.1 1
11, 安全定义
定义一个名称为**的交换集
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
service resetoutside
crypto ipsec transform-set myset(交换集名) esp-des esp-md5-hmac
产生一个动态加密图集
crypto dynamic-map dynmap(加密图集名) 10(集表号) set transform-set myset(交换集名)
将动态加密图集应用为IPSEC的策略模板(不明白为什么牵涉VPN)
crypto map vpn 10(集表号) ipsec-isakmp dynamic dynmap(加密图集名)
用IKE来建立IPSEC安全关联以保护由该加密条目指定的数据流
crypto map vpn 20(第二个集表号) ipsec-isakmp
为加密图指定列表号作为可匹配的列表
crypto map vpn 20(第二个集号) match address 110(指定列表号)
下面的更没看懂
crypto map vpn 20 set peer 10.1.1.41
在加密图条目中指定IPSEC对等体
crypto map vpn 20 set transform-set myset
指定myset交换集可以被用于加密条目
crypto map vpn client configuration address initiate
指示PIX防火墙试图为每个对等体设置IP地址
crypto map vpn client configuration address respond
指示PIX防火墙接受来自任何请求对等体的IP地址请求
crypto map vpn interface outside
将加密图应用到外部接口
isakmp enable outside
在外部接口启用IKE协商
isakmp key ******** address 10.1.1.41 netmask 255.255.255.255
指定预共享密钥和远端对等体的地址
isakmp identity address
IKE身份设置成接口的IP地址
isakmp client configuration address-pool local yy outside
isakmp policy 10 authentication pre-share
指定预共享密钥作为认证手段
isakmp policy 10 encryption des
指定56位DES作为将被用于IKE策略的加密算法
isakmp policy 10 hash md5
指定MD5 (HMAC变种)作为将被用于IKE策略的散列算法
isakmp policy 10 group 2
指定1024比特Diffie-Hellman组将被用于IKE策略
isakmp policy 10 lifetime 86400
每个安全关联的生存周期为86400秒(一天)
vpngroup cisco idle-time 1800
vpngroup pix_vpn address-pool yy
vpngroup pix_vpn idle-time 1800
vpngroup pix_vpn password ********
vpngroup 123 address-pool yy
vpngroup 123 idle-time 1800
vpngroup 123 password ********
vpngroup 456 address-pool yy
vpngroup 456 idle-time 1800
vpngroup 456 password ********
telnet 192.168.88.144 255.255.255.255 inside
telnet 192.168.88.154 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local hhyy
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 2
vpnclient vpngroup cisco_vpn password ********
vpnclient username pix password ********
terminal width 80
Cryptochecksum:9524a589b608c79d50f7c302b81bdfa4b
