PIX的配置及注解完全手册

1、PIX的配置及注解完全手册PIXVersion6.3(1)interfaceethernet0auto设定端口0速率为自动interfaceethernet1100full设定端口1速率为100兆全双工interfaceethernet2auto设定端口2速率为自动nameifethernet0outsidesecurity0设定端口0名称为outside安全级别为0nameifethernet1insidesecurity100设定端口1名称为inside安全级别为100nameifethernet2dmzsecurity50设定端口2名称为dmz安全级别为50enablepasswordD

2、v0yXUGPM3Xt7xVsencrypted特权密码passwd2KFQnbNIdI.2KYOUencrypted登陆密码hostnamehhyy设定防火墙名称fixupprotocolftp21fixupprotocolh323h2251720fixupprotocolh323ras1718-1719fixupprotocolhttp80fixupprotocolils389fixupprotocolrsh514fixupprotocolrtsp554fixupprotocolsip5060fixupprotocolsipudp5060nofixupprotocolskinny2000f

3、ixupprotocolsmtp25fixupprotocolsqlnet1521允许用户查看、改变、启用或禁止一个服务或协议通过PIX防火墙，防火墙默认启用了一些常见的端口，但对于ORACLE等专有端口，需要专门启用。namesaccess-list101permitipaccess-list101permitip25anyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list

4、120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list

5、120denyicmpanyaccess-list120denyicmpanyaccess-list120denyicmpanyaccess-list120denyudpanyanyeqnetbios-nsaccess-list120denyudpanyanyeqnetbios-dgmaccess-list120denyudpanyanyeq4444access-list120denyudpanyanyeq1205access-list120denyudpanyanyeq1209access-list120denytcpanyanyeq445access-list120denytcpanyan

6、yrange135netbios-ssnaccess-list120permitipanyany建立访问列表120防止各个不同网段之间的ICMP发包及拒绝135、137等端口之间的通信（主要防止冲击波病毒）access-list110permitippagerlines24loggingonloggingmonitordebuggingloggingbuffereddebuggingloggingtrapnotificationsmtuoutside1500mtuinside1500mtudmz1500ipaddressoutside.424设定外端口地址ipaddressinside54设定

7、内端口地址ipaddressdmz设定DMZ端口地址ipauditinfoactionalarmipauditattackactionalarmiplocalpoolhhyy-54建立名称为hhyy的地址池，起始地址段为：-54iplocalpoolyy-54建立名称为yy的地址池，起始地址段为：-54nofailoverfailover.1.9global(outside)10定义内部网络地址将要翻译成的全局地址或地址范围nat(inside)0access-list101使得符合访问列表为101地址不通过翻译，对外部网络是可见的nat(inside)100内部网络地址翻译成外部地址nat(

8、dmz)100DMZ区网络地址翻译成外部地址static(inside,outside)00netmask5500static(inside,outside)258netmask5500static(inside,outside)netmask5500设定固定主机与外网固定IP之间的一对一静态转换static(dmz,outside)netmask5500设定DMZ区固定主机与外网固定IP之间的一对一静态转换static(inside,dmz)netmask00设定内网固定主机与DMZIP之间的一对一静态转换static(dmz,outside)9netmask5500设定DMZ区固定主机与外

9、网固定IP之间的一对一静态转换access-group120ininterfaceoutsideaccess-group120ininterfaceinsideaccess-group120ininterfacedmz将访问列表应用于端口conduitpermittcphostanyconduitpermittcphostanyconduitpermittcphost2anyconduitpermittcphost9any设置管道：允许任何地址对全局地址进行TCP协议的访问conduitpermiticmpany设置管道：允许任何地址对地址进行PING测试ripoutsidepassiveve

10、rsion2ripinsidepassiveversion2routeoutside设定默认路由到电信端routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1设定路由回指到内部的子网timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00rpc0:10:00h2251:00:00timeouth3230:05:00mgcp0:05:00s

11、ip0:30:00sip_media0:02:00timeoutuauth0:05:00absoluteaaa-serverTACACS+protocoltacacs+aaa-serverRADIUSprotocolradiusaaa-serverLOCALprotocollocalnosnmp-serverlocation nosnmp-servercontactsnmp-servercommunitypublicnosnmp-serverenabletrapsfloodguardenablesysoptconnectionpermit-ipsecsysoptconnectionpermit

12、-pptpserviceresetinboundserviceresetoutsidecryptoipsectransform-setmysetesp-desesp-md5-hmac定义一个名称为myset的交换集cryptodynamic-mapdynmap10settransform-setmyset根据myset交换集产生名称为dynmap的动态加密图集（可选）cryptomapvpn10ipsec-isakmpdynamicdynmap将dynmap动态加密图集应用为IPSEC的策略模板（可选）cryptomapvpn20ipsec-isakmp用IKE来建立IPSEC安全关联以保护由

13、该加密条目指定的数据流cryptomapvpn20matchaddress110为加密图指定列表110作为可匹配的列表cryptomapvpn20setpeer1在加密图条目中指定IPSEC对等体cryptomapvpn20settransform-setmyset指定myset交换集可以被用于加密条目cryptomapvpnclientconfigurationaddressinitiate指示PIX防火墙试图为每个对等体设置IP地址cryptomapvpnclientconfigurationaddressrespond指示PIX防火墙接受来自任何请求对等体的IP地址请求cryptomap

14、vpninterfaceoutside将加密图应用到外部接口isakmpenableoutside在外部接口启用IKE协商isakmpkey*address1netmask55指定预共享密钥和远端对等体的地址isakmpidentityaddressIKE身份设置成接口的IP地址isakmpclientconfigurationaddress-poollocalyyoutsideisakmppolicy10authenticationpre-share指定预共享密钥作为认证手段isakmppolicy10encryptiondes指定56位DES作为将被用于IKE策略的加密算法isakmppo

15、licy10hashmd5指定MD5(HMAC变种)作为将被用于IKE策略的散列算法isakmppolicy10group2指定1024比特Diffie-Hellman组将被用于IKE策略isakmppolicy10lifetime86400每个安全关联的生存周期为86400秒（一天）vpngroupciscoidle-time1800vpngrouppix_vpnaddress-poolyyvpngrouppix_vpnidle-time1800vpngrouppix_vpnpassword*vpngroup123address-poolyyvpngroup123idle-time1800v

16、pngroup123password*vpngroup456address-poolyyvpngroup456idle-time1800vpngroup456password*telnet4455insidetelnet5455insidetelnettimeout5sshtimeout5consoletimeout0vpdngroup1acceptdialinpptpvpdngroup1pppauthenticationpapvpdngroup1pppauthenticationchapvpdngroup1pppauthenticationmschapvpdngroup1pppencryptionmppe40vpdngroup1clientconfigurationaddresslocalhhyyvpdngroup1pptpecho60vpdng