{"id":178,"date":"2010-12-10T23:56:26","date_gmt":"2010-12-10T15:56:26","guid":{"rendered":"http:\/\/www.microwolf.net\/?p=178"},"modified":"2010-12-10T23:56:26","modified_gmt":"2010-12-10T15:56:26","slug":"cisco-pix-%e5%ae%89%e8%a3%85%e6%b5%81%e7%a8%8b","status":"publish","type":"post","link":"http:\/\/www.microwolf.net\/?p=178","title":{"rendered":"Cisco PIX \u5b89\u88c5\u6d41\u7a0b"},"content":{"rendered":"

1. \u5c06PIX\u5b89\u653e\u81f3\u673a\u67b6\uff0c\u7ecf\u68c0\u6d4b\u7535\u6e90\u7cfb\u7edf\u540e\u63a5\u4e0a\u7535\u6e90\uff0c\u5e76\u52a0\u7535\u4e3b\u673a\u3002
\n
2. \u5c06CONSOLE\u53e3\u8fde\u63a5\u5230PC\u7684\u4e32\u53e3\u4e0a\uff0c\u8fd0\u884cHyperTerminal\u7a0b\u5e8f\u4eceCONSOLE\u53e3\u8fdb\u5165
\u3000 PIX\u7cfb\u7edf\uff1b\u6b64\u65f6\u7cfb\u7edf\u63d0\u793apixfirewall>\u3002
3. \u8f93\u5165\u547d\u4ee4\uff1aenable,\u8fdb\u5165\u7279\u6743\u6a21\u5f0f\uff0c\u6b64\u65f6\u7cfb\u7edf\u63d0\u793a\u4e3apixfirewall#\u3002
\n
4. \u8f93\u5165\u547d\u4ee4\uff1a configure terminal,\u5bf9\u7cfb\u7edf\u8fdb\u884c\u521d\u59cb\u5316\u8bbe\u7f6e\u3002
\n
5. \u914d\u7f6e\u4ee5\u592a\u53e3\u53c2\u6570\uff1a
\u3000 interface ethernet0 auto\u3000 \uff08auto\u9009\u9879\u8868\u660e\u7cfb\u7edf\u81ea\u9002\u5e94\u7f51\u5361\u7c7b\u578b \uff09
\u3000 interface ethernet1 auto
6. \u914d\u7f6e\u5185\u5916\u7f51\u5361\u7684IP\u5730\u5740\uff1a
\u3000 ip address inside ip_address netmask
\u3000 ip address outside ip_address netmask
7. \u6307\u5b9a\u5916\u90e8\u5730\u5740\u8303\u56f4\uff1a
\u3000 global 1 ip_address-ip_address
8. \u6307\u5b9a\u8981\u8fdb\u884c\u8981\u8f6c\u6362\u7684\u5185\u90e8\u5730\u5740\uff1a
\u3000 nat 1 ip_address netmask
9. \u8bbe\u7f6e\u6307\u5411\u5185\u90e8\u7f51\u548c\u5916\u90e8\u7f51\u7684\u7f3a\u7701\u8def\u7531
\u3000 route inside 0 0 inside_default_router_ip_address
\n
\u3000 route outside 0 0 outside_default_router_ip_address
\n
10. \u914d\u7f6e\u9759\u6001IP\u5730\u5740\u5bf9\u6620\uff1a
\u3000 static outside ip_address\u3000\u3000inside ip_address
\n\u3000
11. \u8bbe\u7f6e\u67d0\u4e9b\u63a7\u5236\u9009\u9879\uff1a
\u3000 conduit global_ip port[-port] protocol foreign_ip [netmask]
\n\u3000
\u3000\u3000\u3000global_ip\u3000 \u6307\u7684\u662f\u8981\u63a7\u5236\u7684\u5730\u5740
\u3000\u3000\u3000port\u3000\u3000\u3000\u3000\u6307\u7684\u662f\u6240\u4f5c\u7528\u7684\u7aef\u53e3\uff0c\u5176\u4e2d0\u4ee3\u8868\u6240\u6709\u7aef\u53e3
\n
\u3000\u3000\u3000protocol\u3000\u3000\u6307\u7684\u662f\u8fde\u63a5\u534f\u8bae\uff0c\u6bd4\u5982\uff1aTCP\u3001UDP\u7b49
\n
\u3000\u3000\u3000foreign_ip\u3000\u8868\u793a\u53ef\u8bbf\u95eeglobal_ip\u7684\u5916\u90e8ip\uff0c\u5176\u4e2d\u8868\u793a\u6240\u6709\u7684ip\u3002
\n
12. \u8bbe\u7f6etelnet\u9009\u9879\uff1a
\u3000 telnet local_ip [netmask]
\u3000\u3000\u3000local_ip\u3000\u3000\u8868\u793a\u88ab\u5141\u8bb8\u901a\u8fc7telnet\u8bbf\u95ee\u5230pix\u7684ip\u5730\u5740\uff08\u5982\u679c\u4e0d\u8bbe\u6b64\u9879\uff0c
PIX\u7684\u914d
\u3000\u3000\u3000\u3000\u3000\u3000\u3000\u3000\u3000\u7f6e\u53ea\u80fd\u7531consle\u65b9\u5f0f\u8fdb\u884c\uff09\u3002
\n
13. \u5c06\u914d\u7f6e\u4fdd\u5b58\uff1a
\u3000 wr mem
14. \u51e0\u4e2a\u5e38\u7528\u7684\u7f51\u7edc\u6d4b\u8bd5\u547d\u4ee4\uff1a
\u3000 #ping
\u3000 #show interface\u3000\u3000\u3000\u67e5\u770b\u7aef\u53e3\u72b6\u6001
\n
\u3000 #show static\u3000\u3000\u3000\u3000 \u67e5\u770b\u9759\u6001\u5730\u5740\u6620\u5c04 <\/P>
\n

Cisco PIX 520 \u662f\u4e00\u6b3e\u6027\u80fd\u826f\u597d\u7684\u7f51\u7edc\u5b89\u5168\u4ea7\u54c1\uff0c\u5982\u679c\u518d\u52a0\u4e0aCheck
\nPoint \u7684\u8f6f\u4ef6\u9632\u706b\u5899\u7ec4\u6210\u4e24\u9053\u9632\u62a4\uff0c\u53ef\u4ee5\u5f97\u5230\u66f4\u52a0\u5b8c\u5584\u7684\u5b89\u5168\u9632\u8303\u3002<\/FONT><\/P>
\n

\u3000\u3000
\n\u4e3b\u8981\u7528\u4e8e\u5c40\u57df\u7f51\u7684\u5916\u8fde\u8bbe\u5907\uff08\u5982\u8def\u7531\u5668\u3001\u62e8\u53f7\u8bbf\u95ee\u670d\u52a1\u5668\u7b49\uff09\u4e0e\u5185\u90e8\u7f51\u7edc\u4e4b\u95f4\uff0c\u5b9e\u73b0\u5185\u90e8\u7f51\u7edc\u7684\u5b89\u5168\u9632\u8303\uff0c\u907f\u514d\u6765\u81ea\u5916\u90e8\u7684\u6076\u610f\u653b\u51fb\u3002<\/FONT><\/P>
\n

\u3000\u3000\u3000\u3000Cisco PIX
\n520\u7684\u9ed8\u8ba4\u914d\u7f6e\u5141\u8bb8\u4ece\u5185\u5230\u5916\u7684\u6240\u6709\u4fe1\u606f\u8bf7\u6c42\uff0c\u62d2\u7edd\u4e00\u5207\u5916\u6765\u7684\u4e3b\u52a8\u8bbf\u95ee\uff0c\u53ea\u5141\u8bb8\u5185\u90e8\u4fe1\u606f\u7684\u53cd\u9988\u4fe1\u606f\u8fdb\u5165\u3002\u5f53\u7136\u4e5f\u53ef\u4ee5\u901a\u8fc7\u67d0\u4e9b\u8bbe\u7f6e\uff0c\u4f8b\u5982\uff1a\u8bbf\u95ee\u8868\u7b49\uff0c\u5141\u8bb8\u5916\u90e8\u7684\u8bbf\u95ee\u3002\u56e0\u4e3a\uff0c\u8fdc\u7a0b\u7528\u6237\u7684\u8bbf\u95ee\u9700\u8981\u4ece\u5916\u5230\u5185\u7684\u8bbf\u95ee\u3002\u53e6\u5916\uff0c\u53ef\u4ee5\u901a\u8fc7NAT\u5730\u5740\u8f6c\u6362\uff0c\u5b9e\u73b0\u516c\u6709\u5730\u5740\u548c\u79c1\u6709\u5730\u5740\u7684\u8f6c\u6362\u3002<\/FONT><\/P>
\n

\u3000\u3000\u3000\u7b80\u5355\u5730\u8bb2\uff0cPIX
\n520\u7684\u4e3b\u8981\u529f\u80fd\u6709\u4e24\u70b9\uff1a<\/FONT><\/P>
\n

\u3000\u3000\u3000
\n1.\u5b9e\u73b0\u7f51\u7edc\u5b89\u5168<\/FONT><\/P>
\n

\u3000<\/FONT><\/P>
\n

2.\u5b9e\u73b0\u5730\u5740\u8f6c\u6362 <\/FONT><\/P>
\n

\u3000\u3000\u3000 \u4e0b\u9762\u7b80\u5355\u5217\u51faPIX 520
\n\u7684\u57fa\u672c\u914d\u7f6e<\/FONT><\/P>

1.Configure without NAT<\/FONT>
\n<\/PRE>
nameif ethernet0 outside security0<\/FONT>
\n<\/PRE>
nameif ethernet1 inside security100<\/FONT>
\n<\/PRE>
interface ethernet0 auto<\/FONT>
\n<\/PRE>
interface ethernet1 auto<\/FONT>
\n<\/PRE>
\n
\u3000\u3000\u3000\u3000\u3000ip address outside
\n202.109.77.1 255.255.255.0 (\u5047\u8bbe\u5bf9\u5916\u7aef\u53e3\u5730\u5740) \u3000\u3000\u3000 <\/FONT><\/P>
\n
\u3000<\/P>
\n
\u3000\u3000\u3000\u3000\u3000ip address inside
\n10.1.0.9 255.255.255.0(\u5047\u8bbe\u5185\u90e8\u7f51\u7edc\u4e3a:10.1.0.0)<\/FONT><\/P>
\n
\u3000<\/P>
\n
\u3000\u3000\u3000\u3000\u3000hostname
\nbluegarden<\/FONT><\/P>
arp timeout 14400<\/FONT>
\n<\/PRE>
no failover<\/FONT>
\n<\/PRE>
names<\/FONT>
\n<\/PRE>
pager lines 24<\/FONT>
\n<\/PRE>
\n
\u3000\u3000\u3000\u3000 logging buffered
\ndebugging<\/FONT><\/P>
\n
\u3000\u3000\u3000\u3000 nat (inside) 0 0
\n0<\/FONT><\/P>
rip inside default no rip inside passive no rip outside default rip outside passive<\/FONT>
\n<\/PRE>
route outside 0.0.0.0 0.0.0.0 202.109.77.2 1(\u5916\u8fde\u8bbe\u5907\u7684\u5185\u90e8\u7aef\u53e3\u5730\u5740)<\/FONT>
\n<\/PRE>
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00 timeout rpc 0:10:00 h323 0:05:00 timeout uauth 0:05:00 absolute<\/FONT>
\n<\/PRE>
no snmp-server location no snmp-server contact snmp-server community public<\/FONT>
\n<\/PRE>
mtu outside 1500 mtu inside 1500<\/FONT>
\n<\/PRE>
\n
\u3000\u3000\u3000\u30002.Configure with
\nNAT<\/FONT><\/P>
nameif ethernet0 outside security0<\/FONT>
\n<\/PRE>
nameif ethernet1 inside security100<\/FONT>
\n<\/PRE>
interface ethernet0 auto<\/FONT>
\n<\/PRE>
interface ethernet1 auto<\/FONT>
\n<\/PRE>
\n
\u3000\u3000\u3000\u3000 ip address outside
\n202.109.77.1 255.255.255.0 (\u5047\u8bbe\u5bf9\u5916\u7aef\u53e3\u5730\u5740) \u3000\u3000\u3000 <\/FONT><\/P>
\n
\u3000<\/P>
\n
\u3000\u3000\u3000\u3000 ip address inside
\n10.1.0.9 255.255.255.0(\u5047\u8bbe\u5185\u90e8\u7f51\u7edc\u4e3a:10.1.0.0)<\/FONT><\/P>
\n
\u3000<\/P>
\n
\u3000\u3000\u3000\u3000 hostname
\nbluegarden<\/FONT><\/P>
arp timeout 14400<\/FONT>
\n<\/PRE>
no failover<\/FONT>
\n<\/PRE>
names<\/FONT>
\n<\/PRE>
pager lines 24<\/FONT>
\n<\/PRE>
\n
\u3000\u3000\u3000\u3000 logging buffered
\ndebugging<\/FONT><\/P>
\n
\u3000\u3000\u3000\u3000 nat (inside) 1 0
\n0<\/U><\/FONT><\/P>
global (outside) 1 202.109.77.10-202.109.77.20<\/FONT><\/U> global (outside) 1 202.109.22.21<\/U><\/FONT>
\n<\/PRE>
no rip inside default<\/FONT><\/U> no rip inside passive no rip outside default no rip outside passive<\/U><\/FONT>
\n<\/PRE>
conduit permit icmp any any<\/FONT><\/U>
\n<\/PRE>
route outside 0.0.0.0 0.0.0.0 202.109.77.2 1(\u5916\u8fde\u8bbe\u5907\u7684\u5185\u90e8\u7aef\u53e3\u5730\u5740)<\/FONT>
\n<\/PRE>
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00 timeout rpc 0:10:00 h323 0:05:00 timeout uauth 0:05:00 absolute<\/FONT>
\n<\/PRE>
no snmp-server location no snmp-server contact snmp-server community public<\/FONT>
\n<\/PRE>
mtu outside 1500 mtu inside 1500<\/FONT>
\n<\/PRE>
Cisco PIX \u7684\u591a\u70b9\u670d\u52a1\u914d\u7f6e<\/FONT>
\n<\/PRE>
\n
\n  
\n  
\n    

\n      
\u3000<\/P>
\n      
\u3000<\/P>
\n      
\u7ed3\u6784\u56fe\u5982\u4e0b:<\/P>
\n      
\"pix.jpg <\/P>
\n      
PIX
\n520<\/FONT><\/P>
\n      
Two Interface Multiple
\n      Server Configuration<\/FONT><\/P>
\n      
nameif ethernet0 outside
\n      security0<\/FONT><\/P>
\n      
nameif ethernet0 inside
\n      security100<\/FONT><\/P>
\n      
interface ethernet0
\n      auto<\/FONT><\/P>
\n      
interface ethernet1
\n      auto<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
ip address inside
\n      10.1.1.1 255.0.0.0<\/FONT><\/P>
\n      
ip address outside
\n      204.31.17.10 255.255.255.0<\/FONT><\/P>
\n      
logging
\n      on<\/FONT><\/P>
\n      
logging host
\n      10.1.1.11<\/FONT><\/P>
\n      
logging trap
\n      7<\/FONT><\/P>
\n      
logging facility
\n      20<\/FONT><\/P>
\n      
no logging
\n      console<\/FONT><\/P>
\n      
arp timeout
\n      600<\/FONT><\/P>
\n      
nat (inside) 1 10.0.0.0
\n      255.0.0.0<\/FONT><\/P>
\n      
nat (inside) 2
\n      192.168.3.0 255.255.255.0<\/FONT><\/P>
\n      
global (outside) 1
\n      204.31.1.25-204.31.17.27<\/FONT><\/P>
\n      
global (outside) 1
\n      204.31.1.24<\/FONT><\/P>
\n      
global (outside) 2
\n      192.159.1.1-192.159.1.254<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
conduit permit icmp any
\n      any<\/FONT><\/P>
\n      
outbound 10 deny
\n      192.168.3.3 255.255.255.255 1720<\/FONT><\/P>
\n      
outbound 10 deny 0 0
\n      80<\/FONT><\/P>
\n      
outbound 10 permit
\n      192.168.3.3 255.255.255.255 80<\/FONT><\/P>
\n      
outbound 10 deny
\n      192.168.3.3 255.255.255.255 java<\/FONT><\/P>
\n      
outbound 10 permit
\n      10.1.1.11 255.255.255.255 80<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
apply (inside) 10
\n      outgoing_src<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
no rip outside
\n      passive<\/FONT><\/P>
\n      
no rip outside
\n      default<\/FONT><\/P>
\n      
rip inside
\n      passive<\/FONT><\/P>
\n      
rip inside
\n      default<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
route outside 0 0
\n      204.31.17.1.1<\/FONT><\/P>
\n      
tacacs-server host
\n      10.1.1.12 lq2w3e<\/FONT><\/P>
\n      
aaa authentication any
\n      inside 192.168.3.0 255.255.255.0 0 0 tacacs+<\/FONT><\/P>
\n      
aaa authentication any
\n      inside 192.168.3.0 255.255.255.0 0 0<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
static (inside,outside)
\n      204.31.19.0 192.168.3.0 netmask 255.255.255.0<\/FONT><\/P>
\n      
conduit permit tcp
\n      204.31.19.0 255.255.255.0 eg h323 any<\/FONT><\/P>
\n      
static (inside,outside)
\n      204.31.17.29 10.1.1.11<\/FONT><\/P>
\n      
conduit permit tcp host
\n      204.31.17.29 eq 80 any<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
conduit permit udp host
\n      204.31.17.29 eq rpc host 204.31.17.17<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
conduit permit udp host
\n      204.31.17.29 eq 2049 host 204.31.17.17<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
static (inside.outside)
\n      204.31.1.30 10.1.1.3 netmask 255.255.255.255 10 10<\/FONT><\/P>
\n      
conduit permit tcp host
\n      204.31.1.30 eq smtp any<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
conduit permit tcp host
\n      204.31.1.30 eq 113 any<\/FONT><\/P>
\n      
snmp-server host
\n      192.168.3.2<\/FONT><\/P>
\n      
snmp-server location
\n      building 42<\/FONT><\/P>
\n      
snmp-server contact
\n      polly hedra<\/FONT><\/P>
\n      
snmp-server community
\n      ohwhatakeyisthee<\/FONT><\/P>
\n      
\u3000<\/FONT><\/P>
\n      
telnet 10.1.1.11
\n      255.255.255.255<\/FONT><\/P>
\n      
telnet 192.168.3.0
\n      255.255.255.0<\/FONT><\/P><\/TD><\/TR><\/TBODY><\/TABLE>

\n
CISCO PIX \u9632 \u706b \u5899 \u914d \u7f6e \u5b9e \u8df5 —- \u4ecb \u7ecd \u4e00 \u4e2aPIX \u9632 \u706b \u5899 \u5b9e \u9645
\n\u914d \u7f6e \u6848 \u4f8b\uff0c \u56e0 \u4e3a \u8def \u7531 \u5668 \u7684 \u914d \u7f6e\u5728 \u5b89 \u5168 \u6027 \u65b9 \u9762 \u548cPIX \u9632 \u706b \u5899 \u662f \u76f8 \u8f85 \u76f8 \u6210 \u7684\uff0c \u6240 \u4ee5 \u8def \u7531 \u5668\u7684 \u914d \u7f6e \u5b9e \u4f8b \u4e5f
\n\u4e00 \u5e76 \u5217 \u51fa\u3002<\/P>
\n
<\/P>
\n
 <\/P>
\n
<\/P>
\n
PIX \u9632 \u706b \u5899<\/P>
\n
<\/P>
\n
\u8bbe \u7f6ePIX \u9632 \u706b \u5899 \u7684 \u5916 \u90e8 \u5730\u5740\uff1a<\/P>
\n
<\/P>
\n
ip address outside 131.1.23.2<\/P>
\n
<\/P>
\n
\u8bbe \u7f6ePIX \u9632 \u706b \u5899 \u7684 \u5185 \u90e8 \u5730\u5740\uff1a<\/P>
\n
<\/P>
\n
ip address inside 10.10.254.1<\/P>
\n
<\/P>
\n
\u8bbe \u7f6e \u4e00 \u4e2a \u5185 \u90e8 \u8ba1 \u7b97 \u673a\u4e0eInternet \u4e0a \u8ba1 \u7b97 \u673a \u8fdb \u884c \u901a \u4fe1 \u65f6 \u6240 \u9700 \u7684
\n\u5168 \u5c40 \u5730 \u5740 \u6c60\uff1a<\/P>
\n
<\/P>
\n
global 1 131.1.23.10-131.1.23.254<\/P>
\n
<\/P>
\n
\u5141 \u8bb8 \u7f51 \u7edc \u5730 \u5740 \u4e3a10.0.0.0 \u7684 \u7f51\u6bb5 \u5730 \u5740 \u88abPIX \u7ffb \u8bd1 \u6210 \u5916 \u90e8 \u5730
\n\u5740\uff1a<\/P>
\n
<\/P>
\n
nat 1 10.0.0.0<\/P>
\n
<\/P>
\n
\u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u56fa \u5b9a \u4f7f \u7528 \u7684 \u5916 \u90e8\u5730 \u5740 \u4e3a131.1.23.11\uff1a<\/P>
\n
<\/P>
\n
static 131.1.23.11 10.14.8.50<\/P>
\n
<\/P>
\n
\u5141 \u8bb8 \u4eceRTRA \u53d1 \u9001 \u5230 \u5230 \u7f51 \u7ba1 \u5de5\u4f5c \u7ad9 \u7684 \u7cfb \u7edf \u65e5 \u5fd7 \u5305 \u901a \u8fc7PIX \u9632 \u706b
\n\u5899\uff1a<\/P>
\n
<\/P>
\n
conduit 131.1.23.11 514 udp 131.1.23.1
\n255.255.255.255<\/P>
\n
<\/P>
\n
\u5141 \u8bb8 \u4ece \u5916 \u90e8 \u53d1 \u8d77 \u7684 \u5bf9 \u90ae \u4ef6 \u670d\u52a1 \u5668 \u7684 \u8fde \u63a5\uff08131.1.23.10\uff09\uff1a<\/P>
\n
<\/P>
\n
mailhost 131.1.23.10 10.10.254.3<\/P>
\n
<\/P>
\n
\u5141 \u8bb8 \u7f51 \u7edc \u7ba1 \u7406 \u5458 \u901a \u8fc7 \u8fdc \u7a0b \u767b\u5f55 \u7ba1 \u7406IPX \u9632 \u706b \u5899\uff1a<\/P>
\n
<\/P>
\n
telnet 10.14.8.50<\/P>
\n
<\/P>
\n
\u5728 \u4f4d \u4e8e \u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u4e0a \u7684 \u65e5 \u5fd7\u670d \u52a1 \u5668 \u4e0a \u8bb0 \u5f55 \u6240 \u6709 \u4e8b \u4ef6 \u65e5
\n\u5fd7\uff1a<\/P>
\n
syslog facility 20.7<\/P>
\n
syslog host 10.14.8.50<\/P>
\n
<\/P>
\n
\u8def \u7531 \u5668 RTRA<\/P>
\n
<\/P>
\n
—-RTRA \u662f \u5916 \u90e8 \u9632 \u62a4 \u8def \u7531 \u5668\uff0c\u5b83 \u5fc5 \u987b \u4fdd \u62a4PIX \u9632 \u706b \u5899 \u514d \u53d7 \u76f4
\n\u63a5 \u653b \u51fb\uff0c \u4fdd \u62a4FTP\/HTTP \u670d \u52a1\u5668\uff0c \u540c \u65f6 \u4f5c \u4e3a \u4e00 \u4e2a \u8b66 \u62a5 \u7cfb \u7edf\uff0c \u5982 \u679c \u6709 \u4eba \u653b \u5165 \u6b64 \u8def \u7531\u5668\uff0c \u7ba1 \u7406 \u53ef \u4ee5 \u7acb \u5373 \u88ab
\n\u901a \u77e5\u3002<\/P>
\n
\u963b \u6b62 \u4e00 \u4e9b \u5bf9 \u8def \u7531 \u5668 \u672c \u8eab \u7684 \u653b\u51fb\uff1a<\/P>
\n
no service tcp small-servers<\/P>
\n
\u5f3a \u5236 \u8def \u7531 \u5668 \u5411 \u7cfb \u7edf \u65e5 \u5fd7 \u670d \u52a1\u5668 \u53d1 \u9001 \u5728 \u6b64 \u8def \u7531 \u5668 \u53d1 \u751f \u7684 \u6bcf \u4e00 \u4e2a
\n\u4e8b \u4ef6\uff0c \u5305 \u62ec \u88ab \u5b58 \u53d6 \u5217\u8868 \u62d2 \u7edd \u7684 \u5305 \u548c \u8def \u7531 \u5668 \u914d \u7f6e \u7684 \u6539 \u53d8\uff1b \u8fd9 \u4e2a \u52a8 \u4f5c \u53ef \u4ee5 \u4f5c \u4e3a\u5bf9 \u7cfb \u7edf \u7ba1 \u7406 \u5458 \u7684 \u65e9 \u671f \u9884
\n\u8b66\uff0c \u9884 \u793a \u6709 \u4eba \u5728 \u8bd5 \u56fe \u653b \u51fb \u8def \u7531\u5668\uff0c \u6216 \u8005 \u5df2 \u7ecf \u653b \u5165 \u8def \u7531 \u5668\uff0c \u6b63 \u5728 \u8bd5 \u56fe \u653b \u51fb \u9632 \u706b \u5899\uff1a<\/P>
\n
logging trap debugging<\/P>
\n
<\/P>
\n
\u6b64 \u5730 \u5740 \u662f \u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u7684 \u5916 \u90e8\u5730 \u5740\uff0c \u8def \u7531 \u5668 \u5c06 \u8bb0 \u5f55 \u6240 \u6709 \u4e8b \u4ef6 \u5230
\n\u6b64 \u4e3b \u673a \u4e0a\uff1a<\/P>
\n
logging 131.1.23.11<\/P>
\n
\u4fdd \u62a4PIX \u9632 \u706b \u5899 \u548cHTTP\/FTP \u670d \u52a1\u5668 \u4ee5 \u53ca \u9632 \u536b \u6b3a \u9a97 \u653b \u51fb\uff08 \u89c1 \u5b58 \u53d6
\n\u5217 \u8868\uff09\uff1a<\/P>
\n
\u3000\u3000\u3000 enable secret xxxxxxxxxxx<\/P>
\n
\u3000\u3000\u3000 interface Ethernet 0<\/P>
\n
\u3000\u3000\u3000  ip address 131.1.23.1 255.255.255.0<\/P>
\n
\u3000\u3000\u3000 interface Serial 0<\/P>
\n
\u3000\u3000\u3000  ip unnumbered ethernet 0<\/P>
\n
\u3000\u3000\u3000  ip access-group 110 in<\/P>
\n
\u7981 \u6b62 \u4efb \u4f55 \u663e \u793a \u4e3a \u6765 \u6e90 \u4e8e \u8def \u7531\u5668RTRA \u548cPIX \u9632 \u706b \u5899 \u4e4b \u95f4 \u7684 \u4fe1 \u606f
\n\u5305\uff0c \u8fd9 \u53ef \u4ee5 \u9632 \u6b62 \u6b3a \u9a97 \u653b\u51fb\uff1a<\/P>
\n
access-list 110 deny ip 131.1.23.0 0.0.0.255 any
\nlog<\/P>
\n
\u9632 \u6b62 \u5bf9PIX \u9632 \u706b \u5899 \u5916 \u90e8 \u63a5 \u53e3 \u7684\u76f4 \u63a5 \u653b \u51fb \u5e76 \u8bb0 \u5f55 \u5230 \u7cfb \u7edf \u65e5 \u5fd7 \u670d
\n\u52a1 \u5668 \u4efb \u4f55 \u4f01 \u56fe \u8fde \u63a5PIX \u9632 \u706b \u5899 \u5916 \u90e8 \u63a5 \u53e3 \u7684 \u4e8b \u4ef6\uff1a<\/P>
\n
access-list 110 deny ip any host 131.1.23.2
\nlog<\/P>
\n
<\/P>
\n
\"shijian.jpg <\/P>
\n
\u5141 \u8bb8 \u5df2 \u7ecf \u5efa \u7acb \u7684TCP \u4f1a \u8bdd \u7684 \u4fe1\u606f \u5305 \u901a \u8fc7\uff1a<\/P>
\n
access-list 110 permit tcp any 131.1.23.0 0.0.0.255
\nestablished<\/P>
\n
\u5141 \u8bb8 \u548cFTP\/HTTP \u670d \u52a1 \u5668 \u7684FTP \u8fde\u63a5\uff1a<\/P>
\n
access-list 110 permit tcp any host 131.1.23.3 eq
\nftp<\/P>
\n
\u5141 \u8bb8 \u548cFTP\/HTTP \u670d \u52a1 \u5668 \u7684FTP \u6570\u636e \u8fde \u63a5\uff1a<\/P>
\n
access-list 110 permit tcp any host 131.1.23.2 eq
\nftp-data<\/P>
\n
\u5141 \u8bb8 \u548cFTP\/HTTP \u670d \u52a1 \u5668 \u7684HTTP \u8fde\u63a5\uff1a<\/P>
\n
access-list 110 permit tcp any host 131.1.23.2 eq
\nwww<\/P>
\n
\u7981 \u6b62 \u548cFTP\/HTTP \u670d \u52a1 \u5668 \u7684 \u522b \u7684\u8fde \u63a5 \u5e76 \u8bb0 \u5f55 \u5230 \u7cfb \u7edf \u65e5 \u5fd7 \u670d \u52a1 \u5668
\n\u4efb \u4f55 \u4f01 \u56fe \u8fde \u63a5FTP\/HTTP \u7684\u4e8b \u4ef6\uff1a<\/P>
\n
access-list 110 deny ip any host 131.1.23.2
\nlog<\/P>
\n
\u5141 \u8bb8 \u5176 \u4ed6 \u9884 \u5b9a \u5728PIX \u9632 \u706b \u5899 \u548c\u8def \u7531 \u5668RTRA \u4e4b \u95f4 \u7684 \u6d41 \u91cf\uff1a<\/P>
\n
access-list 110 permit ip any 131.1.23.0
\n0.0.0.255<\/P>
\n
\u9650 \u5236 \u53ef \u4ee5 \u8fdc \u7a0b \u767b \u5f55 \u5230 \u6b64 \u8def \u7531\u5668 \u7684IP \u5730 \u5740\uff1a<\/P>
\n
\u3000\u3000\u3000  line vty 0 4<\/P>
\n
\u3000\u3000\u3000\u3000  login<\/P>
\n
\u3000\u3000\u3000\u3000  password xxxxxxxxxx<\/P>
\n
\u3000\u3000\u3000\u3000  access-class 10 in<\/P>
\n
\u53ea \u5141 \u8bb8 \u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u8fdc \u7a0b \u767b \u5f55\u5230 \u6b64 \u8def \u7531 \u5668\uff0c \u5f53 \u4f60 \u60f3 \u4eceInternet
\n\u7ba1 \u7406 \u6b64 \u8def \u7531 \u5668 \u65f6\uff0c \u5e94 \u5bf9\u6b64 \u5b58 \u53d6 \u63a7 \u5236 \u5217 \u8868 \u8fdb \u884c \u4fee \u6539\uff1a<\/P>
\n
access-list 10 permit ip 131.1.23.11<\/P>
\n
<\/P>
\n
\u8def \u7531 \u5668 RTRB<\/P>
\n
<\/P>
\n
—-RTRB \u662f \u5185 \u90e8 \u7f51 \u9632 \u62a4 \u8def \u7531\u5668\uff0c \u5b83 \u662f \u4f60 \u7684 \u9632 \u706b \u5899 \u7684 \u6700 \u540e \u4e00 \u9053
\n\u9632 \u7ebf\uff0c \u662f \u8fdb \u5165 \u5185 \u90e8 \u7f51\u7684 \u5165 \u53e3\u3002<\/P>
\n
\u8bb0 \u5f55 \u6b64 \u8def \u7531 \u5668 \u4e0a \u7684 \u6240 \u6709 \u6d3b \u52a8\u5230 \u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u4e0a \u7684 \u65e5 \u5fd7 \u670d \u52a1 \u5668\uff0c
\n\u5305 \u62ec \u914d \u7f6e \u7684 \u4fee \u6539\uff1a<\/P>
\n
logging trap debugging<\/P>
\n
logging 10.14.8.50<\/P>
\n
\u5141 \u8bb8 \u901a \u5411 \u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u7684 \u7cfb \u7edf\u65e5 \u5fd7 \u4fe1 \u606f\uff1a<\/P>
\n
\u3000\u3000\u3000 interface Ethernet 0<\/P>
\n
\u3000\u3000\u3000 ip address 10.10.254.2 255.255.255.0<\/P>
\n
\u3000\u3000\u3000 no ip proxy-arp<\/P>
\n
\u3000\u3000\u3000 ip access-group 110 in<\/P>
\n
  \u3000\u3000 access-list 110 permit udp host 10.10.254.0
\n0.0.0.255<\/P>
\n
\u7981 \u6b62 \u6240 \u6709 \u522b \u7684 \u4ecePIX \u9632 \u706b \u5899 \u53d1\u6765 \u7684 \u4fe1 \u606f \u5305\uff1a<\/P>
\n
access-list 110 deny ip any host 10.10.254.2
\nlog<\/P>
\n
\u5141 \u8bb8 \u90ae \u4ef6 \u4e3b \u673a \u548c \u5185 \u90e8 \u90ae \u4ef6 \u670d\u52a1 \u5668 \u7684SMTP \u90ae \u4ef6 \u8fde \u63a5\uff1a<\/P>
\n
access-list permit tcp host 10.10.254.3 10.0.0.0
\n0.255.255.255 eq smtp<\/P>
\n
\u7981 \u6b62 \u522b \u7684 \u6765 \u6e90 \u4e0e \u90ae \u4ef6 \u670d \u52a1 \u5668\u7684 \u6d41 \u91cf\uff1a<\/P>
\n
access-list deny ip host 10.10.254.3 10.0.0.0
\n0.255.255.255<\/P>
\n
\u9632 \u6b62 \u5185 \u90e8 \u7f51 \u7edc \u7684 \u4fe1 \u4efb \u5730 \u5740 \u6b3a\u9a97\uff1a<\/P>
\n
access-list deny ip any 10.10.254.0 0.0.0.255<\/P>
\n
\u5141 \u8bb8 \u6240 \u6709 \u522b \u7684 \u6765 \u6e90 \u4e8ePIX \u9632 \u706b\u5899 \u548c \u8def \u7531 \u5668RTRB \u4e4b \u95f4 \u7684 \u6d41
\n\u91cf\uff1a<\/P>
\n
access-list permit ip 10.10.254.0 0.0.0.255 10.0.0.0
\n0.255.255.255<\/P>
\n
\u9650 \u5236 \u53ef \u4ee5 \u8fdc \u7a0b \u767b \u5f55 \u5230 \u6b64 \u8def \u7531\u5668 \u4e0a \u7684IP \u5730 \u5740\uff1a<\/P>
\n
\u3000\u3000\u3000  line vty 0 4<\/P>
\n
\u3000\u3000\u3000\u3000  login<\/P>
\n
\u3000\u3000\u3000\u3000  password xxxxxxxxxx<\/P>
\n
\u3000\u3000\u3000\u3000  access-class 10 in<\/P>
\n
\u53ea \u5141 \u8bb8 \u7f51 \u7ba1 \u5de5 \u4f5c \u7ad9 \u8fdc \u7a0b \u767b \u5f55\u5230 \u6b64 \u8def \u7531 \u5668\uff0c \u5f53 \u4f60 \u60f3 \u4eceInternet
\n\u7ba1 \u7406 \u6b64 \u8def \u7531 \u5668 \u65f6\uff0c \u5e94 \u5bf9\u6b64 \u5b58 \u53d6 \u63a7 \u5236 \u5217 \u8868 \u8fdb \u884c \u4fee \u6539\uff1a<\/P>
\n
access-list 10 permit ip 10.14.8.50<\/P>
\n
—-\u6309 \u4ee5 \u4e0a \u8bbe \u7f6e \u914d \u7f6e \u597dPIX \u9632\u706b \u5899 \u548c \u8def \u7531 \u5668 \u540e\uff0cPIX \u9632 \u706b \u5899 \u5916
\n\u90e8 \u7684 \u653b \u51fb \u8005 \u5c06 \u65e0 \u6cd5 \u5728 \u5916\u90e8 \u8fde \u63a5 \u4e0a \u627e \u5230 \u53ef \u4ee5 \u8fde \u63a5 \u7684 \u5f00 \u653e \u7aef \u53e3\uff0c \u4e5f \u4e0d \u53ef \u80fd \u5224 \u65ad \u51fa\u5185 \u90e8 \u4efb \u4f55 \u4e00 \u53f0 \u4e3b \u673a
\n\u7684IP \u5730 \u5740\uff0c \u5373 \u4f7f \u544a \u8bc9 \u4e86 \u5185 \u90e8 \u4e3b \u673a\u7684IP \u5730 \u5740\uff0c \u8981 \u60f3 \u76f4 \u63a5 \u5bf9 \u5b83 \u4eec \u8fdb \u884cPing \u548c \u8fde \u63a5 \u4e5f \u662f \u4e0d \u53ef \u80fd\u7684\u3002 \u8fd9 \u6837 \u5c31
\n\u53ef \u4ee5 \u5bf9 \u6574 \u4e2a \u5185 \u90e8 \u7f51 \u8fdb \u884c \u6709 \u6548 \u7684 \u4fdd \u62a4\u3002<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
1. \u5c06PIX\u5b89\u653e\u81f3\u673a\u67b6\uff0c\u7ecf\u68c0\u6d4b\u7535\u6e90\u7cfb\u7edf\u540e\u63a5\u4e0a\u7535\u6e90\uff0c\u5e76\u52a0\u7535\u4e3b\u673a\u3002 2. \u5c06CONSOLE\u53e3\u8fde\u63a5\u5230PC\u7684\u4e32\u53e3\u4e0a\uff0c […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts\/178"}],"collection":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=178"}],"version-history":[{"count":1,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts\/178\/revisions"}],"predecessor-version":[{"id":179,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=\/wp\/v2\/posts\/178\/revisions\/179"}],"wp:attachment":[{"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=178"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.microwolf.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}