: Saved
: PIX Version 6.3(1)
interface ethernet0 auto
  Set interface 0 speed to auto-negotiate
interface ethernet1 100full
  Set interface 1 to 100 Mbit/s full duplex
interface ethernet2 auto
  Set interface 2 speed to auto-negotiate
nameif ethernet0 outside security0
  Name interface 0 "outside", security level 0
nameif ethernet1 inside security100
  Name interface 1 "inside", security level 100
nameif ethernet2 dmz security50
  Name interface 2 "dmz", security level 50
enable password Dv0yXUGPM3Xt7xVs encrypted
  Privileged (enable) password
passwd 2KFQnbNIdI.2KYOU encrypted
  Login password
hostname hhyy
  Set the firewall hostname
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
  The fixup commands let the administrator view, change, enable or disable a service or protocol passing through the PIX firewall. The firewall enables inspection for a number of common ports by default, but proprietary ports such as Oracle's (sqlnet 1521) must be enabled explicitly.
names
access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list 101 permit ip 192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0
  Create an access list that allows addresses in specific network segments to reach certain other segments.
access-list 120 deny icmp 192.168.2.0 255.255.255.0 any
access-list 120 deny icmp 192.168.3.0 255.255.255.0 any
access-list 120 deny icmp 192.168.4.0 255.255.255.0 any
access-list 120 deny icmp 192.168.5.0 255.255.255.0 any
access-list 120 deny icmp 192.168.6.0 255.255.255.0 any
access-list 120 deny icmp 192.168.7.0 255.255.255.0 any
access-list 120 deny icmp 192.168.8.0 255.255.255.0 any
access-list 120 deny icmp 192.168.9.0 255.255.255.0 any
access-list 120 deny icmp 192.168.10.0 255.255.255.0 any
access-list 120 deny icmp 192.168.11.0 255.255.255.0 any
access-list 120 deny icmp 192.168.12.0 255.255.255.0 any
access-list 120 deny icmp 192.168.13.0 255.255.255.0 any
access-list 120 deny icmp 192.168.14.0 255.255.255.0 any
access-list 120 deny icmp 192.168.15.0 255.255.255.0 any
access-list 120 deny icmp 192.168.16.0 255.255.255.0 any
access-list 120 deny icmp 192.168.17.0 255.255.255.0 any
access-list 120 deny icmp 192.168.18.0 255.255.255.0 any
access-list 120 deny icmp 192.168.19.0 255.255.255.0 any
access-list 120 deny icmp 192.168.20.0 255.255.255.0 any
access-list 120 deny icmp 192.168.21.0 255.255.255.0 any
access-list 120 deny icmp 192.168.22.0 255.255.255.0 any
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 4444
access-list 120 deny udp any any eq 1205
access-list 120 deny udp any any eq 1209
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any range 135 netbios-ssn
access-list 120 permit ip any any
  Create access list 120 to block ICMP traffic between the different network segments and to refuse communication on ports such as 135 and 137 (mainly to stop the Blaster worm).
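Added example, not part of the original configuration page: a small Python simulator of PIX first-match access-list evaluation, run over a constructed subset of access-list 120 above, so an administrator can check which flows the list actually blocks before deploying it. It assumes PIX 6.3 semantics (the address qualifier is a netmask, not a wildcard; the first matching entry decides; no match means implicit deny) and a hand-written map for the three NetBIOS port names the list uses.

```python
import ipaddress

# Constructed subset of the page's access-list 120 (PIX 6.3 syntax: netmask, not wildcard).
ACL_120 = """
access-list 120 deny icmp 192.168.2.0 255.255.255.0 any
access-list 120 deny icmp 192.168.3.0 255.255.255.0 any
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 4444
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any range 135 netbios-ssn
access-list 120 permit ip any any
"""
# Assumed mapping of the well-known port names PIX accepts in place of numbers.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def _addr(tokens):
    """Consume 'any' or '<network> <netmask>'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """access-list <id> <permit|deny> <proto> <src> <dst> [eq <port> | range <lo> <hi>]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    lo, hi = 0, 65535                      # no port qualifier: any destination port
    if rest[:1] == ["eq"]:
        lo = hi = _port(rest[1])
    elif rest[:1] == ["range"]:
        lo, hi = _port(rest[1]), _port(rest[2])
    return action, proto, src, dst, lo, hi

def evaluate(acl_text, proto, src_ip, dst_ip, dst_port=0):
    """First-match evaluation as PIX does it; no matching entry means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_text.strip().splitlines():
        action, ace_proto, src, dst, lo, hi = parse_ace(line)
        if ace_proto not in ("ip", proto):  # 'ip' entries match every protocol
            continue
        if s not in src or d not in dst or not lo <= dst_port <= hi:
            continue
        return action
    return "deny"
```

Because the deny entries come before the final permit ip any any, a TCP connection to port 445 or 139 and ICMP from 192.168.2.0/24 are rejected, while ordinary traffic such as TCP 80 falls through to the permit.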
access-list 110 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 10.1.1.4 255.255.255.224
  Set the outside interface address
ip address inside 192.168.1.254 255.255.255.0
  Set the inside interface address
ip address dmz 192.168.19.1 255.255.255.0
  Set the DMZ interface address
ip audit info action alarm
ip audit attack action alarm
ip local pool hhyy 192.168.170.1-192.168.170.254
  Create an address pool named hhyy with the range 192.168.170.1-192.168.170.254
ip local pool yy 192.168.180.1-192.168.180.254
  Create an address pool named yy with the range 192.168.180.1-192.168.180.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no pdm history enable
arp timeout 14400
Disclaimer: China IT Operations Network (中国IT运维网) republished this article to convey more information; this does not mean the site endorses its views or confirms its description.