How to prevent internal users from changing their IP configuration on a PIX or ASA: a configuration case

Prevent internal users from arbitrarily changing their IP address: each user may only use the IP assigned to them, and if they change it they can no longer reach network resources.

Source: ZDNet Network Security, 12 March 2008

Keywords: Cisco PIX firewall, Cisco, CISCO, firewall


  For example, after the configuration below is applied (arp inside 10.64.64.29 000f.b0d8.a504), the PC with MAC address 000f.b0d8.a504 can only reach network resources using IP 10.64.64.29; if it changes its IP it can no longer get through. Two parts of the configuration work together: the inside ACL permits only the listed hosts (everything else is dropped by the implicit deny), and the static ARP entries tie each permitted IP to one MAC, so the firewall only returns traffic for that IP to the bound MAC.

  pix515e# sh run
  : Saved
  :
  PIX Version 7.2(1)
  !
  hostname pix515e
  domain-name cisco
  enable password N7FecZuSHJlVZC2P encrypted

  Define the name-to-address mappings (name resolution)
  ****************************************************
  names
  name 10.64.64.113 chengxiaojie
  name 10.64.64.13 dhcp
  name 10.64.64.71 liuyongjun
  name 10.64.64.72 liuyongjun-ibm
  name 10.64.64.39 lixiaoliang
  name 10.64.64.103 lixuesong
  name 10.64.64.17 lulianying
  name 10.64.64.92 qizuomeng
  name 10.64.64.69 wangzhili
  name 10.64.64.105 xingzhonghe
  name 10.64.64.45 tanjun
  name 10.64.64.108 zhangyi
  name 10.64.64.178 hujian
  name 10.64.64.93 ibm220
  name 10.64.64.62 jiling
  name 10.64.64.111 yangliu
  name 10.64.64.112 wangsishen
  name 10.64.64.158 wangyuguo
  name 10.64.64.52 lishihai
  name 10.64.64.78 office-teacher
  name 10.64.64.48 yangjin
  name 10.64.64.104 wutao
  name 10.64.64.63 zangdong
  name 10.64.64.80 xiaoguangyue
  name 10.64.64.14 ibm235
  name 10.64.64.222 lixuesong-dell
  name 10.64.64.75 maxiaopeng
  name 10.64.64.215 lintao
  name 10.64.64.199 machi
  name 10.64.64.216 liuxuesong
  name 10.64.64.246 jiachangjing
  name 10.64.64.61 chufw
  ****************************************************
  !
  interface Ethernet0
   nameif outside
   security-level 0
   ip address X.X.76.26 255.255.255.0
  !
  interface Ethernet1
   nameif inside
   security-level 100
   ip address 10.64.64.2 255.255.240.0
  !
  interface Ethernet2
   nameif dmz
   security-level 80
   ip address 192.168.0.1 255.255.255.0
  !
  passwd N7FecZuSHJlVZC2P encrypted
  !
  time-range worktime
   periodic daily 8:00 to 17:00
  !
  ftp mode passive
  clock timezone CST 8
  dns domain-lookup outside
  dns server-group DefaultDNS
   name-server 219.150.32.132
   domain-name cisco

  Build object-groups so they can be referenced in the ACLs (note: object-groups are a great feature; they greatly simplify ACL configuration)
  ****************************************************
  object-group network www
   network-object host xingzhonghe
   network-object host chengxiaojie
   network-object host dhcp
   network-object host liuxuesong
   network-object host wangzhili
   network-object host liuyongjun
   network-object host liuyongjun-ibm
   network-object host lulianying
   network-object host chufw
   network-object host jiachangjing
   network-object host maxiaopeng
   network-object host 10.64.64.255
  object-group network guest
   network-object 10.64.66.112 255.255.255.240
  object-group network caiwu
   network-object 10.64.66.0 255.255.255.224
  object-group service netmeeting tcp
   port-object range 1503 1503
   port-object range h323 h323
  object-group network worktime
   network-object host wutao
   network-object host zhangyi
   network-object host yangliu
   network-object host wangsishen
   network-object host wangyuguo
   network-object host 10.64.64.169
   network-object host 10.64.64.18
   network-object host machi
   network-object host lintao
   network-object host liuxuesong
   network-object host lixuesong-dell
   network-object host 10.64.64.247
   network-object host 10.64.64.29
   network-object host 10.64.64.30
   network-object host yangjin
   network-object host lishihai
   network-object host 10.64.64.55
   network-object host jiling
   network-object host office-teacher
  ****************************************************
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended permit tcp any any object-group netmeeting

  Reference the object-groups above in the ACL
  ****************************************************
  access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0
  access-list inside_access_in extended permit ip object-group caiwu 192.168.0.0 255.255.255.0
  access-list inside_access_in extended permit ip object-group www any
  access-list inside_access_in extended permit ip object-group guest any inactive
  access-list inside_access_in extended deny tcp any any eq 1863
  access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
  access-list inside_access_in extended permit ip host qizuomeng host 211.147.77.98
  access-list inside_access_in extended permit ip object-group worktime any time-range worktime
  access-list inside_access_in extended permit ip host ibm235 any time-range worktime inactive
  ****************************************************
  access-list remote_splitTunnelAcl standard permit 10.64.64.0 255.255.240.0
  access-list inside_nat0_outbound extended permit ip 10.64.64.0 255.255.240.0 1.1.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip any 1.1.1.0 255.255.255.0
  access-list caiwu_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
  access-list outside_cryptomap_1 extended permit ip any 1.1.1.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 1.1.1.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  ip local pool remote 1.1.1.1-1.1.1.254 mask 255.255.255.0
  ip local pool caiwu 2.2.2.1-2.2.2.254 mask 255.255.255.0
  no failover
  asdm image flash:/asdm.bin
  no asdm history enable

  Bind each IP to its MAC address
  ****************************************************
  arp inside 10.64.64.29 000f.b0d8.a504
  arp inside 10.64.64.247 000b.2f04.7dd8
  arp inside 10.64.64.169 0016.17f2.2eb3
  arp inside lintao 000a.e6b2.c4c6
  arp inside liuxuesong 00e0.4c58.b7cd
  arp inside lishihai 000a.e69b.f4dc
  arp inside ibm235 0009.6ba5.49c5
  arp inside maxiaopeng 000c.764d.6aa8
  arp inside xiaoguangyue 0011.09b4.6f25
  arp inside zangdong 00e0.4cc1.2a14
  arp inside wutao 0013.d47d.0c36
  arp inside office-teacher 0090.9626.7da7
  arp inside yangjin 00e0.4d01.6b1b
  arp inside wangyuguo 00e0.4c21.471d
  arp inside wangsishen 0015.c50f.92a5
  arp inside yangliu 0015.f299.7f6c
  arp inside jiling 00e0.4cc1.2a34
  arp inside hujian 0011.252f.8613
  arp inside ibm220 0002.556d.0037
  arp inside jiachangjing 00e0.4d01.6b30
  arp inside tanjun 0013.7222.5fe5
  arp inside wangzhili 000d.6004.c197
  arp inside lixiaoliang 0014.782f.b989
  arp inside liuyongjun-ibm 0010.c6de.2686
  arp inside lulianying 0016.3563.db1b
  arp inside liuyongjun 0000.e25a.8580
  arp inside lixuesong 0017.3152.8e78
  arp inside chengxiaojie 0016.3564.8a6b
  arp inside xingzhonghe 00e0.4c60.a8da
  arp inside dhcp 0014.5e2b.77b5
  arp inside zhangyi 0013.7222.4819
  arp inside lixuesong-dell 0018.8ba2.d1c5
  arp inside machi 000a.e6b5.0600
  arp inside 10.64.64.18 0015.c510.12d4
  ****************************************************
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 10.64.64.0 255.255.240.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  static (inside,outside) tcp interface 1503 chufw 1503 netmask 255.255.255.255
  static (inside,outside) tcp interface h323 chufw h323 netmask 255.255.255.255
  access-group outside_access_in in interface outside

  Apply the ACL to the inside interface
  ****************************************************
  access-group inside_access_in in interface inside
  ****************************************************
  route outside 0.0.0.0 0.0.0.0 X.X.76.25 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy caiwu internal
  group-policy caiwu attributes
   dns-server value 219.150.32.132
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value caiwu_splitTunnelAcl
  group-policy remote internal
  group-policy remote attributes
   dns-server value 219.150.32.132
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value remote_splitTunnelAcl
  username chufw password hs6C0g7Y0Zza/dVN encrypted privilege 15
  username chufw attributes
   vpn-group-policy remote
   vpn-framed-ip-address 1.1.1.111 255.255.255.0
  http server enable
  http chufw 255.255.255.255 inside
  http 219.148.242.228 255.255.255.255 outside
  http 219.148.242.227 255.255.255.255 outside
  http 1.1.1.111 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp nat-traversal 20
  tunnel-group remote type ipsec-ra
  tunnel-group remote general-attributes
   address-pool remote
   default-group-policy remote
  tunnel-group remote ipsec-attributes
   pre-shared-key *
  tunnel-group caiwu type ipsec-ra
  tunnel-group caiwu general-attributes
   address-pool remote
   default-group-policy caiwu
  tunnel-group caiwu ipsec-attributes
   pre-shared-key *
  telnet chufw 255.255.255.255 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  !
  class-map inspection_default
   match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  !
  service-policy global_policy global
  ntp server 207.46.130.100 source outside
  tftp-server inside chufw pix
  prompt hostname context
  Cryptochecksum:c02e836587f08fa6ce4699df28408774
  : end
  pix515e#
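As an added example (not from the article or from Cisco), here is a small Python audit that reads a PIX 7.2 "show run" in the format above and reports the two gaps a practitioner would check after applying this scheme: hosts that the inside ACL permits through an object-group but that have no static "arp inside" binding (the IP-to-MAC control does not cover them), and one MAC bound to more than one IP. The sample config is constructed, with hypothetical hosts and MACs.

```python
from collections import defaultdict

# Constructed sample in PIX 7.2 "show run" syntax; hypothetical hosts, not the article's full config.
SAMPLE_CONFIG = """\
name 10.64.64.113 chengxiaojie
name 10.64.64.61 chufw
name 10.64.64.215 lintao
object-group network www
 network-object host chengxiaojie
 network-object host chufw
 network-object host 10.64.64.255
object-group network worktime
 network-object host lintao
 network-object host 10.64.64.29
arp inside 10.64.64.29 000f.b0d8.a504
arp inside lintao 000a.e6b2.c4c6
arp inside chengxiaojie 0016.3564.8a6b
arp inside 10.64.64.30 000a.e6b2.c4c6
"""

def parse_config(text, iface="inside"):
    """Return (names, groups, arp): name->ip, group->[ip], ip->mac for one interface."""
    names, groups, arp, current = {}, defaultdict(list), {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 3:
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            current = tok[2]
        elif tok[:2] == ["network-object", "host"] and current:
            groups[current].append(names.get(tok[2], tok[2]))  # resolve name -> ip
        elif tok[:2] == ["arp", iface] and len(tok) == 4:
            arp[names.get(tok[2], tok[2])] = tok[3].lower()
        elif tok[0] != "network-object":
            current = None  # any other top-level command ends the object-group block
    return names, dict(groups), arp

def unbound_hosts(text, iface="inside"):
    """Object-group hosts (permitted by the ACL) that have no static ARP binding on iface."""
    _, groups, arp = parse_config(text, iface)
    missing = {g: sorted(ip for ip in ips if ip not in arp) for g, ips in groups.items()}
    return {g: ips for g, ips in missing.items() if ips}

def shared_macs(text, iface="inside"):
    """MACs statically bound to more than one IP: one machine would hold two addresses."""
    _, _, arp = parse_config(text, iface)
    by_mac = defaultdict(list)
    for ip, mac in arp.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    print("permitted but not ARP-bound:", unbound_hosts(SAMPLE_CONFIG))
    print("MACs bound to several IPs:", shared_macs(SAMPLE_CONFIG))
```

Feed it the real "show run" output and the first report lists exactly which permitted hosts a user could still impersonate by changing only their IP; those are the entries to add to the "arp inside" block.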
