Cisco PIX 两界面多服务配置

　　结构图如下:

　　PIX 520

　　Two Interface Multiple ServerConfiguration

　　nameif ethernet0 outside security0

　　nameif ethernet0 inside security100

　　interface ethernet0 auto

　　interface ethernet1 auto

　　ip address inside 10.1.1.1 255.0.0.0

　　ip address outside 204.31.17.10 255.255.255.0

　　logging on

　　logging host 10.1.1.11

　　logging trap 7

　　logging facility 20

　　no logging console

　　arptimeout 600

　　nat(inside) 1 10.0.0.0 255.0.0.0

　　nat (inside) 2 192.168.3.0 255.255.255.0

　　global (outside) 1 204.31.1.25-204.31.17.27

　　global (outside) 1 204.31.1.24

　　global (outside) 2 192.159.1.1-192.159.1.254

　　conduit permit icmp any any

　　outbound 10 deny 192.168.3.3 255.255.255.255 1720

　　outbound 10 deny 0 0 80

　　outbound 10 permit 192.168.3.3 255.255.255.255 80

　　outbound 10 deny 192.168.3.3 255.255.255.255 java

　　outbound 10 permit 10.1.1.11 255.255.255.255 80

　　apply (inside) 10 outgoing_src

　　no ripoutside passive

　　no rip outside default

　　rip inside passive

　　rip inside default

　　route outside 0 0 204.31.17.1.1

　　tacacs-server host 10.1.1.12 lq2w3e

　　aaa authentication any inside 192.168.3.0 255.255.255.0 0 0 tacacs+

　　aaa authentication any inside 192.168.3.0 255.255.255.0 0 0

　　static (inside,outside) 204.31.19.0 192.168.3.0 netmask 255.255.255.0

　　conduit permit tcp 204.31.19.0 255.255.255.0 eg h323 any

　　static (inside,outside) 204.31.17.29 10.1.1.11

　　conduit permit tcp host 204.31.17.29 eq 80 any

　　conduit permit udp host 204.31.17.29 eq rpc host 204.31.17.17

　　conduit permit udp host 204.31.17.29 eq 2049 host 204.31.17.17

　　static (inside.outside) 204.31.1.30 10.1.1.3 netmask 255.255.255.255 10 10

　　conduit permit tcp host 204.31.1.30 eq smtp any

　　conduit permit tcp host 204.31.1.30 eq 113 any

　　snmp-server host 192.168.3.2

　　snmp-server location building 42

　　snmp-server contact polly hedra

　　snmp-server community ohwhatakeyisthee

　　telnet10.1.1.11 255.255.255.255

　　telnet 192.168.3.0 255.255.255.0