A Collection of Cisco PIX Firewall Problems
A customer wants to move a server into the DMZ but keep its IP address unchanged. Apart from transparent mode I can't think of any other way. I know how to do transparent mode between inside and outside, but how do you do transparent mode between inside and the DMZ?

Author: forum compilation   Source: zdnet Network Security   March 31, 2008

Keywords: firewall, firewall technology, hardware firewall


  Why can't I ping the outside address of the 515E?

  The PIX version is 6.3(4). After configuring the 515E's outside and inside addresses, I connected a laptop directly to the 515E's outside port with a network cable. The laptop's address is in the same subnet as the outside address, but I can never ping the outside address. The same configuration works fine on a 515E running 6.2. Very strange??

  icmp permit any outside

  ========================================================

  The PIX VPN is set up and works over DDN. Why doesn't ADSL from home work?

  Configuration as follows: pix520

  PIX Version 6.3(3)
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 100full
  nameif ethernet0 Outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 Outside-DMZ security50
  enable password GyBjREM5Y/fIjrzB encrypted
  passwd enO4Olec9w1AmAwd encrypted
  hostname PIX-yinhetech
  domain-name test.cn
  clock timezone CST 8
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol ftp 2121
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  no fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  name 10.128.1.0 notebookpoolIP
  access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0
  access-list 101 permit ip 10.10.0.0 255.255.0.0 any
  access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
  access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any
  access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any
  access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0
  access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any
  pager lines 24
  logging on
  logging standby
  logging buffered debugging
  logging trap notifications
  icmp deny any Outside
  mtu Outside 1500
  mtu inside 1500
  mtu Outside-DMZ 1500
  ip address Outside ***.***.***.** 255.255.255.240
  ip address inside 10.127.1.253 255.255.255.0
  ip address Outside-DMZ 172.18.3.254 255.255.255.0
  ip verify reverse-path interface Outside
  ip verify reverse-path interface inside
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool notebookpool 10.128.1.1-10.128.1.250
  no failover
  failover timeout 0:00:00
  failover poll 15
  no failover ip address Outside
  no failover ip address inside
  no failover ip address Outside-DMZ
  pdm history enable
  arp timeout 14400
  global (Outside) 1 ***.***.***.** netmask 255.255.255.240
  global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
  nat (inside) 0 access-list nonat
  nat (inside) 1 10.0.0.0 255.128.0.0 0 0
  access-group 101 in interface inside
  route Outside 0.0.0.0 0.0.0.0 ***.***.***.** 1
  route inside 10.0.0.0 255.128.0.0 10.127.1.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 10.10.10.74 255.255.255.255 inside
  http 10.10.10.88 255.255.255.255 inside
  snmp-server host inside 10.10.10.10
  snmp-server host inside 10.10.10.74
  snmp-server location soft_yuan_internet
  snmp-server contact bill
  snmp-server community public
  snmp-server enable traps
  tftp-server inside 10.10.10.74 /
  no floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
  crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
  crypto map Outside_map interface Outside
  isakmp enable Outside
  isakmp identity address
  isakmp keepalive 60 5
  isakmp nat-traversal 120
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup notebookpc address-pool notebookpool
  vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68
  vpngroup notebookpc default-domain yhgroup.cn
  vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl
  vpngroup notebookpc idle-time 1800
  vpngroup notebookpc password ********
  telnet 10.0.0.0 255.128.0.0 inside
  telnet 10.10.10.110 255.255.255.255 inside
  telnet 10.10.10.110 255.255.255.255 Outside-DMZ
  telnet timeout 31
  ssh timeout 5
  console timeout 0
  terminal width 80
  Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35

  surf_qj (regular user)

  By the way, I'm logging in with the Cisco Systems VPN Client 4.01. From home over ADSL I can connect to the VPN but can't access anything; over DDN it works. Actually, it isn't only a PIX problem: I built the same thing on a 2620 and got the same result as you. With an ordinary ADSL modem it doesn't work, but with an ADSL device that has routing functionality it does.

  isakmp nat-traversal 120

  Also enable NAT on the client; I guess it's a NAT traversal issue.

  ========================================================

  pix515 problem

  The specific symptom is: the DMZ and inside each have one standalone machine connected. The DMZ machine can get online but nothing else works, and the inside machine can't do anything at all. The machines themselves are known to be fine. Please help me check the configuration. The outside address and the global address are different; does that matter? (There are no free contiguous addresses, so I could only use two different addresses to represent them.)

  PIX Version 6.2(2)
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 dmz security50
  enable password O53fPNRgHkA6IEsY encrypted
  passwd TWjtI1emvjruV4SY encrypted
  hostname jygatewall
  domain-name 219.2.2.2
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sqlnet 1521
  fixup protocol sip 5060
  no fixup protocol skinny 2000
  no fixup protocol smtp 25
  names
  access-list dmz_jygate_acl deny icmp any any
  access-list dmz_jygate_acl permit udp any any eq domain
  access-list dmz_jygate_acl permit tcp any any eq www
  access-list dmz_jygate_acl permit udp any any eq 20
  access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20817
  access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20820
  access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8080
  access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8383
  access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 32002
  pager lines 24
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 100full
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  ip address outside 219.150.1.2 255.255.255.224
  ip address inside 192.168.168.1 255.255.255.0
  ip address dmz 172.172.172.1 255.255.0.0
  ip audit info action alarm
  ip audit attack action alarm
  no failover
  failover timeout 0:00:00
  failover poll 15
  failover ip address outside 0.0.0.0
  failover ip address inside 0.0.0.0
  failover ip address dmz 0.0.0.0
  pdm history enable
  arp timeout 14400
  global (outside) 1 219.150.1.2
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
  static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
  access-group dmz_jygate_acl in interface outside
  access-group dmz_jygate_acl in interface dmz
  route outside 0.0.0.0 0.0.0.0 219.150.1.3 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt security fragguard
  no sysopt route dnat
  telnet timeout 5
  ssh timeout 5
  terminal width 80
  Cryptochecksum:594b9bbf77abf8a342afee1764e4f7cd
  : end

  nyb0319 (regular user)

  no static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0

  Change it to: static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0

  Add one line:

  static (inside,outside) 219.150.1.2 192.168.168.0 netmask 255.255.255.0 0 0

  no access-group dmz_jygate_acl in interface dmz

  crazytank (regular user)

  I changed it following the advice above, and now I get the message "global address overlaps with mask". Could the experts please take another look?

  lcschina (active user)

  ip address outside 219.150.1.2 255.255.255.224

  global (outside) 1 219.150.1.2

  Address overlap!!!

  Add global (outside) 1 interface and remove your existing global.
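The three threads above follow one pattern: a full config is pasted and the answer is a single line (icmp permit any outside, global (outside) 1 interface). As an added example that is not part of these forum posts and not a Cisco tool, the Python script below parses the handful of PIX 6.x statements involved and flags the global-pool/interface-address overlap that lcschina pointed out, an explicit icmp deny on an interface (the symptom of the first thread), and the default SNMP community string that both posted configs carry. The sample config embedded in it is constructed from fragments of the posted configs, and the finding messages are this example's own wording.

```python
import ipaddress
import re

# Constructed sample, not a config from the forum posts: it combines the
# overlapping "ip address outside" / "global (outside)" pair from the third
# thread, an "icmp deny" like the one in the second thread's config, a DMZ
# PAT range that does not overlap its interface, and the default SNMP
# community that both posted configs carry.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.18.3.254 255.255.255.0
icmp deny any outside
global (outside) 1 219.150.1.2
global (dmz) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")
ICMP_DENY_RE = re.compile(r"^icmp deny any (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")
DEFAULT_COMMUNITIES = {"public", "private"}


def _addr(text):
    """Parse a dotted quad; return None for masked values such as ***.***.***.**."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def parse_config(text):
    """Pull out only the statements the checks in audit() need."""
    cfg = {"interfaces": {}, "globals": [], "icmp_deny": set(), "communities": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            addr = _addr(m.group(2))
            if addr is not None:
                cfg["interfaces"][m.group(1)] = addr
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifname, pool_id, spec = m.group(1), int(m.group(2)), m.group(3)
            if spec == "interface":
                # 'global (x) n interface' PATs on the interface address itself
                cfg["globals"].append((ifname, pool_id, None, None))
            else:
                first, _, last = spec.partition("-")
                start = _addr(first)
                end = _addr(last) if last else start
                cfg["globals"].append((ifname, pool_id, start, end))
            continue
        m = ICMP_DENY_RE.match(line)
        if m:
            cfg["icmp_deny"].add(m.group(1))
            continue
        m = SNMP_RE.match(line)
        if m:
            cfg["communities"].append(m.group(1))
    return cfg


def audit(text):
    """Return (kind, subject, message) findings in a fixed order."""
    cfg = parse_config(text)
    findings = []
    # 1. A global pool containing the interface's own address is the overlap
    #    behind the "global address overlaps with mask" error in the third thread.
    for ifname, pool_id, start, end in cfg["globals"]:
        if start is None or end is None:
            continue  # 'interface' keyword or masked address: nothing to compare
        if_ip = cfg["interfaces"].get(ifname)
        if if_ip is not None and start <= if_ip <= end:
            pool = f"{start}" if start == end else f"{start}-{end}"
            findings.append((
                "global-overlap", ifname,
                f"global ({ifname}) {pool_id} {pool} contains the {ifname} interface "
                f"address {if_ip}; use 'global ({ifname}) {pool_id} interface' instead",
            ))
    # 2. An explicit 'icmp deny any <if>' stops the interface answering ping,
    #    which is the symptom of the first thread.
    for ifname in sorted(cfg["icmp_deny"]):
        findings.append((
            "icmp-deny", ifname,
            f"icmp deny any {ifname}: the {ifname} interface will not answer ping; "
            f"if it should, add 'icmp permit any {ifname}' (the first thread's fix)",
        ))
    # 3. Default SNMP community strings: both posted configs ship with 'public'.
    for community in cfg["communities"]:
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((
                "snmp-default-community", community,
                f"snmp-server community {community}: default community string, change it",
            ))
    return findings


if __name__ == "__main__":
    for kind, subject, message in audit(SAMPLE_CONFIG):
        print(f"[{kind}] {message}")
```

Running it on the sample reports the outside overlap, the icmp deny and the SNMP community; replacing the global line with global (outside) 1 interface, as lcschina advised, clears the first finding while the other two remain.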
