Simple PIX 525 configuration
// Configure passwords
enable password pix525 encrypted
passwd pix525 encrypted
// Configure interfaces
int eth0 100auto
int eth1 100auto
nameif eth0 outside sec0
nameif eth1 inside sec100
ip add inside 218.249.x.33 255.255.255.224
ip add outside 218.249.y.33 255.255.255.252
// Configure hostname and domain name
host testpix525
domain testpix525.com
// Generate the RSA key used for SSH access
ca gen rsa key
ca save all
// Configure NAT and static translations
nat (inside) 0 218.249.x.32 255.255.255.224 0 0
static (inside,outside) 218.249.x.32 218.249.x.32 mask 255.255.255.224
// Configure the access list
access-list outside-acl per icmp any any
......
access-list outside-acl per tcp any host 218.249.x.34 eq www
access-group outside-acl in int outside
// Set the static (default) route
route outside 0.0.0.0 0.0.0.0 218.249.X.33 1
// Enable SSH and web (PDM) management access
http server enable
http host host_ip outside/inside
ssh host host_ip outside/inside
ssh timeout 5
************************************************************
VPN configuration section
// Define the VPN address pool
ip local pool vpnpool 218.249.x.34 netmask 255.255.255.224
// Configure IPsec: set the encryption algorithms and the interface the crypto map is applied to
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authent local
crypto map mymap interface outside
// Configure IKE; the authentication method is PRE-SHARE
isakmp enable outside
isakmp key **** address 0.0.0.0 netmask 0.0.0.0 ---vpncert
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpncert address-pool vpnpool
vpngroup vpncert idle-time 1800
vpngroup vpncert password vpncert
username name password pwd
// Save the configuration
wr me
PS:
If the PIX inside interface IP and outside interface IP are on the same network segment, the two interfaces' masks cannot be the same, and the outside mask must be smaller than the inside mask.
For example: a company is allocated the block 218.249.X.32/25.
The peer interface is 218.249.X.33 (mask uncertain, possibly 192); the outside interface is 218.249.X.36; the inside interface is 218.249.X.37; .38, .39 and .40 were just assigned to servers.
When neither the peer interface nor the outside interface can be changed, the outside mask must be 254 and the inside mask 192.
With an outside mask of 192 and an inside mask of 0, applying static (inside,outside) 218.249.x.32 218.249.x.32 mask 255.255.255.192 broke connectivity.
This may be questionable, but it did work in that deployment at the time; no follow-up was done.
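As an added example (not part of the original post), a small audit script that walks a PIX 6.x-style configuration like the one above and flags the settings a reviewer would question: the 3DES/MD5 transform set, the wildcard pre-shared key, the cleartext vpngroup password, the enabled HTTP server, and inside/outside interface subnets that overlap (the situation the PS note describes). The sample config is constructed for the example; the address values are placeholders, not the author's.

```python
import ipaddress

# Constructed sample mirroring the relevant lines of the post's config
SAMPLE_CONFIG = """
ip address inside 218.249.10.33 255.255.255.224
ip address outside 218.249.20.33 255.255.255.252
crypto ipsec transform-set myset esp-3des esp-md5-hmac
isakmp key **** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 hash md5
vpngroup vpncert password vpncert
http server enable
"""

# Legacy ESP transforms that should no longer be used
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def audit(config: str) -> list[str]:
    """Return one finding string per weak or risky setting found."""
    findings = []
    ifaces = {}  # interface name -> ip_network of its address/mask
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) == 5:
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = sorted(set(t[4:]) & WEAK_TRANSFORMS)
            if weak:
                findings.append(f"transform-set {t[3]} uses legacy algorithms: {', '.join(weak)}")
        elif t[:2] == ["isakmp", "key"] and "0.0.0.0" in t:
            findings.append("isakmp key is accepted from any peer address (wildcard 0.0.0.0)")
        elif t[:2] == ["isakmp", "policy"] and t[3:5] == ["hash", "md5"]:
            findings.append(f"isakmp policy {t[2]} uses MD5 as the IKE hash")
        elif t[:1] == ["vpngroup"] and t[2:3] == ["password"]:
            findings.append(f"vpngroup {t[1]} group password is stored in cleartext")
        elif line == "http server enable":
            findings.append("HTTP management server enabled; limit it to trusted inside hosts")
    # The PS note's failure mode: inside and outside addressed out of the same block
    if "inside" in ifaces and "outside" in ifaces and ifaces["inside"].overlaps(ifaces["outside"]):
        findings.append(f"inside {ifaces['inside']} overlaps outside {ifaces['outside']}")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
```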