Xiutuo's Linux notes: PIX 501 firewall, hands-on

Environment:
--------------------------------------------
PIX 501 firewall, OS: PIX OS 6.3
Internet access via PPPoE dial-up,
public IP obtained automatically, default route assigned automatically
private (inside) IP: 192.168.1.254
DHCP enabled,
DHCP address pool: 192.168.1.2-192.168.1.128
SSH enabled, login allowed from both inside and outside
telnet enabled, login allowed from inside only
inside hosts can access the Internet freely,
outside hosts can reach port 8080 on inside host 192.168.1.153
************
If you have a static public IP, you need to set the public IP and the route manually:
a. In section 4, add the outside IP:
ip address outside WAN_IP WAN_NETMASK
where:
//WAN_IP is the public IP assigned by the ISP,
//WAN_NETMASK is the subnet mask of that public network, as given by the ISP
b. In section 5, add a route:
route outside 0.0.0.0 0.0.0.0 WAN_GATEWAY 1
where
//WAN_GATEWAY is the next-hop IP, i.e. the gateway on the ISP side
c. Drop section 12, the PPPoE dial-up part
*************
++++++++++++++++++++++++++++++++++++++++++++++

----------------------------------------------
//1. Define the network interfaces

interface ethernet0 auto
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

----------------------------------------------
//2. Set passwords: the telnet (login) password and the privileged-mode enable password

password cisco
enable password cisco

----------------------------------------------
//3. Set the PIX hostname and domain name
hostname test
domain-name test.com

----------------------------------------------
//4. Set the interface IPs: inside and outside

ip address inside 192.168.1.254 255.255.255.0

----------------------------------------------
//5. Set up NAT: let inside hosts access the Internet freely

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

----------------------------------------------
//6. Port forwarding: let the outside reach port 8080 on inside host 192.168.1.153

static (inside,outside) tcp 59.42.191.97 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
//static public IP
static (inside,outside) tcp interface 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
//dynamic public IP


----------------------------------------------
//7. Define the access rules

//.a. Rules for traffic entering from the inside
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-group inside_access_in in interface inside

//.b. Rules for traffic entering from the outside
access-list outside_access_in permit tcp any host 59.42.191.97 eq 8080
//static public IP
access-list outside_access_in permit tcp any interface outside eq 8080
//dynamic public IP
access-group outside_access_in in interface outside

icmp permit any outside
icmp permit any inside

------------------------------------------------------
//8. Configure PDM (the web management interface)

pdm location 192.168.2.0 255.255.255.255 inside
pdm history enable


------------------------------------------------------
//9. Configure telnet: every inside host may telnet to the PIX firewall

telnet 0.0.0.0 0.0.0.0 inside

------------------------------------------------------
//10. Configure DHCP

dhcpd address 192.168.1.2-192.168.1.128 inside
dhcpd dns 61.144.56.100 202.96.128.166
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside

------------------------------------------------------
//11. SSH

//.a. AAA local authentication: adds user test with password cisco; LOCAL must be upper-case
username test password cisco

ca generate rsa key 1024
ca save all
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ca zeroize rsa    //wipes the previously generated RSA key

//.b. Without AAA local authentication, the default user is pix and the password is cisco
ca gen rsa key 1024
ca save all
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
passwd cisco

----------------------------------------------
//12. PPPoE

//PPPoE configuration --- ISP-issued dial-up account: gzDSL47558340@163.gd, password 12345678
vpdn group pppoex request dialout pppoe                 //define the group
ip address outside pppoe setroute                       //get the outside IP and default route from PPPoE
vpdn group pppoex localname gzDSL47558340@163.gd        //the account assigned by the ISP
vpdn group pppoex ppp authentication pap                //the authentication protocol
vpdn username gzDSL47558340@163.gd password 12345678    //the PPPoE password assigned by the ISP
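As an added check that is not part of the original post: a small Python audit that reads PIX 6.3-style lines like the ones above and flags the settings worth a second look before this config goes live (factory-default passwords, management services open to any Internet source, port forwards and any-source inbound ACL entries). The sample config, the severity labels and the `WEAK_PASSWORDS` set are constructed for this example.

```python
import re

# Constructed sample: the security-relevant lines from the write-up's config.
SAMPLE_CONFIG = """\
password cisco
enable password cisco
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
static (inside,outside) tcp interface 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any interface outside eq 8080
"""

WEAK_PASSWORDS = {"cisco", "pix"}  # PIX factory defaults (assumed list)


def audit(config):
    """Return a list of (severity, message) tuples for risky settings."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        # ssh/telnet management access: "<svc> <source> <mask> <interface>"
        m = re.match(r"^(ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$", line)
        if m:
            svc, src, mask, iface = m.groups()
            if svc == "telnet" and iface != "inside":
                findings.append(("high", f"telnet (cleartext) allowed on {iface}"))
            elif src == "0.0.0.0" and mask == "0.0.0.0" and iface == "outside":
                findings.append(("high", f"{svc} open to any Internet source on outside"))
            continue
        # login, enable and ssh default-user passwords left at a factory value
        m = re.match(r"^(?:enable\s+)?(?:password|passwd)\s+(\S+)$", line)
        if m and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(("high", f"default/weak password in: {line}"))
            continue
        # static port forward: exposes an inside host on the outside interface
        m = re.match(r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line)
        if m:
            proto, pub, pport, host, hport = m.groups()
            findings.append(("info", f"{proto}/{pport} on {pub} forwarded to {host}:{hport}"))
            continue
        # inbound ACL entries on the outside that accept traffic from any source
        m = re.match(r"^access-list (\S+) permit (\S+) any (.+)$", line)
        if m and "outside" in m.group(1):
            findings.append(("medium", f"{m.group(1)}: {m.group(2)} from any source to {m.group(3)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Restricting `ssh` and `telnet` lines to specific management subnets and changing the passwords in sections 2 and 11 clears the high findings; the port forward and its ACL entry remain as informational items because the write-up wants them.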
