秀脱linux笔记之PIX501防火墙实战篇

环境：
--------------------------------------------
pix501防火墙，内核：PIX OS 6.3
pppoe拨号上网，
公网ip自动得到，路由自动分配
私网ip：192.168.1.254
启动dhcp，
dhcp地址池：192.168.1.2-192.168.1.128
启用ssh，内外网均可以登入
启用telnet，能够内网登入
内网能够自由访问外网，
外网能够经过访问内网192.168.1.153的8080端口
************
若是是静态外网ip，须要设置公网ip和路由，具体步骤
a.在第4节那里增长外网ip：
ip address outside WAN_IP WAN_NETMASK
其中：
//WAN_IP为isp给的公网ip，
//WAN_NETMASK为isp给的公网的子网掩码
b.在第5接里增长一条路由：
route outside 0.0.0.0 0.0.0.0 WAN_GATEWAY 1
其中
//WAN_GATEWAY是下一条的ip，就是isp那边的网关ip
c.去掉第12节--pppoe拨号那一段
*************
++++++++++++++++++++++++++++++++++++++++++++++

----------------------------------------------
//1.定义网络接口

interface ethernet0 auto
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

----------------------------------------------
//2.设置密码：telnet密码和特权模式enable密码

password cisco
enable password cisco

----------------------------------------------
//3.设置pix主机名和域名
hostname test
domain-name test.com

----------------------------------------------
//4.设置网络接口ip：内网和外网

ip address inside 192.168.1.254 255.255.255.0

----------------------------------------------
//5.设置nat：让内网自由访问外网

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

----------------------------------------------
//6.端口映射：让外网访问内网机器192.168.1.153的8080端口

static (inside,outside) tcp 59.42.191.97 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
//静态公网ip
static (inside,outside) tcp interface 8080 192.168.1.153 8080 netmask 255.255.255.255 0 0
//动态公网ip

----------------------------------------------
//7.定义访问规则

//.a.定义内网访问规则
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-group inside_access_in in interface inside

//.b.定义外网访问规则
access-list outside_access_in permit tcp any host 59.42.191.97 eq 8080
//静态公网ip
access-list outside_access_in permit tcp any interface outside eq 8080
//动态公网ip
access-group outside_access_in in interface outside

icmp permit any outside
icmp permit any inside

------------------------------------------------------
//8.配置pdm

pdm location 192.168.2.0 255.255.255.255 inside
pdm history enable

------------------------------------------------------
//9.配置telnet：内部全部机器均可以telnet到pix防火墙

telnet 0.0.0.0 0.0.0.0 inside

------------------------------------------------------
//10.配置dhcp

dhcpd address 192.168.1.2-192.168.1.128 inside
dhcpd dns 61.144.56.100 202.96.128.166
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside

------------------------------------------------------
//11.ssh

//.a. aaa本地认证：增长了test用户，密码cisco，LOCAL必定要大写
username test password cisco

ca generate rsa key 1024
ca save all
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ca zeroize rsa 清空之前配置

//.b.非aaa本地认证,默认用户是pix，密码cisco
ca gen rsa key 1024
ca save all
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
passwd cisco

----------------------------------------------
//12.pppoe

//pppoe配置---isp给的拨号账号：gzDSL47558340@163.gd 密码12345678
vpdn group pppoex request dialout pppoe                 //指定组
ip address outside pppoe setroute                       //指定pppoe外网ip和路由
vpdn group pppoex localname gzDSL47558340@163.gd        //指定isp分配的账号
vpdn group pppoex ppp authentication pap                //指定协议
vpdn username gzDSL47558340@163.gd password 12345678    //指定isp分配pppoe密码