jackyhero1220
2005-04-12, 05:54 PM
How to set DMZ in pix 501 ?
I want to put a web server in the DMZ.
Does anyone know the exact commands?
Newbie question, thanks.
不應有恨
2005-04-21, 10:29 AM
Below is something I wrote several years ago; it is a basic introduction to the steps for configuring a PIX. Sharing it with you~ I don't know whether it is correct or whether it suits your needs; I haven't touched Cisco gear for years. :|||: (If there are errors, don't tell me, I probably won't be dealing with this stuff any more. :corkysm: )
--------------------
<<Step by step for cisco PIX Firewall Configurations>>

<step1-before you begin>
.draw down the network architecture
.list security policy
.configure network routing
.check for all
.put pix into network architecture
.demo lab with the security policy

<step2-installing the pix firewall>

<step3-get a console terminal>
.9600/8/none/1/hardware

<step4-start configuring pix firewall>
firewall>enable                        /enter privileged mode
firewall>password                      /type the password
firewall#>configure terminal           /enter terminal configuration mode
firewall(config)#>                     /the prompt has changed to terminal configuration mode
^^^the PIX Firewall can now be configured

<step5-identify each interface>
.name interfaces.                      /first give each interface a name
firewall(config)#>
nameif ethernet0 outside security0     /outside interface
nameif ethernet1 inside security100    /inside interface
nameif ethernet2 perimeter security50  /perimeter interface
.identify IP address for pix firewall. /set the IP address of each interface
firewall(config)#>
ip address outside 163.29.129.252 255.255.255.128   /outside IP
ip address inside 192.168.1.3 255.255.255.0         /inside IP
interface e0 auto                      /enable e0
interface e1 auto                      /enable e1
interface e2 auto                      /enable e2

<step6-let users start connections>    /set up the ordinary NAT mappings (for clients)
                                       /used for high-security to low-security access
.associate a network with a pool of global IP address.   /first define the inside IPs to be NATed
firewall(config)#>                     /this NAT mapping uses id nat 1
nat(inside) 1 0.0.0.0 0.0.0.0 0 0      /NAT all inside IPs
nat(inside) 1 192.168.1.0 255.255.255.0   /NAT the inside range 192.168.1.0, this class C
.create entries from a pool of global address.   /then define the pool of outside IPs to NAT to
firewall(config)#>
global(outside) 1 163.29.129.129-163.29.129.250 netmask 255.255.255.128   /the outside pool range used for the mapping; inside IPs are mapped to 163.29.129.129~250
^^^Dynamic NAT done (nat and global must be used together)

<step7-create a default route>
.static route for specified interface. /set the default route for a specific interface
firewall(config)#>
route outside 0.0.0.0 0.0.0.0 163.29.129.254 1   /everything on this interface uses 163.29.129.254 as the gateway

<step8-permit ping access>
firewall(config)#>                     /choose whether to allow the ping command
conduit permit icmp any any            /allow ping from both inside and outside
^^^Phase one done. Use the show commands and ping each PIX interface (and ping the router from the PIX) to test; only continue to the next step when this works!
^^^The firewall settings above cover high-security to low-security access; next comes low-security to high-security access.

<step9-add server access>
.map local IP address to a global IP address.   /set up specific NAT mappings (for servers)
firewall(config)#>                     /used for low-security to high-security access
static(internal,external) global_ip local_ip
static(inside,outside) 163.29.129.170 192.168.1.1 netmask 255.255.255.255
static(inside,outside) 163.29.129.170 192.168.1.2 netmask 255.255.255.255
static(inside,outside) 163.29.129.170 192.168.1.4 netmask 255.255.255.255
.add conduit through firewall for incoming connections.   /leave a "channel" open for specific services
firewall(config)#>
conduit permit tcp host 163.29.129.170 eq www any    /channel for the web server 163.29.129.170
conduit permit tcp host 163.29.129.171 eq smtp any   /channel for the outgoing mail server 163.29.129.171
conduit permit tcp host 163.29.129.171 eq pop3 any   /channel for the incoming mail server 163.29.129.171
conduit permit tcp host 163.29.129.171 eq 23 host 203.74.223.38   /let 203.74.223.38 telnet to 163.29.129.171
^^^Static NAT done (static and conduit must be used together)
^^^the specified servers can now work normally toward the outside
^^^Note!!! Some services need two conduits to work properly (usually one TCP and one UDP)
.enable,change a pix firewall application protocol feature.
firewall(config)#>                     /the port used by a service can be changed, for safety!
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

<step10-create access lists>
.create an access list for controlling Internet use.   /set up some packet filter actions
firewall(config)#>
outbound 1 deny 0.0.0.0 0.0.0.0 tcp
outbound 1 permit 192.168.1.1 255.255.255.255
outbound 1 permit 192.168.1.11 255.255.255.255
outbound 1 permit 192.168.1.241 255.255.255.255
.apply outbound access list to IP address.   /assign the packet filters above to an interface (inside or outside)
firewall(config)#>                     /and specify whether the destination or the source IP/port is checked
apply(inside) 1 outgoing_src
apply(inside) 10 outgoing_dest
apply(outside) 11 outgoing_src
apply(outside) 21 outgoing_dest
^^^the planned security policy has been added (outbound and apply must be used together)

<step11-add telnet console access>
.allow to the pix console over telnet  /set the IP and password allowed to telnet to the PIX Firewall
firewall(config)#>
telnet 192.168.1.11 255.255.255.255
passwd xxxxxxx
^^^a convenient door left open for the MIS staff

<step12-check the configuration>
.view the current configuration       /double-check that the configuration is correct
firewall#>write terminal

<step13-store the image in flash memory and reboot>
.write to memory and reload           /save to flash memory and reboot
firewall#>write memory
firewall#>reload
^^^Don't forget this step, otherwise none of the steps above takes effect!!!

<Troubleshooting:>                    /some commands for viewing the configuration
.show ip address
.show nat
.show global
.show route

<Advanced configuration>
.enable syslog                        /turn on syslog error notification
1.enable the syslog facility          /enter syslog configuration
>logging on
2.specify a host to receive the syslog message   /set the host that receives the error notifications
>logging host inside ip_address
3.set syslog message facility to 20(default)     /set the number of messages
>logging facility 20
4.instruct to send message            /start the error notifications
>logging trap warnings
5.test it                             /test whether error notification works
>show logging
.add user authentication              /user authentication
1.for inbound authentication,static and conduit statements required to permit outside hosts to access servers on the inside network.   /use static and conduit to allow outside hosts access
2.specify which server handles authentication or authorization with the radius-server or the tacacs-server commands.   /use radius-server or tacacs-server to specify the server that does the authentication
3.enable authentication with the aaa authentication command.   /use aaa authentication to enable the server that does the authentication
>aaa authorization any outbound 0 0 0 0 tacacs+
>aaa authorization any inbound 0 0 0 0 tacacs+
4.enable authorization with the aaa authorization command.   /use aaa authorization to enable authorization
>aaa authorization any outbound 0 0 0 0
>aaa authorization any inbound 0 0 0 0

movis
2005-04-27, 04:49 PM
The 501 only has two interfaces, doesn't it? One inside and one outside...
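The guide above stresses that static and conduit must be used together. As an added sanity check that is not part of any post in this thread and not a Cisco tool, here is a small Python script that parses static/conduit lines in the PIX 6.x syntax shown above and flags a global IP mapped to more than one inside host, or a conduit whose global IP has no static behind it; the config text and all addresses in it are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the static/conduit pattern in the guide.
SAMPLE_CONFIG = """\
static(inside,outside) 198.51.100.170 192.168.1.1 netmask 255.255.255.255
static(inside,outside) 198.51.100.170 192.168.1.2 netmask 255.255.255.255
static(inside,outside) 198.51.100.172 192.168.1.4 netmask 255.255.255.255
conduit permit tcp host 198.51.100.170 eq www any
conduit permit tcp host 198.51.100.171 eq smtp any
conduit permit tcp host 198.51.100.171 eq 23 host 203.0.113.38
"""

STATIC_RE = re.compile(r"^static\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
CONDUIT_RE = re.compile(r"^conduit\s+permit\s+(\w+)\s+host\s+(\S+)\s+eq\s+(\S+)\s+(.+)$")


def parse_config(text):
    """Return (statics, conduits) found in PIX 6.x-style config lines."""
    statics, conduits = [], []
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append({"global": m.group(3), "local": m.group(4)})
            continue
        m = CONDUIT_RE.match(line)
        if m:
            conduits.append({"proto": m.group(1), "global": m.group(2),
                             "port": m.group(3), "src": m.group(4).strip()})
    return statics, conduits


def check_static_conduit(statics, conduits):
    """Return a list of findings; an empty list means the pairs are consistent."""
    findings = []
    locals_by_global = defaultdict(set)
    for s in statics:
        locals_by_global[s["global"]].add(s["local"])
    # A one-to-one static can only translate a global address to one inside host.
    for g, locs in sorted(locals_by_global.items()):
        if len(locs) > 1:
            findings.append(f"global {g} mapped to several inside hosts: {sorted(locs)}")
    # A conduit is useless without a static for its global address: nothing is behind it.
    for c in conduits:
        if c["global"] not in locals_by_global:
            findings.append(f"conduit for {c['global']} {c['proto']}/{c['port']} has no matching static")
    return findings


if __name__ == "__main__":
    for finding in check_static_conduit(*parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run on the sample it reports the doubly mapped global address and the two conduits that reference an address without a static.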