【硬體】How to set DMZ in pix 501 ?

[jackyhero1220]

How to set DMZ in pix 501 ?

小弟想架一個web server在DMZ中，
有人知詳細的command嗎？
新手發問，謝謝

[不應有恨]

底下是我好幾年前做的,是初步介紹pix設定的步驟啦
分享給你喲~
不過也不知道對不對合不合你用
好幾年沒摸cisco的東西了
(有錯不要告訴我了 我可能不太會碰到了啦 )
--------------------
<<Step by step for cisco PIX Firewall Configurations>>
<step1-before you begin>

.draw down the netwrok architecture
.list security policy
.configure network routing
.check for all
.put pix into network architecture
.demo lab with the security policy


<step2-installing the pix firewall>



<step3-get a console terminal>
.9600/8/none/1/hardware



<step4-start configuring pix firewall>

firewall>enable /進入設定狀態
firewall>password /鍵入密碼
firewall#>configuring terminal /進入terminal設定狀態
firewall(config)#> /提示改成terminal設定狀態了

^^^可以設定PIX Firewall了
<step5-identify each interface>

.name interfaces. /首先為每一個介面命名
firewall(config)#>
nameif etherner0 outside security0 /outside介面
nameif etherner1 inside security100 /inside介面
nameif ethernet2 perimeter security50 /perimeter介面

.identify IP address for pix firewall. /設定介面的IP
firewall(config)#>
ip address outside 163.29.129.252 255.255.255.128 /outside IP
ip address inside 192.168.1.3 255.255.255.0 /inside IP
interface e0 auto /enable e0
interface e1 auto /enable e1
interface e2 auto /enable e2


<step6-let users start connections> /設定一般的NAT對應(for client)
/security高存取低使用
.associate a network with a pool of global IP address./先設定要做NAT對應的內部IP
firewall(config)#> /此NAT對應編號使用nat 1
nat(inside) 1 0.0.0.0 0.0.0.0 0 0 /此為內部IP全部作NAT對應
nat(inside) 1 192.168.1.0 255.255.255.0 /此為內部IP範圍192.168.1.0這個class c 作NAT對應

.create entries from a pool of global address. /再設定要做NAT對應的外部IP pool群
firewall(config)#>
global(outside) 1 163.29.129.129-163.29.129.250 /外部要給對應的pool群IP範圍
netmask 255.255.255.128 /此為用163.29.129.129~250給內部IP對應

^^^Dynamic NAT完成(nat及global要併用)
<step7-create a default route>

.static route for specified interface. /設定特定介面default route
firewall(config)#>
route outside 0.0.0.0 0.0.0.0 163.29.129.254 1 /此為介面一一律以163.29.129.254為gateway


<step8-permit ping access>

firewall(config)#> /可設定是否允許使用ping指令
conduit permit icmp any any /此為允許內外部都能用ping指令


^^^第一階段完成,使用show指令及ping PIX各介面(及從PIX ping router)測試一下!正常才能繼續下一步驟!
^^^以上由security高的存取security低防火牆設定的部分已完成,接下來是security低存取security高的部分

<step9-add server access>

.map local IP address to a global IP address. /設定特定的NAT對應(for server)
firewall(config)#> /security低存取高使用
static(internal,external) global_ip local_ip
static(inside,outside) 163.29.129.170 192.168.1.1 netmask 255.255.255.255
static(inside,outside) 163.29.129.170 192.168.1.2 netmask 255.255.255.255
static(inside,outside) 163.29.129.170 192.168.1.4 netmask 255.255.255.255

.add conduit through firewall for incoming connections./為特定的service留"通道"
firewall(config)#>
conduit permit tcp host 163.29.129.170 eq www any /留Web server163.29.129.170的通道
conduit permit tcp host 163.29.129.171 eq smtp any /留送信mail server163.29.129.171的通道
conduit permit tcp host 163.29.129.171 eq pop3 any /留收信mail server163.29.129.171的通道
conduit permit tcp host 163.29.129.171 eq 23 host 203.74.223.38 /讓203.74.223.38可以Telnet到163.29.129.171

^^^static NAT完成(static及conduit要併用)
^^^特定server可以正常對外運作
^^^注意!!!某些service的conduit要開兩條才能正常運作(通常一條TCP一條UDP)
.enable,change a pix firewall application protocol feature.
firewall(config)#> /可更改service使用的port,以策安全!
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521


<step10-create access lists>

.create an access list for controlling Internet use. /設定一些packet filter的動作
firewall(config)#>
outbound 1 deny 0.0.0.0 0.0.0.0 tcp
outbound 1 permit 192.168.1.1 255.255.255.255
outbound 1 permit 192.168.1.11 255.255.255.255
outbound 1 permit 192.168.1.241 255.255.255.255

.apply outbound access list to IP address. /將上述的packet filter指定到介面(inside or outside)
firewall(config)#> /並訂定檢查的是Destnation or Source IP/port
apply(inside) 1 outgoing_src
apply(inside) 10 outgoing_dest
apply(outside) 11 outgoing_src
apply(outside) 21 outgoing_dest

^^^增加了規劃的security policy(outbound及apply要併用)
<step11-add telnet console access>

.allow to the pix console over telnet /設定可以Telnet上PIX Firewall的IP及密碼
firewall(config)#>
telnet 192.168.1.11 255.255.255.255
passwd xxxxxxx

^^^為MIS留一條方便之門
<step12-check the configuration>

.view the curring configuration /再次確認設定是否正確
firewall#>write terminal


<step13-store the image in flash memory and reboot>

.write to memory and relord /存到FLASH記憶體中,並重開機
firewall#>write memory
firewall#>reload

^^^別忘了此步驟否則以上步驟不會生效!!!

<Troubleshooting:> /一些可用來看設定的指令
.show ip address
.show nat
.show global
.show route




<Advanced configuration>


.enable syslog /啟動syslog錯誤通知

1.enable the syslog facility /進入syslog設定狀態
>logging on
2.specify a host to receive the syslog message /設定要接收錯誤通知的主機
>logging host inside ip_address
3.set syslog message facility to 20(default) /設定訊息的筆數
>logging facility 20
4.instruct to send message /啟動錯誤通知
>logging trap warnings
5.test it /測試錯誤通知是否正常
>show logging


.add user authentication /使用者認證

1.for inbound authentication,static and conduit statements required to
permit outside hosts to access servers on the inside network.
/用static和conduit允許outside host access
2.specify which server handles authenticaton or authorization with the
radius-server or the tacacs-server commands.
/以radius-server,tacacs-server指定用來做
/認證的server
3.enable authentication with the aaa authentication command.
/用aaa authentication來啟動認證動作的server
>aaa authorization any outbound 0 0 0 0 tacacs+
>aaa authorization any inbound 0 0 0 0 tacacs+
4.enable authorization with the aaa authorization command.
/用aaa authorization來啟動認證動作
>aaa enthorization any outbound 0 0 0 0
>aaa enthorization any inbound 0 0 0 0

[movis]

501只有兩個Interface吧！一個對內，一個對外...