【求助】請教CISCO PIX防火牆的設定

[windpp]

請教一下各位先進：

我公司內部有一台機器，想要開port出去，不知道指令該如何下？
比如說內部機器為 192.168.1.100，要開放25（SMTP）

另外要是全開放，也就是全部通透，內到外port全開，指令為何？

謝謝各位∼

[門神]

建議使用PDM最簡單

[windpp]

不好意思...小弟剛接觸PIX！
可以說的詳細一點嗎？

若是用指令，該如何去下呢？

[popeye]

要先建ACCESS-LIST
如
access-list 1 permit tcp any host X.X.X.X eq 25
不過X.X.X.X要用PUBLIC IP吧??!!
然後再套用入INTERFACE中
如
access-group 1 in interface outside
(outbound名稱)
剛開始真的用PDM比較容易，PDM就是PIX的WEB介面，不過也是要先指定給哪個IP用PDM
如
pdm location 192.168.1.100 255.255.255.255 inside
(inbound name)
這是指只有192.168.1.100才能用PDM連入
我懂得也不多，說的不對，請勿見怪!!!

[windpp]

嗯....謝謝popeye兄的回覆！
我再試試！

[bv2eq]

最初由 windpp 發表
請教一下各位先進：

我公司內部有一台機器，想要開port出去，不知道指令該如何下？
比如說內部機器為 192.168.1.100，要開放25（SMTP）

另外要是全開放，也就是全部通透，內到外port全開，指令為何？

謝謝各位∼

Sorry I can only use English.

For better PIX OS support, you better post your config file. And let people know your PIX OS version/PIX model. Different version/model has different functions to complete your job.

Let me assume you are using 6.1(x). If you want to open an smtp port 25 to a host IP 192.168.2.10 and you have a static IP 24.44.44.44(I make it up.) doing PAT for you.

First, you permit smtp type packets come in.

access-list 102 permit tcp any any eq smtp

Second, you static packets to the host you want.

static (inside,outside) tcp 24.44.44.44 host smtp 192.168.2.10 smtp netmask 255.255.255.255 0 0

Don't forget make access-list effect by using following command.

nat (inside) 0 access-list 102

It's a good practice to use access-list and static rather than access-list and conduit due to CISCO tend to phase out conduit command support(It's no longer availabe in PIX OS 6.3(x) as I recalled.)

If your PIX has DMZ zone, you can also use DMZ to put your host so you can make your box open.(You need to at least has a 3 NIC interface cards PIX to do that.)


After you test it. Don't forget write config to memory!!

I'm no CCNE guy, but this is based on my field exp. So it may not accurate but idea is good.

Best regards


Calvin

[windpp]

Thanks for your reply.....