Lab 2: Basic setup: configuring PIX interface IPs and connectivity
I. Lab objective:
1. Master the steps and methods for manually performing the initial configuration of a PIX firewall
II. Key points:
1. Running the PIX firewall in GNS3, use terminal software (HyperTerminal) to perform its initial configuration by hand.
III. Lab equipment:
1. GNS3, three Cisco 3600 routers, one Cisco PIX 804
2. One real PC, one virtual machine
IV. Lab environment
Note: The PIX firewall runs the 804 (8.0(4)) software image; interfaces and IP settings are as shown in the figure. The lab uses a PIX 804 emulator; LAN, DMZ and WAN are three 3600 routers, where the LAN router is connected to the local machine (the real PC) and the WAN router is connected to the virtual machine.
V. Lab steps:
1. Check the firewall's features and license
The firewall ships with a set of basic features; enabling additional features requires purchasing a license (an activation key). The show version command lists the features the firewall currently has:
pixfirewall# show version
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Disabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
The output above shows that this firewall runs a Restricted license. The firewall license types are:
- Unrestricted (UR): enables every feature the firewall supports, for example an unlimited number of active connections, all interfaces the firewall supports, and Failover;
- Restricted (R): limits the features the firewall can enable, for example the number of active connections, no Failover support, and a cap on the maximum number of interfaces;
- Failover (FO): lets the firewall take part in failover as the Secondary unit;
- Failover Active/Active (FOAA): lets the firewall take part in active/active failover as the Secondary unit; the other firewall must run a UR license.
2. Configure the firewall
pixfirewall> en
Password:
pixfirewall# write erase                  // clear the configuration on the firewall
Erase configuration in flash memory? [confirm]
[OK]                                      // then reload the firewall
pixfirewall> en
Password:
pixfirewall# conf t
pixfirewall(config)# hostname PIX
PIX(config)# interface e0
PIX(config-if)# nameif outside            // make E0 the outside interface
INFO: Security level for \
PIX(config-if)# security-level 0          // set the security level of E0 to 0
PIX(config-if)# ip address 220.171.1.2 255.255.255.0
PIX(config-if)# no shutdown
PIX(config-if)# exit
PIX(config)# interface e1
PIX(config-if)# nameif inside             // make E1 the inside interface
INFO: Security level for \
PIX(config-if)# security-level 100        // set the security level of E1 to 100
PIX(config-if)# ip address 10.0.1.1 255.255.255.0
PIX(config-if)# no shutdown
PIX(config-if)# exit
PIX(config)# interface e2
PIX(config-if)# nameif dmz                // make E2 the DMZ interface
INFO: Security level for \
PIX(config-if)# security-level 50         // set the security level of E2 to 50
PIX(config-if)# ip address 172.16.1.1 255.255.255.0
PIX(config-if)# no shutdown
PIX(config-if)# exit
pixfirewall(config)# show nameif
Interface   Name      Security
Ethernet0   outside   0
Ethernet1   inside    100
Ethernet2   dmz       50
PIX(config)# show interface               // the PIX outside, inside and dmz interfaces are up, their IP addresses are configured, and they negotiated full duplex at 100 Mbps with the peer
Interface Ethernet0
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0000.abf0.1e00, MTU 1500
IP address 220.171.1.2, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (1/0) software (0/0)
Interface Ethernet1
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0000.abf2.d101, MTU 1500
IP address 10.0.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (1/0) software (0/0)
Interface Ethernet2
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0000.ab4b.ae02, MTU 1500
IP address 172.16.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (1/0) software (0/0)
PIX(config)# ping 10.0.1.2                // test connectivity to the LAN router interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
PIX(config)# ping 172.16.1.2              // test connectivity to the DMZ router interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
PIX(config)# ping 220.171.1.1             // test connectivity to the WAN router interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.171.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
PIX(config)#
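As an added example (not part of the lab handout), the following Python script checks the interface plan used in this lab before it is typed into the PIX: every security level is within 0-100, outside sits at 0 and inside at 100, no two interfaces share a level (PIX 7.x/8.x drops traffic between same-security interfaces unless same-security-traffic permit is configured), no two interfaces have overlapping subnets, and it then renders the same interface commands entered above. The interface tuples are constructed from the lab topology.

```python
import ipaddress

# Constructed from the lab topology: (interface, nameif, security-level, ip/prefix)
LAB_INTERFACES = [
    ("e0", "outside", 0, "220.171.1.2/24"),
    ("e1", "inside", 100, "10.0.1.1/24"),
    ("e2", "dmz", 50, "172.16.1.1/24"),
]


def check_interfaces(ifaces):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_levels, nets = {}, []
    for phys, name, level, cidr in ifaces:
        if not 0 <= level <= 100:
            problems.append(f"{phys}: security-level {level} is outside 0-100")
        if name == "outside" and level != 0:
            problems.append(f"{phys}: outside should use security-level 0")
        if name == "inside" and level != 100:
            problems.append(f"{phys}: inside should use security-level 100")
        # PIX 7.x/8.x denies traffic between equal security levels by default
        if level in seen_levels:
            problems.append(f"{phys}: same security-level as {seen_levels[level]}")
        seen_levels[level] = phys
        net = ipaddress.ip_interface(cidr).network
        for other_phys, other in nets:
            if net.overlaps(other):
                problems.append(f"{phys}: {net} overlaps {other} on {other_phys}")
        nets.append((phys, net))
    return problems


def render_cli(ifaces):
    """Emit the interface commands the lab enters by hand, one per line."""
    lines = []
    for phys, name, level, cidr in ifaces:
        iface = ipaddress.ip_interface(cidr)
        lines += [f"interface {phys}", f" nameif {name}",
                  f" security-level {level}",
                  f" ip address {iface.ip} {iface.network.netmask}",
                  " no shutdown"]
    return lines


if __name__ == "__main__":
    for problem in check_interfaces(LAB_INTERFACES):
        print("WARN", problem)
    print("\n".join(render_cli(LAB_INTERFACES)))
```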
PIX(config)# show running-config          // show the configuration in memory; same as write terminal
PIX(config)# show startup-config          // show the configuration in flash
PIX(config)# show memory                  // show memory usage
PIX(config)# show version                 // show device, license, version and so on
PIX(config)# show history                 // show previously entered commands
PIX(config)# show ip address              // show interface IP addresses
PIX(config)# show interface               // show interface information
PIX(config)# show logging                 // show the log
PIX(config)# show cpu usage               // show CPU usage
PIX(config)# show clock                   // show the device clock
PIX(config)# show conn                    // show the currently active connections
PIX(config)# write erase                  // erase the configuration file in flash
PIX(config)# write memory                 // save the configuration in memory to flash
PIX(config)# write net                    // copy the current configuration in memory to a TFTP server
PIX(config)# configure net                // copy a configuration file from a TFTP server into memory
PIX(config)# names                        // enable the name feature
PIX(config)# name                         // map an IP address to a name; names must be enabled first
PIX(config)# reload                       // restart the device