Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname PPPoE-Server
PPPoE-Server(config)#aaa new-model //enable the AAA feature
PPPoE-Server(config)#aaa authentication ppp default local //create an authentication list for PPP named "default" whose method is "local" (local authentication)
PPPoE-Server(config)#vpdn enable //enable the VPN dial-up (VPDN) feature
PPPoE-Server(config)#username 131001 password 0 123qwe! //create user 131001 and its password
PPPoE-Server(config)#username 131002 password 0 123qwe! //create user 131002 and its password
PPPoE-Server(config)#bba-group pppoe global //create the PPPoE dial-up group policy
PPPoE-Server(config-bba-group)#virtual-template 1 //bind virtual dial-up template 1
PPPoE-Server(config-bba-group)#sessions max limit 300 //maximum number of users the PPPoE server accepts
PPPoE-Server(config-bba-group)#sessions per-mac limit 1 //number of simultaneous PPPoE sessions allowed per MAC address
PPPoE-Server(config-bba-group)#exit
PPPoE-Server(config)#interface Ethernet0/0
PPPoE-Server(config-if)#ip address 202.100.1.1 255.255.255.0
PPPoE-Server(config-if)#no shutdown
PPPoE-Server(config-if)#half-duplex
PPPoE-Server(config-if)#pppoe enable group global //listen for PPPoE sessions on interface E0/0
PPPoE-Server(config)#interface Virtual-Template1 //create virtual template 1
PPPoE-Server(config-if)#ip address 61.187.191.254 255.255.255.0 //template IP address (the PPPoE gateway IP)
PPPoE-Server(config-if)#peer default ip address pool vpnpool //PPPoE clients get their IP addresses from the vpnpool pool
PPPoE-Server(config-if)#ppp authentication pap //enable PPP PAP authentication
PPPoE-Server(config)#ip local pool vpnpool 61.187.191.1 61.187.191.100 //create the vpnpool address pool
PPPoE Client (Router):
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname PPPoE-Client
PPPoE-Client(config)#interface Ethernet0/0
PPPoE-Client(config-if)#no ip address
PPPoE-Client(config-if)#no shutdown
PPPoE-Client(config-if)#pppoe enable //enable PPPoE on the interface
PPPoE-Client(config-if)#pppoe-client dial-pool-number 1 //put physical interface E0/0 into dialer pool 1 and make it the dial-up client interface
PPPoE-Client(config-if)#exit
PPPoE-Client(config)#interface Ethernet0/1
PPPoE-Client(config-if)#ip address 192.168.1.1 255.255.255.0
PPPoE-Client(config-if)#no shutdown
PPPoE-Client(config-if)#ip nat inside
PPPoE-Client(config-if)#exit
PPPoE-Client(config)#interface Dialer0 //create logical dialer interface 0
PPPoE-Client(config-if)#ip address negotiated //set the IP address to "negotiated"
PPPoE-Client(config-if)#ip nat outside
PPPoE-Client(config-if)#encapsulation ppp //set the encapsulation to PPP
PPPoE-Client(config-if)#dialer in-band //enable DDR
PPPoE-Client(config-if)#dialer-group 1 //use dialer-list 1 to identify interesting traffic
PPPoE-Client(config-if)#dialer pool 1 //bind dialer interface 0 to dialer pool 1
PPPoE-Client(config-if)#exit
PPPoE-Client(config)#ppp pap sent-username 131001 password 0 123qwe! //username and password sent during PPP PAP authentication
PPPoE-Client(config)#ip route 0.0.0.0 0.0.0.0 Dialer0 //create a default route through dialer interface 0
PPPoE-Client(config)#ip nat inside source list natlist interface Dialer0 overload //enable PAT on dialer interface 0
PPPoE-Client(config)#ip access-list extended natlist
PPPoE-Client(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
PPPoE-Client(config-ext-nacl)#exit
PPPoE-Client(config)#dialer-list 1 protocol ip permit //create dialer list 1, which defines the traffic of interest; packets that do not match this list do not trigger dialing
PPPoE Client (PIX):
PIX>en
PIX#conf t
PIX(config)#hostname PPPOE-Client
PPPOE-Client(config)#interface Ethernet1
PPPOE-Client(config-if)#nameif inside
PPPOE-Client(config-if)#security-level 100
PPPOE-Client(config-if)#ip address 192.168.1.1 255.255.255.0
PPPOE-Client(config-if)#no shutdown
PPPOE-Client(config-if)#exit
PPPOE-Client(config)#access-list outlist extended permit icmp any interface outside echo-reply //create an ACL used for the PING test
PPPOE-Client(config)#nat-control //enable NAT control
PPPOE-Client(config)#global (outside) 1 interface //PAT the 192.168.1.0 addresses to the outside interface address
PPPOE-Client(config)#nat (inside) 1 192.168.1.0 255.255.255.0 //enable NAT for the 192.168.1.0 subnet on the inside interface
PPPOE-Client(config)#access-group outlist in interface outside //apply the ACL used for the PING test
PPPOE-Client(config)#vpdn group pppoe request dialout pppoe //create a VPDN policy group named pppoe and set it to "request dial-out" for PPPoE
PPPOE-Client(config)#vpdn group pppoe localname 131002 //set the local PPPoE username; it may differ from the username sent when dialing and is mainly the display name used in local statistics
PPPOE-Client(config)#vpdn group pppoe ppp authentication pap //enable PAP authentication when dialing PPPoE
PPPOE-Client(config)#vpdn username 131002 password ********* //username and password sent when dialing PPPoE
PPPOE-Client(config)#interface Ethernet0
PPPOE-Client(config-if)#nameif outside
PPPOE-Client(config-if)#security-level 0
PPPOE-Client(config-if)#pppoe client vpdn group pppoe //use this physical interface for PPPoE dial-up and bind it to the pppoe group policy
PPPOE-Client(config-if)#ip address pppoe setroute //obtain this interface's IP address via PPPoE and install a default route
PPPOE-Client(config-if)#exit
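The three PPPoE configurations above share a few settings worth reviewing once the lab works: type-0 (cleartext) passwords in the saved config, PAP authentication, and the per-MAC and total session limits on the server. The script below is an added example, not part of the lab manual; it scans a saved IOS or PIX configuration (prompts stripped) for those settings and reports them. The two sample configs are constructed from the lab's commands.

```python
"""Audit a PPPoE server/client configuration for weak settings.

Added example for the PPPoE lab; not part of the lab manual. Scans a
saved IOS or PIX configuration (prompts stripped) for: type-0 cleartext
passwords, PAP authentication, one password shared by several accounts,
and a bba-group that sets no session limits.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: the lab's PPPoE server config as `show running-config`
# would print it (sub-mode lines indented by one space).
SAMPLE_SERVER_CONFIG = """\
aaa new-model
aaa authentication ppp default local
vpdn enable
username 131001 password 0 123qwe!
username 131002 password 0 123qwe!
bba-group pppoe global
 virtual-template 1
 sessions max limit 300
 sessions per-mac limit 1
interface Virtual-Template1
 ip address 61.187.191.254 255.255.255.0
 peer default ip address pool vpnpool
 ppp authentication pap
ip local pool vpnpool 61.187.191.1 61.187.191.100
"""

# Constructed sample: a bba-group that sets no session limits at all.
SAMPLE_UNLIMITED_BBA = """\
bba-group pppoe global
 virtual-template 1
"""

PASSWORD0_RE = re.compile(r"\bpassword 0 \S+")
USERNAME_RE = re.compile(r"^username (\S+) password 0 (\S+)")
PAP_RE = re.compile(r"\bppp authentication pap\b")


def finding(severity: str, line: str, issue: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "issue": issue}


def audit_pppoe_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weak setting found in `config`."""
    findings: List[Dict[str, str]] = []
    users_by_password: Dict[str, List[str]] = defaultdict(list)
    saw_bba_group = in_bba_group = False
    has_max_limit = has_per_mac_limit = False

    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        # IOS indents sub-mode lines; an unindented line ends the bba-group block.
        if not raw.startswith(" "):
            in_bba_group = stripped.startswith("bba-group ")
            saw_bba_group |= in_bba_group
        elif in_bba_group:
            has_max_limit |= stripped.startswith("sessions max limit")
            has_per_mac_limit |= stripped.startswith("sessions per-mac limit")

        # `password 0` keeps the secret in cleartext: every copy of the config
        # (TFTP backup, `show run` on the console) discloses it.
        if PASSWORD0_RE.search(stripped):
            findings.append(finding("high", stripped, "cleartext (type 0) password in config"))
        m = USERNAME_RE.match(stripped)
        if m:
            users_by_password[m.group(2)].append(m.group(1))
        # PAP carries the username and password unencrypted over the PPPoE
        # segment, so any host on that Ethernet segment can read them.
        if PAP_RE.search(stripped):
            findings.append(finding("medium", stripped, "PAP authentication sends credentials in cleartext"))

    for users in users_by_password.values():
        if len(users) > 1:
            findings.append(finding("medium", "username " + " / ".join(users),
                                    "one password shared by %d accounts" % len(users)))
    if saw_bba_group:
        if not has_max_limit:
            findings.append(finding("low", "bba-group", "no `sessions max limit`: unbounded PPPoE sessions"))
        if not has_per_mac_limit:
            findings.append(finding("low", "bba-group", "no `sessions per-mac limit`: one host may open many sessions"))
    return findings


def count_by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings as {severity: count}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in audit_pppoe_config(SAMPLE_SERVER_CONFIG):
        print("[%s] %s  <- %s" % (f["severity"], f["issue"], f["line"]))
```

Run against the server config from the lab it reports the two `password 0` lines, the PAP line, and the fact that both users share `123qwe!`; the second sample shows the bba-group limit checks firing when `sessions max limit` and `sessions per-mac limit` are absent. The PIX client's `vpdn group pppoe ppp authentication pap` line is matched by the same PAP pattern.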
Lab 13: OSPF Routing Protocol
I. Lab objectives
1. Understand the OSPF routing protocol on the PIX firewall.
2. Use object-groups to NAT transit traffic.
II. Key points
1. Master the advanced PIX firewall configuration commands.
2. The PIX can inject a default route into internal or external RIP.
III. Lab equipment
1. GNS3 tool; two Cisco 3600 routers.
2. One Cisco PIX804; two real PCs.
IV. Lab environment
Use tftp-server to restore the PIX firewall's basic configuration.
V. Lab steps
1: Basic OSPF lab
LAN router:
LAN(config)#no ip route 0.0.0.0 0.0.0.0 10.0.1.1
LAN(config)#router ospf 1
LAN(config-router)#network 10.0.2.0 0.0.0.255 area 0
LAN(config-router)#network 10.0.1.0 0.0.0.255 area 0
LAN(config-router)#
WAN router:
WAN(config)#no ip route 0.0.0.0 0.0.0.0 220.171.1.2
WAN(config)#router ospf 1
WAN(config-router)#network 220.171.1.0 0.0.0.255 area 0
WAN(config-router)#network 192.168.1.0 0.0.0.255 area 0
WAN(config-router)#end
WAN#
PIX firewall:
PIX(config)# router ospf 1
PIX(config-router)# network 10.0.1.0 255.255.255.0 area 0 //note: the PIX takes a normal subnet mask here, not a wildcard mask
PIX(config-router)# network 172.16.1.0 255.255.255.0 area 0
PIX(config-router)# network 220.171.1.0 255.255.255.0 area 0
PIX(config-router)#
PIX(config)# show ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1     1     FULL/DR         0:00:37     192.168.1.1     outside
10.0.2.1        1     FULL/DR         0:00:39     10.0.1.2        inside

PIX(config)# show ospf

 Routing Process
 Supports only single TOS(TOS0) routes
 Does not support opaque LSA
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x 0
 Number of opaque AS LSA 0. Checksum Sum 0x 0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
...
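The two `show` commands above are what you check to confirm the lab worked: each expected neighbor should be `FULL` on the right interface, and the `Area has no authentication` line tells you that area 0 currently accepts OSPF from any router on those segments. The script below is an added example, not part of the lab manual; it parses both outputs (constructed here from the lab's own output) so the check can be repeated after each configuration change, and the expected-neighbor map is an assumption taken from the lab topology.

```python
"""Parse PIX `show ospf neighbor` / `show ospf` output and check adjacencies.

Added example; not part of the lab manual. Reports neighbors that are
missing, unexpected, or not FULL, and lists areas without authentication.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the `show ospf neighbor` output from the lab.
SAMPLE_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1     1     FULL/DR         0:00:37     192.168.1.1     outside
10.0.2.1        1     FULL/DR         0:00:39     10.0.1.2        inside
"""

# Constructed sample: the tail of the lab's `show ospf` output.
SAMPLE_SHOW_OSPF = """\
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
"""

# Assumption from the lab topology: which router ID should be adjacent on
# which PIX interface.
EXPECTED_NEIGHBORS = {"outside": "192.168.1.1", "inside": "10.0.2.1"}


class Neighbor(NamedTuple):
    router_id: str
    priority: int
    state: str
    dead_time: str
    address: str
    interface: str


NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>\d+:\d+:\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$")
AREA_RE = re.compile(r"^\s*Area (\S+)\s*$")


def parse_neighbors(output: str) -> List[Neighbor]:
    """One Neighbor per data row; the header line does not match the pattern."""
    neighbors = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors.append(Neighbor(m["rid"], int(m["pri"]), m["state"],
                                      m["dead"], m["addr"], m["iface"]))
    return neighbors


def check_adjacencies(neighbors: List[Neighbor], expected: Dict[str, str]) -> List[str]:
    """Compare the neighbor table against {interface: expected router ID}."""
    problems = []
    seen = {n.interface: n for n in neighbors}
    for iface, rid in expected.items():
        n = seen.get(iface)
        if n is None:
            problems.append("%s: no OSPF neighbor (expected %s)" % (iface, rid))
        elif n.router_id != rid:
            problems.append("%s: unexpected neighbor %s (expected %s)" % (iface, n.router_id, rid))
        elif not n.state.startswith("FULL"):
            problems.append("%s: neighbor %s is %s, not FULL" % (iface, rid, n.state))
    # A neighbor on an interface we did not plan for deserves a look too.
    for n in neighbors:
        if n.interface not in expected:
            problems.append("%s: unplanned neighbor %s" % (n.interface, n.router_id))
    return problems


def unauthenticated_areas(show_ospf: str) -> List[str]:
    """Area names whose block contains 'Area has no authentication'."""
    areas, current = [], None
    for line in show_ospf.splitlines():
        m = AREA_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip() == "Area has no authentication":
            areas.append(current)
    return areas


if __name__ == "__main__":
    nbrs = parse_neighbors(SAMPLE_NEIGHBORS)
    print("adjacency problems:", check_adjacencies(nbrs, EXPECTED_NEIGHBORS) or "none")
    print("areas without authentication:", unauthenticated_areas(SAMPLE_SHOW_OSPF))
```

With the lab's output both adjacencies pass and `BACKBONE(0)` is reported as unauthenticated; adding an interface to `EXPECTED_NEIGHBORS` that has no neighbor yet (for example a planned DMZ peer) produces a "no OSPF neighbor" problem until the adjacency comes up.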
Once OSPF is configured on the routers and the PIX firewall, both the LAN and WAN routers learn the routes.
For example, on the LAN router:
O    172.16.1.0 [110/11] via 10.0.1.1, 00:17:36, FastEthernet0/0
     172.26.0.0/24 is subnetted, 1 subnets
O       172.26.26.0 [110/12] via 10.0.1.1, 00:17:36, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, FastEthernet0/1
C       10.0.1.0 is directly connected, FastEthernet0/0
O    192.168.1.0/24 [110/11] via 10.0.1.1, 00:17:36, FastEthernet0/0
LAN#
2: Use OSPF to redistribute the 10.0.2.0 route
LAN(config)#router ospf 1
LAN(config-router)#no network 10.0.2.0 0.0.0.255 area 0 //remove OSPF from fa0/1