PIX(config)# route inside 10.0.2.0 255.255.255.0 10.0.1.2     /// static route to 10.0.2.0 entered by hand ///
PIX(config)# show route
        1.0.0.0 255.255.255.255 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via lan, 0:02:09, inside
        172.16.0.0 255.255.255.0 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, dmz
        172.26.0.0 255.255.255.0 is subnetted, 1 subnets
O       172.26.26.0 [110/11] via wan, 0:02:09, outside
        10.0.0.0 255.255.255.0 is subnetted, 2 subnets
S       10.0.2.0 [1/0] via lan, inside
C       10.0.1.0 is directly connected, inside
C       192.168.1.0 255.255.255.0 is directly connected, outside
PIX(config)# access-list kkk permit host 10.0.2.0     /// "host 10.0.2.0" here matches the static route's prefix 10.0.2.0 exactly, it is not a host address ///
PIX(config)# route-map kkk
PIX(config-route-map)# match ip address kkk
PIX(config-route-map)# exit
PIX(config)# router ospf 1
PIX(config-router)# redistribute static metric 64 route-map kkk subnets     /// only static routes matched by the route-map are redistributed, as external routes with metric 64 ///
PIX(config-router)# exit
PIX(config)#
On the WAN router the redistributed route then appears as an OSPF external type-2 (E2) route with the metric 64 set above:
WAN#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/12] via 192.168.1.2, 00:03:47, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
O       172.16.1.0 [110/11] via 192.168.1.2, 00:03:47, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O E2    10.0.2.0 [110/64] via 192.168.1.2, 00:03:47, FastEthernet0/0
O       10.0.1.0 [110/11] via 192.168.1.2, 00:03:47, FastEthernet0/0
WAN#
3: Configure area authentication (OSPF MD5)
On the LAN router:
LAN(config)#router ospf 1
LAN(config-router)#area 0 authentication message-digest      /// enable MD5 authentication for area 0 ///
LAN(config-router)#interface fa0/0
LAN(config-if)#ip ospf message-digest-key 1 md5 cisco         /// per-interface key: key ID 1, secret "cisco" ///
LAN(config-if)#
On the WAN router:
WAN(config)#router ospf 1
WAN(config-router)#area 0 authentication message-digest      /// enable MD5 authentication for area 0 ///
WAN(config-router)#interface fa0/0
WAN(config-if)#ip ospf message-digest-key 1 md5 cisco         /// per-interface key: key ID 1, secret "cisco" ///
WAN(config-if)#
On the PIX firewall:
PIX(config)# router ospf 1
PIX(config-router)# area 0 authentication message-digest     /// enable MD5 authentication for area 0 ///
PIX(config-router)# routing interface inside
PIX(config-routing)# ospf message-digest-key 1 md5 cisco     /// OSPF authentication on this interface: key ID 1, MD5 secret "cisco" ///
PIX(config-routing)# exit
PIX(config)# routing interface outside
PIX(config-routing)# ospf message-digest-key 1 md5 cisco
PIX(config-routing)# exit
PIX(config)#
The key ID and the secret must be identical on every router attached to the same link; a neighbor with a different key ID or secret fails authentication and no adjacency forms. MD5 authentication proves that a packet came from a holder of the key and was not modified in transit; it does not encrypt the routing information.
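The `message-digest` authentication configured above is the cryptographic authentication of RFC 2328 Appendix D. The following Python is an added example, not code from the lab or from Cisco: it builds an OSPF hello carrying key ID 1, signs it with the secret "cisco" the way the routers do (MD5 over the packet followed by the key padded to 16 bytes, digest appended after the packet), and shows what the receiving side rejects: a wrong secret, a key ID it does not have, a modified packet, and a replayed (older) sequence number. The hello body values and the use of router ID 1.1.1.1 as the sender are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example (not part of the lab): OSPFv2 cryptographic authentication as
# defined in RFC 2328 Appendix D. This is what `area 0 authentication
# message-digest` plus `ospf message-digest-key 1 md5 cisco` put on the wire:
# the packet is followed by MD5(packet || key padded to 16 bytes); the header
# carries the key ID and a sequence number instead of the secret.

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2      # AuType 2 = cryptographic authentication
HDR_LEN = 24           # 16-byte OSPF header + 8-byte authentication field
DIGEST_LEN = 16        # MD5 output, carried in the header as "Auth Data Len"


def pad_key(key: bytes) -> bytes:
    """The secret is right-padded with zeros to 16 bytes (RFC 2328 D.4.3)."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id: int, area_id: int, key_id: int, seq: int, body: bytes) -> bytes:
    """OSPF header + body. With AuType 2 the checksum field is zero and the
    authentication field is: 0 (2 bytes), Key ID (1), Auth Data Len (1), Seq (4)."""
    length = HDR_LEN + len(body)               # packet length excludes the digest
    hdr = struct.pack("!BBHIIHH", OSPF_VERSION, OSPF_HELLO, length,
                      router_id, area_id, 0, AUTYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return hdr + auth + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender: append MD5(packet || padded key) after the OSPF packet."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(frame: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver: check framing, key ID, sequence number and digest.
    keys maps key ID -> secret; last_seq maps router ID -> highest seq accepted."""
    if len(frame) < HDR_LEN + DIGEST_LEN:
        return False
    ver, _, length, router_id, _, csum, autype = struct.unpack("!BBHIIHH", frame[:16])
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if ver != OSPF_VERSION or autype != AUTYPE_CRYPTO or csum != 0:
        return False
    if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False
    if key_id not in keys:                     # unknown key ID: drop, as a router would
        return False
    if seq < last_seq.get(router_id, 0):       # replayed or out-of-order packet
        return False
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False
    last_seq[router_id] = seq
    return True


def demo() -> dict:
    """Constructed hello from the LAN router (router ID 1.1.1.1, as in the
    routing table above) as received by the PIX on its inside interface."""
    key = b"cisco"                             # the lab's `message-digest-key 1 md5 cisco`
    lan_rid = 0x01010101                       # 1.1.1.1
    # Hello body (constructed): mask 255.255.255.0, hello 10 s, options 0,
    # priority 1, dead 40 s, DR 0.0.0.0, BDR 0.0.0.0, no neighbors listed.
    hello = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0, 1, 40, b"\0" * 4, b"\0" * 4)
    pix_keys, pix_state = {1: key}, {}
    good = sign(build_packet(lan_rid, 0, 1, 100, hello), key)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])             # flip one digest bit
    replay = sign(build_packet(lan_rid, 0, 1, 99, hello), key)  # older sequence number
    results = {}
    results["good"] = verify(good, pix_keys, pix_state)
    results["wrong_key"] = verify(good, {1: b"cisco1"}, {})     # mismatched secret
    results["wrong_key_id"] = verify(good, {2: key}, {})        # key ID 2 configured, 1 sent
    results["tampered"] = verify(tampered, pix_keys, {})
    results["replay"] = verify(replay, pix_keys, pix_state)     # after seq 100 was accepted
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} accepted={ok}")
```

Only the digest travels on the wire, so a neighbor without the secret cannot produce an acceptable packet, but anyone on the link can still read the routing information: this is integrity and origin checking, not confidentiality. The sequence-number check is kept per sending router ID and rejects only packets older than the last accepted one, which is what stops a captured hello from being replayed later.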
4: Use object-groups to handle NAT for the traffic crossing the firewall
object-group network IN
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.1.0 255.255.255.0
object-group network OUT
 network-object 192.168.1.0 255.255.255.0
 network-object 172.26.0.0 255.255.0.0
object-group icmp-type ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
access-list kkk permit ip object-group IN object-group OUT
nat (inside) 0 access-list kkk         /// NAT exemption: traffic from IN to OUT crosses the firewall untranslated ///
access-list ccc permit icmp object-group OUT object-group IN object-group ICMP
access-group ccc in interface outside   /// allow echo, echo-reply and unreachable from the OUT networks to the IN networks inbound on outside ///
Note that the ACL name kkk is the one the route-map in the previous step matches against; adding this entry to the same ACL also changes what that route-map matches, so in practice give the NAT-exemption ACL its own name. Also, because the ICMP object-group includes echo, ACL ccc lets hosts on the OUT networks initiate pings to the IN networks, not only answer them.
Experiment 14: Comprehensive experiment, firewall part
Lab requirements:
1. Use the firewall to separate the inside, outside and DMZ zones.
2. Configure static routes on the firewall.
3. Configure NAT on the firewall so that the inside network can reach the outside.
4. Allow outside hosts to reach the web server in the DMZ.
5. Configure traffic limiting on the firewall.
Lab topology: [diagram not reproduced in this text]
Lab steps:
1. Separate inside, outside and DMZ with the firewall; configure interface IP addresses and security levels.
pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# nameif outside              /// name the interface ///
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# security-level 0             /// outside already defaults to 0 ///
pixfirewall(config-if)# ip address 202.101.1.1 255.255.255.0
pixfirewall(config-if)# no shut
pixfirewall(config)# int e1
pixfirewall(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pixfirewall(config-if)# security-level 50            /// 50 is the usual choice for a DMZ ///
pixfirewall(config-if)# ip add 10.1.1.1 255.255.255.0
pixfirewall(config-if)# no shut                      /// bring the interface up, as for the other two ///
pixfirewall(config)# int e2
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# security-level 100           /// inside defaults to 100 ///
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# no shut
After assigning the addresses, ping each directly connected neighbor. A failure at this point is a layer-1/2 problem (cabling, interface state), not a policy problem, so fix it before touching ACLs or NAT.
pixfirewall# ping 202.101.1.2                /// R1 on the outside ///
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.101.1.2, timeout is 2 seconds:
!!!!!
pixfirewall# ping 10.1.1.2                   /// DMZ host ///
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
pixfirewall# ping 192.168.0.10               /// inside host ///
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
!!!!!
pixfirewall(config)# access-list dmz permit icmp any any      /// allow ICMP from DMZ hosts through the firewall ///
pixfirewall(config)# access-group dmz in interface dmz        /// apply the ACL inbound on the dmz interface ///
This is needed because the PIX does not track ICMP statefully unless `inspect icmp` is enabled: the echo request from inside to the DMZ is allowed by the security levels, but the echo-reply coming back in on the lower-security dmz interface is dropped unless an ACL permits it. `permit icmp any any` also lets DMZ hosts initiate ICMP toward the inside, which is more than the ping test needs; permitting only echo-reply, as done for the outside interface below, is the tighter choice.
R3#ping 10.1.1.2                                              /// test from R3: ping the DMZ host ///
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
OK, it works.
pixfirewall(config)# access-list outside permit icmp any any echo-reply   /// likewise allow ICMP replies back in on the outside interface. Replies only! Otherwise the outside could send ICMP into your inside network. ///
pixfirewall(config)# access-group outside in interface outside           /// apply on the interface ///
R3#ping 202.101.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.101.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/45/112 ms
2. Static route configuration on the firewall
pixfirewall(config)# route dmz 2.2.2.0 255.255.255.0 10.1.1.2 1
dmz: the interface through which the destination is reached.
2.2.2.0 255.255.255.0: the destination network.
10.1.1.2: the address of the next router, i.e. the next hop.
1: [metric], the route's cost; the default is 1.
R3#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/45/104 ms
R3#
3. NAT on the firewall so that the inside network can reach the outside.
pixfirewall(config)# nat (inside) 1 0 0               /// all inside hosts ///
pixfirewall(config)# global (outside) 1 interface     /// PAT on the outside interface address ///
INFO: outside interface address added to PAT pool
Syntax of the nat command: nat (if_name) nat_id local_ip [netmask], where:
(if_name): the interface name, normally inside.
nat_id: identifies the address pool, which is defined by the global command with the same ID.
local_ip: the inside addresses to translate; 0.0.0.0 (or 0) means all inside hosts.
[netmask]: the subnet mask of the inside addresses.
global defines the pool of public addresses. Syntax: global (if_name) nat_id ip_address-ip_address [netmask global_mask], where:
(if_name): the outside interface name, normally outside.
nat_id: the pool identifier that the nat command refers to.
ip_address-ip_address: a range of public addresses; the keyword interface, as used above, means PAT on the interface's own address instead.
[netmask global_mask]: the network mask of the global addresses.
R3#ping 202.101.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.101.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/124 ms
The translation table shows the inside host 192.168.0.10 being PATed to the outside interface address:
pixfirewall(config)# sh xlate
1 in use, 1 most used
PAT Global 202.101.1.1(20380) Local 192.168.0.10 ICMP id 21
pixfirewall(config)#
4. Let outside hosts reach the web server in the DMZ: configure a static (reverse) NAT on the firewall.
pixfirewall(config)# access-list 100 permit tcp any host 202.101.1.1 eq 80     /// allow the outside to reach port 80 of the published address ///
pixfirewall(config)# access-group 100 in interface outside
pixfirewall(config)# static (dmz,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255
/// publish the DMZ web server on the outside interface address ///
The web server 10.1.1.2 sits behind the dmz interface, so the static must name (dmz,outside), not (inside,outside); the keyword is netmask. Note also that only one ACL can be applied inbound on an interface: access-group 100 in interface outside replaces the ACL "outside" applied in step 1, so its permit icmp any any echo-reply entry must be added to ACL 100 (or the web rule added to ACL "outside") if inside hosts are still to receive ping replies from the outside.
5. Traffic limiting on the firewall.
pixfirewall(config)# priority-queue outside
pixfirewall(config-priority-queue)# queue-limit 512
queue-limit 512 sets the depth of the outside interface's priority queue to 512 packets, i.e. how many packets the queue holds before it starts dropping; it is not a bandwidth limit of 512 kb/s. An actual rate limit on PIX 7.x is configured with the police action under a class in a policy-map, applied to the interface with service-policy.
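The policy decisions made in steps 1 to 4 can be checked offline against a small model of how the PIX treats a new connection. The following Python is an added example, not the lab's or Cisco's code: it encodes the lab's interface security levels, the static route, the published web server and the ACLs, and evaluates constructed packets. Outbound PAT from step 3 is not modelled (addresses are compared before translation); the published web server is handled by mapping the outside address and port 80 back to the dmz interface; step 5 is out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not part of the lab: a model of the PIX forwarding decision for
# a new connection. Rules: (1) with no access-group on the ingress interface,
# traffic passes only from a higher security level to a lower one; (2) once an
# inbound ACL is applied, the ACL alone decides, with an implicit deny at the
# end; (3) one inbound ACL per interface, a later access-group replaces it.

ANY = ipaddress.ip_network("0.0.0.0/0")

def pkt(proto: str, src: str, dst: str, **extra) -> dict:
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), **extra}

@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None          # tcp/udp destination port
    icmp_type: Optional[str] = None      # e.g. "echo-reply"

    def matches(self, p: dict) -> bool:
        if self.proto != "ip" and self.proto != p["proto"]:
            return False
        if p["src"] not in self.src or p["dst"] not in self.dst:
            return False
        if self.dport is not None and p.get("dport") != self.dport:
            return False
        return self.icmp_type is None or p.get("icmp_type") == self.icmp_type

class Pix:
    def __init__(self):
        self.levels, self.routes = {}, []      # nameif -> level; (network, nameif)
        self.statics, self.acls, self.groups = {}, {}, {}

    def interface(self, nameif: str, level: int, addr: str):
        self.levels[nameif] = level
        self.routes.append((ipaddress.ip_interface(addr).network, nameif))

    def route(self, nameif: str, net: str):
        self.routes.append((ipaddress.ip_network(net), nameif))

    def static(self, real_if: str, mapped_ip: str, port: int):
        """static (real_if,outside) tcp mapped_ip port real_ip port"""
        self.statics[(ipaddress.ip_address(mapped_ip), port)] = real_if

    def access_list(self, name: str, ace: Ace):
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, name: str, nameif: str):
        self.groups[nameif] = name             # rule 3: replaces the previous ACL

    def egress(self, p: dict) -> Optional[str]:
        if (p["dst"], p.get("dport")) in self.statics:   # un-NAT a published port
            return self.statics[(p["dst"], p.get("dport"))]
        best = max((r for r in self.routes if p["dst"] in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def permit(self, ingress: str, p: dict) -> bool:
        out = self.egress(p)
        if out is None or out == ingress:
            return False
        acl = self.groups.get(ingress)
        if acl is None:                                  # rule 1
            return self.levels[ingress] > self.levels[out]
        for ace in self.acls.get(acl, []):               # rule 2, first match wins
            if ace.matches(p):
                return ace.action == "permit"
        return False

def lab() -> dict:
    """Steps 1 to 4 of the experiment with the lab's addresses and names."""
    pix = Pix()
    pix.interface("outside", 0, "202.101.1.1/24")
    pix.interface("dmz", 50, "10.1.1.1/24")
    pix.interface("inside", 100, "192.168.0.1/24")
    pix.route("dmz", "2.2.2.0/24")                                        # step 2
    pix.access_list("dmz", Ace("permit", "icmp"))                         # step 1
    pix.access_group("dmz", "dmz")
    pix.access_list("outside", Ace("permit", "icmp", icmp_type="echo-reply"))
    pix.access_group("outside", "outside")
    r = {
        "inside_ping_outside": pix.permit("inside", pkt("icmp", "192.168.0.10", "202.101.1.2", icmp_type="echo")),
        "inside_ping_2.2.2.2": pix.permit("inside", pkt("icmp", "192.168.0.10", "2.2.2.2", icmp_type="echo")),
        "reply_from_outside": pix.permit("outside", pkt("icmp", "202.101.1.2", "192.168.0.10", icmp_type="echo-reply")),
        "outside_ping_inside": pix.permit("outside", pkt("icmp", "202.101.1.2", "192.168.0.10", icmp_type="echo")),
        "dmz_ping_inside": pix.permit("dmz", pkt("icmp", "10.1.1.2", "192.168.0.10", icmp_type="echo")),
        "dmz_ssh_inside": pix.permit("dmz", pkt("tcp", "10.1.1.2", "192.168.0.10", dport=22)),
    }
    pix.static("dmz", "202.101.1.1", 80)                                  # step 4
    pix.access_list("100", Ace("permit", "tcp", dst=ipaddress.ip_network("202.101.1.1/32"), dport=80))
    pix.access_group("100", "outside")               # replaces ACL "outside"
    r["outside_to_dmz_web"] = pix.permit("outside", pkt("tcp", "202.101.1.2", "202.101.1.1", dport=80))
    r["reply_from_outside_after_step4"] = pix.permit("outside", pkt("icmp", "202.101.1.2", "192.168.0.10", icmp_type="echo-reply"))
    return r
```

Two of the results are exactly the points a reviewer raises on this lab: `permit icmp any any` inbound on dmz lets a DMZ host initiate pings into the inside (`dmz_ping_inside` is True), and applying ACL 100 on outside in step 4 silently discards the echo-reply permit from step 1 (`reply_from_outside_after_step4` is False), while the published web server is reachable as intended.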