Basic firewall configuration
I. Lab topology
Topology as recovered from the configurations below: FW4 is a PIX-525 with three interfaces in use. R1 (192.168.1.1, Loopback0 192.168.10.0/24, OSPF area 0) connects to e0/inside (192.168.1.2, security level 100); R2 (192.168.2.1, Loopback0 192.168.20.0/24, static routing) connects to e2/outside (192.168.2.2, level 0); R3 (192.168.3.1, Ethernet1/1 192.168.30.0/24, RIPv2) connects to e3/dmz (192.168.3.2, level 50).
II. Lab steps
1. Check the software version and license
FW4(config)# sh ver
Cisco PIX Security Appliance Software Version 8.0(3)19
Compiled on Mon 16-Jun-08 11:30 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
FW4 up 23 mins 31 secs
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 0000.abea.1d00, irq 9
1: Ext: Ethernet1 : address is 0000.abcd.ef01, irq 11
2: Ext: Ethernet2 : address is 0000.abea.1d02, irq 11
3: Ext: Ethernet3 : address is 0000.abea.1d03, irq 11
4: Ext: Ethernet4 : address is 0000.abcd.ef04, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 807211225
Running Activation Key: 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57
Configuration last modified by enable_15 at 07:46:44.561 UTC Wed Oct 10 2012
2. Basic firewall configuration (interfaces, names and security levels)
FW4(config)# int e0
FW4(config-if)# ip add 192.168.1.2 255.255.255.0
FW4(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW4(config-if)# no shu
FW4(config-if)# int e2
FW4(config-if)# ip add 192.168.2.2 255.255.255.0
FW4(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW4(config-if)# no shu
FW4(config-if)# int e3
FW4(config-if)# ip add 192.168.3.2 255.255.255.0
FW4(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
FW4(config-if)# sec
FW4(config-if)# security-level 50
FW4(config-if)# no shu
FW4(config-if)# end
FW4# sh int ip bri
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.1.2 YES manual up up
Ethernet1 unassigned YES unset administratively down up
Ethernet2 192.168.2.2 YES manual up up
Ethernet3 192.168.3.2 YES manual up up
Ethernet4 unassigned YES unset administratively down up
3. Routing configuration
FW4(config)# router ospf 1
FW4(config-router)# router-id 4.4.4.4
FW4(config-router)# net 192.168.1.0 0.0.0.255 area 0
ERROR: OSPF: Invalid address/mask combination (discontiguous mask)
FW4(config-router)# net 192.168.1.0 255.255.255.0 area 0 // unlike IOS, the PIX network statement takes a subnet mask, not a wildcard mask
FW4(config-router)# default-information originate metric 1000 metric-type 1 // advertise a default route into OSPF as an external type 1 (E1) route with seed metric 1000 ①
FW4(config-router)# redistribute rip subnets // redistribute the RIP-learned routes (and the connected subnet enabled under RIP) into OSPF; with no metric or metric-type given they appear as E2 routes with the default seed metric 20 ②
FW4(config-router)# exi
FW4(config)# router rip
FW4(config-router)# ver 2
FW4(config-router)# no auto-summary
FW4(config-router)# net 192.168.3.0
FW4(config-router)# default-information originate // advertise a default route to the routers in the RIP domain ③
FW4(config-router)# redistribute ospf 1 metric 5 // redistribute the OSPF-learned routes (and the connected subnet enabled under OSPF) into RIP with metric 5 ④
FW4(config-router)# exi
FW4(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1 ⑤
Note: default-information originate configured on FW4 automatically injects a default route into the neighbouring routers (R1 via OSPF, R3 via RIP), and the receiving router installs it with FW4's address on the shared link as next hop, not FW4's own gateway 192.168.2.1.
Only routers in the routing domain of the process under which the command is entered receive that default route. For OSPF, without the always keyword, the default is advertised only while FW4 itself holds a default route, here the static route ⑤.
FW4# sh rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
R 192.168.30.0 255.255.255.0 [120/1] via 192.168.3.1, 0:00:02, dmz     learned from R3 over RIP, advertised on to R1 by ②
O 192.168.10.1 255.255.255.255 [110/11] via 192.168.1.1, 0:21:37, inside     learned from R1 over OSPF, advertised on to R3 by ④
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, outside
C 192.168.3.0 255.255.255.0 is directly connected, dmz
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside     corresponds to ⑤
Note: redistribution first carries a route into the target routing process, and from there on to the routers in that routing domain.
R1#sh ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
O E2 192.168.30.0/24 [110/20] via 192.168.1.2, 00:00:57, Ethernet1/0     why type 2? Corresponds to ②: redistribute rip subnets was given no metric-type, so the route is an E2 external with the default seed metric 20, and an E2 metric does not add the internal cost to the ASBR
C 192.168.10.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Ethernet1/0
O E2 192.168.3.0/24 [110/20] via 192.168.1.2, 00:22:46, Ethernet1/0     where does this come from? Also ②: 192.168.3.0/24 is FW4's connected dmz subnet and is enabled under RIP (network 192.168.3.0); redistributing a protocol also redistributes the connected subnets that protocol runs on
O*E1 0.0.0.0/0 [110/1010] via 192.168.1.2, 00:20:54, Ethernet1/0     corresponds to ①: seed metric 1000 plus the cost 10 of R1's link to FW4, because an E1 metric includes the internal cost
R3#sh ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.3.2 to network 0.0.0.0
C 192.168.30.0/24 is directly connected, Ethernet1/1
192.168.10.0/32 is subnetted, 1 subnets
R 192.168.10.1 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0     corresponds to ④ (the metric 5 is the seed set in redistribute ospf 1 metric 5)
R 192.168.1.0/24 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0     where does this come from? Also ④: 192.168.1.0/24 is FW4's connected inside subnet and is enabled under OSPF (network 192.168.1.0 255.255.255.0 area 0), so it is redistributed into RIP together with the OSPF-learned routes
C 192.168.3.0/24 is directly connected, Ethernet1/0
R* 0.0.0.0/0 [120/1] via 192.168.3.2, 00:00:15, Ethernet1/0     corresponds to ③
R2#sh ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
C 192.168.20.0/24 is directly connected, Loopback0
C 192.168.2.0/24 is directly connected, Ethernet1/0
S 192.168.0.0/16 [1/0] via 192.168.2.2
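As an added example (not from the original notes and not Cisco code), the following Python parses route lines in both formats shown above, the PIX's show route with the mask written out and the routers' IOS show ip route with a prefix length or a host route under an "is subnetted" header, and maps each learned route back to the FW4 command ①..⑤ that produced it. The seed metrics (1000 for the E1 default, 20 as the default E2 seed, 5 for OSPF into RIP) are taken from the FW4 configuration; the embedded sample table is R1's table from above with the hand annotations removed.

```python
"""Parse PIX 'show route' and IOS 'show ip route' lines and attribute each
learned route to the FW4 command (①..⑤) that produced it. Example code added
to these notes, not PIX/IOS output or Cisco code; the sample table is copied
from R1's routing table above, and the seed metrics come from FW4's config."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

OSPF_E1_SEED = 1000        # default-information originate metric 1000 metric-type 1 (①)
OSPF_E2_DEFAULT_SEED = 20  # default seed when 'redistribute rip subnets' has no metric (②)
RIP_REDIST_SEED = 5        # redistribute ospf 1 metric 5 (④)

# "R 192.168.30.0 255.255.255.0 [120/1] via 192.168.3.1, 0:00:02, dmz"     (PIX, mask)
# "O E2 192.168.30.0/24 [110/20] via 192.168.1.2, 00:00:57, Ethernet1/0"  (IOS, /len)
# "R 192.168.10.1 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0"         (IOS, subnetted)
_ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<default>\*)?\s?(?P<sub>E1|E2|IA|N1|N2|EX)?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+)|\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*\d+:\d+:\d+)?(?:,\s*(?P<iface>\S+))?")


@dataclass
class Route:
    proto: str
    sub: Optional[str]
    is_default: bool
    prefix: str
    plen: Optional[int]     # None for an IOS host route listed under an 'is subnetted' header
    ad: int
    metric: int
    next_hop: str
    iface: Optional[str]


def mask_to_plen(mask: str) -> int:
    """255.255.255.0 -> 24 (contiguous masks only, as the PIX itself insists)."""
    return sum(bin(int(o)).count("1") for o in mask.split("."))


def parse_route(line: str) -> Optional[Route]:
    """Route for a learned/static entry; None for connected routes and other
    lines without an [AD/metric] field."""
    m = _ROUTE_RE.match(line.strip())
    if not m:
        return None
    plen = int(m["plen"]) if m["plen"] else (mask_to_plen(m["mask"]) if m["mask"] else None)
    return Route(m["proto"], m["sub"], m["default"] == "*", m["prefix"], plen,
                 int(m["ad"]), int(m["metric"]), m["nh"], m["iface"])


def explain(r: Route) -> str:
    """Map a parsed route back to the FW4 command that created it."""
    if r.proto == "S":
        return "⑤ static default route" if r.is_default else "static route"
    if r.proto == "O":
        if r.sub == "E1" and r.is_default:
            return (f"① OSPF default-information originate metric-type 1: seed {OSPF_E1_SEED} "
                    f"+ internal cost {r.metric - OSPF_E1_SEED} (E1 adds the path cost)")
        if r.sub == "E2":
            return (f"② redistribute rip subnets: E2 with seed {r.metric} (default "
                    f"{OSPF_E2_DEFAULT_SEED}); E2 does not add the internal cost")
        return "OSPF internal route"
    if r.proto == "R":
        if r.is_default:
            return "③ RIP default-information originate"
        if r.metric == RIP_REDIST_SEED:
            return f"④ redistribute ospf 1 metric {RIP_REDIST_SEED}"
        return f"native RIP route, {r.metric} hop(s)"
    return "unclassified"


def attribute(table: str) -> Dict[str, str]:
    """prefix -> origin for every learned route in a pasted routing table."""
    out = {}
    for line in table.splitlines():
        r = parse_route(line)
        if r is not None:
            out[f"{r.prefix}/{r.plen if r.plen is not None else '?'}"] = explain(r)
    return out


# R1's table from above, with the hand annotations removed.
R1_TABLE = """\
O E2 192.168.30.0/24 [110/20] via 192.168.1.2, 00:00:57, Ethernet1/0
C 192.168.10.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Ethernet1/0
O E2 192.168.3.0/24 [110/20] via 192.168.1.2, 00:22:46, Ethernet1/0
O*E1 0.0.0.0/0 [110/1010] via 192.168.1.2, 00:20:54, Ethernet1/0
"""

if __name__ == "__main__":
    for prefix, origin in attribute(R1_TABLE).items():
        print(f"{prefix:18s} {origin}")
```

Running attribute over R1's table attributes both E2 routes to ② and the E1 default to ①; fed R3's table it attributes the [120/5] routes to ④ and the RIP default to ③, which is the mapping the annotations above use.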
Summary:
Redistribution: the process of telling one routing protocol the routes learned through another routing protocol.
Connectivity test:
R1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Some of these tests could be omitted: a ping needs both directions to pass, so once the first test fails, the corresponding reverse tests naturally fail too!!
Basic access rules of the PIX firewall
1) By default, a higher security level can access a lower security level zone
2) By default, a lower security level cannot access a higher security level zone
3) By default, interfaces with the same security level cannot access each other
4) By default, the firewall always checks the ACL before performing address translation
Question: why can R1 not ping R2 and R3 in this lab?
Is it because ping is bidirectional?
Answer: By default a higher security level may access a lower one, so R1's ICMP echo request is allowed out. The echo reply from the other side, however, is not allowed back in: by default a lower security level cannot reach a higher one, and ICMP is not tracked statefully unless ICMP inspection is enabled (see fixup protocol icmp below), so the reply is treated as a new low-to-high connection and dropped. For TCP and UDP the firewall does keep connection state, so return traffic for a connection opened from inside is permitted without any ACL.
Firewall ACLs
1 Higher security level accessing a lower security level
1) Let the firewall inspect ICMP
FW4(config)# fixup protocol icmp // nothing else is configured here, so echo replies matching an outbound request are passed on the connection state alone
INFO: converting 'fixup protocol icmp ' to MPF commands
When a packet is to pass through the firewall, the firewall first looks for an existing connection in its state table: a packet belonging to a tracked connection is passed without consulting any ACL, which is how return traffic for TCP and UDP (and for ICMP once ICMP inspection is on) gets back in. A packet that starts a new connection is checked against the ACL applied inbound on the interface it entered, if there is one, and forwarded or dropped according to the matching entry (with an implicit deny at the end). If no ACL is applied on that interface, the security-level default decides: a higher level may initiate to a lower level and a connection entry is created; a lower level towards a higher level is dropped.
2) Allow the ICMP return traffic with an ACL
FW4(config)# no fixup protocol icmp // ICMP inspection disabled; the return traffic now has to be permitted by an ACL
FW4(config)# access-list inside-outside extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply // allow ICMP echo replies from the 20 network to the 10 network
FW4(config)# access-group inside-outside in int outside // applied inbound on the outside interface. Why not on inside? "in interface outside" filters traffic entering the firewall on outside, which is where R2's echo replies arrive; applied inbound on inside the same ACL would filter R1's outgoing echo requests instead, and since it permits only echo-reply, its implicit deny would drop them. Applying it to inside and outside at the same time fails for the same reason.
With this configuration R1 can ping R2 -------- in the lab this did not work.... because the next access-group interfered, see the summary
FW4(config)# access-list dmz-outside extended permit icmp 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0 echo-reply
FW4(config)# access-group dmz-outside in int outside // does it have to be applied to this interface? Not to dmz? Yes, it must: the replies from R2 enter on outside, so only an ACL on outside sees them. But an interface carries only one inbound access-group, so this command replaces inside-outside on outside, which is why the R1 to R2 ping above stopped working. The fix is a single ACL on outside containing both echo-reply entries.
With this configuration R3 can ping R2 ------- in the lab this did not work at first.... after changing it, it worked....
2 Lower security level accessing a higher security level
FW4(config)# access-list dmz-inside extended permit icmp 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 // allow ICMP from the 30 network to the 10 network, i.e. both request and reply packets
FW4(config)# access-group dmz-inside in int dmz // applied inbound on dmz. Applied to inside it does not work: R3's echo requests enter the firewall on dmz, so only an ACL on dmz can permit them. R1's replies travel from inside (level 100) to dmz (level 50) and pass by the default high-to-low rule, or by the connection entry when ICMP inspection is on.
With this configuration R3 can ping R1
Note: which interface should an ACL be applied to??? The interface on which the traffic to be permitted or denied enters the firewall.
Doubt: with method 1) the higher security level can ping: R1 can ping R2 and R3, and R3 can ping R2, i.e. the returning reply packets pass through FW4; the reverse does not hold, the lower security level cannot reach the higher one, not even the first packet gets through. On top of this method, adding the third ACL above lets the lower level reach the higher level, i.e. R3 can ping R1.
With method 2) nothing worked any more (R1 cannot ping R2, R3 cannot ping R2)...... R1 can ping R3 and R3 can ping R1 (with the configuration of section 2 in place; without it neither works)
Now I understand.... these doubts came about because the ACL of section 2 was configured at the same time as the ones above, and they interfere!!!
Summary:
1) Do not apply different ACLs to the same interface in the same direction: the later access-group replaces the earlier one!!
2) Do not apply the same ACL to different interfaces: the ACL then takes effect on each of those interfaces at once, and its implicit deny drops everything else that enters there, which is the interference!!!
3) What is the difference between applying an ACL to one interface or another, and why is the effect different? An access-group "in interface X" is evaluated only against traffic entering the firewall on X, so the same ACL on inside, outside or dmz sees entirely different packets: on outside it sees R2's replies, on dmz R3's requests, on inside R1's requests.
When method 1) and the ACL of section 2 are used together, R3 cannot ping R2: the ACL on the dmz interface permits only R3 to R1, and its implicit deny drops R3's echo requests towards R2.... that is the interference!!!
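To make the behaviour summarised above concrete, here is an added Python model (example code, not Cisco's implementation and not part of the original notes) of the three decisions the PIX makes for each packet: existing connection first, then the ACL applied inbound on the ingress interface, then the security-level default. It uses the lab's interface names, levels and the ACL entries from this section; the host addresses R1=192.168.10.1, R2=192.168.20.1 and R3=192.168.30.1 are assumed from the /24 networks used in the ACLs. scenarios() replays the lab: the failing default case, method 1) with ICMP inspection, method 2) with the echo-reply ACL, the second access-group replacing the first on outside, the ACL applied to the wrong interface, the fix (one ACL on outside holding both entries), and the dmz-inside ACL blocking R3's pings to R2.

```python
"""Model of the PIX forwarding rules exercised in this lab: security levels,
one inbound access-group per interface, a connection table and optional ICMP
inspection (fixup protocol icmp). Example code added to these notes, not
Cisco's implementation. Interface names, levels and ACL entries are the lab's;
the hosts R1=192.168.10.1, R2=192.168.20.1, R3=192.168.30.1 are assumed."""
import ipaddress
from typing import Dict, List, Tuple

LEVELS = {"inside": 100, "outside": 0, "dmz": 50}              # nameif -> security-level
ROUTES = {"192.168.1.0/24": "inside", "192.168.10.0/24": "inside",
          "192.168.2.0/24": "outside", "192.168.20.0/24": "outside",
          "192.168.3.0/24": "dmz", "192.168.30.0/24": "dmz"}
R1, R2, R3 = "192.168.10.1", "192.168.20.1", "192.168.30.1"      # assumed host addresses
N10, N20, N30 = "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"


class Pix:
    def __init__(self):
        self.acls: Dict[str, List[tuple]] = {}   # name -> [(action, proto, src, dst, icmp_type)]
        self.groups: Dict[str, str] = {}         # ingress interface -> ACL applied "in"
        self.inspect_icmp = False                # fixup protocol icmp
        self.conns: set = set()                  # (proto, src, dst) of tracked flows

    def access_list(self, name, action, proto, src, dst, icmp_type=None):
        self.acls.setdefault(name, []).append(
            (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), icmp_type))

    def access_group(self, name, iface):
        self.groups[iface] = name  # ONE inbound ACL per interface: a second access-group replaces the first

    @staticmethod
    def _iface(ip: str) -> str:
        a = ipaddress.ip_address(ip)  # longest-prefix lookup of the interface reaching this address
        nets = [n for n in map(ipaddress.ip_network, ROUTES) if a in n]
        return ROUTES[str(max(nets, key=lambda n: n.prefixlen))]

    def _open(self, proto, src, dst):
        if proto != "icmp" or self.inspect_icmp:  # ICMP is tracked only when inspected
            self.conns.add((proto, src, dst))

    def forward(self, proto, src, dst, icmp_type=None) -> Tuple[bool, str]:
        ingress, egress = self._iface(src), self._iface(dst)
        if (proto, dst, src) in self.conns:        # 1. return traffic of a tracked flow
            if proto == "icmp":
                self.conns.discard((proto, dst, src))   # one reply closes an echo
            return True, "matches existing connection"
        acl = self.groups.get(ingress)             # 2. ACL applied inbound on ingress
        if acl is not None:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            for action, ap, asrc, adst, atype in self.acls[acl]:
                if ap in ("ip", proto) and s in asrc and d in adst and atype in (None, icmp_type):
                    if action == "permit":
                        self._open(proto, src, dst)
                    return action == "permit", f"{action} by {acl} on {ingress}"
            return False, f"implicit deny at end of {acl} on {ingress}"
        hi, lo = LEVELS[ingress], LEVELS[egress]   # 3. no ACL: security levels decide
        if hi > lo:
            self._open(proto, src, dst)
        verdict = "allowed" if hi > lo else "denied"
        return hi > lo, f"{ingress}({hi}) -> {egress}({lo}) {verdict} by security level"


def ping(fw: Pix, src: str, dst: str) -> Tuple[bool, List[str]]:
    """Echo request, then the echo reply if the request got through; both must pass."""
    ok, why = fw.forward("icmp", src, dst, "echo")
    if not ok:
        return False, [why]
    ok, why2 = fw.forward("icmp", dst, src, "echo-reply")
    return ok, [why, why2]


def scenarios() -> Dict[str, bool]:
    out, fw = {}, Pix()                              # nothing configured yet
    out["default R1->R2"] = ping(fw, R1, R2)[0]      # request leaves, reply is dropped
    fw.inspect_icmp = True                           # method 1): fixup protocol icmp
    out["inspect R1->R2"], out["inspect R3->R1"] = ping(fw, R1, R2)[0], ping(fw, R3, R1)[0]
    fw = Pix()                                       # method 2): no inspection, ACLs only
    fw.access_list("inside-outside", "permit", "icmp", N20, N10, "echo-reply")
    fw.access_group("inside-outside", "outside")
    out["acl R1->R2"] = ping(fw, R1, R2)[0]
    fw.access_list("dmz-outside", "permit", "icmp", N20, N30, "echo-reply")
    fw.access_group("dmz-outside", "outside")        # replaces inside-outside on outside!
    out["replaced R1->R2"], out["replaced R3->R2"] = ping(fw, R1, R2)[0], ping(fw, R3, R2)[0]
    fw.access_group("inside-outside", "inside")      # wrong interface: filters R1's own requests
    out["wrong-iface R1->R2"] = ping(fw, R1, R2)[0]
    fw = Pix()                                       # the fix: one ACL on outside with both entries
    fw.access_list("outside_in", "permit", "icmp", N20, N10, "echo-reply")
    fw.access_list("outside_in", "permit", "icmp", N20, N30, "echo-reply")
    fw.access_group("outside_in", "outside")
    out["fixed R1->R2"], out["fixed R3->R2"] = ping(fw, R1, R2)[0], ping(fw, R3, R2)[0]
    fw = Pix()                                       # method 1) plus the section-2 ACL on dmz
    fw.inspect_icmp = True
    fw.access_list("dmz-inside", "permit", "icmp", N30, N10)
    fw.access_group("dmz-inside", "dmz")
    out["dmz-acl R3->R1"], out["dmz-acl R3->R2"] = ping(fw, R3, R1)[0], ping(fw, R3, R2)[0]
    return out


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18s} {'ping OK' if ok else 'ping FAILS'}")
```

The reason strings returned by forward() show which of the three decisions dropped a packet; in the replayed lab every failure is either "denied by security level" on the reply (no ICMP state) or "implicit deny at end of ..." on the interface that ended up holding the wrong ACL.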
附:
FW4(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
FW4(config)# access-list inside-outside ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
Are the ACLs used above named ACLs? Yes: on this software every access-list is identified by a name (WORD, up to 241 characters), as the help output shows; a purely numeric identifier is simply treated as a name.
DHCP configuration
FW4(config)# dhcpd address 192.168.1.20-192.168.1.100 inside
FW4(config)# dhcpd dns 59.51.78.211
FW4(config)# dhcpd ?
configure mode commands/options:
address Configure the IP pool address range after this keyword
auto_config Enable auto configuration from client
dns Configure the IP addresses of the DNS servers after this
keyword
domain Configure DNS domain name after this keyword
enable Enable the DHCP server
lease Configure the DHCPD lease length after this keyword
option Configure options to pass to DHCP clients after this keyword
ping_timeout Configure ping timeout value after this keyword
update Configure dynamic updates
wins Configure the IP addresses of the NETBIOS servers after this
keyword
FW4(config)# dhcpd wins 192.168.20.1
FW4(config)# dhcpd lease 300
FW4(config)# dhcpd domain xunbo.cn
FW4(config)# dhcpd ping_timeout 750
FW4(config)# dhcpd enable inside
Test:
R1(config)#int e1/0
R1(config-if)#no ip add
R1(config-if)#
*Mar 1 00:46:45.039: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#ip addres dhcp
R1(config-if)#end
R1#sh
*Mar 1 00:47:01.399: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip i
*Mar 1 00:47:02.047: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.20, mask 255.255.255.0, hostname R1
R1#s
*Mar 1 00:47:41.527: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from LOADING to FULL, Loading Done
FW4(config)# sh dhcpd binding // works from privileged mode (FW4#) as well
IP address Hardware address Lease expiration Type
192.168.1.20 0063.6973.636f.2d63. 274 seconds Automatic
6330.302e.3034.3330.
2e30.3031.302d.4574.
312f.30
FW4(config)# sh dhcpd state
Context Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
Interface outside, Not Configured for DHCP
Interface dmz, Not Configured for DHCP
FW4(config)# sh dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools 1
Automatic bindings 1
Expired bindings 0
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 0
Configuring the firewall as a DHCP relay
FW4(config)# no dhcpd enable inside
FW4(config)# no dhcpd address 192.168.1.20-192.168.1.100 inside
R3(config)#ip dhcp pool R1
R3(dhcp-config)#net 192.168.1.0 255.255.255.0
% Ambiguous command: "net 192.168.1.0 255.255.255.0"
R3(dhcp-config)#network 192.168.1.0 255.255.255.0
FW4(config)# dhcprelay server 192.168.3.1 dmz // forward client requests to the DHCP server R3, reached through dmz
FW4(config)# dhcprelay enable inside // listen for DHCP requests arriving on inside
Test:
R1(config)#int e1/0
R1(config-if)#ip add dhcp
R1(config-if)#s
*Mar 1 01:03:09.295: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#shu
R1(config-if)#no shu
R1(config-if)#
*Mar 1 01:03:21.123: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
*Mar 1 01:03:22.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down
R1(config-if)#
*Mar 1 01:03:24.871: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
*Mar 1 01:03:25.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
R1(config-if)#
*Mar 1 01:03:26.391: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname R1
R1(config-if)#
*Mar 1 01:04:08.355: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from LOADING to FULL, Loading Done
Success!!
FW4# sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 3
DHCPREQUEST 8
DHCPDECLINE 0
DHCPRELEASE 3
DHCPINFORM 0
BOOTREPLY 0
DHCPOFFER 3
DHCPACK 8
DHCPNAK 0
FW4# sh dhcprelay state
Context Configured as DHCP Relay
Interface inside, Configured for DHCP RELAY SERVER
Interface outside, Not Configured for DHCP
Interface dmz, Configured for DHCP RELAY
Remote login (Telnet)
FW4(config)# telnet 0 0 inside // 0 0 = any source address with any mask: every host on inside may open a Telnet session
FW4(config)# passwd xunbo // the login password for Telnet (and SSH) sessions
FW4(config)# telnet timeout 60
Note: Telnet carries the password and the whole session in cleartext, and 0 0 opens the management plane to every inside host. Restrict the source to the management host or subnet, and outside a lab prefer SSH (crypto key generate rsa, then the ssh command in place of telnet). The PIX refuses Telnet on its lowest-security interface (outside) unless the session arrives inside an IPsec tunnel.
Test:
R1#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
FW4> en
Password:
FW4# conf t
FW4(config)#
Success!!
Logging
FW4(config)# logging host dmz 192.168.30.100 // syslog server behind dmz
WARNING: interface Ethernet3 security level is 50.
FW4(config)# logging trap 7 // send messages up to severity 7 (debugging) to the syslog host
FW4(config)# logging timestamp
FW4(config)# logging device-id hostname
FW4(config)# logging on
Note: the warning points out that the syslog host sits behind an interface less trusted than inside; syslog leaves the firewall as cleartext UDP 514, so the log contents are visible to whoever controls that segment. Severity 7 sends every debugging message, which on a busy firewall floods the collector and costs CPU; run level 6 (informational) in production, which still includes the connection built/teardown messages (level 6) and the ACL deny messages (level 4), and raise to 7 only while troubleshooting.