Network Security Forum, 2009-4-29 20:23:31, posted by gl5529004
Topic: How to set DMZ in pix 501 ?

I want to put a web server in the DMZ. Does anyone know the detailed commands? Newbie question, thanks.

Below is something I wrote several years ago; it is a basic introduction to the steps for configuring a PIX. Sharing it with you, though I don't know whether it is correct or fits your case, since I haven't touched Cisco gear for years. (If there are mistakes, don't tell me, I probably won't be working with it again.)

--------------------
<<Step by step for cisco PIX Firewall Configurations>>

<step1-before you begin>
.draw the network architecture
.list the security policy
.configure network routing
.check everything
.put the pix into the network architecture
.demo in the lab against the security policy

<step2-installing the pix firewall>

<step3-get a console terminal>
.9600/8/none/1/hardware

<step4-start configuring the pix firewall>
    firewall>enable                 / enter privileged mode
    firewall>password               / type the password
    firewall#>configure terminal    / enter terminal configuration mode
    firewall(config)#>              / the prompt now shows configuration mode
^^^ you can now configure the PIX Firewall

<step5-identify each interface>
.name interfaces.                                           / first give each interface a name
    firewall(config)#>
    nameif ethernet0 outside security0                      / outside interface
    nameif ethernet1 inside security100                     / inside interface
    nameif ethernet2 perimeter security50                   / perimeter (DMZ) interface
.identify IP address for pix firewall.                      / set the IP of each interface
    firewall(config)#>
    ip address outside 163.29.129.252 255.255.255.128       / outside IP
    ip address inside 192.168.1.3 255.255.255.0             / inside IP
    interface e0 auto                                       / enable e0
    interface e1 auto                                       / enable e1
    interface e2 auto                                       / enable e2

<step6-let users start connections>                         / general NAT mapping (for clients)
                                                            / used for high-security to low-security access
.associate a network with a pool of global IP addresses.    / first define the inside IPs to be NATed
    firewall(config)#>                                      / this NAT mapping uses id 1
    nat(inside) 1 0.0.0.0 0.0.0.0 0 0                       / NAT all inside IPs
    nat(inside) 1 192.168.1.0 255.255.255.0                 / NAT only the inside range 192.168.1.0, one class C
.create entries from a pool of global addresses.            / then define the outside IP pool for the NAT mapping
    firewall(config)#>
    global(outside) 1 163.29.129.129-163.29.129.250 netmask 255.255.255.128
                                                            / pool of outside IPs handed to the mapping:
                                                            / 163.29.129.129~250 are used for the inside IPs
^^^ Dynamic NAT done (nat and global must be used together)

<step7-create a default route>
.static route for specified interface.                      / set the default route of a specific interface
    firewall(config)#>
    route outside 0.0.0.0 0.0.0.0 163.29.129.254 1          / everything out this interface uses 163.29.129.254 as gateway

<step8-permit ping access>
    firewall(config)#>                                      / choose whether ping is allowed
    conduit permit icmp any any                             / allow ping from both inside and outside
^^^ Phase one complete. Test with the show commands and by pinging each PIX interface (and pinging the router from the PIX). Only continue to the next step when this works!
^^^ The high-security to low-security part of the firewall configuration is done; next is the low-security to high-security part.

<step9-add server access>
.map local IP address to a global IP address.               / specific NAT mapping (for servers)
    firewall(config)#>                                      / used for low-security to high-security access
    static(internal,external) global_ip local_ip
    static(inside,outside) 163.29.129.170 192.168.1.1 netmask 255.255.255.255
    static(inside,outside) 163.29.129.171 192.168.1.2 netmask 255.255.255.255
    static(inside,outside) 163.29.129.170 192.168.1.4 netmask 255.255.255.255
                                                            / each static needs its own global address
.add conduit through firewall for incoming connections.     / leave a "channel" for specific services
    firewall(config)#>
    conduit permit tcp host 163.29.129.170 eq www any       / channel for web server 163.29.129.170
    conduit permit tcp host 163.29.129.171 eq smtp any      / channel for outgoing mail on mail server 163.29.129.171
    conduit permit tcp host 163.29.129.171 eq pop3 any      / channel for incoming mail on mail server 163.29.129.171
    conduit permit tcp host 163.29.129.171 eq 23 host 203.74.223.38
                                                            / let 203.74.223.38 telnet to 163.29.129.171
^^^ static NAT done (static and conduit must be used together)
^^^ the specified servers can now serve the outside normally
^^^ Note!!! some services need two conduits to work (usually one TCP and one UDP)
.enable, change a pix firewall application protocol feature.
    firewall(config)#>                                      / the port a service uses can be changed, for safety!
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol sqlnet 1521

<step10-create access lists>
.create an access list for controlling Internet use.        / set up some packet filter actions
    firewall(config)#>
    outbound 1 deny 0.0.0.0 0.0.0.0 tcp
    outbound 1 permit 192.168.1.1 255.255.255.255
    outbound 1 permit 192.168.1.11 255.255.255.255
    outbound 1 permit 192.168.1.241 255.255.255.255
.apply outbound access list to IP address.                  / assign the packet filter above to an interface (inside or outside)
    firewall(config)#>                                      / and state whether destination or source IP/port is checked
    apply(inside) 1 outgoing_src
    apply(inside) 10 outgoing_dest
    apply(outside) 11 outgoing_src
    apply(outside) 21 outgoing_dest
^^^ the planned security policy is added (outbound and apply must be used together)

<step11-add telnet console access>
.allow access to the pix console over telnet                / set the IP allowed to telnet to the PIX Firewall, and the password
    firewall(config)#>
    telnet 192.168.1.11 255.255.255.255
    passwd xxxxxxx
^^^ a convenient back door for MIS

<step12-check the configuration>
.view the current configuration                             / confirm again that the settings are correct
    firewall#>write terminal

<step13-store the image in flash memory and reboot>
.write to memory and reload                                 / save to flash memory and reboot
    firewall#>write memory
    firewall#>reload
^^^ don't forget this step, otherwise none of the steps above take effect!!!

<Troubleshooting:>                                          / some commands for viewing the settings
.show ip address
.show nat
.show global
.show route

<Advanced configuration>
.enable syslog                                              / turn on syslog error notification
1.enable the syslog facility                                / enter syslog configuration
    >logging on
2.specify a host to receive the syslog messages             / set the host that receives the notifications
    >logging host inside ip_address
3.set the syslog message facility to 20 (default)           / set the syslog facility number
    >logging facility 20
4.instruct it to send messages                              / start sending notifications
    >logging trap warnings
5.test it                                                   / check that notification works
    >show logging
.add user authentication                                    / user authentication
1.for inbound authentication, static and conduit statements are required to permit outside hosts to access servers on the inside network.
                                                            / use static and conduit to allow outside hosts access
2.specify which server handles authentication or authorization with the radius-server or tacacs-server commands.
                                                            / use radius-server or tacacs-server to specify the server that authenticates
3.enable authentication with the aaa authentication command.
                                                            / use aaa authentication to turn on authentication against the server
    >aaa authentication any outbound 0 0 0 0 tacacs+
    >aaa authentication any inbound 0 0 0 0 tacacs+
4.enable authorization with the aaa authorization command.
                                                            / use aaa authorization to turn on authorization
    >aaa authorization any outbound 0 0 0 0 tacacs+
    >aaa authorization any inbound 0 0 0 0 tacacs+

--------------------
The 501 only has two interfaces, right? One inside, one outside...
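The write-up above keeps repeating one rule: nat pairs with global, static pairs with conduit, outbound pairs with apply, and a static that is never given its own global address never works. Those pairings are easy to break in a long hand-typed configuration, so the following added example (my own code, not from the post or from Cisco) is a small lint for a classic PIX configuration that reads the commands in the post's syntax and reports the pairings that are missing. The sample configuration is constructed from the addresses used in the post; the conduit for 163.29.129.172 is a hypothetical address added only to show a conduit with no matching static, and the overlapping static on 163.29.129.170 and the `apply ... 10` without an `outbound 10` list are deliberate defects.

```python
"""Lint a classic (pre-7.0 style) PIX configuration for the pairing rules the
post stresses: nat/global, static/conduit and outbound/apply must be used
together, and each static needs its own global address.  Added example."""
import re
from collections import defaultdict

# Constructed sample based on the addresses in the post.  The duplicate static
# for 163.29.129.170, the conduit for 163.29.129.172 (hypothetical, no static)
# and 'apply ... 10' (no outbound list 10) are intentional defects.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat(inside) 1 192.168.1.0 255.255.255.0
global(outside) 1 163.29.129.129-163.29.129.250 netmask 255.255.255.128
static(inside,outside) 163.29.129.170 192.168.1.1 netmask 255.255.255.255
static(inside,outside) 163.29.129.171 192.168.1.2 netmask 255.255.255.255
static(inside,outside) 163.29.129.170 192.168.1.4 netmask 255.255.255.255
conduit permit icmp any any
conduit permit tcp host 163.29.129.170 eq www any
conduit permit tcp host 163.29.129.171 eq smtp any
conduit permit tcp host 163.29.129.172 eq 23 host 203.74.223.38
outbound 1 deny 0.0.0.0 0.0.0.0 tcp
apply(inside) 1 outgoing_src
apply(inside) 10 outgoing_dest
"""


def parse_config(text):
    """Return {keyword: [token list, ...]} for every non-comment line.
    Both 'nat(inside)' (as typed in the post) and 'nat (inside)' are accepted."""
    cmds = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":      # PIX comment / banner lines
            continue
        line = re.sub(r"^(\w+)\(", r"\1 (", line)
        tokens = line.split()
        cmds[tokens[0]].append(tokens)
    return cmds


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing found."""
    cmds = parse_config(text)
    findings = []

    # 1. Dynamic NAT: every nat id needs a global with the same id, and vice versa.
    nat_ids = {t[2] for t in cmds["nat"] if len(t) > 2}
    global_ids = {t[2] for t in cmds["global"] if len(t) > 2}
    for i in sorted(nat_ids - global_ids):
        findings.append(f"nat id {i} has no matching global: dynamic NAT is incomplete")
    for i in sorted(global_ids - nat_ids):
        findings.append(f"global id {i} has no matching nat: address pool is unused")

    # 2. Static NAT: one global address may map to exactly one local host.
    static_by_global = defaultdict(list)
    for t in cmds["static"]:
        if len(t) > 3:
            static_by_global[t[2]].append(t[3])
    for gip, local_hosts in static_by_global.items():
        if len(local_hosts) > 1:
            findings.append(f"static global {gip} is mapped to several local hosts: "
                            + ", ".join(local_hosts))

    # 3. Conduits: a host conduit with no static does nothing; icmp any any is broad.
    exposed = set()
    for t in cmds["conduit"]:
        if len(t) < 5 or t[1] != "permit":
            continue
        if t[2] == "icmp" and t[3] == "any" and t[4] == "any":
            findings.append("conduit permits icmp from any to any; consider limiting it "
                            "to the ICMP types you need (e.g. echo-reply)")
        if t[3] == "host":
            exposed.add(t[4])
    for ip in sorted(exposed - set(static_by_global)):
        findings.append(f"conduit opens {ip} but no static maps that address")

    # 4. Outbound filters: every apply must reference a defined outbound list.
    outbound_ids = {t[1] for t in cmds["outbound"] if len(t) > 1}
    for t in cmds["apply"]:
        if len(t) > 2 and t[2] not in outbound_ids:
            findings.append(f"apply references outbound list {t[2]}, which is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Running it on the sample reports four findings: the reused global 163.29.129.170, the unrestricted `conduit permit icmp any any`, the conduit for 163.29.129.172 that no static backs, and `apply(inside) 10` with no `outbound 10` list. Feed it the output of `write terminal` from a real unit to check a configuration before `write memory`.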
From the IDC business group forum, a forum for exchanging network technology, computing and network security topics. Forum created 2009/4/29. Topic: [Hardware] How to set DMZ in pix 501 ?