Home | 簡體中文 | 繁體中文 | 雜文 | 打賞(Donations) | ITEYE 博客 | OSChina 博客 | Facebook | Linkedin | 知乎專欄 | Search | Email

第 13 章 Firewall

目錄

13.1. Cisco PIX Firewall
13.1.1. cisco PIX 515E的全部數據與配置
13.1.2. 清除所有配置
13.1.3. 配置防火牆的用戶信息
13.1.4. 介面設置
13.1.5. 配置NAT配置映射
13.1.5.1. 連接埠映射
13.1.5.2. IP 映射
13.1.6. 配置路由
13.1.7. 策略
13.1.7.1. Ping
13.1.7.2. SSH
13.1.8. ACL
13.1.9. 配置遠程telnet訪問
13.1.10. 配置DHCP
13.1.11. VPN
13.1.12. 防止DDOS攻擊
13.1.13. SNMP
13.1.14. 開啟WEB管理
13.1.15. 保存
13.1.15.1. 備份及恢復
13.1.16. clear
13.1.16.1. NAT映射更改後仍然指向之前的IP
13.1.16.2. reload
13.2. Cisco ASA Firewall
13.2.1. Console 登錄
13.2.1.1. 清除配置檔案
13.2.2. Management0/0
13.2.3. 介面配置
13.2.3.1. 子介面
13.2.4. route
13.2.5. ACL
13.2.5.1. Blacklist
13.2.5.2. Whitelist
13.2.5.3. object-group
13.2.5.4. Example
13.2.6. 配置NAT映射
13.2.6.1. IP 映射
13.2.6.2. 連接埠映射
13.2.7. timeout
13.2.8. DHCP
13.2.8.1. management
13.2.8.2. inside
13.2.9. SNMP
13.2.10. 用戶登錄
13.2.10.1. Telnet
13.2.10.2. SSH
13.2.11. VPN
13.2.11.1. site to site
13.2.11.2. webvpn
13.2.12. service-policy
13.2.13. failover
13.2.14. 透明防火牆(transparent)
13.2.15. logging
13.2.16. ntp
13.2.17. asdm
13.2.18. 備份配置檔案
13.3. 查看命令
13.3.1. show interface
13.3.2. show static
13.3.3. show ip
13.3.4. show cpu usage
13.3.5. show conn count
13.3.6. show blocks
13.3.7. show mem
13.3.8. show traffic
13.3.9. show xlate
13.4. FAQ
13.4.1. inside 不能到達 outside
13.5. Example
13.5.1. ASA Firewall

13.1. Cisco PIX Firewall

Cisco PIX 515E

過程 13.1. Login Pix515E

  1. 登陸

    1.、telnet 192.168.0.1
       User Access Verification
       Password:(輸入密碼出現如下信息:)
       Type help or '?' for a list of available commands.
       weibo>
       (此時是PIX 515E的無特權模式,此模式只能查看,並且只能查看防火牆的系統信息)
      /**************chase*********************/
    			
  2. Then do this.

    2.、enable(進入特權模式,出現如下信息)
       password:(輸入密碼進入特權模式)
       weibo#(weibo>變為weibo#)
       (在特權模式下只能查看放火牆的配置不能修改防火牆的配置,用disable退出特權模式返回無特權模式)
      /*************chase*********************/
    			
  3. And now do this.

    conf t(進入配置模式,出現如下信息)
    firewall(config)#(weibo#變為weibo(config)#)
       (在配置模式才能修改防火牆的配置,用exit、quit退出配置模式到特權模式)
    			

13.1.1. cisco PIX 515E的全部數據與配置

show tech-support

firewall(config)# show tech-support

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 04-Aug-05 21:40 by morlee

firewall up 36 mins 41 secs

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 001c.58b5.6e80, irq 10
1: ethernet1: address is 001c.58b5.6e81, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 810323551 (0x304c8e5f)
Running Activation Key: 0x1512d3bb 0xdbb4b468 0xb28e1dc9 0x1b826959
Configuration last modified by enable_15 at 23:06:10.370 UTC Thu Sep 2 2010

------------------ show clock ------------------

23:08:58.073 UTC Thu Sep 2 2010

------------------ show memory ------------------

Free memory:        79151528 bytes
Used memory:        55066200 bytes
-------------     ----------------
Total memory:      134217728 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550    933    667    676

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 001c.58b5.6e80
  IP address 172.16.0.30, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2 packets output, 120 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        2 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 001c.58b5.6e81
  IP address 172.16.1.254, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        3 packets output, 180 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        3 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001f02c9 00953044 0056ed50          0 009520bc 3916/4096 arp_timer
Lsi 001f5a95 009f623c 0056ed50          0 009f52c4 3928/4096 FragDBGC
Lwe 0011a13f 00a0236c 005724b8          0 00a01504 3688/4096 dbgtrace
Lwe 003fb2fd 00a044fc 00567688          0 00a025b4 8008/8192 Logger
Hwe 003ff4b8 00a075f4 00567938          0 00a0567c 8024/8192 tcp_fast
Hwe 003ff431 00a096a4 00567938          0 00a0772c 8024/8192 tcp_slow
Lsi 00314885 028e9924 0056ed50          0 028e899c 3916/4096 xlate clean
Lsi 00314793 028ea9c4 0056ed50          0 028e9a4c 3884/4096 uxlate clean
Mwe 0030be5f 02d7edc4 0056ed50          0 02d7ce2c 7908/8192 tcp_intercept_timer_process
Lsi 00452ee5 02e2b79c 0056ed50          0 02e2a814 3900/4096 route_process
Hsi 002fb6fc 02e2c82c 0056ed50         20 02e2b8c4 3780/4096 PIX Garbage Collector
Hwe 0021e529 02e36d5c 0056ed50          0 02e32df4 16048/16384 isakmp_time_keeper
Lsi 002f929c 02e5069c 0056ed50          0 02e4f714 3944/4096 perfmon
Mwe 00214d39 02e7aacc 0056ed50          0 02e78b54 7860/8192 IPsec timer handler
Hwe 003b105b 02e8ee14 00591c90          0 02e8cecc 7000/8192 qos_metric_daemon
Mwe 0026d0dd 02ea996c 0056ed50          0 02ea5a04 15592/16384 IP Background
Lwe 0030cad6 02f5c2bc 00585368          0 02f5b444 3704/4096 pix/trace
Lwe 0030cd0e 02f5d36c 00585a98          0 02f5c4f4 3704/4096 pix/tconsole
H*  0011fa67 0009ff2c 0056ed38       1310 02f63784 13136/16384 ci/console
Csi 003048fb 02f6878c 0056ed50          0 02f67834 3432/4096 update_cpu_usage
Hwe 002ef791 03019534 0054e100          0 030156ac 15884/16384 uauth_in
Hwe 003fdf05 0301b634 00892508          0 0301975c 7896/8192 uauth_thread
Hwe 0041553a 0301c784 00567c88          0 0301b80c 3960/4096 udp_timer
Hsi 001e7d4e 0301e444 0056ed50          0 0301d4cc 3800/4096 557mcfix
Crd 001e7d03 0301f504 0056f1c8    1638450 0301e57c 3632/4096 557poll
Lsi 001e7dbd 030205a4 0056ed50          0 0301f62c 3848/4096 557timer
Cwe 001e99a9 0332267c 007f1058          0 03320784 7928/8192 pix/intf0
Mwe 004152aa 0332378c 008dc6f8          0 03322854 3896/4096 riprx/0
Msi 003ba8a1 0332489c 0056ed50          0 03323924 3888/4096 riptx/0
Cwe 001e99a9 03426aa4 00779ae0          0 03424bac 7928/8192 pix/intf1
Mwe 004152aa 03427bb4 008dc6b0          0 03426c7c 3896/4096 riprx/1
Msi 003ba8a1 03428cc4 0056ed50          0 03427d4c 3888/4096 riptx/1
Hwe 003fe199 0344d67c 00868c90          0 0344d034 1196/2048 listen/telnet_1
Mwe 0038707e 0344f85c 0056ed50          0 0344d8e4 7960/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 2214.880 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 2214.880 secs):
                2 packets       120 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 2214.880 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 2214.880 secs):
                3 packets       180 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

------------------ show running-config ------------------

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
firewall(config)#

		

13.1.2. 清除所有配置

pix# conf t
pix(config)# clear config all
pixfirewall(config)# quit
pixfirewall# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall#

		

13.1.3. 配置防火牆的用戶信息

enable password chen
hostname pix515
domain-name example.com

pixfirewall# conf t
pixfirewall(config)# enable password chen
pixfirewall(config)# hostname firewall
firewall(config)# domain-name example.com
firewall(config)#
		

13.1.4. 介面設置

激活以太連接埠

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto


firewall(config)# interface ethernet0 auto
firewall(config)# interface ethernet1 auto
		

下面兩句配置內外連接埠的安全級別

nameif ethernet0 outside security0
nameif ethernet1 inside security100

firewall(config)# nameif ethernet0 outside security0
firewall(config)# nameif ethernet1 inside security100

		

配置以太連接埠ip 地址

ip address outside 61.144.203.114 255.255.255.244
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip address e3 61.233.203.47 255.255.255.192
		

13.1.5. 配置NAT配置映射

global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
		

13.1.5.1. 連接埠映射

WAN IP:PORT --> LAN IP:PORT

static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.41 21 192.168.0.116 21 netmask 255.255.255.255 0 0
pix515(config)# static (inside,outside) tcp 61.144.23.50 22 192.168.0.11 22 netmask 255.255.255.255 0 0
			

13.1.5.2. IP 映射

WAN IP --> LAN IP

static (inside,outside) 120.13.14.28 172.16.1.28 netmask 255.255.255.255 0 0
			

13.1.6. 配置路由

配置outside使用的網關

route outside 0.0.0.0 0.0.0.0 120.13.14.1 1
route e3 0.0.0.0 0.0.0.0 61.233.203.1 2
		

13.1.7. 策略

conduit permit tcp host 公網IP eq ssh 信任IP 255.255.255.255 (這種寫法,是信任某個IP)

13.1.7.1. Ping

下面這句允許ping

pix515(config)#conduit permit icmp any any
			

13.1.7.2. SSH

pix515(config)# conduit permit tcp host 61.144.23.50 eq ssh any
			

13.1.8. ACL

1、配置內網到VPN不做NAT
   access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
  (建立內網-->VPN的訪問列表)
   nat (inside) 0 access-list 107 (內網-->VPN不做NAT,引用上一步access-list 107)

2、配置內網到DMZ 做NAT
   access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433
   access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125
   nat (inside) 2 access-list 102(內網-->DMZ做NAT,引用上一步access-list 102)

3、配置內網到Internet 做NAT
   access-list 101 permit ip 192.168.0.0 255.255.255.0 any
   nat (inside) 1 access-list 101 0 0

4、配置DMZ到VPN不做NAT
   access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
  (建立內網-->VPN的訪問列表)
   nat (DMZ) 0 access-list 107

4、配置VPN到DMZ不做NAT
   access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
  (建立內網-->VPN的訪問列表)
   nat (e3) 0 access-list 150
		

13.1.9. 配置遠程telnet訪問

password chen (把telnet的密碼修改為chen)
telnet 192.168.0.1 255.255.255.255 inside(開啟內網口的telnet服務)
telnet 192.168.0.0 255.255.255.0 inside(允許所有內網用戶訪問telnet服務)
telnet 0.0.0.0 0.0.0.0 e3
telnet 61.144.203.41 255.255.255.255 e3
		

13.1.10. 配置DHCP

pix515(config)#ip address dhcp
pix515(config)#dhcpd enable inside
pix515(config)#dhcpd auto_config outside(自動配置外網DHCP服務參數)
pix515(config)#dhcpd address 172.16.0.20-172.16.0.200 inside (內網DHCP分配的IP地址範圍)
pix515(config)#dhcpd dns 208.67.222.222 208.67.220.220
pix515(config)#dhcpd domain example.com
		

13.1.11. VPN

PPTP

1、命令行方式直接在PIX上配置PPTP的VPN,即PIX作為PPTP方式VPDN的伺服器
    ip local pool pptp 10.0.0.1-10.0.0.50
    //定義一個pptp 方式的vpdn撥入後獲得的IP地址池,名字叫做pptp。此處地址段的定義範圍不要和撥入後內網其他計算機的IP衝突,並且要根據撥入用戶的數量來定義地址池的大小
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication pap
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    //以上為配置pptp的vpdn組的相關屬性
    vpdn group PPTP-VPDN-GROUP client configuration address local pptp
    //上面定義pptp的vpnd組使用本地地址池組pptp,為一開始定義的
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    //此處配置pptp的vpdn撥入用戶口令認證為本地認證,當然也可以選擇AAA伺服器認證,本地認證屬於比較方便的一種實現
    vpdn username test1 password *********
    vpdn username test2 password *********
    //上面為定義本地用戶認證的用戶帳號和密碼,可以定義多個
    vpdn enable outside
    //在pix防火牆的outside口起用vpdn功能,也可以在其他介面上應用
  2、使用pix防火牆內部的某個pptp的VPDN伺服器作為專門的VPN伺服器,只是在pix上開放相應的服務連接埠
  pptp使用1723連接埠,而通常pix裡面的伺服器對外都是做的靜態NAT轉換,但是光雙向開放1723連接埠仍舊無法建立pptp的vpn連接,那麼對於pix 6.3以上版本的pptp穿透可以用一條命令fixup protocol pptp 1723 來解決這個問題。
		

Ipsec VPN 配置

ip local pool pigpool 172.16.1.50-172.16.1.240  (建立VPN的地址空間)
sysopt connection permit-ipsec(開啟系統ipsec連接埠)
sysopt connection permit-pptp(開啟系統pptp連接埠)
sysopt connection permit-l2tp(開啟系統l2tp連接埠)

isakmp enable e3 (e3介面啟用isakmp)
isakmp policy 8 encryption des(定義phase 1協商用DES加密算法)
isakmp policy 8 hash md5(定義phase 1協商用MD5散列算法)
isakmp policy 8 authentication pre-share(定義phase 1使用pre-shared key進行認證)
isakmp key pix address 0.0.0.0 netmask 0.0.0.0(定義使用共享密匙pix)
isakmp client configuration address-pool local pigpool e3(將VPN client地址池綁定到isakmp)
isakmp policy 8 group 2(isakmp policy 10 group 2)
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac(定義一個變換集strong-des)
crypto dynamic-map cisco 4 set transform-set strong-des(把strong-des添加到動態加密策略cisco)
crypto map partner-map 20 ipsec-isakmp dynamic cisco(把動態加密策略綁定到partner-map 加密圖)
crypto map partner-map client configuration address initiate(定義給每個客戶端分配IP地址)
crypto map partner-map client configuration address respond(定義PIX防火牆接受來自任何IP的請求)
crypto map partner-map interface e3(把動態加密圖vpnpeer綁定到e3口)
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local pigpool
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 80
vpdn username pix password pix(設置vpn密碼,密碼必須與共享密匙一樣)
vpdn enable e3
		

vpn本地身份驗證

crypto map vpnpeer client authentication LOCAL
username whr password whr
no username whr
		

修改VPN撥入密碼


no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0(刪除共享密匙)
isakmp key whr address 0.0.0.0 netmask 0.0.0.0     (設置共享密匙)
vpdn username chase (刪除chase用戶)
vpdn username chase password whr  (設置用戶名為chase;密碼為whr;密碼要與共享密匙相同)
		

13.1.12. 防止DDOS攻擊

網上找到的,我不確認是否可以起到效果:)

步驟1:開啟日誌功能,並確定系統日誌級別
logging on
logging trap 7(7為最高級別了)
步驟2:確定一台日誌伺服器(192.168.1.10),並把系統日誌輸出導系統日誌伺服器上
logging host inside 192.168.1.10
步驟3:配置入侵檢測(IDS) 為攻擊類特徵碼和信息類特徵碼創建策略
ip audit name attackpolicy attack action alarm reset
ip audit name infopolicy info action alarm reset
步驟4:在介面上啟用策略
ip audit interface outside attackpolicy
ip audit interface outside infopolicy
步驟5:在日誌伺服器上安裝日誌軟件(如果是LINUX可免了)
Kiwi_Syslogd2.exe
步驟6:大功告成了。
		

13.1.13. SNMP

firewall(config)# sh snmp
snmp-server host inside 172.16.0.5 		"安裝了MRTG和Cacti伺服器地址
snmp-server location 172.16.0.1 		"位置描述,可以寫內網連接埠地址,或者更直觀的描述如:gateway firewall
snmp-server contact netkiller@example.com
snmp-server community cisco 			"public
snmp-server enable traps 				"允許管理信息發送
		

PIX 515 僅支持snmp v1

neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 interfaces.ifTable.ifEntry.ifDescr
IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface
IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface


neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254
SNMPv2-MIB::sysDescr.0 = STRING: Cisco PIX Firewall Version 6.3(5)

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.451
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1899600400) 219 days, 20:40:04.00
SNMPv2-MIB::sysContact.0 = STRING: neo.chen@example.com
SNMPv2-MIB::sysName.0 = STRING: firewall.example.com
SNMPv2-MIB::sysLocation.0 = STRING: gw
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 2
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface
IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1500
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 100000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifPhysAddress.1 = STRING: 0:1c:58:b5:6e:80
IF-MIB::ifPhysAddress.2 = STRING: 0:1c:58:b5:6e:81
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00
IF-MIB::ifInOctets.1 = Counter32: 4008321683
IF-MIB::ifInOctets.2 = Counter32: 4051905092
IF-MIB::ifInUcastPkts.1 = Counter32: 2797544526
IF-MIB::ifInUcastPkts.2 = Counter32: 2017238766
IF-MIB::ifInNUcastPkts.1 = Counter32: 38465473
IF-MIB::ifInNUcastPkts.2 = Counter32: 27783306
IF-MIB::ifInDiscards.1 = Counter32: 0
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInErrors.1 = Counter32: 16601
IF-MIB::ifInErrors.2 = Counter32: 32841
IF-MIB::ifInUnknownProtos.1 = Counter32: 0
IF-MIB::ifInUnknownProtos.2 = Counter32: 0
IF-MIB::ifOutOctets.1 = Counter32: 2947292253
IF-MIB::ifOutOctets.2 = Counter32: 3544827218
IF-MIB::ifOutUcastPkts.1 = Counter32: 1968227296
IF-MIB::ifOutUcastPkts.2 = Counter32: 2414528344
IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutErrors.1 = Counter32: 0
IF-MIB::ifOutErrors.2 = Counter32: 0
IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifOutQLen.2 = Gauge32: 0
IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero
IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero
IP-MIB::ipAdEntAddr.120.13.14.30 = IpAddress: 120.13.14.30
IP-MIB::ipAdEntAddr.172.16.1.254 = IpAddress: 172.16.1.254
IP-MIB::ipAdEntIfIndex.120.13.14.30 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.172.16.1.254 = INTEGER: 2
IP-MIB::ipAdEntNetMask.120.13.14.30 = IpAddress: 255.255.255.192
IP-MIB::ipAdEntNetMask.172.16.1.254 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntBcastAddr.120.13.14.30 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.172.16.1.254 = INTEGER: 0
IP-MIB::ipAdEntReasmMaxSize.120.13.14.30 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.172.16.1.254 = INTEGER: 65535
		

如果你使用snmp v2版本嘗試連接pix防火牆將會提示

neo@monitor:~$ snmpwalk -v2c -c public 172.16.1.254
Timeout: No Response from 172.16.1.254
		

13.1.14. 開啟WEB管理

http server enable
http 172.16.0.1 255.255.255.255 inside
		

172.16.0.1 是from ip,或者允許一個IP段

http 172.16.0.0 255.255.255.0 inside
		

http 登錄密碼

username admin password ysCf4HUXoqIPDu1 privilege 15
		

https://172.16.0.254

13.1.15. 保存

write memory
pix515(config)# write mem
Building configuration...
Cryptochecksum: 5641ca9c 2ef4c53c 0dc8a8f9 75d47f09
[OK]
pix515(config)#

		

13.1.15.1. 備份及恢復

備份

pix515(config)# write net 192.168.2.111:pix515.rtf
Building configuration...
TFTP write 'pix515.rtf' at 192.168.2.111 on interface 1
[OK]
		

恢復

pix515(config)# clear config all  是清除所有配置
如何想要通過tftp恢復,得要先配置一下inside介面地址:
pixfirewall(config)# ip add inside 192.168.2.1 255.255.255.0
pixfirewall(config)# ping 192.168.2.111  測試一下到TFTP伺服器是否通
        192.168.2.111 response received -- 0ms
        192.168.2.111 response received -- 0ms
        192.168.2.111 response received -- 0ms
pix515(config)# configure net 192.168.2.111:pix515.rtf
Global 10.6.6.151 will be Port Address Translated
Global 10.6.6.150 will be Port Address Translated
Global 10.6.6.211 will be Port Address Translated
.
Cryptochecksum(unchanged): ead0c833 1ed19938 b863ace2 4902f21b
Config OK
		

13.1.16. clear

clear xlate
clear arp
clear local-host
		

13.1.16.1. NAT映射更改後仍然指向之前的IP

clear xlate
			

13.1.16.2. reload

fix515(config)# reload