| Home | Mirror | Search |
目錄
過程 7.1. Login Pix515E
登陸
1.、telnet 192.168.0.1 User Access Verification Password:(輸入密碼出現如下信息:) Type help or '?' for a list of available commands. weibo> (此時是PIX 515E的無特權模式,此模式只能查看,並且只能查看防火牆的系統信息) /**************chase*********************/
Then do this.
2.、enable(進入特權模式,出現如下信息) password:(輸入密碼進入特權模式) weibo#(weibo>變為weibo#) (在特權模式下只能查看放火牆的配置不能修改防火牆的配置,用disable退出特權模式返回無特權模式) /*************chase*********************/
And now do this.
conf t(進入配置模式,出現如下信息) firewall(config)#(weibo#變為weibo(config)#) (在配置模式才能修改防火牆的配置,用exit、quit退出配置模式到特權模式)
show tech-support
firewall(config)# show tech-support
Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
firewall up 36 mins 41 secs
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 001c.58b5.6e80, irq 10
1: ethernet1: address is 001c.58b5.6e81, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 810323551 (0x304c8e5f)
Running Activation Key: 0x1512d3bb 0xdbb4b468 0xb28e1dc9 0x1b826959
Configuration last modified by enable_15 at 23:06:10.370 UTC Thu Sep 2 2010
------------------ show clock ------------------
23:08:58.073 UTC Thu Sep 2 2010
------------------ show memory ------------------
Free memory: 79151528 bytes
Used memory: 55066200 bytes
------------- ----------------
Total memory: 134217728 bytes
------------------ show conn count ------------------
0 in use, 0 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
4 1600 1600 1600
80 400 400 400
256 500 499 500
1550 933 667 676
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 001c.58b5.6e80
IP address 172.16.0.30, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2 packets output, 120 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
2 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 001c.58b5.6e81
IP address 172.16.1.254, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 packets output, 180 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
3 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Hsi 001f02c9 00953044 0056ed50 0 009520bc 3916/4096 arp_timer
Lsi 001f5a95 009f623c 0056ed50 0 009f52c4 3928/4096 FragDBGC
Lwe 0011a13f 00a0236c 005724b8 0 00a01504 3688/4096 dbgtrace
Lwe 003fb2fd 00a044fc 00567688 0 00a025b4 8008/8192 Logger
Hwe 003ff4b8 00a075f4 00567938 0 00a0567c 8024/8192 tcp_fast
Hwe 003ff431 00a096a4 00567938 0 00a0772c 8024/8192 tcp_slow
Lsi 00314885 028e9924 0056ed50 0 028e899c 3916/4096 xlate clean
Lsi 00314793 028ea9c4 0056ed50 0 028e9a4c 3884/4096 uxlate clean
Mwe 0030be5f 02d7edc4 0056ed50 0 02d7ce2c 7908/8192 tcp_intercept_timer_process
Lsi 00452ee5 02e2b79c 0056ed50 0 02e2a814 3900/4096 route_process
Hsi 002fb6fc 02e2c82c 0056ed50 20 02e2b8c4 3780/4096 PIX Garbage Collector
Hwe 0021e529 02e36d5c 0056ed50 0 02e32df4 16048/16384 isakmp_time_keeper
Lsi 002f929c 02e5069c 0056ed50 0 02e4f714 3944/4096 perfmon
Mwe 00214d39 02e7aacc 0056ed50 0 02e78b54 7860/8192 IPsec timer handler
Hwe 003b105b 02e8ee14 00591c90 0 02e8cecc 7000/8192 qos_metric_daemon
Mwe 0026d0dd 02ea996c 0056ed50 0 02ea5a04 15592/16384 IP Background
Lwe 0030cad6 02f5c2bc 00585368 0 02f5b444 3704/4096 pix/trace
Lwe 0030cd0e 02f5d36c 00585a98 0 02f5c4f4 3704/4096 pix/tconsole
H* 0011fa67 0009ff2c 0056ed38 1310 02f63784 13136/16384 ci/console
Csi 003048fb 02f6878c 0056ed50 0 02f67834 3432/4096 update_cpu_usage
Hwe 002ef791 03019534 0054e100 0 030156ac 15884/16384 uauth_in
Hwe 003fdf05 0301b634 00892508 0 0301975c 7896/8192 uauth_thread
Hwe 0041553a 0301c784 00567c88 0 0301b80c 3960/4096 udp_timer
Hsi 001e7d4e 0301e444 0056ed50 0 0301d4cc 3800/4096 557mcfix
Crd 001e7d03 0301f504 0056f1c8 1638450 0301e57c 3632/4096 557poll
Lsi 001e7dbd 030205a4 0056ed50 0 0301f62c 3848/4096 557timer
Cwe 001e99a9 0332267c 007f1058 0 03320784 7928/8192 pix/intf0
Mwe 004152aa 0332378c 008dc6f8 0 03322854 3896/4096 riprx/0
Msi 003ba8a1 0332489c 0056ed50 0 03323924 3888/4096 riptx/0
Cwe 001e99a9 03426aa4 00779ae0 0 03424bac 7928/8192 pix/intf1
Mwe 004152aa 03427bb4 008dc6b0 0 03426c7c 3896/4096 riprx/1
Msi 003ba8a1 03428cc4 0056ed50 0 03427d4c 3888/4096 riptx/1
Hwe 003fe199 0344d67c 00868c90 0 0344d034 1196/2048 listen/telnet_1
Mwe 0038707e 0344f85c 0056ed50 0 0344d8e4 7960/8192 Crypto CA
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
received (in 2214.880 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2214.880 secs):
2 packets 120 bytes
0 pkts/sec 0 bytes/sec
inside:
received (in 2214.880 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2214.880 secs):
3 packets 180 bytes
0 pkts/sec 0 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
firewall(config)#
pix# conf t pix(config)# clear config all pixfirewall(config)# quit pixfirewall# show run : Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names pager lines 24 mtu outside 1500 mtu inside 1500 no ip address outside no ip address inside ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:00000000000000000000000000000000 : end pixfirewall#
enable password chen hostname pix515 domain-name example.com pixfirewall# conf t pixfirewall(config)# enable password chen pixfirewall(config)# hostname firewall firewall(config)# domain-name example.com firewall(config)#
激活以太連接埠
interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto interface ethernet3 auto firewall(config)# interface ethernet0 auto firewall(config)# interface ethernet1 auto
下面兩句配置內外連接埠的安全級別
nameif ethernet0 outside security0 nameif ethernet1 inside security100 firewall(config)# nameif ethernet0 outside security0 firewall(config)# nameif ethernet1 inside security100
配置以太連接埠ip 地址
ip address outside 61.144.203.114 255.255.255.244 ip address inside 192.168.0.1 255.255.255.0 ip address dmz 172.16.0.1 255.255.255.0 ip address e3 61.233.203.47 255.255.255.192
global (outside) 1 interface nat (inside) 1 172.16.1.0 255.255.255.0 0 0
WAN IP:PORT --> LAN IP:PORT
static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0 static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0 static (inside,outside) tcp 61.144.203.41 21 192.168.0.116 21 netmask 255.255.255.255 0 0 pix515(config)# static (inside,outside) tcp 61.144.23.50 22 192.168.0.11 22 netmask 255.255.255.255 0 0
配置outside使用的網關
route outside 0.0.0.0 0.0.0.0 120.13.14.1 1 route e3 0.0.0.0 0.0.0.0 61.233.203.1 2
conduit permit tcp host 公網IP eq ssh 信任IP 255.255.255.255 (這種寫法,是信任某個IP)
1、配置內網到VPN不做NAT access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0 (建立內網-->VPN的訪問列表) nat (inside) 0 access-list 107 (內網-->VPN不做NAT,引用上一步access-list 107) 2、配置內網到DMZ 做NAT access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433 access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125 nat (inside) 2 access-list 102(內網-->DMZ做NAT,引用上一步access-list 102) 3、配置內網到Internet 做NAT access-list 101 permit ip 192.168.0.0 255.255.255.0 any nat (inside) 1 access-list 101 0 0 4、配置DMZ到VPN不做NAT access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0 (建立內網-->VPN的訪問列表) nat (DMZ) 0 access-list 107 4、配置VPN到DMZ不做NAT access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0 (建立內網-->VPN的訪問列表) nat (e3) 0 access-list 150
password chen (把telnet的密碼修改為chen) telnet 192.168.0.1 255.255.255.255 inside(開啟內網口的telnet服務) telnet 192.168.0.0 255.255.255.0 inside(允許所有內網用戶訪問telnet服務) telnet 0.0.0.0 0.0.0.0 e3 telnet 61.144.203.41 255.255.255.255 e3
pix515(config)#ip address dhcp pix515(config)#dhcpd enable inside pix515(config)#dhcpd auto_config outside(自動配置外網DHCP服務參數) pix515(config)#dhcpd address 172.16.0.20-172.16.0.200 inside (內網DHCP分配的IP地址範圍) pix515(config)#dhcpd dns 208.67.222.222 208.67.220.220 pix515(config)#dhcpd domain example.com
PPTP
1、命令行方式直接在PIX上配置PPTP的VPN,即PIX作為PPTP方式VPDN的伺服器
ip local pool pptp 10.0.0.1-10.0.0.50
//定義一個pptp 方式的vpdn撥入後獲得的IP地址池,名字叫做pptp。此處地址段的定義範圍不要和撥入後內網其他計算機的IP衝突,並且要根據撥入用戶的數量來定義地址池的大小
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
//以上為配置pptp的vpdn組的相關屬性
vpdn group PPTP-VPDN-GROUP client configuration address local pptp
//上面定義pptp的vpnd組使用本地地址池組pptp,為一開始定義的
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
//此處配置pptp的vpdn撥入用戶口令認證為本地認證,當然也可以選擇AAA伺服器認證,本地認證屬於比較方便的一種實現
vpdn username test1 password *********
vpdn username test2 password *********
//上面為定義本地用戶認證的用戶帳號和密碼,可以定義多個
vpdn enable outside
//在pix防火牆的outside口起用vpdn功能,也可以在其他介面上應用
2、使用pix防火牆內部的某個pptp的VPDN伺服器作為專門的VPN伺服器,只是在pix上開放相應的服務連接埠
pptp使用1723連接埠,而通常pix裡面的伺服器對外都是做的靜態NAT轉換,但是光雙向開放1723連接埠仍舊無法建立pptp的vpn連接,那麼對於pix 6.3以上版本的pptp穿透可以用一條命令fixup protocol pptp 1723 來解決這個問題。
Ipsec VPN 配置
ip local pool pigpool 172.16.1.50-172.16.1.240 (建立VPN的地址空間) sysopt connection permit-ipsec(開啟系統ipsec連接埠) sysopt connection permit-pptp(開啟系統pptp連接埠) sysopt connection permit-l2tp(開啟系統l2tp連接埠) isakmp enable e3 (e3介面啟用isakmp) isakmp policy 8 encryption des(定義phase 1協商用DES加密算法) isakmp policy 8 hash md5(定義phase 1協商用MD5散列算法) isakmp policy 8 authentication pre-share(定義phase 1使用pre-shared key進行認證) isakmp key pix address 0.0.0.0 netmask 0.0.0.0(定義使用共享密匙pix) isakmp client configuration address-pool local pigpool e3(將VPN client地址池綁定到isakmp) isakmp policy 8 group 2(isakmp policy 10 group 2) crypto ipsec transform-set strong-des esp-3des esp-sha-hmac(定義一個變換集strong-des) crypto dynamic-map cisco 4 set transform-set strong-des(把strong-des添加到動態加密策略cisco) crypto map partner-map 20 ipsec-isakmp dynamic cisco(把動態加密策略綁定到partner-map 加密圖) crypto map partner-map client configuration address initiate(定義給每個客戶端分配IP地址) crypto map partner-map client configuration address respond(定義PIX防火牆接受來自任何IP的請求) crypto map partner-map interface e3(把動態加密圖vpnpeer綁定到e3口) vpdn group 2 accept dialin l2tp vpdn group 2 ppp authentication pap vpdn group 2 client configuration address local pigpool vpdn group 2 client authentication local vpdn group 2 l2tp tunnel hello 80 vpdn username pix password pix(設置vpn密碼,密碼必須與共享密匙一樣) vpdn enable e3
vpn本地身份驗證
crypto map vpnpeer client authentication LOCAL username whr password whr no username whr
修改VPN撥入密碼
no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0(刪除共享密匙) isakmp key whr address 0.0.0.0 netmask 0.0.0.0 (設置共享密匙) vpdn username chase (刪除chase用戶) vpdn username chase password whr (設置用戶名為chase;密碼為whr;密碼要與共享密匙相同)
網上找到的,我不確認是否可以起到效果:)
步驟1:開啟日誌功能,並確定系統日誌級別 logging on logging trap 7(7為最高級別了) 步驟2:確定一台日誌伺服器(192.168.1.10),並把系統日誌輸出導系統日誌伺服器上 logging host inside 192.168.1.10 步驟3:配置入侵檢測(IDS) 為攻擊類特徵碼和信息類特徵碼創建策略 ip audit name attackpolicy attack action alarm reset ip audit name infopolicy info action alarm reset 步驟4:在介面上啟用策略 ip audit interface outside attackpolicy ip audit interface outside infopolicy 步驟5:在日誌伺服器上安裝日誌軟件(如果是LINUX可免了) Kiwi_Syslogd2.exe 步驟6:大功告成了。
firewall(config)# sh snmp snmp-server host inside 172.16.0.5 "安裝了MRTG和Cacti伺服器地址 snmp-server location 172.16.0.1 "位置描述,可以寫內網連接埠地址,或者更直觀的描述如:gateway firewall snmp-server contact netkiller@example.com snmp-server community cisco "public snmp-server enable traps "允許管理信息發送
PIX 515 僅支持snmp v1
neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 interfaces.ifTable.ifEntry.ifDescr IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 SNMPv2-MIB::sysDescr.0 = STRING: Cisco PIX Firewall Version 6.3(5) SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.451 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1899600400) 219 days, 20:40:04.00 SNMPv2-MIB::sysContact.0 = STRING: neo.chen@example.com SNMPv2-MIB::sysName.0 = STRING: firewall.example.com SNMPv2-MIB::sysLocation.0 = STRING: gw SNMPv2-MIB::sysServices.0 = INTEGER: 4 IF-MIB::ifNumber.0 = INTEGER: 2 IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.2 = INTEGER: 2 IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6) IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6) IF-MIB::ifMtu.1 = INTEGER: 1500 IF-MIB::ifMtu.2 = INTEGER: 1500 IF-MIB::ifSpeed.1 = Gauge32: 100000000 IF-MIB::ifSpeed.2 = Gauge32: 100000000 IF-MIB::ifPhysAddress.1 = STRING: 0:1c:58:b5:6e:80 IF-MIB::ifPhysAddress.2 = STRING: 0:1c:58:b5:6e:81 IF-MIB::ifAdminStatus.1 = INTEGER: up(1) IF-MIB::ifAdminStatus.2 = INTEGER: up(1) IF-MIB::ifOperStatus.1 = INTEGER: up(1) IF-MIB::ifOperStatus.2 = INTEGER: up(1) IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00 IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00 IF-MIB::ifInOctets.1 = Counter32: 4008321683 IF-MIB::ifInOctets.2 = Counter32: 4051905092 IF-MIB::ifInUcastPkts.1 = Counter32: 2797544526 IF-MIB::ifInUcastPkts.2 = Counter32: 2017238766 IF-MIB::ifInNUcastPkts.1 = Counter32: 38465473 IF-MIB::ifInNUcastPkts.2 = Counter32: 27783306 IF-MIB::ifInDiscards.1 = Counter32: 0 IF-MIB::ifInDiscards.2 = Counter32: 0 IF-MIB::ifInErrors.1 = Counter32: 16601 IF-MIB::ifInErrors.2 = Counter32: 32841 IF-MIB::ifInUnknownProtos.1 = Counter32: 0 IF-MIB::ifInUnknownProtos.2 = Counter32: 0 IF-MIB::ifOutOctets.1 = Counter32: 2947292253 IF-MIB::ifOutOctets.2 = Counter32: 3544827218 IF-MIB::ifOutUcastPkts.1 = Counter32: 1968227296 IF-MIB::ifOutUcastPkts.2 = Counter32: 2414528344 IF-MIB::ifOutNUcastPkts.1 = Counter32: 0 IF-MIB::ifOutNUcastPkts.2 = Counter32: 0 IF-MIB::ifOutDiscards.1 = Counter32: 0 IF-MIB::ifOutDiscards.2 = Counter32: 0 IF-MIB::ifOutErrors.1 = Counter32: 0 IF-MIB::ifOutErrors.2 = Counter32: 0 IF-MIB::ifOutQLen.1 = Gauge32: 0 IF-MIB::ifOutQLen.2 = Gauge32: 0 IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero IP-MIB::ipAdEntAddr.120.13.14.30 = IpAddress: 120.13.14.30 IP-MIB::ipAdEntAddr.172.16.1.254 = IpAddress: 172.16.1.254 IP-MIB::ipAdEntIfIndex.120.13.14.30 = INTEGER: 1 IP-MIB::ipAdEntIfIndex.172.16.1.254 = INTEGER: 2 IP-MIB::ipAdEntNetMask.120.13.14.30 = IpAddress: 255.255.255.192 IP-MIB::ipAdEntNetMask.172.16.1.254 = IpAddress: 255.255.255.0 IP-MIB::ipAdEntBcastAddr.120.13.14.30 = INTEGER: 0 IP-MIB::ipAdEntBcastAddr.172.16.1.254 = INTEGER: 0 IP-MIB::ipAdEntReasmMaxSize.120.13.14.30 = INTEGER: 65535 IP-MIB::ipAdEntReasmMaxSize.172.16.1.254 = INTEGER: 65535
如果你使用snmp v2版本嘗試連接pix防火牆將會提示
neo@monitor:~$ snmpwalk -v2c -c public 172.16.1.254 Timeout: No Response from 172.16.1.254
http server enable http 172.16.0.1 255.255.255.255 inside
172.16.0.1 是from ip,或者允許一個IP段
http 172.16.0.0 255.255.255.0 inside
http 登錄密碼
username admin password ysCf4HUXoqIPDu1 privilege 15
https://172.16.0.254
pix515(config)# write mem Building configuration... Cryptochecksum: 5641ca9c 2ef4c53c 0dc8a8f9 75d47f09 [OK] pix515(config)#
備份
pix515(config)# write net 192.168.2.111:pix515.rtf Building configuration... TFTP write 'pix515.rtf' at 192.168.2.111 on interface 1 [OK]
恢復
pix515(config)# clear config all 是清除所有配置
如何想要通過tftp恢復,得要先配置一下inside介面地址:
pixfirewall(config)# ip add inside 192.168.2.1 255.255.255.0
pixfirewall(config)# ping 192.168.2.111 測試一下到TFTP伺服器是否通
192.168.2.111 response received -- 0ms
192.168.2.111 response received -- 0ms
192.168.2.111 response received -- 0ms
pix515(config)# configure net 192.168.2.111:pix515.rtf
Global 10.6.6.151 will be Port Address Translated
Global 10.6.6.150 will be Port Address Translated
Global 10.6.6.211 will be Port Address Translated
.
Cryptochecksum(unchanged): ead0c833 1ed19938 b863ace2 4902f21b
Config OK