PIX Lab Guide
Basic use of the PIX
Topology diagram
Requirements
The PIX is deployed as a three-legged perimeter. The DMZ segment uses static IP addressing; the inside segment obtains addresses by DHCP, with the PIX acting as the DHCP server. Clients reach the Internet through PAT, while client access to the internal server is routed directly (no translation). Any ICMP from the outside to the outside interface is refused, while inside hosts may use ICMP to test connectivity to the DMZ and to the Internet.
Configuration
PIX Version (1)
!
hostname pixfirewall
interface Ethernet0
nameif outside // make E0 the outside interface
security-level 0 // set the security level of E0 to 0
ip address
!
interface Ethernet1
nameif inside // make E1 the inside interface
security-level 100 // set the security level of E1 to 100
ip address
!
interface Ethernet2
nameif dmz // make E2 the DMZ interface
security-level 50 // set the security level of E2 to 50
ip address
!
access-list outsidelist extended permit tcp any interface outside eq // allow outside hosts to open TCP port 80 connections to the outside interface
access-list outsidelist extended permit icmp any interface outside echo-reply // allow outside hosts to send ICMP echo-reply to the outside interface
access-list outsidelist extended deny ip any any // deny all other traffic
access-list nonat extended permit ip // traffic from network 1 to network 2 is exempt from NAT/PAT
access-list dmzlist extended permit ip
access-list dmzlist extended permit tcp host any eq
icmp deny any outside // deny ICMP from any address to the outside interface itself
icmp permit any inside // permit ICMP from any address to the inside interface itself
icmp permit any dmz // permit ICMP from any address to the DMZ interface itself
nat-control // enable NAT control: traffic passing through the PIX must match a nat rule
global (outside) 1 interface // enable PAT on the outside interface address
nat (inside) 0 access-list nonat // traffic from network 1 to network 2 is exempt from NAT/PAT
nat (inside) 1 //
static (dmz,outside) tcp interface netmask //
access-group outsidelist in interface outside // bind the outsidelist ACL inbound on the outside interface
access-group dmzlist in interface dmz // bind the dmzlist ACL inbound on the dmz interface
route outside 1 // default route
ssh timeout 5
dhcpd dns // DNS server address handed out by DHCP
!
dhcpd address - inside // IP address range handed out by DHCP
dhcpd enable
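The configuration above depends on three PIX behaviours that the commands themselves do not spell out: traffic passes by default only from a higher security-level interface to a lower one; once an access-list is bound inbound on an interface it is evaluated top-down with an implicit deny and replaces that default; and the icmp permit/deny lines govern ICMP aimed at an interface address, separately from through-traffic. The following Python model is an added illustration, not the lab's configuration and not Cisco code. All addresses and ports in it are constructed placeholders (the page elides them), the operands of dmzlist are assumptions about the shape of the page's two lines, and the default of "permit" for an interface with no icmp line is a simplification.

```python
"""Toy model of how a three-interface PIX decides whether to pass a flow.

Added illustration; not the lab's configuration and not Cisco code.
Every address and port below is a constructed placeholder.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "icmp"
    src: str                         # "any", a host address or a CIDR network
    dst: str
    port: Optional[int] = None       # TCP destination port (eq)
    icmp_type: Optional[str] = None  # e.g. "echo-reply"


@dataclass(frozen=True)
class Flow:
    ingress: str
    egress: str
    proto: str
    src: str
    dst: str
    port: Optional[int] = None
    icmp_type: Optional[str] = None


SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# Constructed addressing; "interface outside" in the page's ACL means the
# outside interface's own address, represented here by OUTSIDE_IF.
OUTSIDE_IF = "203.0.113.2"
INSIDE_NET = "192.168.1.0/24"
DMZ_NET = "192.168.2.0/24"
DMZ_WEB = "192.168.2.10"

ACCESS_LISTS = {
    "outsidelist": [
        Ace("permit", "tcp", "any", OUTSIDE_IF, port=80),
        Ace("permit", "icmp", "any", OUTSIDE_IF, icmp_type="echo-reply"),
        Ace("deny", "ip", "any", "any"),
    ],
    "dmzlist": [  # same shape as the page's dmzlist; operands are assumptions
        Ace("permit", "ip", DMZ_NET, INSIDE_NET),
        Ace("permit", "tcp", DMZ_WEB, "any", port=80),
    ],
}
ACCESS_GROUP = {"outside": "outsidelist", "dmz": "dmzlist"}  # inbound bindings
ICMP_TO_INTERFACE = {"outside": "deny", "inside": "permit", "dmz": "permit"}


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


def _ace_match(ace: Ace, flow: Flow) -> bool:
    # "ip" matches every protocol; otherwise protocol, addresses and
    # the optional port / ICMP type must all agree.
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (_addr_match(ace.src, flow.src) and _addr_match(ace.dst, flow.dst)):
        return False
    if ace.proto == "tcp" and ace.port is not None and ace.port != flow.port:
        return False
    if ace.proto == "icmp" and ace.icmp_type is not None and ace.icmp_type != flow.icmp_type:
        return False
    return True


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Decide a through-flow entering on flow.ingress; returns (decision, reason)."""
    acl_name = ACCESS_GROUP.get(flow.ingress)
    if acl_name is not None:
        # A bound ACL is evaluated top-down and ends in an implicit deny.
        for n, ace in enumerate(ACCESS_LISTS[acl_name], 1):
            if _ace_match(ace, flow):
                return ace.action, f"{acl_name} line {n}"
        return "deny", f"{acl_name} implicit deny"
    # No ACL bound: only higher-to-lower security level passes by default.
    if SECURITY_LEVEL[flow.ingress] > SECURITY_LEVEL[flow.egress]:
        return "permit", "higher to lower security level"
    return "deny", "lower to higher security level without access-list"


def icmp_to_interface(ingress: str) -> str:
    """Outcome of the `icmp` lines for ICMP addressed to the interface itself."""
    return ICMP_TO_INTERFACE.get(ingress, "permit")  # default is a simplification


if __name__ == "__main__":
    for f in [
        Flow("inside", "outside", "tcp", "192.168.1.20", "198.51.100.7", port=80),
        Flow("outside", "dmz", "tcp", "198.51.100.7", OUTSIDE_IF, port=80),
        Flow("outside", "dmz", "tcp", "198.51.100.7", OUTSIDE_IF, port=22),
        Flow("dmz", "outside", "tcp", "192.168.2.11", "198.51.100.7", port=443),
    ]:
        print(f.ingress, "->", f.egress, f.proto, f.port, evaluate(f))
    print("ping aimed at the outside interface:", icmp_to_interface("outside"))
```

Two points the model makes visible: binding dmzlist inbound on the DMZ removes the DMZ's default right to reach the lower-security outside, so a DMZ host not named in the list is dropped even though 50 > 0; and a line of the form permit ip <dmz network> <inside network> lets every DMZ host initiate connections into inside, so in a real deployment it should be narrowed to the hosts and ports that actually need it.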