Friday, January 25, 2008

pix-a

nameif e0 outside sec0
nameif e1 inside sec100
nameif e2 dmz sec50
int e0 auto
int e1 auto
int e2 auto
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
exit
show interface
show ip address

------------------- nat -------------------
conf t
nat (inside) 1 0.0.0.0 0.0.0.0
(the destination address is unchanged; with nat id 1 the source address is replaced by an address from the matching global ip pool, and each translation is recorded in the xlate table)
global (outside) 1 192.168.0.20-192.168.0.254
show xlate

----------- two inside subnets, two global pools -----------
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.24 netmask 255.255.255.240
nat (inside) 2 10.1.0.0 255.255.255.0
global (outside) 2 192.168.0.27-192.168.0.30 netmask 255.255.255.240
(255.255.255.240: last octet 1111 0000)

nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
nat (dmz) 1 172.16.0.0 255.255.255.0
(pc: 172.16.0.2 -------- pix: 172.16.0.1)
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
(192.168.0.1 ------ outside router)
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
(metric = 1)

------------------- udp / tcp inspection -------------------
10.0.0.3 ------- pix ------------------- 172.30.0.50
ip header: source port 1026 -------------- destination port 23
tcp header: initial sequence number (random) ----- sequence number
(udp has none; the asa (adaptive security algorithm) tracks it for tcp)
(udp has no payload --------- body, no flags ......)

------------------- translation vs. connections -------------------
translation (layer 3): ip --- ip ---- 65536 ports
connections (layer 4): tcp or udp
(windows: netstat)

-------------------
static (inside,outside) 192.168.0.18 10.0.0.10
(global ip, then local ip; global ip 192.168.0.18 = ftp server)
conduit permit tcp host 192.168.0.18 eq ftp any
(the conduit names the global address from the static above; any external pc may reach ftp)

------------------- pat -------------------
(pat: the port changes, the global ip does not)
                     inside          outside
source address       10.0.0.2        192.168.0.15
destination address  172.30.0.50     172.30.0.50
source port          49090           2000
destination port     23              23

-------------------
ip address inside 10.0.0.1 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.9 netmask 255.255.255.0
(pix pat address: 192.168.0.9)

-------------------
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.8 netmask 255.255.255.0
nat (inside) 2 10.0.1.0 255.255.255.0
global (outside) 2 192.168.0.9 netmask 255.255.255.0

----------------- 65536 ports -----------------
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 192.168.0.8 netmask 255.255.255.0
global (outside) 1 192.168.0.9 netmask 255.255.255.0
(a second pat address for the same nat id, used once the 65536 ports of the first are exhausted)
show xlate
3 in use, 3 most used
pat global 192.168.0.20(0) local 10.0.0.15 icmp id 340
pat global 192.168.0.20(1024) local 10.0.0.15 (1028)
pat global 192.168.0.20(1024) local 10.0.0.15 (516)

----------------- no nat / pat -----------------
nat (inside) 0 192.168.0.9 255.255.255.255
show nat

------------------------ acl ------------------------
traffic coming in from outside:
access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 168.168.0.1 lt 1025
(port operators: lt, eq, gt) (a network must be written with its subnet mask)
access-group dmz1 in interface dmz
traffic going out from inside:
show access-list
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group

---------------------- external web site (http) ----------------------
write terminal
ip address outside 192.168.0.2 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_out_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_out_dmz deny ip any any
access-group acl_out_dmz in interface outside

---------------------- partnernet (security level 40) ---> dmz web server ----------------------
(the dmz may reach the inside mail server)
write terminal
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nameif ethernet3 partnernet sec40
static (dmz,partnernet) 172.26.26.11 172.16.0.2
static (inside,dmz) 172.16.0.11 10.0.0.4
(the mail server 10.0.0.4 appears in the dmz as 172.16.0.11; 172.16.0.1 is the pix dmz interface itself and cannot be used as the static's global address)
access-list acl_partner permit tcp 172.26.26.0 255.255.255.240 host 172.26.26.11 eq www
(a list applied on partnernet matches the web server's translated address 172.26.26.11 from the static above, not its dmz address)
access-group acl_partner in interface partnernet
access-list acl_dmz_in permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
access-group acl_dmz_in in interface dmz

---------------------- ping ----------------------
(block icmp: dos) echo reply ------- echo request
icmp deny any echo-reply outside

---------------------- activex blocking ----------------------
(activex filter: malicious code can be carried inside activex)
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
(the 0.0.0.0 groups: any local address/mask and any foreign address/mask)

---------------------- remote access ----------------------
password xxxxx
show passwd
telnet 10.0.0.2 inside
(allow telnet from the pc 10.0.0.2)
exit
show telnet
telnet 10.0.0.1
(from the pc to the pix)

---------------------- pix v5.2: ssh ----------------------
putty: host 192.168.0.2 port 22
user: pix
pass:
ca generate rsa key 1024
(des ==== 768, 3des ==== 1024)
ssh 172.26.26.50 255.255.255.255 outside
(lets that outside host connect in)

---------------------- syslog messages ----------------------
(inside host 10.0.0.5 runs syslog)
logging on
logging buffered debugging
show logging
clear logging
~~~~~~
logging host inside 10.0.0.5
logging trap debugging
logging timestamp
logging on

---------------------- url filtering ----------------------
(e.g. blocking mainland china web sites)
~~~~~~ websense enterprise
url-server (dmz) host 172.16.0.3 protocol TCP version 4
filter url http 0 0 0 0 allow
(0 0 0 0: filter all inside and outside addresses)
(allow: if the url server is unreachable, everything is permitted)
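The nat / global / pat notes above turn on one distinction: a translation (xlate) is created per local address (dynamic nat) or per local address and port (pat), while a connection is one tcp or udp 5-tuple, and many connections ride on one translation. The following is an added Python model of that xlate table, not PIX code and not from the original notes. The nat ids and global addresses are taken from the notes; the hosts, the packets, the choice of handing out pat ports from 1024 upward and of using address pools before a pat address, and the most-specific-rule-wins lookup are modelling assumptions made here.

```python
# Added example (not PIX code): a toy model of the PIX xlate table, showing the
# difference between a translation (layer 3, per local address or address+port)
# and a connection (layer 4, per 5-tuple). Hosts and packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class GlobalPool:
    # one 'global (outside) <id> <first>[-<last>]' line; a single address means PAT
    nat_id: int
    first: IPv4Address
    last: IPv4Address

    def is_pat(self) -> bool:
        return self.first == self.last


class PixNat:
    def __init__(self) -> None:
        self.nat_rules: List[Tuple[int, IPv4Network]] = []
        self.pools: List[GlobalPool] = []
        # translation: (local ip, local port or 0) -> (global ip, global port or 0)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # connection: full 5-tuple; many connections share one translation
        self.conns: Set[Tuple[str, str, str, int, int]] = set()
        self.used_globals: Set[str] = set()
        self.next_pat_port: Dict[str, int] = {}  # assumption: ports handed out from 1024

    def nat(self, nat_id: int, net: str, mask: str) -> None:
        self.nat_rules.append((nat_id, IPv4Network(f"{net}/{mask}")))
        # model choice: most specific rule wins, so a /32 nat 0 entry beats its /24
        self.nat_rules.sort(key=lambda r: r[1].prefixlen, reverse=True)

    def global_(self, nat_id: int, first: str, last: Optional[str] = None) -> None:
        self.pools.append(GlobalPool(nat_id, IPv4Address(first), IPv4Address(last or first)))

    def _nat_id(self, src: str) -> Optional[int]:
        ip = IPv4Address(src)
        for nat_id, net in self.nat_rules:
            if ip in net:
                return nat_id
        return None

    def _allocate(self, nat_id: int) -> Optional[Tuple[str, int]]:
        pools = [p for p in self.pools if p.nat_id == nat_id]
        # address pools are used first; a PAT address only once the pools are full
        for pool in sorted(pools, key=GlobalPool.is_pat):
            if pool.is_pat():
                gip = str(pool.first)
                port = self.next_pat_port.get(gip, 1024)
                if port > 65535:
                    continue  # all ports of this PAT address used, try the next one
                self.next_pat_port[gip] = port + 1
                return gip, port
            addr = pool.first
            while addr <= pool.last:
                if str(addr) not in self.used_globals:
                    self.used_globals.add(str(addr))
                    return str(addr), 0
                addr += 1
        return None

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Packet as it leaves the outside interface, or None if it is dropped."""
        nat_id = self._nat_id(pkt.src)
        if nat_id is None:
            return None  # no nat rule covers this source
        self.conns.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        if nat_id == 0:
            return pkt  # nat 0: the connection is tracked, nothing is rewritten
        entry = self.xlate.get((pkt.src, 0)) or self.xlate.get((pkt.src, pkt.sport))
        if entry is None:
            entry = self._allocate(nat_id)
            if entry is None:
                return None  # pool addresses and PAT ports exhausted
            self.xlate[(pkt.src, pkt.sport if entry[1] else 0)] = entry
        gip, gport = entry
        return Packet(gip, pkt.dst, pkt.proto, gport or pkt.sport, pkt.dport)

    def show_xlate(self) -> List[str]:
        lines = [f"{len(self.xlate)} translations in use, {len(self.conns)} connections"]
        for (lip, lport), (gip, gport) in self.xlate.items():
            lines.append(f"PAT Global {gip}({gport}) Local {lip}({lport})" if gport
                         else f"Global {gip} Local {lip}")
        return lines


def demo() -> PixNat:
    pix = PixNat()
    pix.nat(1, "10.0.0.0", "255.255.255.0")
    pix.global_(1, "192.168.0.20", "192.168.0.21")  # two-address pool, fills quickly
    pix.global_(1, "192.168.0.9")                    # PAT backup for the same nat id
    pix.nat(2, "10.0.1.0", "255.255.255.0")
    pix.global_(2, "192.168.0.8")                    # PAT only
    pix.nat(0, "10.0.0.99", "255.255.255.255")       # identity, no translation
    for pkt in [  # constructed traffic
        Packet("10.0.0.5", "172.30.0.50", "tcp", 49090, 23),
        Packet("10.0.0.5", "172.30.0.50", "tcp", 49091, 80),  # same xlate, 2nd connection
        Packet("10.0.0.6", "172.30.0.50", "tcp", 49090, 23),
        Packet("10.0.0.7", "172.30.0.50", "tcp", 49090, 23),  # pool full -> PAT
        Packet("10.0.1.5", "172.30.0.50", "udp", 5000, 53),
        Packet("10.0.0.99", "172.30.0.50", "tcp", 1026, 23),  # nat 0
        Packet("10.9.9.9", "172.30.0.50", "tcp", 1026, 23),   # no rule -> dropped
    ]:
        print(pkt, "->", pix.translate(pkt))
    print("\n".join(pix.show_xlate()))
    return pix
```

Running demo() shows two hosts taking the two pool addresses, the third host falling back to pat on 192.168.0.9 with a new port per connection, and a second connection from 10.0.0.5 reusing the existing translation, which is why the xlate count stays below the connection count.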
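The acl notes above (dmz1, acl_out, acl_out_dmz, acl_partner, acl_dmz_in) rely on three rules that are easy to get wrong: entries are tried in order and the first match wins, every list ends in an implicit deny, and an interface with no list bound falls back to the security levels from nameif (a higher level may open connections to a lower one, never the reverse). The following is an added Python parser and evaluator for those lines, written for this page and not part of the notes or of any PIX software. The configuration is the one from the notes; the binding access-group acl_out in interface inside is assumed, since the notes stop at access-group, and the hosts 203.0.113.9, 172.26.26.5 and 172.26.26.20 are constructed.

```python
# Added example (not PIX code): parse nameif / access-list / access-group lines and
# give a verdict for a new connection. Destination addresses are the ones seen on
# the inbound interface, i.e. the translated (static) addresses, as in the notes.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "telnet": 23}

CONFIG = """
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nameif ethernet3 partnernet sec40
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
access-list acl_out_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_out_dmz deny ip any any
access-group acl_out_dmz in interface outside
access-list acl_partner permit tcp 172.26.26.0 255.255.255.240 host 172.26.26.11 eq www
access-group acl_partner in interface partnernet
access-list acl_dmz_in permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
access-group acl_dmz_in in interface dmz
"""


@dataclass
class Ace:
    action: str           # permit | deny
    proto: str            # ip matches every protocol
    src: IPv4Network
    dst: IPv4Network
    op: Optional[str]     # eq | lt | gt on the destination port
    port: Optional[int]


def _addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any', 'host <ip>' or '<net> <mask>' (a network must carry its mask)."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    return IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    op = port = None
    if i < len(t):  # optional 'eq|lt|gt <port number or name>'
        op, p = t[i], t[i + 1]
        port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return name, Ace(action, proto, src, dst, op, port)


class PixPolicy:
    def __init__(self, config: str) -> None:
        self.level: Dict[str, int] = {}        # interface -> security level
        self.acl: Dict[str, List[Ace]] = {}    # list name -> entries in order
        self.bound: Dict[str, str] = {}        # interface -> list applied inbound
        for raw in config.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == "nameif":               # nameif ethernet0 outside sec0
                self.level[t[2]] = int(t[3][3:])
            elif t[0] == "access-list":
                name, ace = parse_ace(raw)
                self.acl.setdefault(name, []).append(ace)
            elif t[0] == "access-group":       # access-group <name> in interface <if>
                self.bound[t[4]] = t[1]

    @staticmethod
    def _match(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
        if ace.proto != "ip" and ace.proto != proto:
            return False
        if IPv4Address(src) not in ace.src or IPv4Address(dst) not in ace.dst:
            return False
        if ace.op is None:
            return True
        return {"eq": dport == ace.port, "lt": dport < ace.port, "gt": dport > ace.port}[ace.op]

    def decide(self, in_if: str, out_if: str, proto: str, src: str, dst: str, dport: int) -> str:
        """Verdict for a connection arriving on in_if and leaving via out_if."""
        name = self.bound.get(in_if)
        if name is None:  # no list: only a higher security level may initiate to a lower one
            allowed = self.level[in_if] > self.level[out_if]
            return "permit (security level)" if allowed else "deny (security level)"
        for n, ace in enumerate(self.acl[name], start=1):  # first match wins
            if self._match(ace, proto, src, dst, dport):
                return f"{ace.action} ({name} line {n})"
        return f"deny ({name} implicit deny)"
```

The check worth keeping in mind: once a list is bound to an interface, the security levels no longer help, so acl_dmz_in allowing only 172.16.0.4 to port 25 means every other dmz host is dropped by the implicit deny, and acl_out must list its deny for www before the permit ip any any or the deny never fires.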
