Lab objectives:
Master the basic configuration of PIX interfaces
Configure static and default routes
Configure NAT
 


Lab topology
Notes:
We configure a static route towards the loopback on the inside side
A default route on the outside interface
The router interfaces facing the firewall are all E0/0
The various NAT types are explained as the lab goes along
 
Steps:
1. On the routers, configure the interfaces, the hostname and a default route pointing at the firewall. **I'll skip that part here.**
2. The focus is the basic PIX configuration
Set the hostname:
pixfirewall# config t
pixfirewall(config)# hostname pix
Configure the interfaces
pix(config)# int e0
pix(config-if)# ip add 172.16.1.1 255.255.255.0
pix(config-if)# nameif inside (assigns the interface name; inside defaults to security level 100, every other interface defaults to 0)
INFO: Security level for "inside" set to 100 by default.
pix(config-if)# no shut
 
pix(config)# int e1
pix(config-if)# ip add 150.100.1.1 255.255.255.0
pix(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pix(config-if)# security-level 50 (here we set the DMZ level to 50)
pix(config-if)# no shut
 
pix(config)# int e2
pix(config-if)# ip add 202.100.1.1 255.255.255.0
pix(config-if)# no shut
pix(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default
 
By default, traffic from a higher security level is allowed to reach a lower security level.
Now we configure one static route and one default route so the pix can reach the loopback interfaces on the inside and outside routers.
pix(config)# route inside 2.2.2.2 255.255.255.255 172.16.1.10 (route <egress interface> <destination network> <next hop>)
pix(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
pix(config)# route outside 0 0 202.100.1.10 (the default route that takes eight zeros on a router can be abbreviated to two zeros here)
pix(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/40 ms
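The two rules the lab relies on so far are the longest-prefix route lookup (the /32 static route wins over the 0 0 default, and directly connected networks are known from the interface addresses) and the default policy that only lets traffic go from a higher security level to a strictly lower one. The Python below is an added model of both, not configuration or code from the page; the interface addresses, security levels and routes are taken from the lab above, and the helper names are mine.

```python
import ipaddress

# Interface table as configured in the lab: name -> (address/mask, security level).
INTERFACES = {
    "inside":  (ipaddress.ip_interface("172.16.1.1/24"), 100),
    "dmz":     (ipaddress.ip_interface("150.100.1.1/24"), 50),
    "outside": (ipaddress.ip_interface("202.100.1.1/24"), 0),
}

# Routes from the lab: (destination network, egress interface, next hop).
# "route outside 0 0 202.100.1.10" is the default route, i.e. 0.0.0.0/0.
ROUTES = [
    (ipaddress.ip_network("2.2.2.2/32"), "inside", "172.16.1.10"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "202.100.1.10"),
]


def lookup_route(dst):
    """Longest-prefix match over connected networks plus configured routes.

    Returns (egress interface, next hop) with next hop None when the
    destination is directly connected, or None if nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    candidates = []
    # Directly connected networks are implied by the interface addresses.
    for name, (iface, _level) in INTERFACES.items():
        if dst in iface.network:
            candidates.append((iface.network.prefixlen, name, None))
    for net, name, nexthop in ROUTES:
        if dst in net:
            candidates.append((net.prefixlen, name, nexthop))
    if not candidates:
        return None
    _plen, name, nexthop = max(candidates, key=lambda c: c[0])
    return name, nexthop


def default_permits(src_if, dst_if):
    """Default PIX policy with no access lists: a flow is allowed only when it
    leaves a higher security level for a strictly lower one."""
    return INTERFACES[src_if][1] > INTERFACES[dst_if][1]


def classify_flow(src, dst):
    """Resolve both endpoints to interfaces and apply the default policy."""
    src_route, dst_route = lookup_route(src), lookup_route(dst)
    if src_route is None or dst_route is None:
        raise ValueError("unroutable endpoint")
    src_if, dst_if = src_route[0], dst_route[0]
    return src_if, dst_if, default_permits(src_if, dst_if)


if __name__ == "__main__":
    print(lookup_route("2.2.2.2"))                      # static route via inside
    print(lookup_route("8.8.8.8"))                      # falls through to the default
    print(classify_flow("172.16.1.2", "202.100.1.2"))   # inside -> outside, permitted
    print(classify_flow("202.100.1.2", "172.16.1.2"))   # outside -> inside, denied
```

The model also makes the point the lab leaves implicit: dmz (50) can reach outside (0) but not inside (100), so the later dmz-to-outside telnet works without any access list, while anything initiated from outside is dropped by default.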
 
Next we configure NAT in detail
1. Static NAT
We map inside 172.16.1.2 to 202.100.1.100
pix(config)# static (inside,outside) 202.100.1.100 172.16.1.2 netmask 255.255.255.255
Telnet test:
inside#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
User Access Verification
Password:
OUTSIDE>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:52  
 130 vty 0                idle                 00:05:24 202.100.1.100
 
2. Dynamic NAT
pix(config)# nat (inside) 1 172.16.1.0 255.255.255.0 (defines the inside subnet that needs translating)
pix(config)# global (outside) 1 202.100.1.101-202.100.1.200 netmask 255.255.255.0 (defines the address pool; the id 1 here must match the nat statement)
inside#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
 
 
User Access Verification
 
Password:
OUTSIDE>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:09:52  
*130 vty 0                idle                 00:00:00 202.100.1.189
 
Here I also translate the dmz into the outside subnet
pix(config)# nat (dmz) 1 150.100.1.0 255.255.255.0
dmz#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
 
 
User Access Verification
 
Password:
OUTSIDE>show user
    Line       User       Host(s)              Idle       Location
*130 vty 0                idle                 00:00:00 202.100.1.124
Test successful
The pix has several commands for looking up NAT state
pix(config)# show xlate
2 in use, 2 most used
Global 202.100.1.124 Local 150.100.1.10
Global 202.100.1.189 Local 172.16.1.2
 
pix(config)# show run nat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (dmz) 1 150.100.1.0 255.255.255.0
 
show nat
 
3. Port Address Translation (PAT)
First remove all the previous nat configuration with no
pix(config)# nat (inside) 1 172.16.1.0 255.255.255.0
pix(config)# global (outside) 1 interface 
INFO: outside interface address added to PAT pool
Test:
inside#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
 
 
User Access Verification
 
Password:
OUTSIDE>show user
    Line       User       Host(s)              Idle       Location
*130 vty 0                idle                 00:00:00 202.100.1.1
 
pix(config)# show xlate
1 in use, 2 most used
PAT Global 202.100.1.1(24848) Local 172.16.1.2(48011)
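The show xlate output above is the place to check that the translation table matches what was configured: every Global address should be explained by the static mapping, the global pool or the interface PAT. The Python below is an added example (not a tool from the page) that parses both xlate line formats shown in the lab, the plain "Global X Local Y" form and the "PAT Global X(port) Local Y(port)" form, and reports any translation whose global address no configured pool accounts for. The policy table is the lab's static, nat/global and PAT statements combined; the sample output is constructed from the page's lines plus one extra entry (Global 202.100.1.250) that deliberately violates the policy.

```python
import ipaddress
import re

# Constructed sample modelled on the 'show xlate' output quoted in the lab,
# plus one line (Global 202.100.1.250) that no configured pool explains.
SAMPLE_XLATE = """\
4 in use, 4 most used
Global 202.100.1.124 Local 150.100.1.10
Global 202.100.1.189 Local 172.16.1.2
PAT Global 202.100.1.1(24848) Local 172.16.1.2(48011)
Global 202.100.1.250 Local 172.16.1.7
"""

# One regex for both line shapes: optional "PAT " prefix, optional (port) suffixes.
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gaddr>\d+\.\d+\.\d+\.\d+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<laddr>\d+\.\d+\.\d+\.\d+)(?:\((?P<lport>\d+)\))?$"
)


def parse_xlate(text):
    """Turn 'show xlate' output into a list of translation records."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # skips the "N in use" summary line and anything unparseable
        entries.append({
            "pat": m.group("pat") is not None,
            "global": m.group("gaddr"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local": m.group("laddr"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return entries


def address_range(first, last):
    """Expand an inclusive 'global (outside) 1 A-B' pool into a set of addresses."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {str(ipaddress.ip_address(i)) for i in range(a, b + 1)}


# NAT policy from the lab: (local network, global addresses that may represent it).
#   static (inside,outside) 202.100.1.100 172.16.1.2
#   nat (inside) 1 172.16.1.0/24 + nat (dmz) 1 150.100.1.0/24
#   global (outside) 1 202.100.1.101-202.100.1.200
#   global (outside) 1 interface   -> PAT on the outside address 202.100.1.1
POOL = address_range("202.100.1.101", "202.100.1.200")
POLICY = [
    (ipaddress.ip_network("172.16.1.2/32"), {"202.100.1.100"}),
    (ipaddress.ip_network("172.16.1.0/24"), POOL | {"202.100.1.1"}),
    (ipaddress.ip_network("150.100.1.0/24"), POOL),
]


def audit_xlate(text, policy=POLICY):
    """Return the translations whose Global address is not explained by the policy."""
    unexplained = []
    for entry in parse_xlate(text):
        local = ipaddress.ip_address(entry["local"])
        explained = any(local in net and entry["global"] in pool for net, pool in policy)
        if not explained:
            unexplained.append(entry)
    return unexplained


if __name__ == "__main__":
    for bad in audit_xlate(SAMPLE_XLATE):
        print("unexplained translation:", bad)
```

Run against the real output of show xlate, the audit flags stale or unexpected translations; the PAT record keeps its ports, which is what you need when matching a connection seen on the outside router (the 202.100.1.1 Location in show user) back to the inside host.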
 
Done!!