请教大家一个问题,尤其是做过PIX 506e的朋友们,请给我指点一下。我的路由器外挂了一台PIX防火墙,路由器用的是华为AR18-20,内网有一台数据库服务器,我希望能从外网把数据传到这台数据库上,但是1433端口不通,其他端口都可以用;在内网可以登录服务器的所有端口,从外网却登录不上1433,其他端口都能登上。麻烦大家帮我看一下问题出在哪里,并顺便解释一下原因,谢谢。另外,下面贴出的配置原样保留了口令(PIX的enable/passwd哈希、路由器的local-user和vty明文口令、SNMP community public),发帖前应先删掉并更换。
PIX防火墙配置如下(PIX 6.3,show running-config 原样贴出):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU25 encrypted
passwd 2KFQnbNIdI.2KYOE encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit udp host 192.168.2.253 any
access-list acl_in permit udp any host 192.168.2.253
access-list acl_in permit tcp any host 192.168.2.253
access-list acl_in permit tcp host 192.168.2.254 any
access-list acl_in permit udp host 192.168.2.254 any
access-list acl_in permit udp any host 192.168.2.254
access-list acl_in permit tcp any host 192.168.2.254
access-list acl_in permit tcp any host 192.168.2.5 eq www
access-list acl_in permit tcp any host 192.168.2.5 eq 2030
access-list acl_in permit tcp any host 192.168.2.5 eq 3389
access-list acl_in permit tcp any host 192.168.2.5 eq sqlnet
access-list acl_in permit tcp any host 192.168.2.6 eq sqlnet
access-list acl_in permit tcp any host 192.168.2.6 eq 3389
access-list acl_in permit tcp any host 192.168.2.6 eq 2030
access-list acl_in permit tcp any host 192.168.2.6 eq www
access-list acl_in permit tcp host 192.168.2.6 any eq www
access-list acl_in permit tcp host 192.168.2.6 any eq sqlnet
access-list acl_in permit tcp host 192.168.2.6 any eq 3389
access-list acl_in permit tcp host 192.168.2.6 any eq 2030
access-list acl_in permit tcp host 192.168.2.5 any eq www
access-list acl_in permit tcp host 192.168.2.5 any eq sqlnet
access-list acl_in permit tcp host 192.168.2.5 any eq 3389
access-list acl_in permit tcp host 192.168.2.5 any eq 2030
access-list acl_in permit udp host 192.168.2.5 any eq 8060
access-list acl_in permit udp host 192.168.2.5 any eq 6080
access-list acl_in permit udp host 192.168.2.5 any eq 7522
access-list acl_in permit udp host 192.168.2.6 any eq 7522
access-list acl_in permit udp host 192.168.2.6 any eq 6080
access-list acl_in permit udp host 192.168.2.6 any eq 8060
access-list acl_in permit udp host 192.168.2.6 any eq 7301
access-list acl_in permit udp any host 192.168.2.6 eq 7301
access-list acl_in permit udp any host 192.168.2.6 eq 8060
access-list acl_in permit udp any host 192.168.2.6 eq 6080
access-list acl_in permit udp any host 192.168.2.6 eq 7522
access-list acl_in permit udp any host 192.168.2.5 eq 7522
access-list acl_in permit udp any host 192.168.2.5 eq 6080
access-list acl_in permit udp any host 192.168.2.5 eq 8060
access-list acl_in permit udp any host 192.168.2.5 eq 7301
access-list acl_in permit udp any host 192.168.2.5 eq dnsix
access-list acl_in permit udp any host 192.168.2.6 eq dnsix
access-list acl_in permit udp host 192.168.2.6 any eq dnsix
access-list acl_in permit udp host 192.168.2.5 any eq dnsix
access-list acl_in permit udp host 192.168.2.5 any eq domain
access-list acl_in permit udp host 192.168.2.6 any eq domain
access-list acl_in permit udp any host 192.168.2.6 eq domain
access-list acl_in permit udp any host 192.168.2.5 eq domain
access-list acl_in permit tcp any host 192.168.2.5 eq 6080
access-list acl_in permit tcp any host 192.168.2.5 eq 7301
access-list acl_in permit udp host 192.168.2.5 any eq snmp
access-list acl_in permit udp host 192.168.2.5 any eq snmptrap
access-list acl_in permit udp any host 192.168.2.5 eq snmp
access-list acl_in permit udp any host 192.168.2.5 eq snmptrap
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 192.168.1.3
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.3 192.168.2.6 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.4 192.168.2.5 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.1.4 eq 3389 any
conduit permit tcp host 192.168.1.4 eq 7301 any
conduit permit tcp host 192.168.1.4 eq 8060 any
conduit permit tcp host 192.168.1.4 eq 6080 any
conduit permit tcp host 192.168.1.4 eq sqlnet any
conduit permit udp host 192.168.1.4 eq 3389 any
conduit permit udp host 192.168.1.4 eq 7301 any
conduit permit udp host 192.168.1.4 eq 8060 any
conduit permit udp host 192.168.1.4 eq 6080 any
conduit permit udp host 192.168.1.3 eq 1521 any
conduit permit tcp host 192.168.1.3 eq sqlnet any
conduit permit tcp host 192.168.1.3 eq 2332 any
conduit permit tcp host 192.168.1.3 eq 8001 any
conduit permit tcp host 192.168.1.3 eq 8002 any
conduit permit tcp host 192.168.1.3 eq 8014 any
conduit permit tcp host 192.168.1.3 eq 9002 any
conduit permit tcp host 192.168.1.3 eq www any
conduit permit tcp host 192.168.1.3 eq 8080 any
conduit permit tcp host 192.168.1.3 eq 1433 any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.20-192.168.2.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:61fe4a59e3cbff4e4e6c270b36e72353
: end
 
 
华为AR18-20路由器配置如下(display current-configuration 原样贴出):
sysname Quidway
#
 service modem-callback
#
 local-user ccc password simple 222222
 local-user ccc level 3
 local-user gsgl password simple gsgl
 local-user gsgl service-type telnet
#
 nat address-group 1 222.142.24.24 222.142.24.24
#
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface Ethernet1/3
#
interface Ethernet1/4
#
interface Ethernet2/0
 speed 10
 duplex full
 ip address 222.142.24.24 255.255.255.240
 nat outbound 2010 address-group 1
 nat server protocol tcp global 222.142.24.24 8060 inside 192.168.1.4 8060
 nat server protocol udp global 222.142.24.24 7301 inside 192.168.1.4 7301
 nat server protocol tcp global 222.142.24.24 7301 inside 192.168.1.4 7301
 nat server protocol udp global 222.142.24.24 6080 inside 192.168.1.4 6080
 nat server protocol udp global 222.142.24.24 8060 inside 192.168.1.4 8060
 nat server protocol tcp global 222.142.24.24 3389 inside 192.168.1.4 3389
 nat server protocol udp global 222.142.24.24 3389 inside 192.168.1.4 3389
 nat server protocol tcp global 222.142.24.24 6080 inside 192.168.1.4 6080
 nat server protocol tcp global 222.142.24.24 1521 inside 192.168.1.3 1521
 nat server protocol udp global 222.142.24.24 1521 inside 192.168.1.3 1521
 nat server protocol tcp global 222.142.24.24 2332 inside 192.168.1.3 2332
 nat server protocol tcp global 222.142.24.24 8001 inside 192.168.1.3 8001
 nat server protocol tcp global 222.142.24.24 8002 inside 192.168.1.3 8002
 nat server protocol tcp global 222.142.24.24 8014 inside 192.168.1.3 8014
 nat server protocol tcp global 222.142.24.24 9002 inside 192.168.1.3 9002
 nat server protocol tcp global 222.142.24.24 8653 inside 192.168.1.4 8653
 nat server protocol tcp global 222.142.24.24 7001 inside 192.168.1.4 7001
nat server protocol udp global 222.142.24.24 snmp inside 192.168.1.4 snmp
 nat server protocol udp global 222.142.24.24 snmptrap inside 192.168.1.4 snmptrap
 nat server protocol tcp global 222.142.24.24 www inside 192.168.1.4 www
 nat server protocol tcp global 222.142.24.24 1433 inside 192.168.1.3 1433
#
interface NULL0
#
acl number 2010
 rule 0 permit source 192.168.2.0 0.0.0.255
 rule 1 permit source 192.168.0.0 0.0.255.255
#
 ip route-static 0.0.0.0 0.0.0.0 222.142.24.18 preference 60
 ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 preference 60
#
user-interface con 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple huawei
#
return