2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Using the Cisco PIX Firewall
1. interface command
When configuring interfaces you keep meeting the same few terms:
hardware_id is the physical interface: ethernet0, ethernet1, ethernet2 (abbreviated e0, e1, e2).
interface_name is the name given to the interface: outside, inside, DMZ.
hardware_speed defaults to auto, but Cisco recommends setting the speed manually; the right value depends on the transmission medium you use.
On a router, no shutdown activates a port. The PIX has no "no shutdown" command: an interface is active unless the optional shutdown keyword is present, which administratively disables it.
interface hardware_id hardware_speed [shutdown]
interface e0 auto
interface e1 auto
interface e2 auto
2. nameif command
nameif names an interface and assigns it a security level. outside and inside are fixed at 0 and 100 respectively; every other interface gets a value from 1 to 99. By default e0 is the outside interface and e1 the inside interface.
nameif hardware_id if_name security_level
nameif e0 outside 0
nameif e1 inside 100
nameif e2 DMZ 50
Use show nameif to check the configuration.
For what the security levels mean, see my earlier post. In short: traffic from a higher-security interface to a lower one is allowed by default (it only needs a translation, see nat and global below), while traffic from a lower-security interface to a higher one is dropped unless you explicitly permit it (a static plus a conduit or access-list).
3. ip address command
A PIX interface gets its IP address in one of two ways: manually or from DHCP.
ip address manually assigns a logical address to an interface name.
ip address if_name ip_address [netmask]
ip address inside 192.168.10.1 255.255.255.0
The address must be a host address on the subnet (192.168.10.1 here), not the network address 192.168.10.0.
To remove the currently configured IP address:
pix(config)# clear ip address (clears the IP address on all interfaces)
pix(config)# no ip address inside 192.168.10.1 255.255.255.0 (clears the address on this interface only)
4. nat command
nat translates one group of IP addresses into another. Yesterday I saw that version 6.2 supports nat on the outside interface; I don't know in what environment that is used, hehe.
Two things to remember when using nat: nat 0 has a special meaning (identity NAT: the listed addresses pass through untranslated and need no global), and every other nat is always paired with a global that carries the same nat_id.
nat (if_name) nat_id local_ip [netmask]
nat (inside) 1 192.168.10.0 255.255.255.0
5. global command
global defines the address or address range that the nat command translates to. The nat_id in the global command must match the nat_id of the nat command it serves.
global (if_name) nat_id global_ip[-global_ip] [netmask global_mask]
global (outside) 1 10.0.0.1 netmask 255.0.0.0 (a single address means PAT; when you enter this the CLI warns that the PIX will use this one address for PAT of all connections)
global (outside) 1 10.0.0.1-10.0.0.254 netmask 255.0.0.0 (an address pool for dynamic NAT)
When a pool and a single PAT address share the same nat_id, the PIX hands out pool addresses first and falls back to PAT once the pool is exhausted.
To check whether a particular IP has an entry in the translation table, use show xlate. By default a translation stays in the table for 3 hours; you can change that with timeout xlate hh:mm:ss.
You also need to understand how PAT works, and you should know that PAT has limitations: it cannot support H.323 or caching name servers. To be honest, I don't know what those two things are :(
6. route command, very important!!!
route tells the PIX which interface to forward on for a given destination network. Use it to add a static route to the PIX.
route if_name ip_address netmask gateway_ip [metric]
if_name is the interface the traffic leaves through
ip_address is the destination network being routed
netmask is the network mask of that destination
gateway_ip is the next-hop address
metric is the number of hops to the next device (default 1)
The most common use on a PIX is a default route:
route outside 0 0 192.168.1.3 1
Here 0 0 is shorthand for 0.0.0.0 0.0.0.0: every destination not matched by a more specific route leaves through the outside interface towards 192.168.1.3. The gateway must be on the outside interface's own subnet.
When testing a new route configuration it is a good idea to run clear arp first to flush the PIX's ARP cache.
7. RIP command
I won't cover it, I don't want to know it, and I have never seen anyone use RIP in a PIX configuration.
Those who need it can check the books; if you have experience in this area, please share it.
8. Test your configuration. There are generally three steps. First, check that the commands went in as intended with the show commands: show interface, show nameif, show ip address, show route, show nat, show global and so on.
Second, use ping. Pings addressed to the PIX's own interface addresses are governed by the icmp command (for example icmp permit any outside; the default is to accept them, and icmp deny any outside is the usual hardening). Pings through the PIX from the outside interface are denied by default, like all inbound traffic from a lower-security interface, unless you open them with conduit permit icmp any any (or an access-list). Note that a conduit controls traffic through the firewall, not traffic to its interfaces, and that leaving conduit permit icmp any any in place after the test lets anyone on the outside reach every inside host with ICMP; remove it when you are done.
Finally, debug icmp trace shows each ICMP packet the PIX handles. It is worth a look, but turn it off afterwards, because debugging costs PIX performance.
9. Every PIX command takes effect the moment you enter it, so you can experiment, but don't save until you are sure: write memory (wr m) commits the running configuration to flash. If you get something wrong, reload discards the unsaved changes and restarts from the saved configuration.
10. pix supports dhcp
10.1 The PIX can act as a DHCP server. The PIX DHCP server can only be enabled on the inside interface, and you need to check the documentation for your model, because the number of client addresses supported differs between models and versions (a 506 and a 506E, for example, support different numbers of clients).
dhcpd enable inside
dhcpd address 192.168.10.10-192.168.10.200 inside
(the command takes the interface name, not a netmask; the pool must consist of usable host addresses within the inside subnet and must not include the PIX's own inside address)
dhcpd lease 2700 (lease length in seconds for clients; the default is 3600)
dhcpd dns 61.177.7.1
dhcpd wins 61.177.7.1
dhcpd domain testing.cn
10.2 The outside interface of the PIX can be configured to obtain its address from the ISP.
ip address outside dhcp [setroute] [retry retry_cnt]
setroute tells the PIX to install the default route returned by the DHCP server (its default-gateway option) as its own default route. Don't configure a static default route as well when setroute is used; the two would conflict.
Issuing ip address outside dhcp again releases the current lease and obtains a new one for the outside interface.
View the current lease with show ip address outside dhcp.
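The following is an added example, not code from the original post or from Cisco: a small Python linter that parses the commands from sections 1 to 6 and 10 (nameif, ip address, nat, global, route, dhcpd address) and reports the mistakes the text warns about: a wrong security level, a network address used as an interface address, a nat without a matching global and vice versa, a default-route gateway that is not on the egress subnet, a static default route alongside ip address outside dhcp setroute, and a DHCP pool that is not a usable range inside the inside subnet. Both configurations embedded in it are constructed for the example; the second deliberately repeats the slips from the original examples. The parser accepts both the short form used in this post (nameif e0 outside 0) and the form the PIX writes back (nameif ethernet0 outside security0).

```python
"""Lint a PIX 6.x-style configuration against the rules in this article.
Added example, not Cisco software; standard library only; sample configs are constructed.
"""
import ipaddress


def _net(addr, mask):
    """'route outside 0 0 ...' is PIX shorthand for 0.0.0.0 0.0.0.0."""
    return ipaddress.IPv4Network(("0.0.0.0" if addr == "0" else addr,
                                  "0.0.0.0" if mask == "0" else mask), strict=False)


def parse(text):
    """Minimal parser: only the commands covered in this article are recognised."""
    cfg = {"nameif": {}, "ip": {}, "setroute": set(), "nat": [], "global": [],
           "route": [], "dhcpd_pool": None}
    for raw in text.splitlines():
        t = raw.strip().lower().split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "nameif" and len(t) >= 4:              # nameif e0 outside 0 (or security0)
            cfg["nameif"][t[2]] = int(t[3].replace("security", ""))
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            if t[3] == "dhcp":                             # ip address outside dhcp [setroute]
                if "setroute" in t:
                    cfg["setroute"].add(t[2])
            elif len(t) >= 5:                              # ip address inside 192.168.10.1 255.255.255.0
                cfg["ip"][t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[0] == "nat" and len(t) >= 5:                # nat (inside) 1 192.168.10.0 255.255.255.0
            cfg["nat"].append((t[1].strip("()"), int(t[2]), _net(t[3], t[4])))
        elif t[0] == "global" and len(t) >= 4:             # global (outside) 1 a.b.c.d[-e.f.g.h] netmask m
            cfg["global"].append((t[1].strip("()"), int(t[2]), t[3].split("-")[0]))
        elif t[0] == "route" and len(t) >= 5:              # route outside 0 0 192.168.1.3 1
            cfg["route"].append((t[1], _net(t[2], t[3]), ipaddress.IPv4Address(t[4])))
        elif t[:2] == ["dhcpd", "address"] and len(t) >= 3:   # dhcpd address lo[-hi] [if_name]
            lo, _, hi = t[2].partition("-")
            cfg["dhcpd_pool"] = (t[3] if len(t) > 3 else "inside",
                                 ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo))
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means the configuration passed."""
    out, ips = [], cfg["ip"]
    for name, level in cfg["nameif"].items():              # outside=0, inside=100, others 1-99
        want = {"outside": 0, "inside": 100}.get(name)
        if want is not None and level != want:
            out.append(f"nameif {name}: security level {level}, expected {want}")
        elif want is None and not 1 <= level <= 99:
            out.append(f"nameif {name}: security level {level} is outside 1-99")
    for name, iface in ips.items():                        # an interface needs a host address
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            out.append(f"ip address {name}: {iface.ip} is the network/broadcast address, not a host")
    nat_ids = {i for _, i, _ in cfg["nat"] if i != 0}      # nat 0 is identity NAT, needs no global
    glob_ids = {i for _, i, _ in cfg["global"]}
    out += [f"nat id {i} has no matching global" for i in sorted(nat_ids - glob_ids)]
    out += [f"global id {i} has no matching nat" for i in sorted(glob_ids - nat_ids)]
    for name, net, gw in cfg["route"]:
        if net.prefixlen == 0 and name in cfg["setroute"]:
            out.append(f"route {name}: static default route conflicts with 'ip address {name} dhcp setroute'")
        elif name in ips and gw not in ips[name].network:  # next hop must be on the egress subnet
            out.append(f"route {name} {net}: gateway {gw} is not on {ips[name].network}")
    if cfg["dhcpd_pool"]:                                  # pool: usable hosts only, not the PIX itself
        name, lo, hi = cfg["dhcpd_pool"]
        iface = ips.get(name)
        if iface is None or not (iface.network.network_address < lo <= hi < iface.network.broadcast_address):
            out.append(f"dhcpd address {lo}-{hi}: pool is not within the usable host range of {name}")
        elif lo <= iface.ip <= hi:
            out.append(f"dhcpd address {lo}-{hi}: pool includes the PIX's own {name} address {iface.ip}")
    return out


GOOD_CONFIG = """\
nameif e0 outside security0
nameif e1 inside security100
nameif e2 dmz security50
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 192.168.1.10-192.168.1.20 netmask 255.255.255.0
global (outside) 1 192.168.1.21 netmask 255.255.255.0
route outside 0 0 192.168.1.3 1
dhcpd address 192.168.10.10-192.168.10.200 inside
"""

# Constructed to repeat the slips in the article's own examples.
BAD_CONFIG = """\
nameif e0 outside security0
nameif e1 inside security100
nameif e2 dmz security100
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 2 192.168.1.10 netmask 255.255.255.0
route outside 0 0 10.1.1.1 1
dhcpd address 192.168.10.0-192.168.10.200 inside
"""

if __name__ == "__main__":
    print("\n".join(lint(parse(BAD_CONFIG))))
```

Run it as a script and it prints the six findings for the bad configuration; feed it the output of write terminal from a real PIX and lint(parse(...)) returns an empty list when none of the checks trip. The checks are deliberately the ones stated in this post, not a full PIX grammar.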
11. Time setting and NTP support
The system time can be set manually or obtained from an NTP server.
Manual: clock set hh:mm:ss month day year. For NTP (the ntp server command), check the documentation; we have not seen anyone do it, as the security requirements are too demanding. Accurate time still matters on a firewall: the PIX's syslog timestamps are only useful for correlating events if its clock is right.