
Using GNS3 to do PIX Firewall ICMP experiment

2025-04-12 Update, from SLTechnology News & Howtos (shulou), Network Security

Shulou (Shulou.com) 06/01 Report

R1 and R2 are configured with basic interface addresses and default routes.

PIX configuration (interface addressing and security levels; the enable password is empty, so just press Enter at the prompt):

pixfirewall> en
Password:
pixfirewall#
pixfirewall# conf t
pixfirewall(config)# hostname PIX
PIX(config)# int e0
PIX(config-if)# ip address 220.171.1.2 255.255.255.0
PIX(config-if)# security-level 0          ! outside interface, security level 0
PIX(config-if)# nameif outside
PIX(config-if)# no sh
PIX(config-if)# int e1
PIX(config-if)# ip address 10.0.1.1 255.255.255.0
PIX(config-if)# security-level 100        ! inside interface, security level 100
PIX(config-if)# nameif inside
PIX(config-if)# no sh

By default, inside hosts can ping the inside interface and, likewise, outside hosts can ping the outside interface, as the figure shows:

Now configure the PIX to deny pings from inside and outside hosts to its inside and outside interfaces:

PIX(config)# icmp deny 0 0 outside
PIX(config)# icmp deny 0 0 inside

(`icmp deny any outside` and `icmp deny any inside` are equivalent forms.)

Ping again; the result is as follows:

You can see that the ping no longer works.

The deny commands above can also be written with the ICMP type restricted to echo:

PIX(config)# icmp deny 0 0 echo outside    ! block echo packets from outside hosts
PIX(config)# icmp deny 0 0 echo inside     ! block echo packets from inside hosts

Same effect, because the ping command sends an ICMP echo request and uses the reply to learn whether the destination is reachable and how fast the round trip is. Echo is therefore the ICMP type that matters for this test; it is generally used to confirm that a connection is working.
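To make the behaviour of the `icmp` control list explicit, here is a small Python model of how the PIX decides whether ICMP addressed to one of its own interfaces is accepted. It is an added example, not code from the original article or from Cisco: the rule parser, the `IcmpRule` class and the sample rule lines are constructed here, and it only models the documented first-match semantics (no list on an interface means accept all; once a list exists, the first matching rule decides and anything unmatched is implicitly denied).

```python
"""Model of the PIX `icmp permit|deny` control list used for ICMP to the firewall itself.

Added example (hypothetical helper names); it reproduces the documented PIX behaviour:
- no rule configured for an interface: all ICMP terminating on that interface is accepted
- rules configured for an interface: first match wins, unmatched traffic is implicitly denied
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class IcmpRule:
    action: str                # "permit" or "deny"
    source: IPv4Network        # "any" and the "0 0" shorthand both become 0.0.0.0/0
    icmp_type: Optional[str]   # e.g. "echo"; None matches every ICMP type
    interface: str             # nameif the packet terminates on, e.g. "outside"


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one `icmp {permit|deny} {any|host ip|ip mask} [icmp_type] if_name` line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control rule: {line!r}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        source, rest = IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        source, rest = IPv4Network(f"{rest[1]}/32"), rest[2:]
    else:
        ip, mask = rest[0], rest[1]
        # The PIX CLI accepts "0" as shorthand for 0.0.0.0 in both positions.
        ip = "0.0.0.0" if ip == "0" else ip
        mask = "0.0.0.0" if mask == "0" else mask
        source, rest = IPv4Network(f"{ip}/{mask}", strict=False), rest[2:]
    interface = rest[-1]
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, source, icmp_type, interface)


def icmp_to_interface_allowed(rules: List[IcmpRule], interface: str,
                              src: str, icmp_type: str) -> bool:
    """Decide whether an ICMP packet of `icmp_type` from `src` is accepted on `interface`."""
    src_ip = IPv4Address(src)
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return True                      # no control list here: accept all ICMP
    for rule in applicable:              # first match wins
        if src_ip in rule.source and (rule.icmp_type is None or rule.icmp_type == icmp_type):
            return rule.action == "permit"
    return False                         # implicit deny at the end of a configured list


def demo() -> dict:
    """Run the article's three configurations against constructed sample pings."""
    deny_all = [parse_icmp_rule(l) for l in ("icmp deny 0 0 outside", "icmp deny 0 0 inside")]
    deny_echo = [parse_icmp_rule("icmp deny 0 0 echo outside")]
    allow_one = [parse_icmp_rule(l) for l in ("icmp permit host 10.0.1.2 echo inside",
                                              "icmp deny any inside")]
    return {
        "default_inside_ping": icmp_to_interface_allowed([], "inside", "10.0.1.2", "echo"),
        "deny_all_inside_ping": icmp_to_interface_allowed(deny_all, "inside", "10.0.1.2", "echo"),
        "deny_echo_outside_ping": icmp_to_interface_allowed(deny_echo, "outside", "220.171.1.1", "echo"),
        # unmatched type on an interface that has a list: implicitly denied as well
        "deny_echo_outside_unreachable": icmp_to_interface_allowed(deny_echo, "outside", "220.171.1.1", "unreachable"),
        # the inside interface has no list in deny_echo, so it still answers
        "deny_echo_inside_ping": icmp_to_interface_allowed(deny_echo, "inside", "10.0.1.2", "echo"),
        "allow_one_host": icmp_to_interface_allowed(allow_one, "inside", "10.0.1.2", "echo"),
        "allow_one_other_host": icmp_to_interface_allowed(allow_one, "inside", "10.0.1.9", "echo"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permitted' if allowed else 'denied'}")
```

The `allow_one` case shows the pattern worth copying from this model: a `permit host ... echo` line for a monitoring station followed by a `deny any` keeps the interface reachable for the one source that needs it. The `deny_echo_outside_unreachable` result also shows why the echo-only form behaves the same as the deny-all form on the interface it is applied to: once any `icmp` rule exists for an interface, everything the list does not permit is dropped.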

---

Next: ICMP through the PIX experiment

PIX(config)# access-list k1 permit icmp any any          ! permit any ICMP; applied inbound on outside this lets the echo replies back in (without it the pings go out but the replies do not return)
PIX(config)# access-group k1 in interface outside        ! apply k1 to traffic entering the outside interface
PIX(config)# nat (inside) 1 0 0
PIX(config)# global (outside) 1 interface                ! PAT using the outside interface address
INFO: outside interface address added to PAT pool
PIX(config)# route inside 10.0.2.0 255.255.255.0 10.0.1.2    ! route to the inner network via next hop 10.0.1.2; otherwise the PIX does not know where to send the reply

Note: packets leaving from inside that match NAT id 1 are translated to the outside interface address as they exit. An inside host's ping therefore goes out with its source address rewritten; the echo reply arriving at the outside interface is what the access-list has to permit, otherwise it is blocked there on the way back.

Now pings from inside to outside succeed, and the PIX interfaces can of course still be pinged. If you instead configure:

PIX(config)# global (outside) 1 220.171.1.3-220.171.1.3 netmask 255.255.255.0
PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0

then only inside hosts in the 10.1.1.0/24 network are allowed to use the address pool (or PAT).
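The two things an inside host's ping depends on once it crosses the PIX are a `nat (inside) 1 ...` statement that covers its source address and a route back to it. The following Python model, an added example rather than code from the article or from Cisco, parses constructed `route` and `nat` lines in the syntax used above and reports what happens to the echo reply for a given inside host. The `Route` class, `reply_path` and the sample topology (connected networks 220.171.1.0/24 on outside and 10.0.1.0/24 on inside) are assumptions made here; it models longest-prefix routing and NAT source matching only, not the access-list.

```python
"""Reply-path check for the "ICMP through the PIX" experiment (added example).

Models two of the conditions the article configures: the inside source must match
`nat (inside) 1 ip mask`, and the PIX must hold a route back to that source.
Helper names and the sample topology are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Route:
    interface: str
    network: IPv4Network
    next_hop: Optional[IPv4Address]   # None for a directly connected network


def connected(interface: str, cidr: str) -> Route:
    """A connected route, as the PIX installs for each addressed interface."""
    return Route(interface, IPv4Network(cidr, strict=False), None)


def parse_route(line: str) -> Route:
    """Parse `route if_name network mask gateway`."""
    _, ifname, net, mask, gw = line.split()[:5]
    return Route(ifname, IPv4Network(f"{net}/{mask}", strict=False), IPv4Address(gw))


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None means the PIX has no route and drops the packet."""
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def parse_nat(line: str) -> Tuple[str, int, IPv4Network]:
    """Parse `nat (if_name) id ip mask`; "0 0" is the PIX shorthand for any source."""
    tokens = line.split()
    ifname = tokens[1].strip("()")
    nat_id = int(tokens[2])
    ip, mask = tokens[3], tokens[4]
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ifname, nat_id, IPv4Network(f"{ip}/{mask}", strict=False)


def nat_eligible(nat_lines: List[str], src: IPv4Address, nat_id: int = 1) -> bool:
    """True if some `nat (inside) nat_id ...` statement covers the source address."""
    return any(ifname == "inside" and nid == nat_id and src in net
               for ifname, nid, net in map(parse_nat, nat_lines))


def reply_path(routes: List[Route], nat_lines: List[str], inside_host: str) -> str:
    """Describe what happens to the echo reply destined for `inside_host`."""
    src = IPv4Address(inside_host)
    if not nat_eligible(nat_lines, src):
        return "not translated"          # the ping never leaves via the global pool
    route = lookup(routes, src)
    if route is None:
        return "no route back"           # reply arrives but the PIX cannot forward it
    via = "connected" if route.next_hop is None else f"via {route.next_hop}"
    return f"reply returns on {route.interface} {via}"


# Constructed topology from the experiment: two connected networks, then the static route.
BASE_ROUTES = [connected("outside", "220.171.1.0/24"), connected("inside", "10.0.1.0/24")]
WITH_STATIC = BASE_ROUTES + [parse_route("route inside 10.0.2.0 255.255.255.0 10.0.1.2")]
NAT_ANY = ["nat (inside) 1 0 0"]
NAT_SUBNET = ["nat (inside) 1 10.1.1.0 255.255.255.0"]

if __name__ == "__main__":
    print("10.0.2.5, no static route :", reply_path(BASE_ROUTES, NAT_ANY, "10.0.2.5"))
    print("10.0.2.5, static route    :", reply_path(WITH_STATIC, NAT_ANY, "10.0.2.5"))
    print("10.0.1.2, connected       :", reply_path(WITH_STATIC, NAT_ANY, "10.0.1.2"))
    print("10.0.2.5, nat 10.1.1.0/24 :", reply_path(WITH_STATIC, NAT_SUBNET, "10.0.2.5"))
```

Running it reproduces the article's observation: a host behind R2 in 10.0.2.0/24 gets "no route back" until the static route exists, while a host on the connected 10.0.1.0/24 never needed it. Narrowing the `nat` statement to 10.1.1.0/24 is then visible as "not translated" for the 10.0.2.0/24 host, which is the intended effect of that last configuration.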
