2025-01-16 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Basic configuration of firewall
1. Experimental topology
2. Experimental steps
FW4 (config) # sh ver
Cisco PIX Security Appliance Software Version 8.0 (3) 19
Compiled on Mon 16-Jun-08 11:30 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
FW4 up 23 mins 31 secs
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0: address is 0000.abea.1d00, irq 9
1: Ext: Ethernet1: address is 0000.abcd.ef01, irq 11
2: Ext: Ethernet2: address is 0000.abea.1d02, irq 11
3: Ext: Ethernet3: address is 0000.abea.1d03, irq 11
4: Ext: Ethernet4: address is 0000.abcd.ef04, irq 11
Licensed features for this platform:
Maximum Physical Interfaces: 10
Maximum VLANs: 100
Inside Hosts: Unlimited
Failover: Active/Active
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Cut-through Proxy: Enabled
Guards: Enabled
URL Filtering: Enabled
Security Contexts: 2
GTP/GPRS: Disabled
VPN Peers: Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 807211225
Running Activation Key: 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57
Configuration last modified by enable_15 at 07:46:44.561 UTC Wed Oct 10 2012
2. Basic configuration of firewall
FW4 (config) # int e0
FW4 (config-if) # ip add 192.168.1.2 255.255.255.0
FW4 (config-if) # nameif inside
INFO: Security level for "inside" set to 100 by default.
FW4 (config-if) # no shu
FW4 (config-if) # int e2
FW4 (config-if) # ip add 192.168.2.2 255.255.255.0
FW4 (config-if) # nameif outside
INFO: Security level for "outside" set to 0 by default.
FW4 (config-if) # no shu
FW4 (config-if) # int E3
FW4 (config-if) # ip add 192.168.3.2 255.255.255.0
FW4 (config-if) # nameif dmz
INFO: Security level for "dmz" set to 0 by default.
FW4 (config-if) # sec
FW4 (config-if) # security-level 50
FW4 (config-if) # no shu
FW4 (config-if) # end
FW4# sh int ip bri
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.1.2 YES manual up up
Ethernet1 unassigned YES unset administratively down up
Ethernet2 192.168.2.2 YES manual up up
Ethernet3 192.168.3.2 YES manual up up
Ethernet4 unassigned YES unset administratively down up
3. Routing configuration
FW4 (config) # router ospf 1
FW4 (config-router) # router-id 4.4.4.4
FW4 (config-router) # net 192.168.1.0 0.0.0.255 area 0
ERROR: OSPF: Invalid address/mask combination (discontiguous mask)
FW4 (config-router) # net 192.168.1.0 255.255.255.0 area 0
FW4 (config-router) # default-information originate metric 1000 metric-type 1 // originate a default route into OSPF as a type-1 external route with metric 1000 ①
FW4 (config-router) # redistribute rip subnets // redistribute the RIP routes in the global routing table into OSPF ②
FW4 (config-router) # exi
FW4 (config) # router rip
FW4 (config-router) # ver 2
FW4 (config-router) # no auto-summary
FW4 (config-router) # net 192.168.3.0
FW4 (config-router) # default-information originate // advertise a default route ③ to the router in the RIP domain
FW4 (config-router) # redistribute ospf 1 metric 5 // redistribute the OSPF routes in the global routing table into RIP with metric 5 ④
FW4 (config-router) # exi
FW4 (config) # route outside 0.0.0.0 0.0.0.0 192.168.2.1 ⑤
Note: when default-information originate is configured on FW4, FW4 automatically injects a default route into R3, and R3 sets the next hop of that route to FW4's own address rather than to 192.168.2.1.
Whichever routing process the default route is originated in, the routers belonging to that routing domain receive it.
FW4# sh rout
Codes: C-connected, S-static, I-IGRP, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2, E-EGP
I-IS-IS, L1-IS-IS level-1, L2-IS-IS level-2, ia-IS-IS inter area
*-candidate default, U-per-user static route, o-ODR
P-periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
R 192.168.30.0 255.255.255.0 [120/1] via 192.168.3.1, 0:00:02, dmz // redistributed and advertised to R1
O 192.168.10.1 255.255.255.255 [110/11] via 192.168.1.1, 0:21:37, inside // redistributed and advertised to R3
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, outside
C 192.168.3.0 255.255.255.0 is directly connected, dmz
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside // corresponds to ⑤
Note: a redistributed route first enters the target routing process on FW4, and is then advertised to the routers in that routing domain.
R1#sh ip rout
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
I-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
Ia-IS-IS inter area, *-candidate default, U-per-user static route
O-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
O E2 192.168.30.0/24 [110/20] via 192.168.1.2, 00:00:57, Ethernet1/0 // why external type 2? (OSPF redistribution defaults to metric-type 2 with metric 20); learned because FW4 redistributes RIP into OSPF
C 192.168.10.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Ethernet1/0
O E2 192.168.3.0/24 [110/20] via 192.168.1.2, 00:22:46, Ethernet1/0 // where did this come from? (192.168.3.0/24 is FW4's directly connected dmz network; RIP is enabled on it, so it is carried into OSPF together with the RIP routes)
O*E1 0.0.0.0/0 [110/1010] via 192.168.1.2, 00:20:54, Ethernet1/0 // corresponds to ① (metric 1000 plus R1's interface cost of 10, because it is a type-1 external route)
R3#sh ip rout
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
I-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
Ia-IS-IS inter area, *-candidate default, U-per-user static route
O-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.3.2 to network 0.0.0.0
C 192.168.30.0/24 is directly connected, Ethernet1/1
192.168.10.0/32 is subnetted, 1 subnets
R 192.168.10.1 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0 // learned because FW4 redistributes OSPF into RIP with metric 5
R 192.168.1.0/24 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0 // where did this come from? (192.168.1.0/24 is FW4's directly connected inside network; OSPF is enabled on it, so it is carried into RIP together with the OSPF routes)
C 192.168.3.0/24 is directly connected, Ethernet1/0
R* 0.0.0.0/0 [120/1] via 192.168.3.2, 00:00:15, Ethernet1/0 // corresponds to ③
R2#sh ip rout
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
I-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
Ia-IS-IS inter area, *-candidate default, U-per-user static route
O-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
C 192.168.20.0/24 is directly connected, Loopback0
C 192.168.2.0/24 is directly connected, Ethernet1/0
S 192.168.0.0/16 [1/0] via 192.168.2.2
Summary:
The concept of redistribution: the process of informing one routing protocol of a route learned by another routing protocol.
Connectivity Test:
R1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The tests marked in blue in the original could have been skipped: ping is two-way, so once the first test fails, the corresponding reverse tests naturally fail as well!
Basic access rules of the PIX firewall
1) By default, a high security level can access a low security level area
2) By default, a low security level cannot access a high security level area
3) By default, interfaces with the same security level cannot access each other
4) By default, the firewall always checks the ACL before performing address translation
Question: why can't R1 ping R2 and R3 in this lab?
Is it because ping is two-way?
Answer: because by default the high security level can access the low security level, the echo request of R1's ping can go out, but the reply packet from the other side cannot come back, because by default the low security level cannot access the high security level.
Firewall ACL
1. High security level accessing low security level
1) Let the firewall inspect ICMP packets
FW4 (config) # fixup protocol icmp // nothing else needs to be configured here; the inspected replies are let through
INFO: converting 'fixup protocol icmp' to MPF commands
When a packet is to pass through the firewall, the firewall first checks whether a matching ACL exists; if so, it forwards the packet according to the ACL. If not, it looks for a matching entry in the state connection table; if one exists the packet is allowed through, otherwise it is discarded.
2) Release the ICMP return traffic through an ACL
FW4 (config) # no fixup protocol icmp // disable ICMP inspection and permit the return traffic through an ACL instead
FW4 (config) # access-list inside-outside extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply // allow ICMP echo-reply packets from the 20 segment to the 10 segment to pass
FW4 (config) # access-group inside-outside in int outside // applied inbound on the outside interface; can't it be applied to inside? Indeed not! Why? And it cannot be applied to inside and outside at the same time. Why? (The echo-reply from R2 enters FW4 on the outside interface, and an inbound ACL is only evaluated on the interface where the packet arrives.)
The above configuration should allow R1 to ping R2, but the experiment was unsuccessful because of the interference described in the summary below.
FW4 (config) # access-list dmz-outside extended permit icmp 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0 echo-reply
FW4 (config) # access-group dmz-outside in int outside // does it have to be applied to this interface? Can't it be applied to dmz? Indeed not! Why? (Same reason: the replies from R2 arrive on outside. Note that this access-group replaces the inside-outside ACL previously applied to outside.)
The above configuration should allow R3 to ping R2; the experiment was unsuccessful at first, and worked after the change.
2. Low security level accessing high security level
FW4 (config) # access-list dmz-inside extended permit icmp 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 // allow ICMP packets from the 30 segment to the 10 segment, both requests and replies
FW4 (config) # access-group dmz-inside in int dmz // does not work if it is applied to inside. Why?
The above configuration enables R3 to ping R1.
Note: which interface should the ACL be applied to?
Question: with method 1) above, the high security level can ping, that is, R1 can ping R2 and R3, and R3 can ping R2; in other words the returned reply packets can pass through FW4. Otherwise, since the low security level cannot access the high security level, the reply packet cannot pass. On top of this method, adding the third ACL above lets the low security level access the high security level, that is, R3 can ping R1.
With method 2) it does not work (R1 cannot ping R2, R3 cannot ping R2). R1 can ping R3 and R3 can ping R1 (only with configuration 2 in place; without it, they cannot).
I see. The doubt above arose because 2 was configured together with the ACLs above at the same time, so they interfered!
Summary:
1) Do not apply different ACLs to the same interface; the later one overwrites the earlier one!
2) Do not apply the same ACL to different interfaces; the ACL then takes effect on those interfaces at the same time, so it interferes!
3) What is the difference between applying the ACL to one interface or another? Why does the effect differ? (An inbound ACL is evaluated only on the interface where the packet enters FW4, so it must sit on the interface the traffic actually arrives on.)
When method 1) and configuration 2 are used together, R3 cannot ping R2, because the ACL applied to the dmz interface only permits R3 to reach R1, and its implicit deny drops everything else entering dmz. This is the interference!
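To make the access rules and the interference concrete, here is an added Python model (not part of the original lab) of FW4's forwarding decision as described above: security levels, an inbound ACL with its implicit deny, and the connection table that ICMP inspection consults for echo-replies. The router addresses, the ACL contents and the interface levels are the lab's; the simulated outcomes replay the six ping results discussed in this section.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network as net, ip_address

@dataclass
class Firewall:
    levels: dict                                       # nameif -> security-level
    acls: dict = field(default_factory=dict)           # acl name -> list of ACEs
    access_groups: dict = field(default_factory=dict)  # ingress nameif -> acl name
    icmp_inspect: bool = False                         # "fixup protocol icmp"
    conns: set = field(default_factory=set)            # state table: (proto, src, dst)
    def _acl(self, nameif, proto, src, dst, icmp_type):
        """ACE = (proto, src net, dst net, icmp type or None). None = no ACL on nameif."""
        name = self.access_groups.get(nameif)
        if name is None:
            return None
        for p, s, d, t in self.acls[name]:
            if p in (proto, "ip") and src in s and dst in d and t in (None, icmp_type):
                return True
        return False                                   # implicit deny at the end of an ACL
    def forward(self, ingress, egress, proto, src, dst, icmp_type=None):
        src, dst = ip_address(src), ip_address(dst)
        # Inspected ICMP: an echo-reply matching a recorded echo is let back through
        if self.icmp_inspect and icmp_type == "echo-reply" and (proto, dst, src) in self.conns:
            return True
        verdict = self._acl(ingress, proto, src, dst, icmp_type)
        if verdict is None:                            # no ACL: higher level may reach lower
            verdict = self.levels[ingress] > self.levels[egress]
        if verdict and icmp_type == "echo":
            self.conns.add((proto, src, dst))
        return verdict

def ping(fw, a_if, a_ip, b_if, b_ip):
    # Echo out and echo-reply back; the ping works only if both directions pass
    return (fw.forward(a_if, b_if, "icmp", a_ip, b_ip, "echo")
            and fw.forward(b_if, a_if, "icmp", b_ip, a_ip, "echo-reply"))

def lab(inspect=False, acl=None, on=None):
    """FW4 with the lab's levels, optionally one ACL applied inbound on interface `on`."""
    fw = Firewall({"inside": 100, "outside": 0, "dmz": 50}, icmp_inspect=inspect)
    if acl:
        fw.acls["acl"], fw.access_groups[on] = acl, "acl"
    return fw

R1, R2, R3 = "192.168.10.1", "192.168.20.1", "192.168.30.1"
REPLY_20_TO_10 = [("icmp", net("192.168.20.0/24"), net("192.168.10.0/24"), "echo-reply")]
ANY_30_TO_10 = [("ip", net("192.168.30.0/24"), net("192.168.10.0/24"), None)]

def cases():
    return {
        "default: R1->R2": ping(lab(), "inside", R1, "outside", R2),                        # False
        "fixup icmp: R1->R2": ping(lab(True), "inside", R1, "outside", R2),                 # True
        "reply ACL on outside: R1->R2": ping(lab(acl=REPLY_20_TO_10, on="outside"), "inside", R1, "outside", R2),  # True
        "same ACL on inside: R1->R2": ping(lab(acl=REPLY_20_TO_10, on="inside"), "inside", R1, "outside", R2),     # False
        "fixup + dmz ACL: R3->R1": ping(lab(True, ANY_30_TO_10, "dmz"), "dmz", R3, "inside", R1),    # True
        "fixup + dmz ACL: R3->R2": ping(lab(True, ANY_30_TO_10, "dmz"), "dmz", R3, "outside", R2),   # False
    }
```

The last two cases are the interference: once an ACL is bound inbound on dmz, the implicit deny replaces the level-based rule for everything else entering that interface.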
Attached:
FW4(config)# access-list ?
configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message 106001 which alerts that the system has reached a deny flow maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can be created. If not specified, the default value is 4096
FW4(config)# access-list inside-outside ?
configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network only
Is the ACL used above a named ACL?
DHCP configuration
FW4(config)# dhcpd address 192.168.1.20-192.168.1.100 inside
FW4(config)# dhcpd dns 59.51.78.211
FW4(config)# dhcpd ?
configure mode commands/options:
  address       Configure the IP pool address range after this keyword
  auto_config   Enable auto configuration from client
  dns           Configure the IP addresses of the DNS servers after this keyword
  domain        Configure DNS domain name after this keyword
  enable        Enable the DHCP server
  lease         Configure the DHCPD lease length after this keyword
  option        Configure options to pass to DHCP clients after this keyword
  ping_timeout  Configure ping timeout value after this keyword
  update        Configure dynamic updates
  wins          Configure the IP addresses of the NETBIOS servers after this keyword
FW4(config)# dhcpd wins 192.168.20.1
FW4(config)# dhcpd lease 300
FW4(config)# dhcpd domain xunbo.cn
FW4(config)# dhcpd ping_timeout 750
FW4(config)# dhcpd enable inside
Test:
R1(config)#int e1/0
R1(config-if)#no ip add
R1(config-if)#
*Mar 1 00:46:45.039: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#ip addres dhcp
R1(config-if)#end
R1#sh
*Mar 1 00:47:01.399: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip i
*Mar 1 00:47:02.047: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.20, mask 255.255.255.0, hostname R1
R1#s
*Mar 1 00:47:41.527: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from LOADING to FULL, Loading Done
FW4(config)# sh dhcpd binding // also works in privileged mode
IP address       Hardware address        Lease expiration   Type
192.168.1.20     0063.6973.636f.2d63.    274 seconds        Automatic
                 6330.302e.3034.3330.
                 2e30.3031.302d.4574.
                 312f.30
FW4(config)# sh dhcpd state
Context  Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
Interface outside, Not Configured for DHCP
Interface dmz, Not Configured for DHCP
FW4(config)# sh dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools        1
Automatic bindings   1
Expired bindings     0
Malformed messages   0
Message              Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          1
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0
Message              Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              1
DHCPNAK              0
Configure the firewall as a DHCP relay
FW4(config)# no dhcpd enable inside
FW4(config)# no dhcpd address 192.168.1.20-192.168.1.100 inside
R3(config)#ip dhcp pool R1
R3(dhcp-config)#net 192.168.1.0 255.255.255.0
% Ambiguous command: "net 192.168.1.0 255.255.255.0"
R3(dhcp-config)#network 192.168.1.0 255.255.255.0
FW4(config)# dhcprelay server 192.168.3.1 dmz
FW4(config)# dhcprelay enable inside
Test:
R1(config)#int e1/0
R1(config-if)#ip add dhcp
R1(config-if)#s
*Mar 1 01:03:09.295: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#shu
R1(config-if)#no shu
R1(config-if)#
*Mar 1 01:03:21.123: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
*Mar 1 01:03:22.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down
R1(config-if)#
*Mar 1 01:03:24.871: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
*Mar 1 01:03:25.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
R1(config-if)#
*Mar 1 01:03:26.391: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname R1
R1(config-if)#
*Mar 1 01:04:08.355: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from LOADING to FULL, Loading Done
Success!!
FW4# sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         3
DHCPREQUEST          8
DHCPDECLINE          0
DHCPRELEASE          3
DHCPINFORM           0
BOOTREPLY            0
DHCPOFFER            3
DHCPACK              8
DHCPNAK              0
FW4# sh dhcprelay state
Context  Configured as DHCP Relay
Interface inside, Configured for DHCP RELAY SERVER
Interface outside, Not Configured for DHCP
Interface dmz, Configured for DHCP RELAY
Remote login
FW4(config)# telnet 0 0 inside
FW4(config)# passwd xunbo
FW4(config)# telnet timeout 60
(telnet 0 0 inside permits Telnet from any address on the inside interface, and Telnet carries the password in cleartext; outside a lab, restrict it to the management hosts or use SSH instead.)
Test:
R1#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
FW4>En
Password:
FW4# conf t
FW4(config)#
Success!
Log information
FW4 (config) # logging host dmz 192.168.30.100
WARNING: interface Ethernet3 security level is 50.
FW4 (config) # logging trap 7
FW4 (config) # logging timestamp
FW4 (config) # logging device-id hostname
FW4 (config) # logging on