2025-02-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
(1) Application environment
As shown below:
The intranet's connection to the Internet is already deployed, but no firewall is installed in the intranet.
For security reasons, a firewall needs to be installed in the intranet (it could also be placed at the egress), but the requirement is that none of the existing intranet configuration may change, so the firewall has to run in transparent mode.
(2) Deployment
Configuration on the firewall:
[1] basic interface configuration
pixfirewall(config)# int e1
pixfirewall(config-if)# no shu
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# int e2
pixfirewall(config-if)# no shu
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
[2] transparent mode configuration
pixfirewall(config)# firewall transparent  // turn on transparent mode
pixfirewall(config)# ip address 172.16.1.254 255.255.255.0  // configure the management IP address for remote management; in transparent mode both the e1 and e2 interfaces automatically use this address
When transparent mode is turned on, PIX Firewall by default rejects all data streams.
So here we need to allow OSPF and ICMP traffic to pass through, and enable the ICMP fixup.
pixfirewall(config)# access-list permitospf permit ospf any any  // create an access list that allows OSPF data
pixfirewall(config)# access-group permitospf in interface inside  // allow OSPF data to come in through the inside interface
pixfirewall(config)# access-group permitospf in interface outside  // allow OSPF data to come in through the outside interface
pixfirewall(config)# access-list permiticmp permit icmp any any  // create an access list that allows ICMP data
pixfirewall(config)# access-list permiticmp permit ospf any any  // an interface holds only one inbound access list, so the list applied to inside in the next step must also allow OSPF
pixfirewall(config)# access-group permiticmp in interface inside  // allow ICMP data to come in through the inside interface (this replaces permitospf on inside)
pixfirewall(config)# fixup protocol icmp  // enable the ICMP fixup (stateful inspection of ICMP)
Question: why is the outside interface not configured to allow ICMP data in as well?
This depends entirely on your own requirements; if you want ICMP to be initiated from the outside interface, you can configure that too.
OSPF is allowed on both interfaces because the OSPF data on both the inside and the outside is unicast, so both sides must be permitted for the neighbor relationship to form correctly.
For the sake of security, ICMP may only be initiated through the inside interface; the PIX firewall then applies stateful inspection, which lets the ICMP reply packets come back in through the outside interface.
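Which protocols actually pass depends on the access list that ends up bound to each interface. The following Python check is an added example, not part of the original article: it reads `access-list` / `access-group` lines and reports the effective protocols per interface, assuming that a later `access-group` on the same interface and direction replaces the earlier one. The names `audit`, `missing` and `SAMPLE_CONFIG` are hypothetical, and the sample config is constructed.

```python
import re
from collections import defaultdict

# Constructed sample following the article's pattern (not a captured config).
SAMPLE_CONFIG = """\
firewall transparent
access-list permitospf permit ospf any any
access-group permitospf in interface inside
access-group permitospf in interface outside
access-list permiticmp permit icmp any any
access-group permiticmp in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "pixfirewall(config)# "


def audit(config):
    """Return (effective, findings); protocol level only, deny lines and addresses ignored."""
    acl_protocols = defaultdict(set)  # ACL name -> protocols it permits
    bound = {}                        # (interface, direction) -> ACL name
    findings = []
    for raw in config.splitlines():
        # Drop article-style "//" notes, then any CLI prompt.
        line = PROMPT_RE.sub("", raw.split("//")[0].strip())
        if m := ACL_RE.match(line):
            acl_protocols[m.group(1)].add(m.group(2).lower())
        elif m := GROUP_RE.match(line):
            acl, direction, iface = m.groups()
            key = (iface, direction)
            if key in bound and bound[key] != acl:  # assumption: last binding wins
                findings.append(f"{iface}/{direction}: {acl} replaces {bound[key]}")
            bound[key] = acl
    effective = {k: sorted(acl_protocols[v]) for k, v in bound.items()}
    return effective, findings


def missing(effective, required):
    """Required (interface, direction, protocol) tuples the bound ACLs do not permit."""
    out = []
    for iface, direction, proto in required:
        protos = effective.get((iface, direction), [])
        if proto not in protos and "ip" not in protos:  # "permit ip" covers all
            out.append((iface, direction, proto))
    return out


if __name__ == "__main__":
    eff, notes = audit(SAMPLE_CONFIG)
    print(notes, missing(eff, [("inside", "in", "ospf"), ("inside", "in", "icmp")]))
```
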