Cisco PIX 两界面多服务配置

1/6/2008来源:Cisco网络人气:2639


  结构图如下:
  
  
  PIX 520
  
  Two Interface Multiple Server Configuration
  
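  : Sample PIX 520 configuration: two interfaces (outside/inside), NAT/PAT for
  : two inside networks, and static translations that publish inside servers.
  : Fixes to the listing as published: the second nameif now names ethernet1,
  : the first global range starts in 204.31.17.x, "eg" is "eq", the third
  : static uses "(inside,outside)", and the default route reads
  : "204.31.17.1 1" (gateway, then metric).

  : --- Interfaces -------------------------------------------------------
  : security0 is the least trusted interface, security100 the most trusted.
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  interface ethernet0 auto
  interface ethernet1 auto

  ip address inside 10.1.1.1 255.0.0.0
  ip address outside 204.31.17.10 255.255.255.0

  : --- Logging ----------------------------------------------------------
  : Syslog goes to 10.1.1.11 at level 7 (debugging), facility 20 (LOCAL4).
  : Level 7 is very verbose; confirm the collector can absorb the volume.
  logging on
  logging host 10.1.1.11
  logging trap 7
  logging facility 20
  no logging console

  arp timeout 600

  : --- Outbound translation (NAT/PAT) -----------------------------------
  nat (inside) 1 10.0.0.0 255.0.0.0
  nat (inside) 2 192.168.3.0 255.255.255.0
  : The published range read 204.31.1.25-204.31.17.27, which is not a valid
  : range; the start is aligned here with the end address and the outside subnet.
  global (outside) 1 204.31.17.25-204.31.17.27
  : NOTE(review): 204.31.1.24 is outside the 204.31.17.0/24 outside subnet;
  : probably 204.31.17.24 was intended - verify before use.
  global (outside) 1 204.31.1.24
  global (outside) 2 192.159.1.1-192.159.1.254

  : --- Inbound ICMP -----------------------------------------------------
  : Permits every ICMP type from any source to any translated host. This is
  : broader than most deployments need; consider limiting it to the message
  : types and hosts that actually require it.
  conduit permit icmp any any

  : --- Outbound filtering (list 10, applied to inside source addresses) -
  : Default-deny for outbound HTTP (deny 0 0 80) with per-host exceptions
  : for 192.168.3.3 and 10.1.1.11; 192.168.3.3 is also denied port 1720
  : (H.323) and Java applets.
  outbound 10 deny 192.168.3.3 255.255.255.255 1720
  outbound 10 deny 0 0 80
  outbound 10 permit 192.168.3.3 255.255.255.255 80
  outbound 10 deny 192.168.3.3 255.255.255.255 java
  outbound 10 permit 10.1.1.11 255.255.255.255 80

  apply (inside) 10 outgoing_src

  : --- Routing ----------------------------------------------------------
  : RIP is disabled on the outside interface; on the inside the PIX listens
  : passively and advertises a default route.
  no rip outside passive
  no rip outside default
  rip inside passive
  rip inside default

  route outside 0 0 204.31.17.1 1

  : --- AAA --------------------------------------------------------------
  : The TACACS+ shared key is shown in clear text as a sample value; use a
  : unique, strong key in a real deployment and keep it out of shared copies
  : of the configuration.
  tacacs-server host 10.1.1.12 lq2w3e
  aaa authentication any inside 192.168.3.0 255.255.255.0 0 0 tacacs+
  : NOTE(review): this line repeats the previous one without a server
  : keyword; it may have been meant as "aaa authorization ..." - confirm.
  aaa authentication any inside 192.168.3.0 255.255.255.0 0 0

  : --- Published servers (static translations + conduits) ---------------
  : Net static for 192.168.3.0/24; H.323 reachable from any outside host.
  static (inside,outside) 204.31.19.0 192.168.3.0 netmask 255.255.255.0
  conduit permit tcp 204.31.19.0 255.255.255.0 eq h323 any

  : Web server 10.1.1.11 (also the syslog host and a Telnet management
  : station): HTTP is open to any source.
  static (inside,outside) 204.31.17.29 10.1.1.11
  conduit permit tcp host 204.31.17.29 eq 80 any

  : RPC and NFS (UDP 2049) to the same server are limited to the single
  : outside host 204.31.17.17. Both services rely on source-address trust,
  : so keep this scoped to one peer and review whether it is still needed.
  conduit permit udp host 204.31.17.29 eq rpc host 204.31.17.17
  conduit permit udp host 204.31.17.29 eq 2049 host 204.31.17.17

  : Mail server 10.1.1.3. The trailing "10 10" caps total and embryonic
  : (half-open) connections, which limits the effect of connection floods.
  : NOTE(review): 204.31.1.30 is outside 204.31.17.0/24; probably
  : 204.31.17.30 was intended here and in the two conduits - verify.
  static (inside,outside) 204.31.1.30 10.1.1.3 netmask 255.255.255.255 10 10
  conduit permit tcp host 204.31.1.30 eq smtp any
  : Port 113 is ident, opened here alongside SMTP.
  conduit permit tcp host 204.31.1.30 eq 113 any

  : --- Management -------------------------------------------------------
  : The SNMP community string acts as a password and is sent unencrypted;
  : replace the sample value and limit who can poll the device.
  snmp-server host 192.168.3.2
  snmp-server location building 42
  snmp-server contact polly hedra
  snmp-server community ohwhatakeyisthee

  : Telnet access is limited to one inside host and one inside subnet, but
  : Telnet sends credentials in clear text; prefer SSH where the software
  : version supports it.
  telnet 10.1.1.11 255.255.255.255
  telnet 192.168.3.0 255.255.255.0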