Basic Firewall Configuration

Published: 2024-09-22 Author: 千家信息网 editor

1 Lab topology

Topology as used in the steps below (the diagram itself is not reproduced; the layout can be read from the addresses and routing tables that follow): FW4 is a PIX-525 with three interfaces in use. R1 (192.168.1.1, Loopback0 192.168.10.0/24) sits on the inside interface (192.168.1.2, security level 100), R2 (192.168.2.1, Loopback0 192.168.20.0/24) on the outside interface (192.168.2.2, level 0), and R3 (192.168.3.1, with 192.168.30.0/24 on its Ethernet1/1) on the dmz interface (192.168.3.2, level 50). OSPF area 0 runs between FW4 and R1; RIP version 2 runs between FW4 and R3.

2 Lab steps

FW4(config)# sh ver

Cisco PIX Security Appliance Software Version 8.0(3)19

Compiled on Mon 16-Jun-08 11:30 by builders

System image file is "Unknown, monitor mode tftp booted image"

Config file at boot was "startup-config"

FW4 up 23 mins 31 secs

Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0000.abea.1d00, irq 9

1: Ext: Ethernet1 : address is 0000.abcd.ef01, irq 11

2: Ext: Ethernet2 : address is 0000.abea.1d02, irq 11

3: Ext: Ethernet3 : address is 0000.abea.1d03, irq 11

4: Ext: Ethernet4 : address is 0000.abcd.ef04, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 10

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 807211225

Running Activation Key: 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57

Configuration last modified by enable_15 at 07:46:44.561 UTC Wed Oct 10 2012

2. Basic firewall configuration

FW4(config)# int e0

FW4(config-if)# ip add 192.168.1.2 255.255.255.0

FW4(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

FW4(config-if)# no shu

FW4(config-if)# int e2

FW4(config-if)# ip add 192.168.2.2 255.255.255.0

FW4(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

FW4(config-if)# no shu

FW4(config-if)# int e3

FW4(config-if)# ip add 192.168.3.2 255.255.255.0

FW4(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

FW4(config-if)# sec

FW4(config-if)# security-level 50

FW4(config-if)# no shu

FW4(config-if)# end

FW4# sh int ip bri

Interface IP-Address OK? Method Status Protocol

Ethernet0 192.168.1.2 YES manual up up

Ethernet1 unassigned YES unset administratively down up

Ethernet2 192.168.2.2 YES manual up up

Ethernet3 192.168.3.2 YES manual up up

Ethernet4 unassigned YES unset administratively down up

3. Routing configuration

FW4(config)# router ospf 1

FW4(config-router)# router-id 4.4.4.4

FW4(config-router)# net 192.168.1.0 0.0.0.255 area 0

ERROR: OSPF: Invalid address/mask combination (discontiguous mask)

FW4(config-router)# net 192.168.1.0 255.255.255.0 area 0

FW4(config-router)# default-information originate metric 1000 metric-type 1 // originate the default route into OSPF as a type-1 external route with seed metric 1000

FW4(config-router)# redistribute rip subnets // redistribute the RIP routes into OSPF

FW4(config-router)# exi

FW4(config)# router rip

FW4(config-router)# ver 2

FW4(config-router)# no auto-summary

FW4(config-router)# net 192.168.3.0

FW4(config-router)# default-information originate // advertise a default route to the routers in the RIP domain

FW4(config-router)# redistribute ospf 1 metric 5 // redistribute the OSPF routes into RIP with metric 5

FW4(config-router)# exi

FW4(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1

Note: configuring default-information originate on FW4 automatically injects a default route toward R3, and the router is smart enough to change the next-hop address.

Only the routers in the routing domain of the process in which the command is entered receive that default route.

FW4# sh rout

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

R 192.168.30.0 255.255.255.0 [120/1] via 192.168.3.1, 0:00:02, dmz    (advertised on to R1)

O 192.168.10.1 255.255.255.255 [110/11] via 192.168.1.1, 0:21:37, inside    (advertised on to R3)

C 192.168.1.0 255.255.255.0 is directly connected, inside

C 192.168.2.0 255.255.255.0 is directly connected, outside

C 192.168.3.0 255.255.255.0 is directly connected, dmz

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside    (matches the default routes on R1 and R3 below)

Note: redistribution first puts the route into the target routing process; only from there does it reach the routers of that routing domain.

R1#sh ip rout

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

O E2 192.168.30.0/24 [110/20] via 192.168.1.2, 00:00:57, Ethernet1/0    (why type 2? matches the R entry on FW4)

C 192.168.10.0/24 is directly connected, Loopback0

C 192.168.1.0/24 is directly connected, Ethernet1/0

O E2 192.168.3.0/24 [110/20] via 192.168.1.2, 00:22:46, Ethernet1/0    (where does this come from?)

O*E1 0.0.0.0/0 [110/1010] via 192.168.1.2, 00:20:54, Ethernet1/0    (matches the S* route on FW4)

Answers to the annotations: both E2 entries come from redistribute rip subnets, which was entered without a metric-type, so they take OSPF's redistribution defaults of external type 2 and metric 20; 192.168.3.0/24 is FW4's own connected dmz subnet, which is covered by the RIP network 192.168.3.0 statement and is therefore redistributed along with the RIP-learned routes; the default route is E1 because it was originated with metric-type 1, so its cost 1010 is the seed metric 1000 plus the cost 10 of R1's Ethernet link toward FW4.

R3#sh ip rout

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.3.2 to network 0.0.0.0

C 192.168.30.0/24 is directly connected, Ethernet1/1

192.168.10.0/32 is subnetted, 1 subnets

R 192.168.10.1 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0    (matches the O entry on FW4)

R 192.168.1.0/24 [120/5] via 192.168.3.2, 00:00:15, Ethernet1/0    (where does this come from?)

C 192.168.3.0/24 is directly connected, Ethernet1/0

R* 0.0.0.0/0 [120/1] via 192.168.3.2, 00:00:15, Ethernet1/0    (matches the S* route on FW4)

Answers: the metric 5 on the first two entries is the one given in redistribute ospf 1 metric 5; 192.168.1.0/24 is FW4's connected inside subnet, covered by the OSPF network 192.168.1.0 statement and therefore carried into RIP together with the OSPF-learned loopback route; the RIP default route comes from default-information originate under router rip.

R2#sh ip rout

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

C 192.168.20.0/24 is directly connected, Loopback0

C 192.168.2.0/24 is directly connected, Ethernet1/0

S 192.168.0.0/16 [1/0] via 192.168.2.2

Summary:

Redistribution: the process of passing routes learned by one routing protocol on to another routing protocol.

Connectivity test:

R1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

The blue-highlighted part could have been skipped: ping is bidirectional, so when the first test fails the next two are bound to fail as well!!

Basic access rules of the PIX firewall

1) By default, a higher security level can access a lower security level zone.

2) By default, a lower security level cannot access a higher security level zone.

3) By default, zones at the same security level cannot access each other.

4) By default, the firewall always checks the ACL before performing address translation.

Question: why can R1 not ping R2 and R3 in this lab?

Is it because ping is bidirectional?

Answer: because by default a higher security level can access a lower one, R1's ICMP echo requests can go out, but the echo replies from the other side cannot come back in, because by default a lower security level cannot access a higher one.

Firewall ACLs

1 High security level accessing a low security level

1) Let the firewall inspect ICMP packets

FW4(config)# fixup protocol icmp // nothing else is configured here, so the traffic is allowed through

INFO: converting 'fixup protocol icmp ' to MPF commands

When a packet is about to pass through the firewall, the firewall checks whether there is a matching ACL; if there is, it forwards the packet according to the ACL. If there is not, it looks in the state table for a matching connection entry: if one exists the packet is passed, otherwise it is dropped.

2) Permit the ICMP return traffic with an ACL

FW4(config)# no fixup protocol icmp // ICMP inspection disabled; the return traffic is permitted with an ACL instead

FW4(config)# access-list inside-outside extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply // permit ICMP echo replies from the 20 subnet to the 10 subnet.

FW4(config)# access-group inside-outside in int outside // applied to the outside interface. Could it be applied to inside instead? No, it really can't!!! Why?? And applying it to both inside and outside does not work either, why?

With the above configuration R1 can ping R2 -------- the test did not succeed.... because of interference; see the summary

FW4(config)# access-list dmz-outside extended permit icmp 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0 echo-reply

FW4(config)# access-group dmz-outside in int outside // does it have to be applied to this interface? Not to dmz? Indeed not!! Why???

With the above configuration R3 can ping R2 ------- the test did not succeed.... after the change it worked....

2 Low security level accessing a high security level

FW4(config)# access-list dmz-inside extended permit icmp 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 // permit ICMP from the 30 subnet to the 10 subnet, i.e. both request and reply

FW4(config)# access-group dmz-inside in int dmz // if applied to inside it does not work; why?

With the above configuration R3 can ping R1

Note: which interface should an ACL be applied to???

Question: with method 1) above, the higher security level can ping through, i.e. R1 can ping R2 and R3, and R3 can ping R2: the returning reply packets get through FW4. The reverse does not hold: a lower security level cannot access a higher one, not even the first packet gets through. But on top of that method, adding the third ACL above lets the lower security level access the higher one, i.e. R3 can ping R1.

With method 2) nothing works any more (R1 cannot ping R2, R3 cannot ping R2)...... R1 can ping R3 and R3 can ping R1 (when configuration 2 is present; without it neither direction works).

Now I see.... the confusion above was caused by configuring 2 together with the ACLs above; they interfere!!!

Summary:

1) Do not apply different ACLs to the same interface; the later one overwrites the earlier!!

2) Do not apply the same ACL to different interfaces; the ACL takes effect on all of those interfaces at once, hence the interference!!!

3) What is the difference between applying an ACL to different interfaces? Why are the results different?

When scheme 1) and 2 are used together, R3 cannot ping R2, because on the dmz interface only R3 accessing R1 is permitted.... that is the interference!!!
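The four access rules, the ACL-then-state-table decision described under method 1), and the interference noted in the summary can be replayed in a small model. This is an added example, not code from the original post or from Cisco; the class and helper names (Pix, ping, _in) are mine, the addresses and security levels are the lab's. It also shows why binding the echo-reply ACL to inside breaks the pings: an inbound ACL replaces the level-based default with an implicit deny, so R1's own echo is dropped on the way out.

```python
import ipaddress
from dataclasses import dataclass, field

# Security levels from the lab's nameif / security-level commands.
LEVELS = {"inside": 100, "outside": 0, "dmz": 50}

def _in(net, host):
    return ipaddress.ip_address(host) in ipaddress.ip_network(net)

@dataclass
class Pix:
    acls: dict = field(default_factory=dict)  # iface -> [(src_net, dst_net, icmp_kind)]
    inspect_icmp: bool = False                # True models 'fixup protocol icmp'
    conns: set = field(default_factory=set)   # tracked (src, dst) echo flows

    def permit(self, iface, src_net, dst_net, kind="any"):
        """access-list X permit icmp SRC DST [KIND] + access-group X in interface IFACE."""
        self.acls.setdefault(iface, []).append((src_net, dst_net, kind))

    def forward(self, ingress, egress, src, dst, kind):
        """Decide one packet arriving on `ingress` and leaving via `egress`."""
        # 1. An inbound ACL bound to the ingress interface decides; whatever it
        #    does not permit is dropped (implicit deny replaces the level default).
        if ingress in self.acls:
            return any(_in(s, src) and _in(d, dst) and k in ("any", kind)
                       for s, d, k in self.acls[ingress])
        # 2. No ACL: a reply that belongs to a tracked connection is let back in.
        if kind == "echo-reply" and (dst, src) in self.conns:
            return True
        # 3. Otherwise the default rule: a higher level may initiate towards a lower one.
        if LEVELS[ingress] > LEVELS[egress]:
            if self.inspect_icmp and kind == "echo":
                self.conns.add((src, dst))  # inspection records the echo for its reply
            return True
        return False

def ping(pix, src_if, dst_if, src, dst):
    """A ping succeeds only if the echo gets out AND the echo-reply gets back in."""
    if not pix.forward(src_if, dst_if, src, dst, "echo"):
        return False
    return pix.forward(dst_if, src_if, dst, src, "echo-reply")

if __name__ == "__main__":
    # Constructed scenario mirroring the lab: R1 (inside) pings R2 (outside).
    r1, r2 = "192.168.10.1", "192.168.20.1"
    print("no fixup, no ACL   :", ping(Pix(), "inside", "outside", r1, r2))
    print("fixup protocol icmp:", ping(Pix(inspect_icmp=True), "inside", "outside", r1, r2))
    acl = Pix()
    acl.permit("outside", "192.168.20.0/24", "192.168.10.0/24", "echo-reply")
    print("echo-reply ACL on outside:", ping(acl, "inside", "outside", r1, r2))
```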

Appendix:

FW4(config)# access-list ?

configure mode commands/options:

WORD < 241 char Access list identifier

alert-interval Specify the alert interval for generating syslog message

106001 which alerts that the system has reached a deny flow

maximum. If not specified, the default value is 300 sec

deny-flow-max Specify the maximum number of concurrent deny flows that can

be created. If not specified, the default value is 4096

FW4(config)# access-list inside-outside ?

configure mode commands/options:

deny Specify packets to reject

extended Configure access policy for IP traffic through the system

line Use this to specify line number at which ACE should be entered

permit Specify packets to forward

remark Specify a comment (remark) for the access-list after this keyword

rename rename an existing access-list

standard Use this to configure policy having destination host or network

only

Are the ACLs used above named ACLs?

DHCP configuration

FW4(config)# dhcpd address 192.168.1.20-192.168.1.100 inside

FW4(config)# dhcpd dns 59.51.78.211

FW4(config)# dhcpd ?

configure mode commands/options:

address Configure the IP pool address range after this keyword

auto_config Enable auto configuration from client

dns Configure the IP addresses of the DNS servers after this

keyword

domain Configure DNS domain name after this keyword

enable Enable the DHCP server

lease Configure the DHCPD lease length after this keyword

option Configure options to pass to DHCP clients after this keyword

ping_timeout Configure ping timeout value after this keyword

update Configure dynamic updates

wins Configure the IP addresses of the NETBIOS servers after this

keyword

FW4(config)# dhcpd wins 192.168.20.1

FW4(config)# dhcpd lease 300

FW4(config)# dhcpd domain xunbo.cn

FW4(config)# dhcpd ping_timeout 750

FW4(config)# dhcpd enable inside

Test:

R1(config)#int e1/0

R1(config-if)#no ip add

R1(config-if)#

*Mar 1 00:46:45.039: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached

R1(config-if)#ip addres dhcp

R1(config-if)#end

R1#sh

*Mar 1 00:47:01.399: %SYS-5-CONFIG_I: Configured from console by console

R1#sh ip i

*Mar 1 00:47:02.047: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.20, mask 255.255.255.0, hostname R1

R1#s

*Mar 1 00:47:41.527: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from LOADING to FULL, Loading Done

FW4(config)# sh dhcpd binding // also works from privileged EXEC mode

IP address Hardware address Lease expiration Type

192.168.1.20 0063.6973.636f.2d63.6330.302e.3034.3330.2e30.3031.302d.4574.312f.30 274 seconds Automatic
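The Hardware address column above is not a MAC: an IOS router sends a DHCP client identifier (a 0x00 type byte followed by the ASCII string cisco-<mac>-<interface>), and the PIX prints it as dotted hex. The following decoder, an added example that is not part of the original post or of any Cisco tool, recovers the MAC and interface from that string (the hex is copied from the binding output) and also handles the plain type-1 Ethernet-MAC form; the function and constant names are mine.

```python
import re

# Copied from the wrapped "Hardware address" column of the binding shown above.
BINDING_HEX = "0063.6973.636f.2d63.6330.302e.3034.3330.2e30.3031.302d.4574.312f.30"

def _dotted(mac_bytes):
    """Render 6 raw bytes in Cisco dotted-hex form, e.g. cc00.0430.0010."""
    h = mac_bytes.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def decode_client_id(dotted_hex):
    """Decode the client identifier printed by `show dhcpd binding`.

    Returns a dict with the identifier type, the MAC in dotted form when it
    can be recovered, the interface name for IOS-style identifiers, and the
    raw ASCII text for type-0 identifiers.
    """
    raw = bytes.fromhex(dotted_hex.replace(".", ""))
    if not raw:
        raise ValueError("empty identifier")
    kind = raw[0]
    if kind == 1 and len(raw) == 7:
        # Type 1: a plain Ethernet hardware address follows the type byte.
        return {"type": 1, "mac": _dotted(raw[1:]), "interface": None, "text": None}
    if kind == 0:
        # Type 0: opaque ASCII; IOS clients use "cisco-<dotted mac>-<interface>".
        text = raw[1:].decode("ascii", errors="replace")
        m = re.fullmatch(r"cisco-([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})-(\S+)", text)
        if m:
            return {"type": 0, "mac": m.group(1), "interface": m.group(2), "text": text}
        return {"type": 0, "mac": None, "interface": None, "text": text}
    return {"type": kind, "mac": None, "interface": None, "text": None}

if __name__ == "__main__":
    print(decode_client_id(BINDING_HEX))
```

The decoded interface name (Et1/0) and MAC can be checked against the router's own ARP table when auditing which host actually holds a lease.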

FW4(config)# sh dhcpd state

Context Configured as DHCP Server

Interface inside, Configured for DHCP SERVER

Interface outside, Not Configured for DHCP

Interface dmz, Not Configured for DHCP

FW4(config)# sh dhcpd statistics

DHCP UDP Unreachable Errors: 0

DHCP Other UDP Errors: 0

Address pools 1

Automatic bindings 1

Expired bindings 0

Malformed messages 0

Message Received

BOOTREQUEST 0

DHCPDISCOVER 1

DHCPREQUEST 1

DHCPDECLINE 0

DHCPRELEASE 0

DHCPINFORM 0

Message Sent

BOOTREPLY 0

DHCPOFFER 1

DHCPACK 1

DHCPNAK 0

Configuring the firewall as a DHCP relay

FW4(config)# no dhcpd enable inside

FW4(config)# no dhcpd address 192.168.1.20-192.168.1.100 inside

R3(config)#ip dhcp pool R1

R3(dhcp-config)#net 192.168.1.0 255.255.255.0

% Ambiguous command: "net 192.168.1.0 255.255.255.0"

R3(dhcp-config)#network 192.168.1.0 255.255.255.0

FW4(config)# dhcprelay server 192.168.3.1 dmz

FW4(config)# dhcprelay enable inside

Test:

R1(config)#int e1/0

R1(config-if)#ip add dhcp

R1(config-if)#s

*Mar 1 01:03:09.295: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached

R1(config-if)#shu

R1(config-if)#no shu

R1(config-if)#

*Mar 1 01:03:21.123: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down

*Mar 1 01:03:22.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down

R1(config-if)#

*Mar 1 01:03:24.871: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up

*Mar 1 01:03:25.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up

R1(config-if)#

*Mar 1 01:03:26.391: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname R1

R1(config-if)#

*Mar 1 01:04:08.355: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Ethernet1/0 from LOADING to FULL, Loading Done

Success!!

FW4# sh dhcprelay statistics

DHCP UDP Unreachable Errors: 0

DHCP Other UDP Errors: 0

Packets Relayed

BOOTREQUEST 0

DHCPDISCOVER 3

DHCPREQUEST 8

DHCPDECLINE 0

DHCPRELEASE 3

DHCPINFORM 0

BOOTREPLY 0

DHCPOFFER 3

DHCPACK 8

DHCPNAK 0

FW4# sh dhcprelay state

Context Configured as DHCP Relay

Interface inside, Configured for DHCP RELAY SERVER

Interface outside, Not Configured for DHCP

Interface dmz, Configured for DHCP RELAY

Remote login

FW4(config)# telnet 0 0 inside // address 0.0.0.0 mask 0.0.0.0: every host on the inside interface may telnet in

FW4(config)# passwd xunbo

FW4(config)# telnet timeout 60

Test:

R1#telnet 192.168.1.2

Trying 192.168.1.2 ... Open

User Access Verification

Password:

Type help or '?' for a list of available commands.

FW4> en

Password:

FW4# conf t

FW4(config)#

Success!!

Logging

FW4(config)# logging host dmz 192.168.30.100

WARNING: interface Ethernet3 security level is 50.

FW4(config)# logging trap 7

FW4(config)# logging timestamp

FW4(config)# logging device-id hostname

FW4(config)# logging on
