Home | 简体中文 | 繁体中文 | 杂文 | 打赏(Donations) | ITEYE 博客 | OSChina 博客 | Facebook | Linkedin | 知乎专栏 | Search | Email

第 13 章 Firewall

目录

13.1. Cisco PIX Firewall
13.1.1. cisco PIX 515E的全部数据与配置
13.1.2. 清除所有配置
13.1.3. 配置防火墙的用户信息
13.1.4. 接口设置
13.1.5. 配置NAT配置映射
13.1.5.1. 端口映射
13.1.5.2. IP 映射
13.1.6. 配置路由
13.1.7. 策略
13.1.7.1. Ping
13.1.7.2. SSH
13.1.8. ACL
13.1.9. 配置远程telnet访问
13.1.10. 配置DHCP
13.1.11. VPN
13.1.12. 防止DDOS攻击
13.1.13. SNMP
13.1.14. 开启WEB管理
13.1.15. 保存
13.1.15.1. 备份及恢复
13.1.16. clear
13.1.16.1. NAT映射更改后仍然指向之前的IP
13.1.16.2. reload
13.2. Cisco ASA Firewall
13.2.1. Console 登录
13.2.1.1. 清除配置文件
13.2.2. Management0/0
13.2.3. 接口配置
13.2.3.1. 子接口
13.2.4. route
13.2.5. ACL
13.2.5.1. Blacklist
13.2.5.2. Whitelist
13.2.5.3. object-group
13.2.5.4. Example
13.2.6. 配置NAT映射
13.2.6.1. IP 映射
13.2.6.2. 端口映射
13.2.7. timeout
13.2.8. DHCP
13.2.8.1. management
13.2.8.2. inside
13.2.9. SNMP
13.2.10. 用户登录
13.2.10.1. Telnet
13.2.10.2. SSH
13.2.11. VPN
13.2.11.1. site to site
13.2.11.2. webvpn
13.2.12. service-policy
13.2.13. failover
13.2.14. 透明防火墙(transparent)
13.2.15. logging
13.2.16. ntp
13.2.17. asdm
13.2.18. 备份配置文件
13.3. 查看命令
13.3.1. show interface
13.3.2. show static
13.3.3. show ip
13.3.4. show cpu usage
13.3.5. show conn count
13.3.6. show blocks
13.3.7. show mem
13.3.8. show traffic
13.3.9. show xlate
13.4. FAQ
13.4.1. inside 不能到达 outside
13.5. Example
13.5.1. ASA Firewall

13.1. Cisco PIX Firewall

Cisco PIX 515E

过程 13.1. Login Pix515E

  1. 登陆

    1.、telnet 192.168.0.1
       User Access Verification
       Password:(输入密码出现如下信息:)
       Type help or '?' for a list of available commands.
       weibo>
       (此时是PIX 515E的无特权模式,此模式只能查看,并且只能查看防火墙的系统信息)
      /**************chase*********************/
    			
  2. Then do this.

    2.、enable(进入特权模式,出现如下信息)
       password:(输入密码进入特权模式)
       weibo#(weibo>变为weibo#)
       (在特权模式下只能查看放火墙的配置不能修改防火墙的配置,用disable退出特权模式返回无特权模式)
      /*************chase*********************/
    			
  3. And now do this.

    conf t(进入配置模式,出现如下信息)
    firewall(config)#(weibo#变为weibo(config)#)
       (在配置模式才能修改防火墙的配置,用exit、quit退出配置模式到特权模式)
    			

13.1.1. cisco PIX 515E的全部数据与配置

show tech-support

firewall(config)# show tech-support

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 04-Aug-05 21:40 by morlee

firewall up 36 mins 41 secs

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 001c.58b5.6e80, irq 10
1: ethernet1: address is 001c.58b5.6e81, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 810323551 (0x304c8e5f)
Running Activation Key: 0x1512d3bb 0xdbb4b468 0xb28e1dc9 0x1b826959
Configuration last modified by enable_15 at 23:06:10.370 UTC Thu Sep 2 2010

------------------ show clock ------------------

23:08:58.073 UTC Thu Sep 2 2010

------------------ show memory ------------------

Free memory:        79151528 bytes
Used memory:        55066200 bytes
-------------     ----------------
Total memory:      134217728 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550    933    667    676

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 001c.58b5.6e80
  IP address 172.16.0.30, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2 packets output, 120 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        2 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 001c.58b5.6e81
  IP address 172.16.1.254, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        3 packets output, 180 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        3 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001f02c9 00953044 0056ed50          0 009520bc 3916/4096 arp_timer
Lsi 001f5a95 009f623c 0056ed50          0 009f52c4 3928/4096 FragDBGC
Lwe 0011a13f 00a0236c 005724b8          0 00a01504 3688/4096 dbgtrace
Lwe 003fb2fd 00a044fc 00567688          0 00a025b4 8008/8192 Logger
Hwe 003ff4b8 00a075f4 00567938          0 00a0567c 8024/8192 tcp_fast
Hwe 003ff431 00a096a4 00567938          0 00a0772c 8024/8192 tcp_slow
Lsi 00314885 028e9924 0056ed50          0 028e899c 3916/4096 xlate clean
Lsi 00314793 028ea9c4 0056ed50          0 028e9a4c 3884/4096 uxlate clean
Mwe 0030be5f 02d7edc4 0056ed50          0 02d7ce2c 7908/8192 tcp_intercept_timer_process
Lsi 00452ee5 02e2b79c 0056ed50          0 02e2a814 3900/4096 route_process
Hsi 002fb6fc 02e2c82c 0056ed50         20 02e2b8c4 3780/4096 PIX Garbage Collector
Hwe 0021e529 02e36d5c 0056ed50          0 02e32df4 16048/16384 isakmp_time_keeper
Lsi 002f929c 02e5069c 0056ed50          0 02e4f714 3944/4096 perfmon
Mwe 00214d39 02e7aacc 0056ed50          0 02e78b54 7860/8192 IPsec timer handler
Hwe 003b105b 02e8ee14 00591c90          0 02e8cecc 7000/8192 qos_metric_daemon
Mwe 0026d0dd 02ea996c 0056ed50          0 02ea5a04 15592/16384 IP Background
Lwe 0030cad6 02f5c2bc 00585368          0 02f5b444 3704/4096 pix/trace
Lwe 0030cd0e 02f5d36c 00585a98          0 02f5c4f4 3704/4096 pix/tconsole
H*  0011fa67 0009ff2c 0056ed38       1310 02f63784 13136/16384 ci/console
Csi 003048fb 02f6878c 0056ed50          0 02f67834 3432/4096 update_cpu_usage
Hwe 002ef791 03019534 0054e100          0 030156ac 15884/16384 uauth_in
Hwe 003fdf05 0301b634 00892508          0 0301975c 7896/8192 uauth_thread
Hwe 0041553a 0301c784 00567c88          0 0301b80c 3960/4096 udp_timer
Hsi 001e7d4e 0301e444 0056ed50          0 0301d4cc 3800/4096 557mcfix
Crd 001e7d03 0301f504 0056f1c8    1638450 0301e57c 3632/4096 557poll
Lsi 001e7dbd 030205a4 0056ed50          0 0301f62c 3848/4096 557timer
Cwe 001e99a9 0332267c 007f1058          0 03320784 7928/8192 pix/intf0
Mwe 004152aa 0332378c 008dc6f8          0 03322854 3896/4096 riprx/0
Msi 003ba8a1 0332489c 0056ed50          0 03323924 3888/4096 riptx/0
Cwe 001e99a9 03426aa4 00779ae0          0 03424bac 7928/8192 pix/intf1
Mwe 004152aa 03427bb4 008dc6b0          0 03426c7c 3896/4096 riprx/1
Msi 003ba8a1 03428cc4 0056ed50          0 03427d4c 3888/4096 riptx/1
Hwe 003fe199 0344d67c 00868c90          0 0344d034 1196/2048 listen/telnet_1
Mwe 0038707e 0344f85c 0056ed50          0 0344d8e4 7960/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 2214.880 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 2214.880 secs):
                2 packets       120 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 2214.880 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 2214.880 secs):
                3 packets       180 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

------------------ show running-config ------------------

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
firewall(config)#

		

13.1.2. 清除所有配置

pix# conf t
pix(config)# clear config all
pixfirewall(config)# quit
pixfirewall# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall#

		

13.1.3. 配置防火墙的用户信息

enable password chen
hostname pix515
domain-name example.com

pixfirewall# conf t
pixfirewall(config)# enable password chen
pixfirewall(config)# hostname firewall
firewall(config)# domain-name example.com
firewall(config)#
		

13.1.4. 接口设置

激活以太端口

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto


firewall(config)# interface ethernet0 auto
firewall(config)# interface ethernet1 auto
		

下面两句配置内外端口的安全级别

nameif ethernet0 outside security0
nameif ethernet1 inside security100

firewall(config)# nameif ethernet0 outside security0
firewall(config)# nameif ethernet1 inside security100

		

配置以太端口ip 地址

ip address outside 61.144.203.114 255.255.255.244
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip address e3 61.233.203.47 255.255.255.192
		

13.1.5. 配置NAT配置映射

global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
		

13.1.5.1. 端口映射

WAN IP:PORT --> LAN IP:PORT

static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.41 21 192.168.0.116 21 netmask 255.255.255.255 0 0
pix515(config)# static (inside,outside) tcp 61.144.23.50 22 192.168.0.11 22 netmask 255.255.255.255 0 0
			

13.1.5.2. IP 映射

WAN IP --> LAN IP

static (inside,outside) 120.13.14.28 172.16.1.28 netmask 255.255.255.255 0 0
			

13.1.6. 配置路由

配置outside使用的网关

route outside 0.0.0.0 0.0.0.0 120.13.14.1 1
route e3 0.0.0.0 0.0.0.0 61.233.203.1 2
		

13.1.7. 策略

conduit permit tcp host 公网IP eq ssh 信任IP 255.255.255.255 (这种写法,是信任某个IP)

13.1.7.1. Ping

下面这句允许ping

pix515(config)#conduit permit icmp any any
			

13.1.7.2. SSH

pix515(config)# conduit permit tcp host 61.144.23.50 eq ssh any
			

13.1.8. ACL

1、配置内网到VPN不做NAT
   access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
  (建立内网-->VPN的访问列表)
   nat (inside) 0 access-list 107 (内网-->VPN不做NAT,引用上一步access-list 107)

2、配置内网到DMZ 做NAT
   access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433
   access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125
   nat (inside) 2 access-list 102(内网-->DMZ做NAT,引用上一步access-list 102)

3、配置内网到Internet 做NAT
   access-list 101 permit ip 192.168.0.0 255.255.255.0 any
   nat (inside) 1 access-list 101 0 0

4、配置DMZ到VPN不做NAT
   access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
  (建立内网-->VPN的访问列表)
   nat (DMZ) 0 access-list 107

4、配置VPN到DMZ不做NAT
   access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
  (建立内网-->VPN的访问列表)
   nat (e3) 0 access-list 150
		

13.1.9. 配置远程telnet访问

password chen (把telnet的密码修改为chen)
telnet 192.168.0.1 255.255.255.255 inside(开启内网口的telnet服务)
telnet 192.168.0.0 255.255.255.0 inside(允许所有内网用户访问telnet服务)
telnet 0.0.0.0 0.0.0.0 e3
telnet 61.144.203.41 255.255.255.255 e3
		

13.1.10. 配置DHCP

pix515(config)#ip address dhcp
pix515(config)#dhcpd enable inside
pix515(config)#dhcpd auto_config outside(自动配置外网DHCP服务参数)
pix515(config)#dhcpd address 172.16.0.20-172.16.0.200 inside (内网DHCP分配的IP地址范围)
pix515(config)#dhcpd dns 208.67.222.222 208.67.220.220
pix515(config)#dhcpd domain example.com
		

13.1.11. VPN

PPTP

1、命令行方式直接在PIX上配置PPTP的VPN,即PIX作为PPTP方式VPDN的服务器
    ip local pool pptp 10.0.0.1-10.0.0.50
    //定义一个pptp 方式的vpdn拨入后获得的IP地址池,名字叫做pptp。此处地址段的定义范围不要和拨入后内网其他计算机的IP冲突,并且要根据拨入用户的数量来定义地址池的大小
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication pap
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    //以上为配置pptp的vpdn组的相关属性
    vpdn group PPTP-VPDN-GROUP client configuration address local pptp
    //上面定义pptp的vpnd组使用本地地址池组pptp,为一开始定义的
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    //此处配置pptp的vpdn拨入用户口令认证为本地认证,当然也可以选择AAA服务器认证,本地认证属于比较方便的一种实现
    vpdn username test1 password *********
    vpdn username test2 password *********
    //上面为定义本地用户认证的用户帐号和密码,可以定义多个
    vpdn enable outside
    //在pix防火墙的outside口起用vpdn功能,也可以在其他接口上应用
  2、使用pix防火墙内部的某个pptp的VPDN服务器作为专门的VPN服务器,只是在pix上开放相应的服务端口
  pptp使用1723端口,而通常pix里面的服务器对外都是做的静态NAT转换,但是光双向开放1723端口仍旧无法建立pptp的vpn连接,那么对于pix 6.3以上版本的pptp穿透可以用一条命令fixup protocol pptp 1723 来解决这个问题。
		

Ipsec VPN 配置

ip local pool pigpool 172.16.1.50-172.16.1.240  (建立VPN的地址空间)
sysopt connection permit-ipsec(开启系统ipsec端口)
sysopt connection permit-pptp(开启系统pptp端口)
sysopt connection permit-l2tp(开启系统l2tp端口)

isakmp enable e3 (e3接口启用isakmp)
isakmp policy 8 encryption des(定义phase 1协商用DES加密算法)
isakmp policy 8 hash md5(定义phase 1协商用MD5散列算法)
isakmp policy 8 authentication pre-share(定义phase 1使用pre-shared key进行认证)
isakmp key pix address 0.0.0.0 netmask 0.0.0.0(定义使用共享密匙pix)
isakmp client configuration address-pool local pigpool e3(将VPN client地址池绑定到isakmp)
isakmp policy 8 group 2(isakmp policy 10 group 2)
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac(定义一个变换集strong-des)
crypto dynamic-map cisco 4 set transform-set strong-des(把strong-des添加到动态加密策略cisco)
crypto map partner-map 20 ipsec-isakmp dynamic cisco(把动态加密策略绑定到partner-map 加密图)
crypto map partner-map client configuration address initiate(定义给每个客户端分配IP地址)
crypto map partner-map client configuration address respond(定义PIX防火墙接受来自任何IP的请求)
crypto map partner-map interface e3(把动态加密图vpnpeer绑定到e3口)
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local pigpool
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 80
vpdn username pix password pix(设置vpn密码,密码必须与共享密匙一样)
vpdn enable e3
		

vpn本地身份验证

crypto map vpnpeer client authentication LOCAL
username whr password whr
no username whr
		

修改VPN拨入密码


no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0(删除共享密匙)
isakmp key whr address 0.0.0.0 netmask 0.0.0.0     (设置共享密匙)
vpdn username chase (删除chase用户)
vpdn username chase password whr  (设置用户名为chase;密码为whr;密码要与共享密匙相同)
		

13.1.12. 防止DDOS攻击

网上找到的,我不确认是否可以起到效果:)

步骤1:开启日志功能,并确定系统日志级别
logging on
logging trap 7(7为最高级别了)
步骤2:确定一台日志服务器(192.168.1.10),并把系统日志输出导系统日志服务器上
logging host inside 192.168.1.10
步骤3:配置入侵检测(IDS) 为攻击类特征码和信息类特征码创建策略
ip audit name attackpolicy attack action alarm reset
ip audit name infopolicy info action alarm reset
步骤4:在接口上启用策略
ip audit interface outside attackpolicy
ip audit interface outside infopolicy
步骤5:在日志服务器上安装日志软件(如果是LINUX可免了)
Kiwi_Syslogd2.exe
步骤6:大功告成了。
		

13.1.13. SNMP

firewall(config)# sh snmp
snmp-server host inside 172.16.0.5 		"安装了MRTG和Cacti服务器地址
snmp-server location 172.16.0.1 		"位置描述,可以写内网端口地址,或者更直观的描述如:gateway firewall
snmp-server contact netkiller@example.com
snmp-server community cisco 			"public
snmp-server enable traps 				"允许管理信息发送
		

PIX 515 仅支持snmp v1

neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 interfaces.ifTable.ifEntry.ifDescr
IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface
IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface


neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254
SNMPv2-MIB::sysDescr.0 = STRING: Cisco PIX Firewall Version 6.3(5)

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.451
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1899600400) 219 days, 20:40:04.00
SNMPv2-MIB::sysContact.0 = STRING: neo.chen@example.com
SNMPv2-MIB::sysName.0 = STRING: firewall.example.com
SNMPv2-MIB::sysLocation.0 = STRING: gw
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 2
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface
IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1500
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 100000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifPhysAddress.1 = STRING: 0:1c:58:b5:6e:80
IF-MIB::ifPhysAddress.2 = STRING: 0:1c:58:b5:6e:81
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00
IF-MIB::ifInOctets.1 = Counter32: 4008321683
IF-MIB::ifInOctets.2 = Counter32: 4051905092
IF-MIB::ifInUcastPkts.1 = Counter32: 2797544526
IF-MIB::ifInUcastPkts.2 = Counter32: 2017238766
IF-MIB::ifInNUcastPkts.1 = Counter32: 38465473
IF-MIB::ifInNUcastPkts.2 = Counter32: 27783306
IF-MIB::ifInDiscards.1 = Counter32: 0
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInErrors.1 = Counter32: 16601
IF-MIB::ifInErrors.2 = Counter32: 32841
IF-MIB::ifInUnknownProtos.1 = Counter32: 0
IF-MIB::ifInUnknownProtos.2 = Counter32: 0
IF-MIB::ifOutOctets.1 = Counter32: 2947292253
IF-MIB::ifOutOctets.2 = Counter32: 3544827218
IF-MIB::ifOutUcastPkts.1 = Counter32: 1968227296
IF-MIB::ifOutUcastPkts.2 = Counter32: 2414528344
IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutErrors.1 = Counter32: 0
IF-MIB::ifOutErrors.2 = Counter32: 0
IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifOutQLen.2 = Gauge32: 0
IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero
IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero
IP-MIB::ipAdEntAddr.120.13.14.30 = IpAddress: 120.13.14.30
IP-MIB::ipAdEntAddr.172.16.1.254 = IpAddress: 172.16.1.254
IP-MIB::ipAdEntIfIndex.120.13.14.30 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.172.16.1.254 = INTEGER: 2
IP-MIB::ipAdEntNetMask.120.13.14.30 = IpAddress: 255.255.255.192
IP-MIB::ipAdEntNetMask.172.16.1.254 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntBcastAddr.120.13.14.30 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.172.16.1.254 = INTEGER: 0
IP-MIB::ipAdEntReasmMaxSize.120.13.14.30 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.172.16.1.254 = INTEGER: 65535
		

如果你使用snmp v2版本尝试连接pix防火墙将会提示

neo@monitor:~$ snmpwalk -v2c -c public 172.16.1.254
Timeout: No Response from 172.16.1.254
		

13.1.14. 开启WEB管理

http server enable
http 172.16.0.1 255.255.255.255 inside
		

172.16.0.1 是from ip,或者允许一个IP段

http 172.16.0.0 255.255.255.0 inside
		

http 登录密码

username admin password ysCf4HUXoqIPDu1 privilege 15
		

https://172.16.0.254

13.1.15. 保存

write memory
pix515(config)# write mem
Building configuration...
Cryptochecksum: 5641ca9c 2ef4c53c 0dc8a8f9 75d47f09
[OK]
pix515(config)#

		

13.1.15.1. 备份及恢复

备份

pix515(config)# write net 192.168.2.111:pix515.rtf
Building configuration...
TFTP write 'pix515.rtf' at 192.168.2.111 on interface 1
[OK]
		

恢复

pix515(config)# clear config all  是清除所有配置
如何想要通过tftp恢复,得要先配置一下inside接口地址:
pixfirewall(config)# ip add inside 192.168.2.1 255.255.255.0
pixfirewall(config)# ping 192.168.2.111  测试一下到TFTP服务器是否通
        192.168.2.111 response received -- 0ms
        192.168.2.111 response received -- 0ms
        192.168.2.111 response received -- 0ms
pix515(config)# configure net 192.168.2.111:pix515.rtf
Global 10.6.6.151 will be Port Address Translated
Global 10.6.6.150 will be Port Address Translated
Global 10.6.6.211 will be Port Address Translated
.
Cryptochecksum(unchanged): ead0c833 1ed19938 b863ace2 4902f21b
Config OK
		

13.1.16. clear

clear xlate
clear arp
clear local-host
		

13.1.16.1. NAT映射更改后仍然指向之前的IP

clear xlate
			

13.1.16.2. reload

fix515(config)# reload