Why can't I ping the 515E's outside address?
The PIX version is 6.3(4). After configuring the 515E's outside and inside addresses, I connected my laptop directly to the 515E's outside port with a network cable. The laptop's address is in the same subnet as the outside address, but I can never ping the outside address. The same configuration works without any problem on a 515E running 6.2. Very strange??
icmp permit any outside
The PIX VPN is set up and I can connect over DDN, so why doesn't the ADSL at home work?
Configuration as follows: pix520
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
nameif ethernet2 Outside-DMZ security50
enable password GyBjREM5Y/fIjrzB encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname PIX-yinhetech
domain-name test.cn
clock timezone CST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 notebookpoolIP
access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any
access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any
access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0
access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap notifications
icmp deny any Outside
mtu Outside 1500
mtu inside 1500
mtu Outside-DMZ 1500
ip address Outside ***.***.***.** 255.255.255.240
ip address inside 10.127.1.253 255.255.255.0
ip address Outside-DMZ 172.18.3.254 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool notebookpool 10.128.1.1-10.128.1.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address Outside
no failover ip address inside
no failover ip address Outside-DMZ
pdm history enable
arp timeout 14400
global (Outside) 1 ***.***.***.** netmask 255.255.255.240
global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.128.0.0 0 0
access-group 101 in interface inside
route Outside 0.0.0.0 0.0.0.0 ***.***.***.** 1
route inside 10.0.0.0 255.128.0.0 10.127.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.74 255.255.255.255 inside
http 10.10.10.88 255.255.255.255 inside
snmp-server host inside 10.10.10.10
snmp-server host inside 10.10.10.74
snmp-server location soft_yuan_internet
snmp-server contact bill
snmp-server community public
snmp-server enable traps
tftp-server inside 10.10.10.74 /
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp identity address
isakmp keepalive 60 5
isakmp nat-traversal 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup notebookpc address-pool notebookpool
vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68
vpngroup notebookpc default-domain yhgroup.cn
vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl
vpngroup notebookpc idle-time 1800
vpngroup notebookpc password ********
telnet 10.0.0.0 255.128.0.0 inside
telnet 10.10.10.110 255.255.255.255 inside
telnet 10.10.10.110 255.255.255.255 Outside-DMZ
telnet timeout 31
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35
surf_qj (regular user)
Oh, and I'm logging in with the Cisco Systems VPN Client 4.01. From the ADSL at home I can connect to the VPN but can't access anything, while over DDN it works. Actually, it's not only a PIX problem: I built the same thing on a 2620 and it behaves just like yours. With an ordinary ADSL modem it doesn't work, but with an ADSL modem that has routing functionality it does.
isakmp nat-traversal 120
Also enable NAT transparency on the client. I'd guess it's a NAT traversal problem.
pix515 problem
The specific symptom: one standalone PC is connected to the DMZ and one to inside. The DMZ PC can get online but nothing else works, and the inside PC can't do anything at all. The PCs themselves are known to be fine. Please help me look at the configuration. The outside address and the global address are different; does that matter? (There are no free contiguous addresses left, so I can only use two different addresses.)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password O53fPNRgHkA6IEsY encrypted
passwd TWjtI1emvjruV4SY encrypted
hostname jygatewall
domain-name 219.2.2.2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list dmz_jygate_acl deny icmp any any
access-list dmz_jygate_acl permit udp any any eq domain
access-list dmz_jygate_acl permit tcp any any eq www
access-list dmz_jygate_acl permit udp any any eq 20
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20817
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20820
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8080
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8383
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 32002
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
access-group dmz_jygate_acl in interface outside
access-group dmz_jygate_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 219.150.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:594b9bbf77abf8a342afee1764e4f7cd
: end

nyb0319 (regular user)
no static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
Change it to: static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0
Add one line: static (inside,outside) 219.150.1.2 192.168.168.0 netmask 255.255.255.0 0 0
no access-group dmz_jygate_acl in interface dmz

crazytank (regular user)
I changed it as suggested above, and now it reports "global address overlaps with mask". Could you experts please take another look?
lcschina (active user)
ip address outside 219.150.1.2 255.255.255.224
global (outside) 1 219.150.1.2
The addresses overlap!!!
Add global (outside) 1 interface and remove your existing global.
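As an added illustration (not from the thread), a small Python check that applies lcschina's diagnosis mechanically: it reads PIX 6.x "ip address", "global" and "static" lines, flags any global or static whose mapped address is an interface's own address, and suggests the "global (outside) 1 interface" form for the global case. The sample config lines are constructed from the configuration posted above.

```python
import re

# Constructed sample, taken from the PIX 6.2 config posted in the thread:
# both the global and the static reuse the outside interface address.
SAMPLE_CONFIG = """\
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
# global (<mapped_if>) <nat_id> <addr|range|interface> ...
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
# static (<real_if>,<mapped_if>) <mapped_addr> <real_addr> ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def interface_addresses(config):
    """Map interface name -> address from 'ip address <if> <addr> <mask>' lines."""
    addrs = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            addrs[m.group(1)] = m.group(2)
    return addrs


def find_overlaps(config):
    """Return (offending line, suggested fix) pairs.

    A literal global equal to the interface address is what PIX 6.x rejects
    with 'global address overlaps with mask'; PAT to the interface address
    must be expressed as 'global (<if>) <id> interface'. A static whose mapped
    address is the interface address is reported too, since it competes with
    the interface (and with that global) for the same address."""
    addrs = interface_addresses(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        g = GLOBAL_RE.match(line)
        if g and addrs.get(g.group(1)) == g.group(3):
            findings.append((line, f"global ({g.group(1)}) {g.group(2)} interface"))
            continue
        s = STATIC_RE.match(line)
        if s and addrs.get(s.group(2)) == s.group(3):
            findings.append((line, f"mapped address is the {s.group(2)} interface "
                                   "address; use a free global address instead"))
    return findings
```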