«

By duynam

The Installation and Configuration of a Cisco PIX Firewall

Xem file đính kèm. Một số nội dung cụ thể như sau:

Mô hình:

Internet
|
External Router
|192.168.1.2
|
|E0utside2 192.168.1.1 security0
——-
| PIX |—–E2MZ 172.17.1.1 security50
——-
|E1:inside 172.16.0.1 security 100
|
|172.16.0.2
Internal Router
172.16.0.0/24 network

Cấu hình như sau:
pixfirewall(config)# hostname PIX1
PIX1(config)#enable password cisco
PIX1(config)#nameif ethernet2 DMZ sec50
PIX1(config)#ip address dmz 172.17.1.1 255.255.255.0
PIX1(config)#ip address inside 172.16.0.1 255.255.255.0
PIX1(config)#ip address outside 192.168.1.1 255.255.255.0
PIX1(config)#interface ethernet0 auto
PIX1(config)#interface ethernet1 auto
PIX1(config)#interface ethernet2 auto

Có 4 kỹ thuật nat dùng trên PIX:
- Static nat: thực hiện map 1 ip – 1 registered ip
- Dynamic nat: map 1 ip – 1 pool registered ip
- Overloading: map multi-ip – 1 registered ip
- Overlapping: is when IP addresses on your network are registered IP address and used by another network.

Nhưng thông thường sẽ cấu hình như sau:
Dynamic nat:
PIX1(config)#global (outside) 1 192.168.1.254 netmask 255.255.255.0
PIX1(config)#nat (inside) 1 172.16.0.0 255.255.255.0 0 0
PIX1(config)#nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
Nghĩa là:
1. Create a global address 192.168.1.254 with a tag ID of 1.
2. Assign the network 172.16.0.0/24 behind the inside interface the NAT tag ID 1.
3. Assign the network 172.17.1.0/24 behind the dmz interface the NAT tag ID 1.

Static nat:
PIX1(config)#static (inside,dmz) 172.17.1.0 172.17.1.0 netmask 255.255.255.0 0 0
PIX1(config)#static (dmz,outside) 192.168.1.10 172.17.1.10 netmask
255.255.255.0 0 0
PIX1(config)#static (dmz,outside) 192.168.1.20 172.17.1.20 netmask
Nghĩa là
1. Khi traffic đến từ inside network thì sẽ giữ nguyên ip
2.Trafic từ outside khi đến IP 192.168.1.10 sẽ được gửi đến server có ip là 172.17.1.10
3.Trafic từ outside khi đến IP 192.168.1.20 sẽ được gửi đến server có ip là 172.17.1.20

- Để tăng cường security dùng ACL để cho phép 1 số traffic thông dụng:
PIX1(config)#access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 any eq www
PIX1(config)#access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 any eq ftp
PIX1(config)#access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 any eq 443
PIX1(config)# access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 host
172.17.1.20 eq smtp
PIX1(config)#access-list acl_dmz permit tcp 172.17.1.0 255.255.255.0 any eq www
PIX1(config)#access-list acl_dmz permit tcp host 172.17.1.20 any eq smtp
PIX1(config)#access-list acl_outside permit tcp any host 192.168.1.20 eq smtp
PIX1(config)#access-list acl_outside permit tcp any host 192.168.1.10 eq www
PIX1(config)#access-list acl_outside permit tcp any host 192.168.1.10 eq 443
PIX1(config)#access-group acl_inside in interface inside
PIX1(config)#access-group acl_dmz in interface dmz
PIX1(config)#access-group acl_outside in interface outside

Cuối cùng cấu hình định tuyến:
PIX1(config)#route inside 172.16.0.0 255.255.255.0 172.16.0.2 1
PIX1(config)#route outside 0 0 192.168.1.2 1
PIX1(config)#wr mem

Chú ý:
- Nhớ lưu lại cấu hình: PIX1(config)#wr mem
- Xóa bảng translation: PIX1(config)#clear xlate
- Cú pháp static (internal_if_name,external_if_name) global_ip local_ip netmask mask có cách dễ nhớ hơn là: static (high.low) low high
- Các lệnh trong PIX là case-sensitive

This entry was posted on August 24, 2007 at 6:16 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply