Chapter 7. Firewall

Published: 2019-06-21


Contents

7.1. Cisco PIX Firewall
7.1.1. Complete data and configuration of the Cisco PIX 515E
7.1.2. Clearing all configuration
7.1.3. Configuring the firewall's user information
7.1.4. Interface settings
7.1.5. Configuring NAT mappings
7.1.5.1. Port mapping
7.1.5.2. IP mapping
7.1.6. Configuring routes
7.1.7. Policy
7.1.7.1. Ping
7.1.7.2. SSH
7.1.8. ACL
7.1.9. Configuring remote telnet access
7.1.10. Configuring DHCP
7.1.11. VPN
7.1.12. Defending against DDoS attacks
7.1.13. SNMP
7.1.14. Enabling web management
7.1.15. Save
7.1.15.1. Backup and restore
7.1.16. clear
7.1.16.1. NAT mapping still points to the previous IP after a change
7.1.16.2. reload
7.2. Cisco ASA Firewall
7.2.1. Console login
7.2.1.1. Clearing the configuration file
7.2.2. Management0/0
7.2.3. Interface configuration
7.2.3.1. Sub-interfaces
7.2.4. route
7.2.5. ACL
7.2.5.1. Blacklist
7.2.5.2. Whitelist
7.2.5.3. object-group
7.2.5.4. Example
7.2.6. Configuring NAT mappings
7.2.6.1. IP mapping
7.2.6.2. Port mapping
7.2.7. timeout
7.2.8. DHCP
7.2.8.1. management
7.2.8.2. inside
7.2.9. SNMP
7.2.10. User login
7.2.10.1. Telnet
7.2.10.2. SSH
7.2.11. VPN
7.2.11.1. site to site
7.2.11.2. webvpn
7.2.12. service-policy
7.2.13. failover
7.2.14. Transparent firewall (transparent)
7.2.15. logging
7.2.16. ntp
7.2.17. asdm
7.2.18. Backing up the configuration file
7.3. Show commands
7.3.1. show interface
7.3.2. show static
7.3.3. show ip
7.3.4. show cpu usage
7.3.5. show conn count
7.3.6. show blocks
7.3.7. show mem
7.3.8. show traffic
7.3.9. show xlate
7.4. FAQ
7.4.1. inside cannot reach outside
7.5. Example
7.5.1. ASA Firewall

7.1. Cisco PIX Firewall

Cisco PIX 515E

Procedure 7.1. Logging in to the PIX 515E

  1. Log in

    telnet 192.168.0.1
    User Access Verification
    Password:  (enter the password; the following appears)
    Type help or '?' for a list of available commands.
    weibo>

    (This is the PIX 515E's unprivileged mode. It is view-only, and only the firewall's system information can be viewed.)

  2. Enter privileged mode

    enable  (the following appears)
    password:  (enter the password to reach privileged mode)
    weibo#  (the prompt changes from weibo> to weibo#)

    (In privileged mode the firewall configuration can be viewed but not changed; use disable to leave privileged mode and return to unprivileged mode.)

  3. Enter configuration mode

    conf t  (the following appears)
    firewall(config)#  (the prompt changes from weibo# to weibo(config)#)

    (The firewall configuration can only be changed in configuration mode; use exit or quit to return from configuration mode to privileged mode.)

7.1.1. Complete data and configuration of the Cisco PIX 515E

show tech-support   (prints the version, hardware and license details, memory, connection and translation counts, interface statistics, the process list, traffic counters and the running configuration in one go)


7.1.2. Clearing all configuration

pix# conf t
pix(config)# clear config all
pixfirewall(config)# quit
pixfirewall# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall#

7.1.3. Configuring the firewall's user information

enable password chen
hostname pix515
domain-name example.com

pixfirewall# conf t
pixfirewall(config)# enable password chen
pixfirewall(config)# hostname firewall
firewall(config)# domain-name example.com
firewall(config)#

7.1.4. Interface settings

Activate the Ethernet ports

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto

firewall(config)# interface ethernet0 auto
firewall(config)# interface ethernet1 auto

The following two lines set the security level of the outside and inside ports

nameif ethernet0 outside security0
nameif ethernet1 inside security100

firewall(config)# nameif ethernet0 outside security0
firewall(config)# nameif ethernet1 inside security100

Configure the IP addresses of the Ethernet ports

ip address outside 61.144.203.114 255.255.255.244
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip address e3 61.233.203.47 255.255.255.192

7.1.5. Configuring NAT mappings

global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0

7.1.5.1. Port mapping

WAN IP:PORT --> LAN IP:PORT

static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.41 21 192.168.0.116 21 netmask 255.255.255.255 0 0

pix515(config)# static (inside,outside) tcp 61.144.23.50 22 192.168.0.11 22 netmask 255.255.255.255 0 0

7.1.5.2. IP mapping

WAN IP --> LAN IP

static (inside,outside) 120.13.14.28 172.16.1.28 netmask 255.255.255.255 0 0
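As an added example (not part of the Netkiller handbook), the following Python script parses static lines in both forms shown in 7.1.5.1 and 7.1.5.2 and turns them into a list of which inside hosts are reachable from the mapped side on which ports, flagging any public address:port that two lines claim. The sample lines are constructed from the commands above, with one extra conflicting line added on purpose.

```python
import re
from collections import defaultdict

# Constructed sample in the PIX 6.3 "static" syntax used above (not a dump from a real device).
# The last line deliberately re-uses a public ip:port already claimed by the first line.
SAMPLE_STATICS = """
static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.41 21 192.168.0.116 21 netmask 255.255.255.255 0 0
static (inside,outside) 120.13.14.28 172.16.1.28 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 80 192.168.0.117 8080 netmask 255.255.255.255 0 0
"""

# Port mapping: static (real_if,mapped_if) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask ...
PORT_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<pub_ip>[\d.]+) (?P<pub_port>\w+) (?P<priv_ip>[\d.]+) (?P<priv_port>\w+) netmask"
)
# IP mapping: static (real_if,mapped_if) mapped_ip real_ip netmask ...
IP_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<pub_ip>[\d.]+) (?P<priv_ip>[\d.]+) netmask"
)


def parse_statics(config_text):
    """One dict per static line: the public (ip, proto, port) tuple and the inside socket it lands on."""
    exposures = []
    for line in config_text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            d = m.groupdict()
            exposures.append({"public": (d["pub_ip"], d["proto"], d["pub_port"]),
                              "inside": (d["priv_ip"], d["proto"], d["priv_port"])})
            continue
        m = IP_RE.match(line)
        if m:
            d = m.groupdict()
            # A whole-IP static maps every port; conduits/ACLs then decide what is let through.
            exposures.append({"public": (d["pub_ip"], "ip", "any"),
                              "inside": (d["priv_ip"], "ip", "any")})
    return exposures


def find_conflicts(exposures):
    """Public (ip, proto, port) tuples claimed by more than one static line.
    Two statics cannot both answer for the same public socket, so at least one
    mapping that someone believes is active is not."""
    claims = defaultdict(list)
    for e in exposures:
        claims[e["public"]].append(e["inside"])
    return {pub: targets for pub, targets in claims.items() if len(targets) > 1}


def exposure_by_inside_host(exposures):
    """Which ports of each inside host are reachable from the mapped side (sorted, as strings)."""
    by_host = defaultdict(set)
    for e in exposures:
        by_host[e["inside"][0]].add(e["public"][2])
    return {host: sorted(ports) for host, ports in by_host.items()}


if __name__ == "__main__":
    ex = parse_statics(SAMPLE_STATICS)
    for host, ports in exposure_by_inside_host(ex).items():
        print(f"{host} reachable from outside on: {', '.join(ports)}")
    for pub, targets in find_conflicts(ex).items():
        print(f"conflict: {pub} claimed by {targets}")
```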

7.1.6. Configuring routes

Configure the gateway used by the outside interface

route outside 0.0.0.0 0.0.0.0 120.13.14.1 1
route e3 0.0.0.0 0.0.0.0 61.233.203.1 2

7.1.7. Policy

conduit permit tcp host <public IP> eq ssh <trusted IP> 255.255.255.255   (written this way, only the one trusted IP is allowed)

7.1.7.1. Ping

The following line allows ping

pix515(config)#conduit permit icmp any any

7.1.7.2. SSH

pix515(config)# conduit permit tcp host 61.144.23.50 eq ssh any

7.1.8. ACL

1. Inside to VPN without NAT
   access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0   (create the inside --> VPN access list)
   nat (inside) 0 access-list 107   (inside --> VPN is not translated; references access-list 107 from the previous step)
2. Inside to DMZ with NAT
   access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433
   access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125
   nat (inside) 2 access-list 102   (inside --> DMZ is translated; references access-list 102 from the previous step)
3. Inside to Internet with NAT
   access-list 101 permit ip 192.168.0.0 255.255.255.0 any
   nat (inside) 1 access-list 101 0 0
4. DMZ to VPN without NAT
   access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0   (create the DMZ --> VPN access list)
   nat (DMZ) 0 access-list 107
5. VPN to DMZ without NAT
   access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0   (create the VPN --> DMZ access list)
   nat (e3) 0 access-list 150

7.1.9. Configuring remote telnet access

password chen   (change the telnet password to chen)
telnet 192.168.0.1 255.255.255.255 inside   (enable the telnet service on the inside port)
telnet 192.168.0.0 255.255.255.0 inside   (allow all inside users to reach the telnet service)
telnet 0.0.0.0 0.0.0.0 e3
telnet 61.144.203.41 255.255.255.255 e3

7.1.10. Configuring DHCP

pix515(config)# ip address dhcp
pix515(config)# dhcpd enable inside
pix515(config)# dhcpd auto_config outside   (take the DHCP parameters automatically from the outside interface)
pix515(config)# dhcpd address 172.16.0.20-172.16.0.200 inside   (the IP range handed out by DHCP on the inside)
pix515(config)# dhcpd dns 208.67.222.222 208.67.220.220
pix515(config)# dhcpd domain example.com

7.1.11. VPN

PPTP

1. Configure the PPTP VPN directly on the PIX from the command line, i.e. the PIX acts as the PPTP VPDN server

    ip local pool pptp 10.0.0.1-10.0.0.50
    // define the pool of addresses handed to PPTP VPDN dial-in clients, named pptp. The range must not collide with other hosts on the inside network, and the pool size should match the number of dial-in users
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication pap
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    // the lines above set the properties of the PPTP VPDN group
    vpdn group PPTP-VPDN-GROUP client configuration address local pptp
    // the PPTP VPDN group uses the local address pool pptp defined at the start
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    // dial-in users of the PPTP VPDN are authenticated locally; an AAA server could be used instead, but local authentication is the simplest to set up
    vpdn username test1 password *********
    vpdn username test2 password *********
    // local user accounts and passwords; more than one can be defined
    vpdn enable outside
    // enable VPDN on the outside interface of the PIX; it can also be applied on other interfaces

2. Use a PPTP VPDN server behind the PIX as the dedicated VPN server and only open the corresponding service port on the PIX. PPTP uses port 1723, and servers behind the PIX are normally published through static NAT, but opening port 1723 in both directions alone is still not enough to establish a PPTP VPN connection. On PIX 6.3 and later, PPTP passthrough is handled with one command: fixup protocol pptp 1723.

IPsec VPN configuration

ip local pool pigpool 172.16.1.50-172.16.1.240   (create the VPN address pool)
sysopt connection permit-ipsec   (open the system IPsec port)
sysopt connection permit-pptp   (open the system PPTP port)
sysopt connection permit-l2tp   (open the system L2TP port)
isakmp enable e3   (enable ISAKMP on interface e3)
isakmp policy 8 encryption des   (phase 1 negotiation uses the DES cipher)
isakmp policy 8 hash md5   (phase 1 negotiation uses the MD5 hash)
isakmp policy 8 authentication pre-share   (phase 1 authenticates with a pre-shared key)
isakmp key pix address 0.0.0.0 netmask 0.0.0.0   (use the shared key pix)
isakmp client configuration address-pool local pigpool e3   (bind the VPN client address pool to ISAKMP)
isakmp policy 8 group 2   (or: isakmp policy 10 group 2)
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac   (define a transform set named strong-des)
crypto dynamic-map cisco 4 set transform-set strong-des   (add strong-des to the dynamic crypto map cisco)
crypto map partner-map 20 ipsec-isakmp dynamic cisco   (bind the dynamic crypto map to the crypto map partner-map)
crypto map partner-map client configuration address initiate   (assign an IP address to each client)
crypto map partner-map client configuration address respond   (the PIX accepts requests from any IP)
crypto map partner-map interface e3   (bind the dynamic crypto map to interface e3)
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local pigpool
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 80
vpdn username pix password pix   (set the VPN password; it must be the same as the shared key)
vpdn enable e3

VPN local authentication

crypto map vpnpeer client authentication LOCAL
username whr password whr
no username whr

Changing the VPN dial-in password

no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0   (delete the shared key)
isakmp key whr address 0.0.0.0 netmask 0.0.0.0   (set the shared key)
no vpdn username chase   (delete the user chase)
vpdn username chase password whr   (set user chase with password whr; the password must match the shared key)

7.1.12. Defending against DDoS attacks

Found online; I am not sure whether it actually helps :)

Step 1: enable logging and set the syslog level
    logging on
    logging trap 7   (7 is the highest level)
Step 2: pick a log server (192.168.1.10) and send the system log to it
    logging host inside 192.168.1.10
Step 3: configure intrusion detection (IDS); create policies for the attack-class and info-class signatures
    ip audit name attackpolicy attack action alarm reset
    ip audit name infopolicy info action alarm reset
Step 4: apply the policies on the interface
    ip audit interface outside attackpolicy
    ip audit interface outside infopolicy
Step 5: install syslog software on the log server (not needed on Linux): Kiwi_Syslogd2.exe
Step 6: done.

7.1.13. SNMP

firewall(config)# sh snmp
snmp-server host inside 172.16.0.5            " address of the server running MRTG and Cacti
snmp-server location 172.16.0.1               " location description; the inside port address, or something more descriptive such as: gateway firewall
snmp-server contact netkiller@example.com
snmp-server community cisco                   " public
snmp-server enable traps                      " allow management information (traps) to be sent

The PIX 515 only supports SNMP v1

neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 interfaces.ifTable.ifEntry.ifDescr
IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface
IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface

neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254
SNMPv2-MIB::sysDescr.0 = STRING: Cisco PIX Firewall Version 6.3(5)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.451
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1899600400) 219 days, 20:40:04.00
SNMPv2-MIB::sysContact.0 = STRING: neo.chen@example.com
SNMPv2-MIB::sysName.0 = STRING: firewall.example.com
SNMPv2-MIB::sysLocation.0 = STRING: gw
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 2
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface
IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1500
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 100000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifPhysAddress.1 = STRING: 0:1c:58:b5:6e:80
IF-MIB::ifPhysAddress.2 = STRING: 0:1c:58:b5:6e:81
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00
IF-MIB::ifInOctets.1 = Counter32: 4008321683
IF-MIB::ifInOctets.2 = Counter32: 4051905092
IF-MIB::ifInUcastPkts.1 = Counter32: 2797544526
IF-MIB::ifInUcastPkts.2 = Counter32: 2017238766
IF-MIB::ifInNUcastPkts.1 = Counter32: 38465473
IF-MIB::ifInNUcastPkts.2 = Counter32: 27783306
IF-MIB::ifInDiscards.1 = Counter32: 0
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInErrors.1 = Counter32: 16601
IF-MIB::ifInErrors.2 = Counter32: 32841
IF-MIB::ifInUnknownProtos.1 = Counter32: 0
IF-MIB::ifInUnknownProtos.2 = Counter32: 0
IF-MIB::ifOutOctets.1 = Counter32: 2947292253
IF-MIB::ifOutOctets.2 = Counter32: 3544827218
IF-MIB::ifOutUcastPkts.1 = Counter32: 1968227296
IF-MIB::ifOutUcastPkts.2 = Counter32: 2414528344
IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutErrors.1 = Counter32: 0
IF-MIB::ifOutErrors.2 = Counter32: 0
IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifOutQLen.2 = Gauge32: 0
IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero
IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero
IP-MIB::ipAdEntAddr.120.13.14.30 = IpAddress: 120.13.14.30
IP-MIB::ipAdEntAddr.172.16.1.254 = IpAddress: 172.16.1.254
IP-MIB::ipAdEntIfIndex.120.13.14.30 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.172.16.1.254 = INTEGER: 2
IP-MIB::ipAdEntNetMask.120.13.14.30 = IpAddress: 255.255.255.192
IP-MIB::ipAdEntNetMask.172.16.1.254 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntBcastAddr.120.13.14.30 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.172.16.1.254 = INTEGER: 0
IP-MIB::ipAdEntReasmMaxSize.120.13.14.30 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.172.16.1.254 = INTEGER: 65535

If you try to connect to the PIX with SNMP v2, the walk simply times out:

neo@monitor:~$ snmpwalk -v2c -c public 172.16.1.254
Timeout: No Response from 172.16.1.254
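As an added example that is not from the handbook: a small Python audit that scans a PIX 6.3 running-config for the weak settings this chapter touches on (telnet or web management open to any source in 7.1.9 and 7.1.14, conduits open to any source in 7.1.7, DES/MD5 IKE policies in 7.1.11, the default SNMP community in 7.1.13). The configuration it scans is constructed from the commands shown above; the checks and severities are my own, not anything the PIX itself reports.

```python
import re
from collections import Counter

# Constructed PIX 6.3 configuration fragment assembled from the commands shown in this
# chapter (telnet, conduit, isakmp, snmp-server, http); not a dump from a real device.
SAMPLE_CONFIG = """
hostname firewall
enable password 8Ry2YjIyt7RRXU24 encrypted
telnet 192.168.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 e3
conduit permit icmp any any
conduit permit tcp host 61.144.23.50 eq ssh any
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share
snmp-server community public
http server enable
http 172.16.0.0 255.255.255.0 inside
"""

# (regex matched against one config line, severity, message). The first match per line wins,
# so the more specific "open to any source" checks are listed before the general ones.
CHECKS = [
    (re.compile(r"^telnet 0\.0\.0\.0 0\.0\.0\.0 (?P<iface>\S+)$"), "high",
     "cleartext telnet management open to any source on interface {iface}"),
    (re.compile(r"^telnet \S+ \S+ (?!inside$)(?P<iface>\S+)$"), "medium",
     "telnet management reachable via non-inside interface {iface}; prefer ssh"),
    (re.compile(r"^http 0\.0\.0\.0 0\.0\.0\.0 (?P<iface>\S+)$"), "high",
     "web management open to any source on interface {iface}"),
    (re.compile(r"^conduit permit icmp any any$"), "low",
     "all ICMP permitted inbound; consider limiting to echo-reply/unreachable/time-exceeded"),
    (re.compile(r"^conduit permit \S+ host \S+ eq (?P<svc>\S+) any$"), "medium",
     "service {svc} exposed to any source address"),
    (re.compile(r"^isakmp policy (?P<n>\d+) encryption des$"), "high",
     "IKE policy {n} uses single DES"),
    (re.compile(r"^isakmp policy (?P<n>\d+) hash md5$"), "medium",
     "IKE policy {n} uses MD5"),
    (re.compile(r"^snmp-server community (public|private)$"), "high",
     "default SNMP community string; the PIX 515 speaks only SNMPv1, so it also travels in cleartext"),
    (re.compile(r"^(enable )?passw(or)?d \S+$"), "high",
     "password stored without the 'encrypted' keyword"),
]


def audit(config_text):
    """Return (severity, config line, message) for each line that trips a check."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, severity, message in CHECKS:
            m = pattern.match(line)
            if m:
                findings.append((severity, line, message.format(**m.groupdict())))
                break
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for severity, line, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {line:50} {message}")
    print(summarize(audit(SAMPLE_CONFIG)))
```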

7.1.14. Enabling web management

http server enable
http 172.16.0.1 255.255.255.255 inside

172.16.0.1 is the source IP that may connect; alternatively, allow a whole subnet

http 172.16.0.0 255.255.255.0 inside

HTTP login password

username admin password ysCf4HUXoqIPDu1 privilege 15

https://172.16.0.254

7.1.15. Save

write memory

pix515(config)# write mem
Building configuration...
Cryptochecksum: 5641ca9c 2ef4c53c 0dc8a8f9 75d47f09
[OK]
pix515(config)#

7.1.15.1. Backup and restore

Backup

pix515(config)# write net 192.168.2.111:pix515.rtf
Building configuration...
TFTP write 'pix515.rtf' at 192.168.2.111 on interface 1
[OK]

Restore

pix515(config)# clear config all   (clears the whole configuration)

To restore over TFTP, the inside interface address has to be configured first:

pixfirewall(config)# ip add inside 192.168.2.1 255.255.255.0
pixfirewall(config)# ping 192.168.2.111   (check that the TFTP server is reachable)
        192.168.2.111 response received -- 0ms
        192.168.2.111 response received -- 0ms
        192.168.2.111 response received -- 0ms
pix515(config)# configure net 192.168.2.111:pix515.rtf
Global 10.6.6.151 will be Port Address Translated
Global 10.6.6.150 will be Port Address Translated
Global 10.6.6.211 will be Port Address Translated
.
Cryptochecksum(unchanged): ead0c833 1ed19938 b863ace2 4902f21b
Config OK

7.1.16. clear

clear xlate
clear arp
clear local-host

7.1.16.1. NAT mapping still points to the previous IP after a change

clear xlate

7.1.16.2. reload

pix515(config)# reload

Original source: Netkiller series handbook
Author: 陈景峯
To reprint, please contact the author, and always credit the original source, the author information and this notice.
