| 知乎专栏 | 多维度架构 |
目录
过程 12.1. Login Pix515E
登陆
1.、telnet 192.168.0.1 User Access Verification Password:(输入密码出现如下信息:) Type help or '?' for a list of available commands. weibo> (此时是PIX 515E的无特权模式,此模式只能查看,并且只能查看防火墙的系统信息) /**************chase*********************/
Then do this.
2.、enable(进入特权模式,出现如下信息) password:(输入密码进入特权模式) weibo#(weibo>变为weibo#) (在特权模式下只能查看放火墙的配置不能修改防火墙的配置,用disable退出特权模式返回无特权模式) /*************chase*********************/
And now do this.
conf t(进入配置模式,出现如下信息) firewall(config)#(weibo#变为weibo(config)#) (在配置模式才能修改防火墙的配置,用exit、quit退出配置模式到特权模式)
show tech-support
firewall(config)# show tech-support
Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
firewall up 36 mins 41 secs
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 001c.58b5.6e80, irq 10
1: ethernet1: address is 001c.58b5.6e81, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 810323551 (0x304c8e5f)
Running Activation Key: 0x1512d3bb 0xdbb4b468 0xb28e1dc9 0x1b826959
Configuration last modified by enable_15 at 23:06:10.370 UTC Thu Sep 2 2010
------------------ show clock ------------------
23:08:58.073 UTC Thu Sep 2 2010
------------------ show memory ------------------
Free memory: 79151528 bytes
Used memory: 55066200 bytes
------------- ----------------
Total memory: 134217728 bytes
------------------ show conn count ------------------
0 in use, 0 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
4 1600 1600 1600
80 400 400 400
256 500 499 500
1550 933 667 676
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 001c.58b5.6e80
IP address 172.16.0.30, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2 packets output, 120 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
2 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 001c.58b5.6e81
IP address 172.16.1.254, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 packets output, 180 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
3 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Hsi 001f02c9 00953044 0056ed50 0 009520bc 3916/4096 arp_timer
Lsi 001f5a95 009f623c 0056ed50 0 009f52c4 3928/4096 FragDBGC
Lwe 0011a13f 00a0236c 005724b8 0 00a01504 3688/4096 dbgtrace
Lwe 003fb2fd 00a044fc 00567688 0 00a025b4 8008/8192 Logger
Hwe 003ff4b8 00a075f4 00567938 0 00a0567c 8024/8192 tcp_fast
Hwe 003ff431 00a096a4 00567938 0 00a0772c 8024/8192 tcp_slow
Lsi 00314885 028e9924 0056ed50 0 028e899c 3916/4096 xlate clean
Lsi 00314793 028ea9c4 0056ed50 0 028e9a4c 3884/4096 uxlate clean
Mwe 0030be5f 02d7edc4 0056ed50 0 02d7ce2c 7908/8192 tcp_intercept_timer_process
Lsi 00452ee5 02e2b79c 0056ed50 0 02e2a814 3900/4096 route_process
Hsi 002fb6fc 02e2c82c 0056ed50 20 02e2b8c4 3780/4096 PIX Garbage Collector
Hwe 0021e529 02e36d5c 0056ed50 0 02e32df4 16048/16384 isakmp_time_keeper
Lsi 002f929c 02e5069c 0056ed50 0 02e4f714 3944/4096 perfmon
Mwe 00214d39 02e7aacc 0056ed50 0 02e78b54 7860/8192 IPsec timer handler
Hwe 003b105b 02e8ee14 00591c90 0 02e8cecc 7000/8192 qos_metric_daemon
Mwe 0026d0dd 02ea996c 0056ed50 0 02ea5a04 15592/16384 IP Background
Lwe 0030cad6 02f5c2bc 00585368 0 02f5b444 3704/4096 pix/trace
Lwe 0030cd0e 02f5d36c 00585a98 0 02f5c4f4 3704/4096 pix/tconsole
H* 0011fa67 0009ff2c 0056ed38 1310 02f63784 13136/16384 ci/console
Csi 003048fb 02f6878c 0056ed50 0 02f67834 3432/4096 update_cpu_usage
Hwe 002ef791 03019534 0054e100 0 030156ac 15884/16384 uauth_in
Hwe 003fdf05 0301b634 00892508 0 0301975c 7896/8192 uauth_thread
Hwe 0041553a 0301c784 00567c88 0 0301b80c 3960/4096 udp_timer
Hsi 001e7d4e 0301e444 0056ed50 0 0301d4cc 3800/4096 557mcfix
Crd 001e7d03 0301f504 0056f1c8 1638450 0301e57c 3632/4096 557poll
Lsi 001e7dbd 030205a4 0056ed50 0 0301f62c 3848/4096 557timer
Cwe 001e99a9 0332267c 007f1058 0 03320784 7928/8192 pix/intf0
Mwe 004152aa 0332378c 008dc6f8 0 03322854 3896/4096 riprx/0
Msi 003ba8a1 0332489c 0056ed50 0 03323924 3888/4096 riptx/0
Cwe 001e99a9 03426aa4 00779ae0 0 03424bac 7928/8192 pix/intf1
Mwe 004152aa 03427bb4 008dc6b0 0 03426c7c 3896/4096 riprx/1
Msi 003ba8a1 03428cc4 0056ed50 0 03427d4c 3888/4096 riptx/1
Hwe 003fe199 0344d67c 00868c90 0 0344d034 1196/2048 listen/telnet_1
Mwe 0038707e 0344f85c 0056ed50 0 0344d8e4 7960/8192 Crypto CA
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
received (in 2214.880 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2214.880 secs):
2 packets 120 bytes
0 pkts/sec 0 bytes/sec
inside:
received (in 2214.880 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2214.880 secs):
3 packets 180 bytes
0 pkts/sec 0 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
firewall(config)#
pix# conf t pix(config)# clear config all pixfirewall(config)# quit pixfirewall# show run : Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names pager lines 24 mtu outside 1500 mtu inside 1500 no ip address outside no ip address inside ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:00000000000000000000000000000000 : end pixfirewall#
enable password chen hostname pix515 domain-name example.com pixfirewall# conf t pixfirewall(config)# enable password chen pixfirewall(config)# hostname firewall firewall(config)# domain-name example.com firewall(config)#
激活以太端口
interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto interface ethernet3 auto firewall(config)# interface ethernet0 auto firewall(config)# interface ethernet1 auto
下面两句配置内外端口的安全级别
nameif ethernet0 outside security0 nameif ethernet1 inside security100 firewall(config)# nameif ethernet0 outside security0 firewall(config)# nameif ethernet1 inside security100
配置以太端口ip 地址
ip address outside 61.144.203.114 255.255.255.244 ip address inside 192.168.0.1 255.255.255.0 ip address dmz 172.16.0.1 255.255.255.0 ip address e3 61.233.203.47 255.255.255.192
global (outside) 1 interface nat (inside) 1 172.16.1.0 255.255.255.0 0 0
WAN IP:PORT --> LAN IP:PORT
static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0 static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0 static (inside,outside) tcp 61.144.203.41 21 192.168.0.116 21 netmask 255.255.255.255 0 0 pix515(config)# static (inside,outside) tcp 61.144.23.50 22 192.168.0.11 22 netmask 255.255.255.255 0 0
配置outside使用的网关
route outside 0.0.0.0 0.0.0.0 120.13.14.1 1 route e3 0.0.0.0 0.0.0.0 61.233.203.1 2
conduit permit tcp host 公网IP eq ssh 信任IP 255.255.255.255 (这种写法,是信任某个IP)
1、配置内网到VPN不做NAT access-list 107 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0 (建立内网-->VPN的访问列表) nat (inside) 0 access-list 107 (内网-->VPN不做NAT,引用上一步access-list 107) 2、配置内网到DMZ 做NAT access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 1433 access-list 102 permit tcp 192.168.0.0 255.255.255.0 host 172.16.0.103 eq 3125 nat (inside) 2 access-list 102(内网-->DMZ做NAT,引用上一步access-list 102) 3、配置内网到Internet 做NAT access-list 101 permit ip 192.168.0.0 255.255.255.0 any nat (inside) 1 access-list 101 0 0 4、配置DMZ到VPN不做NAT access-list 107 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0 (建立内网-->VPN的访问列表) nat (DMZ) 0 access-list 107 4、配置VPN到DMZ不做NAT access-list 150 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0 (建立内网-->VPN的访问列表) nat (e3) 0 access-list 150
password chen (把telnet的密码修改为chen) telnet 192.168.0.1 255.255.255.255 inside(开启内网口的telnet服务) telnet 192.168.0.0 255.255.255.0 inside(允许所有内网用户访问telnet服务) telnet 0.0.0.0 0.0.0.0 e3 telnet 61.144.203.41 255.255.255.255 e3
pix515(config)#ip address dhcp pix515(config)#dhcpd enable inside pix515(config)#dhcpd auto_config outside(自动配置外网DHCP服务参数) pix515(config)#dhcpd address 172.16.0.20-172.16.0.200 inside (内网DHCP分配的IP地址范围) pix515(config)#dhcpd dns 208.67.222.222 208.67.220.220 pix515(config)#dhcpd domain example.com
PPTP
1、命令行方式直接在PIX上配置PPTP的VPN,即PIX作为PPTP方式VPDN的服务器
ip local pool pptp 10.0.0.1-10.0.0.50
//定义一个pptp 方式的vpdn拨入后获得的IP地址池,名字叫做pptp。此处地址段的定义范围不要和拨入后内网其他计算机的IP冲突,并且要根据拨入用户的数量来定义地址池的大小
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
//以上为配置pptp的vpdn组的相关属性
vpdn group PPTP-VPDN-GROUP client configuration address local pptp
//上面定义pptp的vpnd组使用本地地址池组pptp,为一开始定义的
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
//此处配置pptp的vpdn拨入用户口令认证为本地认证,当然也可以选择AAA服务器认证,本地认证属于比较方便的一种实现
vpdn username test1 password *********
vpdn username test2 password *********
//上面为定义本地用户认证的用户帐号和密码,可以定义多个
vpdn enable outside
//在pix防火墙的outside口起用vpdn功能,也可以在其他接口上应用
2、使用pix防火墙内部的某个pptp的VPDN服务器作为专门的VPN服务器,只是在pix上开放相应的服务端口
pptp使用1723端口,而通常pix里面的服务器对外都是做的静态NAT转换,但是光双向开放1723端口仍旧无法建立pptp的vpn连接,那么对于pix 6.3以上版本的pptp穿透可以用一条命令fixup protocol pptp 1723 来解决这个问题。
Ipsec VPN 配置
ip local pool pigpool 172.16.1.50-172.16.1.240 (建立VPN的地址空间) sysopt connection permit-ipsec(开启系统ipsec端口) sysopt connection permit-pptp(开启系统pptp端口) sysopt connection permit-l2tp(开启系统l2tp端口) isakmp enable e3 (e3接口启用isakmp) isakmp policy 8 encryption des(定义phase 1协商用DES加密算法) isakmp policy 8 hash md5(定义phase 1协商用MD5散列算法) isakmp policy 8 authentication pre-share(定义phase 1使用pre-shared key进行认证) isakmp key pix address 0.0.0.0 netmask 0.0.0.0(定义使用共享密匙pix) isakmp client configuration address-pool local pigpool e3(将VPN client地址池绑定到isakmp) isakmp policy 8 group 2(isakmp policy 10 group 2) crypto ipsec transform-set strong-des esp-3des esp-sha-hmac(定义一个变换集strong-des) crypto dynamic-map cisco 4 set transform-set strong-des(把strong-des添加到动态加密策略cisco) crypto map partner-map 20 ipsec-isakmp dynamic cisco(把动态加密策略绑定到partner-map 加密图) crypto map partner-map client configuration address initiate(定义给每个客户端分配IP地址) crypto map partner-map client configuration address respond(定义PIX防火墙接受来自任何IP的请求) crypto map partner-map interface e3(把动态加密图vpnpeer绑定到e3口) vpdn group 2 accept dialin l2tp vpdn group 2 ppp authentication pap vpdn group 2 client configuration address local pigpool vpdn group 2 client authentication local vpdn group 2 l2tp tunnel hello 80 vpdn username pix password pix(设置vpn密码,密码必须与共享密匙一样) vpdn enable e3
vpn本地身份验证
crypto map vpnpeer client authentication LOCAL username whr password whr no username whr
修改VPN拨入密码
no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0(删除共享密匙) isakmp key whr address 0.0.0.0 netmask 0.0.0.0 (设置共享密匙) vpdn username chase (删除chase用户) vpdn username chase password whr (设置用户名为chase;密码为whr;密码要与共享密匙相同)
网上找到的,我不确认是否可以起到效果:)
步骤1:开启日志功能,并确定系统日志级别 logging on logging trap 7(7为最高级别了) 步骤2:确定一台日志服务器(192.168.1.10),并把系统日志输出导系统日志服务器上 logging host inside 192.168.1.10 步骤3:配置入侵检测(IDS) 为攻击类特征码和信息类特征码创建策略 ip audit name attackpolicy attack action alarm reset ip audit name infopolicy info action alarm reset 步骤4:在接口上启用策略 ip audit interface outside attackpolicy ip audit interface outside infopolicy 步骤5:在日志服务器上安装日志软件(如果是LINUX可免了) Kiwi_Syslogd2.exe 步骤6:大功告成了。
firewall(config)# sh snmp snmp-server host inside 172.16.0.5 "安装了MRTG和Cacti服务器地址 snmp-server location 172.16.0.1 "位置描述,可以写内网端口地址,或者更直观的描述如:gateway firewall snmp-server contact netkiller@example.com snmp-server community cisco "public snmp-server enable traps "允许管理信息发送
PIX 515 仅支持snmp v1
neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 interfaces.ifTable.ifEntry.ifDescr IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface neo@monitor:~$ snmpwalk -v1 -c public 172.16.1.254 SNMPv2-MIB::sysDescr.0 = STRING: Cisco PIX Firewall Version 6.3(5) SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.451 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1899600400) 219 days, 20:40:04.00 SNMPv2-MIB::sysContact.0 = STRING: neo.chen@example.com SNMPv2-MIB::sysName.0 = STRING: firewall.example.com SNMPv2-MIB::sysLocation.0 = STRING: gw SNMPv2-MIB::sysServices.0 = INTEGER: 4 IF-MIB::ifNumber.0 = INTEGER: 2 IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.2 = INTEGER: 2 IF-MIB::ifDescr.1 = STRING: PIX Firewall 'outside' interface IF-MIB::ifDescr.2 = STRING: PIX Firewall 'inside' interface IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6) IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6) IF-MIB::ifMtu.1 = INTEGER: 1500 IF-MIB::ifMtu.2 = INTEGER: 1500 IF-MIB::ifSpeed.1 = Gauge32: 100000000 IF-MIB::ifSpeed.2 = Gauge32: 100000000 IF-MIB::ifPhysAddress.1 = STRING: 0:1c:58:b5:6e:80 IF-MIB::ifPhysAddress.2 = STRING: 0:1c:58:b5:6e:81 IF-MIB::ifAdminStatus.1 = INTEGER: up(1) IF-MIB::ifAdminStatus.2 = INTEGER: up(1) IF-MIB::ifOperStatus.1 = INTEGER: up(1) IF-MIB::ifOperStatus.2 = INTEGER: up(1) IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00 IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00 IF-MIB::ifInOctets.1 = Counter32: 4008321683 IF-MIB::ifInOctets.2 = Counter32: 4051905092 IF-MIB::ifInUcastPkts.1 = Counter32: 2797544526 IF-MIB::ifInUcastPkts.2 = Counter32: 2017238766 IF-MIB::ifInNUcastPkts.1 = Counter32: 38465473 IF-MIB::ifInNUcastPkts.2 = Counter32: 27783306 IF-MIB::ifInDiscards.1 = Counter32: 0 IF-MIB::ifInDiscards.2 = Counter32: 0 IF-MIB::ifInErrors.1 = Counter32: 16601 IF-MIB::ifInErrors.2 = Counter32: 32841 IF-MIB::ifInUnknownProtos.1 = Counter32: 0 IF-MIB::ifInUnknownProtos.2 = Counter32: 0 IF-MIB::ifOutOctets.1 = Counter32: 2947292253 IF-MIB::ifOutOctets.2 = Counter32: 3544827218 IF-MIB::ifOutUcastPkts.1 = Counter32: 1968227296 IF-MIB::ifOutUcastPkts.2 = Counter32: 2414528344 IF-MIB::ifOutNUcastPkts.1 = Counter32: 0 IF-MIB::ifOutNUcastPkts.2 = Counter32: 0 IF-MIB::ifOutDiscards.1 = Counter32: 0 IF-MIB::ifOutDiscards.2 = Counter32: 0 IF-MIB::ifOutErrors.1 = Counter32: 0 IF-MIB::ifOutErrors.2 = Counter32: 0 IF-MIB::ifOutQLen.1 = Gauge32: 0 IF-MIB::ifOutQLen.2 = Gauge32: 0 IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero IP-MIB::ipAdEntAddr.120.13.14.30 = IpAddress: 120.13.14.30 IP-MIB::ipAdEntAddr.172.16.1.254 = IpAddress: 172.16.1.254 IP-MIB::ipAdEntIfIndex.120.13.14.30 = INTEGER: 1 IP-MIB::ipAdEntIfIndex.172.16.1.254 = INTEGER: 2 IP-MIB::ipAdEntNetMask.120.13.14.30 = IpAddress: 255.255.255.192 IP-MIB::ipAdEntNetMask.172.16.1.254 = IpAddress: 255.255.255.0 IP-MIB::ipAdEntBcastAddr.120.13.14.30 = INTEGER: 0 IP-MIB::ipAdEntBcastAddr.172.16.1.254 = INTEGER: 0 IP-MIB::ipAdEntReasmMaxSize.120.13.14.30 = INTEGER: 65535 IP-MIB::ipAdEntReasmMaxSize.172.16.1.254 = INTEGER: 65535
如果你使用snmp v2版本尝试连接pix防火墙将会提示
neo@monitor:~$ snmpwalk -v2c -c public 172.16.1.254 Timeout: No Response from 172.16.1.254
http server enable http 172.16.0.1 255.255.255.255 inside
172.16.0.1 是from ip,或者允许一个IP段
http 172.16.0.0 255.255.255.0 inside
http 登录密码
username admin password ysCf4HUXoqIPDu1 privilege 15
https://172.16.0.254
pix515(config)# write mem Building configuration... Cryptochecksum: 5641ca9c 2ef4c53c 0dc8a8f9 75d47f09 [OK] pix515(config)#
备份
pix515(config)# write net 192.168.2.111:pix515.rtf Building configuration... TFTP write 'pix515.rtf' at 192.168.2.111 on interface 1 [OK]
恢复
pix515(config)# clear config all 是清除所有配置
如何想要通过tftp恢复,得要先配置一下inside接口地址:
pixfirewall(config)# ip add inside 192.168.2.1 255.255.255.0
pixfirewall(config)# ping 192.168.2.111 测试一下到TFTP服务器是否通
192.168.2.111 response received -- 0ms
192.168.2.111 response received -- 0ms
192.168.2.111 response received -- 0ms
pix515(config)# configure net 192.168.2.111:pix515.rtf
Global 10.6.6.151 will be Port Address Translated
Global 10.6.6.150 will be Port Address Translated
Global 10.6.6.211 will be Port Address Translated
.
Cryptochecksum(unchanged): ead0c833 1ed19938 b863ace2 4902f21b
Config OK