pix535实际配置(nat与不做nat)
添加时间: 2008-1-19 1:50:54 作者: Cisco指导 阅读次数:11 来源: http://www.d9soft.com
实际使用pix两个端口。
最终目的是:不使用nat让内部 网络 的地址直接出去,pix内外均为cernet地址。
配置1中不使用NAT的,内部节点不能通过pix出去
配置2中使用NAT的,内部节点可以通过pix出去
两个配置除了NAT以外,都一样。
请大家帮助 检查 一下,看看不做nat时,怎样才能做通。谢谢!
配置1: 没有使用NAT,内部节点不能通过pix出去
: Saved
PIX Version 6.1(2)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 202.*.212.2 255.255.255.0
ip address inside 202.*.8.2 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 202.*.8.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 202.*.212.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d758aba407c7fb58d24b03da4b6970b4
配置2: 使用NAT,内部节点可出去。
: Saved
PIX Version 6.1(2)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 202.*.212.2 255.255.255.0
ip address inside 202.*.8.2 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 202.*.212.3-202.*.212.50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 202.*.212.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:77595ed5d852b9a1dfaf10426af3f516
: end
上一篇文章: 浅谈IP地址的使用 下一篇文章: 各ios下各平台支持的idb数量(一个int使用一个idb)
相关文章: