Could everyone take a look at this configuration for me? The current problem is that PCA cannot reach PCB. Topology:
PCA(10.0.3.1/24)-------(inside:10.0.3.253/24)PIX-A(outside:219.151.36.xxx/26)-------INTERNET-----------(outside:202.98.252.xxx/24)EUDEMON100(inside:10.0.8.254/24)--------PCB(10.0.8.1/24)
PIX configuration:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname GLGLJ-FW
domain-name GLGLJ.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit any
access-list 111 deny tcp any any range 10000 30000
access-list inside_outbound_nat0_acl permit ip any 10.0.6.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.6.0 255.255.255.192
access-list sidevpn permit ip 10.0.3.0 255.255.255.0 10.0.8.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 219.151.36.xxx 255.255.255.192
ip address inside 10.0.3.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool glgljvpn 10.0.6.20-10.0.6.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.1.233 255.255.255.255 inside
pdm location 10.0.3.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 inside
pdm location 10.0.4.0 255.255.255.0 inside
pdm location 10.0.5.0 255.255.255.0 inside
pdm location 10.0.6.0 255.255.255.192 outside
pdm location 10.0.6.0 255.255.255.0 outside
pdm location 10.0.8.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sidevpn
nat (inside) 2 access-list inside_outbound_nat0_acl 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 219.151.36.xxx 1
route inside 10.0.2.0 255.255.255.0 10.0.3.254 1
route inside 10.0.4.0 255.255.255.0 10.0.3.254 1
route inside 10.0.5.0 255.255.255.0 10.0.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.233 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 10.0.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address sidevpn
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 202.98.252.191
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 202.98.252.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup glgljvpn address-pool glgljvpn
vpngroup glgljvpn idle-time 1800
vpngroup glgljvpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.0.3.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:afd4ecb808db822479ef6c2f67fd559a
: end
Eudemon 100 configuration:
[Eudemon]dis cu
#
 sysname Eudemon
#
 l2tp enable
#
 info-center console channel 1
#
 ike local-name xxxx
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
#
 nat address-group 0 202.98.252.191 202.98.252.191
 nat alg enable ftp
 nat alg enable dns
 nat alg enable icmp
 nat alg enable netbios
 undo nat alg enable h323
 undo nat alg enable hwcc
 undo nat alg enable ils
 undo nat alg enable pptp
 undo nat alg enable qq
 undo nat alg enable msn
 undo nat alg enable user-define
 undo nat alg enable sip
#
 firewall defend ip-spoofing enable
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend winnuke enable
 firewall defend icmp-redirect enable
 firewall defend icmp-unreachable enable
 firewall defend source-route enable
 firewall defend route-record enable
 firewall defend tracert enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
 firewall defend teardrop enable
 firewall defend tcp-flag enable
 firewall defend ip-fragment enable
 firewall defend large-icmp enable
#
ike peer 1
 pre-shared-key glgljsidevpn
 remote-address 219.151.36.120
#
ipsec proposal p1
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 security acl 3002
 ike-peer 1
 proposal p1
#
traffic classifier sw operator and
 if-match any
#
traffic behavior sw
 queue af bandwidth 128
#
qos policy vpn
qos policy sw
 classifier sw behavior sw
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 ip address 10.0.8.254 255.255.255.0
#
interface Ethernet1/0
 ip address 202.98.252.191 255.255.255.0
 ipsec policy policy1
#
interface Virtual-Template1
 ppp authentication-mode pap
 ip address 192.168.0.1 255.255.255.0
 remote address pool 1
 qos reserved-bandwidth pct 20
#
interface NULL0
#
acl number 3000
 rule 1 deny tcp destination-port eq 135
 rule 2 deny udp destination-port eq 135
 rule 3 deny tcp destination-port eq 136
 rule 4 deny udp destination-port eq 136
 rule 6 deny tcp destination-port eq 137
 rule 7 deny udp destination-port eq netbios-ns
 rule 8 deny tcp destination-port eq 138
 rule 9 deny udp destination-port eq netbios-dgm
 rule 10 deny tcp destination-port eq 139
 rule 11 deny udp destination-port eq netbios-ssn
 rule 12 deny tcp destination-port eq 445
 rule 13 deny tcp destination-port eq 593
 rule 14 deny udp destination-port eq 593
 rule 15 deny udp destination-port eq tftp time-range bt
 rule 16 deny tcp destination-port eq 4444 time-range bt
 rule 17 deny udp destination-port eq 1434
 rule 18 deny tcp destination-port eq 5554
 rule 19 deny udp destination-port eq 5554
 rule 20 deny tcp destination-port eq 9995
 rule 21 deny udp destination-port eq 9995
 rule 22 deny tcp destination-port eq 9996
 rule 23 deny udp destination-port eq 9996
 rule 24 deny udp destination-port eq 445
 rule 25 deny tcp destination-port gt 5555 time-range bt
 rule 30 deny udp destination-port gt 5555 time-range bt
 rule 35 permit tcp destination-port eq 8000
 rule 40 permit udp destination-port eq 8000
 rule 50 permit ip
acl number 3001
 rule 1 deny tcp destination-port eq 23616 time-range bt
 rule 5 deny udp destination-port eq 23616 time-range bt
acl number 3002
 rule 0 permit ip source 10.0.8.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
#
time-range bt 09:00 to 18:00 working-day
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0
 add interface Virtual-Template1
 set priority 5
#
firewall zone dmz
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local dmz
#
firewall interzone trust untrust
 packet-filter 3000 inbound
 packet-filter 3000 outbound
 nat outbound 3000 interface Ethernet1/0
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
aaa
 local-user snjtjvpn password simple xxxx
 local-user snjtjvpn service-type ppp
 ip pool 1 192.168.0.10 192.168.0.100
 #
 authentication-scheme default
 authentication-scheme snjtj
 #
 authorization-scheme default
 authorization-scheme snjtj
 #
 accounting-scheme default
 accounting-scheme snjtj
 accounting-scheme local
 #
 domain default
 domain snjtj
  authentication-scheme snjtj
  authorization-scheme snjtj
  accounting-scheme snjtj
  user-priority 7
 #
#
 ip route-static 0.0.0.0 0.0.0.0 202.98.252.129
 ip route-static 0.0.0.0 0.0.0.0 219.151.36.120
#
 acl accelerate enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple xxxx
#
return
Below is the PIX debug output:
ISAKMP (0): retransmitting phase 1 (0)...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 219.151.36.xxx, remote= 202.98.252.xxx,
    local_proxy= 10.0.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.8.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 219.151.36.xxx, dst 202.98.252.xxx
ISADB: reaper checking SA 0x38fa6b4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 202.98.252.xx/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 219.151.36.120, remote= 202.98.252.191,
    local_proxy= 10.0.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.8.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:202.98.252.xxx, dest:219.151.36.xxx spt:500 dpt:500
ISAKMP: sa not found for ike msg
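The post quotes both ends of the tunnel but nothing compares them side by side. The Python script below is an added example (my own code, not from the post and not Cisco or Huawei tooling): it parses reconstructed excerpts of the two configurations above and checks the four things a PIX/VRP pair most often disagrees on: mirrored proxy IDs (crypto ACL vs. security ACL), peer addresses, PFS, and the VRP rule that `nat outbound` is applied before `ipsec policy` on the same interface, so the NAT ACL must deny tunnel traffic. Assumptions: the PIX outside address is taken from the `local=` value in the debug output because the config masks it; the function names (`audit`, `vrp_acl_rules`, `first_match`, `net`) are mine; the excerpts are constructed from the quoted configs and omit the pre-shared key. Run against these excerpts it reports PFS enabled only on the PIX side and the Eudemon NAT ACL 3000 covering the tunnel subnets; neither explains a phase 1 timeout by itself, but both would stop phase 2 once phase 1 completes, so they are worth settling before digging further into the ISAKMP retransmits.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config quoted in the post. The outside address
# is the value the PIX debug output prints as "local=" (the config masks it).
PIX_CONF = """\
access-list sidevpn permit ip 10.0.3.0 255.255.255.0 10.0.8.0 255.255.255.0
ip address outside 219.151.36.120 255.255.255.192
nat (inside) 0 access-list sidevpn
crypto map mymap 10 match address sidevpn
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 202.98.252.191
"""

# Constructed excerpt of the Eudemon (VRP) config quoted in the post, pre-shared key left out.
EUDEMON_CONF = """\
ike peer 1
 remote-address 219.151.36.120
ipsec policy policy1 1 isakmp
 security acl 3002
interface Ethernet1/0
 ip address 202.98.252.191 255.255.255.0
 ipsec policy policy1
acl number 3000
 rule 50 permit ip
acl number 3002
 rule 0 permit ip source 10.0.8.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
firewall interzone trust untrust
 nat outbound 3000 interface Ethernet1/0
"""

# Only plain 'ip' rules matter here: tcp/udp rules never exempt or select whole-subnet IPsec traffic.
RULE_RE = re.compile(r"^ rule (\d+) (permit|deny) ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$", re.M)


def net(addr, mask, wildcard=False):
    """Network from address + netmask (PIX syntax) or address + wildcard mask (VRP syntax)."""
    if wildcard:
        host_bits = bin(int(ipaddress.IPv4Address(mask))).count("1")
        return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def vrp_acl_rules(conf, number):
    """Ordered [(rule_no, action, src_net, dst_net)] for 'acl number N'; None means any."""
    block = re.search(rf"^acl number {number}\n((?: .*\n)*)", conf, re.M)
    rules = []
    for m in RULE_RE.finditer(block.group(1) if block else ""):
        n, action, s, sw, d, dw = m.groups()
        rules.append((int(n), action, net(s, sw, True) if s else None, net(d, dw, True) if d else None))
    return sorted(rules)


def first_match(rules, src, dst):
    """Action of the lowest-numbered rule covering src->dst (VRP evaluates rules in number order)."""
    for _, action, rs, rd in rules:
        if (rs is None or src.subnet_of(rs)) and (rd is None or dst.subnet_of(rd)):
            return action
    return None


def audit(pix_conf, eudemon_conf):
    """Return a list of findings; an empty list means nothing obviously inconsistent."""
    findings = []
    # 1. Proxy IDs: the PIX crypto ACL and the VRP security ACL must be exact mirror images.
    acl_name = re.search(r"crypto map \S+ \d+ match address (\S+)", pix_conf).group(1)
    pix_pairs = [(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(
        rf"^access-list {acl_name} permit ip (\S+) (\S+) (\S+) (\S+)$", pix_conf, re.M)]
    sec_acl = re.search(r"security acl (\d+)", eudemon_conf).group(1)
    vrp_pairs = [(s, d) for _, act, s, d in vrp_acl_rules(eudemon_conf, sec_acl) if act == "permit"]
    for s, d in pix_pairs:
        if (d, s) not in vrp_pairs:
            findings.append(f"proxy-ID mismatch: PIX {s}->{d} has no mirror rule in acl {sec_acl}")
    # 2. Each side's peer address must be the other side's IPsec-bearing interface.
    pix_outside = re.search(r"ip address outside (\S+)", pix_conf).group(1)
    pix_peer = re.search(r"set peer (\S+)", pix_conf).group(1)
    vrp_remote = re.search(r"remote-address (\S+)", eudemon_conf).group(1)
    m = re.search(r"ip address (\S+) \S+\n ipsec policy", eudemon_conf)  # interface carrying the policy
    vrp_outside = m.group(1) if m else None
    if pix_peer != vrp_outside:
        findings.append(f"PIX peer {pix_peer} is not the Eudemon IPsec interface {vrp_outside}")
    if vrp_remote != pix_outside:
        findings.append(f"Eudemon remote-address {vrp_remote} is not the PIX outside {pix_outside}")
    # 3. PFS: a DH group demanded in quick mode by one side must be offered by the other.
    pix_pfs = re.search(r"set pfs group(\d+)", pix_conf)
    vrp_pfs = re.search(r"^ pfs dh-group(\d+)", eudemon_conf, re.M)
    pix_grp, vrp_grp = (pix_pfs and pix_pfs.group(1)), (vrp_pfs and vrp_pfs.group(1))
    if pix_grp != vrp_grp:
        findings.append(f"PFS mismatch: PIX group={pix_grp or 'off'}, Eudemon dh-group={vrp_grp or 'off'}")
    # 4. NAT exemption: VRP applies 'nat outbound' before IPsec on the same interface,
    #    so the NAT ACL must deny tunnel traffic or it never matches the security ACL.
    nat_acl = re.search(r"nat outbound (\d+)", eudemon_conf)
    if nat_acl:
        nat_rules = vrp_acl_rules(eudemon_conf, nat_acl.group(1))
        for s, d in vrp_pairs:
            if first_match(nat_rules, s, d) == "permit":
                findings.append(f"acl {nat_acl.group(1)} NATs {s}->{d} before IPsec; add a deny rule for it")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONF, EUDEMON_CONF) or ["no inconsistencies found"]:
        print("-", finding)
```

The checks are deliberately order-aware on the VRP side: `first_match` walks ACL 3000 in rule-number order the way the firewall does, so a `deny ip` rule for the tunnel subnets is only credited if it sits before the blanket `rule 50 permit ip`.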