1. Are there any examples of PIX 7.0 implementing transparent forwarding?

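Are there any examples of PIX 7.0 implementing transparent forwarding? A customer currently needs this feature, but I have never done it before.
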
2. Re: Are there any examples of PIX 7.0 implementing transparent forwarding?

Yes, there are.

3. Re: Are there any examples of PIX 7.0 implementing transparent forwarding?

For this kind of question, I suggest checking the documentation on cisco.com first before asking here.

4. Re: Are there any examples of PIX 7.0 implementing transparent forwarding?

I did look, and I only came here to ask everyone because I couldn't find anything!

5. Re: Are there any examples of PIX 7.0 implementing transparent forwarding?

PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
 nameif outside
 security-level 0
!
interface Ethernet1
 nameif inside
 security-level 100
!
hostname PIX535
domain-name PIX.COM
boot system flash:/pix701.bin
boot system flash:/pdm-302.bin
mtu outside 1500
mtu inside 1500
ip address 192.168.2.1 255.255.255.0
monitor-interface outside
monitor-interface inside
!

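By default, inside to outside is permitted and outside to inside is denied; you can permit it with an ACL, see the documentation for the configuration. The PIX is accessed through the management address; the interfaces are not configured with addresses.
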
6. Re: Are there any examples of PIX 7.0 implementing transparent forwarding?

Transparent Firewall Guidelines

Follow these guidelines when planning your transparent firewall network:

- A management IP address is required; for multiple context mode, an IP address is required for each context.
  Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications.
  The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
  In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
- Each directly connected network must be on the same subnet.
- Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.
- For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.
- For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.
- You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.
  You can also optionally use an EtherType access list to allow non-IP traffic through.

Unsupported Features in Transparent Mode

The following features are not supported in transparent mode:

- NAT
  NAT is performed on the upstream router.
- Dynamic routing protocols
  You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list.
- IPv6
- DHCP relay
  The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using an extended access list.
- Quality of Service
- Multicast
  You can, however, allow multicast traffic through the security appliance by allowing it in an extended access list.
- VPN termination for through traffic
  The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections.

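An added example, not part of the thread and not Cisco's code: a small Python check that reads a PIX 7.0 configuration and reports where it departs from the transparent-mode guidelines quoted above. The keyword-to-feature mapping, the ACL name OUTSIDE_IN and the host 192.168.2.10 are assumptions made for this example.

```python
# Keywords treated here as signs of features the guidelines call unsupported (assumed mapping).
UNSUPPORTED = {"nat": "NAT", "global": "NAT", "static": "NAT", "router": "dynamic routing",
               "ipv6": "IPv6", "dhcprelay": "DHCP relay", "multicast-routing": "multicast"}

def audit_transparent(config):
    """Return findings for a PIX 7.0 config that is meant to run in transparent mode."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = [] if "firewall transparent" in lines else ["mode: 'firewall transparent' missing"]
    has_mgmt, in_if, extended, outside_acl = False, False, set(), None
    for line in lines:
        w = line.split()
        if not line.startswith(" "):      # a non-indented line ends any interface block
            in_if = w[0] == "interface"
        if w[:2] == ["ip", "address"] and len(w) >= 4:
            if in_if:                     # transparent mode: one address for the whole device
                findings.append("interface: address on an interface (" + line.strip() + ")")
            elif w[3] == "255.255.255.255":
                findings.append("mgmt: management address uses the host mask 255.255.255.255")
            else:
                has_mgmt = True
        elif w[0] in UNSUPPORTED:
            findings.append("unsupported: " + UNSUPPORTED[w[0]] + " (" + line.strip() + ")")
        elif w[0] == "access-list" and w[2:3] == ["extended"]:
            extended.add(w[1])
        elif w[0] == "access-group" and w[2:] == ["in", "interface", "outside"]:
            outside_acl = w[1]
    if not has_mgmt:
        findings.append("mgmt: no valid device-wide management address")
    if outside_acl not in extended:
        findings.append("acl: no extended ACL inbound on outside, outside-to-inside stays denied")
    return findings

# Constructed samples: GOOD follows the thread's config plus a hypothetical ACL; BAD is routed-style.
GOOD = """firewall transparent
interface Ethernet0
 nameif outside
!
ip address 192.168.2.1 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 eq www
access-group OUTSIDE_IN in interface outside
"""
BAD = """interface Ethernet0
 nameif outside
 ip address 10.0.0.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
router ospf 1
"""

if __name__ == "__main__":
    print(audit_transparent(GOOD), audit_transparent(BAD), sep="\n")
```

The "acl" finding is informational: with no extended ACL on the outside interface, the default described in post 5 applies and nothing initiated from outside gets through.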
7. Re: Are there any examples of PIX 7.0 implementing transparent forwarding?

Thanks