Here is the configuration:
PIX# show configuration
: Saved
: Written by enable_15 at 00:06:46.804 UTC Tue Nov 30 1999
!
ASA Version 8.0(2)
!
hostname PIX                                   // hostname
enable password 8Ry2YjIyt7RRXU24 encrypted     // password for entering privileged (enable) mode
names
!
interface Ethernet0/0                          // outside interface
 nameif outside
 security-level 0                              // priority 0
 ip address 171.16.1.1 255.255.255.0
!
interface Ethernet0/1                          // DMZ interface
 nameif dmz
 security-level 50                             // priority 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2                          // inside interface
 nameif inside
 security-level 100                            // priority 100
 ip address 192.168.2.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted              // the PIX firewall password is encrypted by default and is not shown in clear text in the config file; the default telnet password is cisco
boot config disk0:/.private/startup-config
ftp mode passive
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 any     // ACL (access control list)
access-list nonat extended permit ip any 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 any
access-list nonat extended permit ip any 192.168.10.0 255.255.255.0
access-list peer-splitlist extended permit ip 192.168.2.0 255.255.255.0 any
access-list dmzlist extended permit ip any any
access-list outsidelist extended permit ip any any
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu inside 1500
ip local pool vpnpool 192.168.10.4-192.168.10.100 mask 255.255.255.0   // define an address pool named vpnpool for handing out IP addresses
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control                                    // NAT configuration
global (outside) 1 interface
nat (dmz) 0 access-list nonat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outsidelist in interface outside
access-group dmzlist in interface dmz
!
router ospf 110                                // OSPF configuration
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.2.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
!
router ospf 100
 network 192.168.10.0 255.255.255.0 area 0
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 171.16.1.2 1     // external gateway
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location                        // default SNMP configuration
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac   // define the encryption algorithms
crypto ipsec transform-set vpnset mode transport
crypto dynamic-map template-map 10 set transform-set vpnset
crypto dynamic-map template-map 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic template-map
crypto map vpnmap interface outside
crypto isakmp enable outside                   // IKE configuration
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global            // define the policy group
group-policy l2tp-policy internal
group-policy l2tp-policy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value peer-splitlist
username cisco password XIAPE6POhu0lQN1OczHpog== nt-encrypted   // configure the username and password
tunnel-group DefaultRAGroup general-attributes   // define the tunnel group, apply the dial-in address pool, define the shared key
 address-pool vpnpool
 default-group-policy l2tp-policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:da536be620ea5507708b672493effab5
PIX#
PIX#
What are the commands in the other parts? Thanks in advance, everyone.

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 any     // ACL (access control list)
access-list nonat extended permit ip any 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 any
access-list nonat extended permit ip any 192.168.10.0 255.255.255.0
access-list peer-splitlist extended permit ip 192.168.2.0 255.255.255.0 any
access-list dmzlist extended permit ip any any
access-list outsidelist extended permit ip any any
pager lines 24

global (outside) 1 interface
nat (dmz) 0 access-list nonat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outsidelist in interface outside
access-group dmzlist in interface dmz

Mainly, what exactly do these two sections mean? Thanks, everyone.
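The two sections the poster asks about, worked through as an added example. This is editor-supplied Python, not part of the post and not a Cisco tool; the helper names `parse_asa` and `summarize` are this example's own. The embedded input is the interface, `access-list`, `global`, `nat` and `access-group` lines copied from the posted configuration and nothing else. The script reads those lines the way the ASA does: `access-group` binds a named ACL inbound on an interface, `nat (x) 0 access-list NAME` marks traffic matching NAME as exempt from translation, and `nat (x) ID ...` pairs with `global (outside) ID ...` to translate everything else.

```python
"""Added example: parse the ACL / NAT lines from the posted ASA 8.0 config
and report what they actually do per interface.  Not the post's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: only the lines from the posted config that the question
# is about (interfaces, ACLs, NAT, access-group).
CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif dmz
 security-level 50
interface Ethernet0/2
 nameif inside
 security-level 100
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 any
access-list nonat extended permit ip any 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 any
access-list nonat extended permit ip any 192.168.10.0 255.255.255.0
access-list peer-splitlist extended permit ip 192.168.2.0 255.255.255.0 any
access-list dmzlist extended permit ip any any
access-list outsidelist extended permit ip any any
global (outside) 1 interface
nat (dmz) 0 access-list nonat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outsidelist in interface outside
access-group dmzlist in interface dmz
"""


@dataclass
class Iface:
    name: str
    level: int
    acl_in: Optional[str] = None       # ACL bound inbound by access-group
    nat_exempt: Optional[str] = None   # ACL named in "nat (x) 0 access-list"
    nat_ids: List[int] = field(default_factory=list)  # dynamic NAT/PAT ids


@dataclass
class Asa:
    ifaces: Dict[str, Iface] = field(default_factory=dict)
    acls: Dict[str, List[str]] = field(default_factory=dict)   # name -> ACEs
    globals_: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # id -> (iface, pool)


def parse_asa(text: str) -> Asa:
    asa = Asa()
    cur: Optional[Iface] = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = Iface(name="", level=-1)
        elif s.startswith("nameif ") and cur is not None:
            cur.name = s.split()[1]
            asa.ifaces[cur.name] = cur
        elif s.startswith("security-level ") and cur is not None:
            cur.level = int(s.split()[1])
        elif s.startswith("access-list "):
            parts = s.split()            # access-list NAME extended ACE...
            asa.acls.setdefault(parts[1], []).append(" ".join(parts[3:]))
        elif s.startswith("global "):
            m = re.match(r"global \((\S+)\) (\d+) (.+)", s)
            asa.globals_[int(m.group(2))] = (m.group(1), m.group(3))
        elif s.startswith("nat "):
            m = re.match(r"nat \((\S+)\) (\d+) (.+)", s)
            iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3)
            if nat_id == 0 and rest.startswith("access-list "):
                asa.ifaces[iface].nat_exempt = rest.split()[1]   # NAT exemption
            else:
                asa.ifaces[iface].nat_ids.append(nat_id)
        elif s.startswith("access-group "):
            parts = s.split()            # access-group NAME in interface IFACE
            asa.ifaces[parts[4]].acl_in = parts[1]
    return asa


def summarize(asa: Asa) -> Dict[str, dict]:
    """One dict per interface describing what the ACL and NAT lines do."""
    out = {}
    for name, i in asa.ifaces.items():
        aces = asa.acls.get(i.acl_in, []) if i.acl_in else []
        out[name] = {
            "level": i.level,
            "acl_in": i.acl_in,
            # an ACL whose only entry is "permit ip any any" filters nothing
            "acl_is_open": aces == ["permit ip any any"],
            # no access-group: only the security-level default applies
            "no_acl_default": i.acl_in is None,
            "nat_exempt_acl": i.nat_exempt,
            # (interface, pool) pairs this interface's traffic is translated to
            "pat_to": [asa.globals_[n] for n in i.nat_ids if n in asa.globals_],
        }
    return out


if __name__ == "__main__":
    for name, info in summarize(parse_asa(CONFIG)).items():
        print(name, info)
```

Run against the posted lines, the summary shows: `outside` and `dmz` each carry an inbound ACL (`outsidelist`, `dmzlist`) whose only entry is `permit ip any any`, so neither ACL restricts anything; `inside` has no `access-group` at all, so it falls back to the default that a higher security level may initiate connections to a lower one. On the NAT side, `nat (inside) 0 access-list nonat` and `nat (dmz) 0 access-list nonat` exempt traffic matching `nonat` (to or from 192.168.1.0/24 and the 192.168.10.0/24 VPN pool) from translation, while `nat (inside) 1 0.0.0.0 0.0.0.0` and `nat (dmz) 1 0.0.0.0 0.0.0.0` send all other traffic to `global (outside) 1 interface`, that is, PAT behind the outside interface address. The practical caveat is that with `permit ip any any` bound inbound on `outside`, the ACL is not what limits traffic from the Internet; only the absence of static translations does.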