二、按照图1装上防火墙。
将从路由器到交换机上的线,改为先从路由器到防火墙,然后用防火墙的E0口接交换机。
图3
进入路由器配置模式修改,将路由器的配置改为:
Using 942 out of 7506 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0
enable password 123455676!
!
ip subnet-zero
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp
! Incompleteset transform-set test
match address 100
interface Ethernet0
ip address 211.97.213.41 255.255.255.248
interface Ethernet1
no ip address
ip nat inside
no ip route-cache
no ip mroute-cache
shutdown
!
!
interface Serial0
description internet
bandwidth 2048
ip address 211.97.209.145 255.255.255.252
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
transport input none
line vty 0 4
password 123456
login
!
end
三、这时候,你可以配置你的防火墙了,以下是防火墙的配置情况:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 pix/intf2 security10
hostname imrac_c_pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
access-list 100 permit ip 192.168.1.1 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.1 255.255.255.0 192.100.0.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu pix/intf2 1500
ip address outside 211.97.213.44 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address pix/intf2 127.0.0.1 255.255.255.255
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address pix/intf2 0.0.0.0
arp timeout 14400
global (outside) 1 211.97.213.45 netmask 255.255.255.248
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 211.97.213.41 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address 100
crypto map vpnmap 40 set transform-set trans
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.1.88 255.255.255.255 inside
telnet timeout 5
terminal width 80
Cryptochecksum:7fd10854228b7e32b2808508f49a65a7
我们一直都在努力坚持原创.......请不要一声不吭,就悄悄拿走。
我原创,你原创,我们的内容世界才会更加精彩!
【所有原创内容版权均属TechTarget,欢迎大家转发分享。但未经授权,严禁任何媒体(平面媒体、网络媒体、自媒体等)以及微信公众号复制、转载、摘编或以其他方式进行使用。】
微信公众号
TechTarget
官方微博
TechTarget中国
相关推荐
-
在云中添加安全管理控制层
企业战略集团(Enterprise Strategy Group)分析师Jon Oltsik认为,许多网络安全专业人员在自己网络上安装管理服务器,以避免出现破坏性配置错误。
-
难以避免的泄漏事故:怎么解?
网络安全泄露事故不可避免?如果遭遇网络安全泄露事故不可避免,如果真的不可能阻止泄露事故,那么,试图保护信息和信息系统是不是浪费时间和金钱?
-
合理分析恶意软件:用对方法很重要
以正确的顺序实施多种分析方法可以使安全团队更有可能防止恶意软件渗透进入网络,甚至对于以前并没有被确认的恶意软件样本也能够起作用……
-
“智进”方能“御远” :2017 C3安全峰会蓄势启航
中国最高规格、备受全球网络安全从业者关注的2017年C3安全峰会将于7月6日至7月7日在成都世纪城会展中心召开。