Clear the configuration:
write erase
reload

Step 1: configure each interface.

Step 2: configure the global address pool, NAT, and the route from inside to outside.

Define the global pool on outside:
pixP(config)# global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0

Verify:
pixP(config)# show run global
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0

Allow inside hosts to go out through NAT (nat ID 1 ties this rule to the global pool with the same ID):
pixP(config)# nat (inside) 1 0 0

Verify:
pixP(config)# show run nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Set the default route for outbound traffic:
pixP(config)# route outside 0 0 192.168.1.254

View the routing table (P in the lab output is the pod number):
pixP(config)# show route
outside 0.0.0.0 0.0.0.0 192.168.P.254 1 OTHER static
inside 10.0.P.0 255.255.255.0 10.0.P.1 1 CONNECT static
dmz 172.16.1.0 255.255.255.0 172.16.1.P 1 CONNECT static
outside 192.168.P.0 255.255.255.0 192.168.P.1 1 CONNECT static

Inside hosts can now reach the WAN. Use show xlate to view the NAT translation table.

Step 3: configure access to the DMZ.

Define the address pool used when inside hosts access the dmz (same nat ID 1, so the nat (inside) 1 0 0 rule above also applies toward the dmz):
pixP(config)# global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0

Inside hosts can now reach the dmz. Use show arp, show conn and show xlate for the details.

Step 1: disable ping on an interface.

Ping test from the LAN router:
lan#ping 10.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
lan#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Disable ping on the PIX, then verify. Note that the icmp command governs ICMP addressed to the firewall's own interfaces, not ICMP passing through the firewall; through-traffic is controlled by access lists.
pixP(config)# show running-config icmp
icmp deny any echo-reply inside

Ping test from the LAN:
lan#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Re-enable ping, then test again from the LAN:
lan#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/12 ms

Pinging outside from inside fails by default: the echo request is allowed out from the higher-security interface, but ICMP is not tracked statefully, so the echo-reply coming back is dropped unless an access list on the outside interface permits it.
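The three steps above as one PIX 7.x configuration, added here as an example (not the lab's own config). The interface names, security levels and the interface addresses 192.168.1.1, 10.0.1.1 and 172.16.1.1 are assumptions taken from the show route output with pod number P=1; the global, nat and route lines are the ones used in the lab.

```cisco
! Step 1 (assumed): three interfaces; security levels decide the default direction of traffic
! (100 -> 50 -> 0 is allowed without an ACL, the reverse is not).
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! Step 2: nat ID 1 on inside matches every global pool that carries ID 1.
! 0.0.0.0 0.0.0.0 means "all inside hosts".
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
! Step 3: a second pool with the same ID, so inside -> dmz flows are translated too.
global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0
```

The outside pool holds 231 addresses; once they are all in use new inside flows get no translation and are dropped. Adding `global (outside) 1 interface` after the pool makes the firewall fall back to PAT on the outside interface address when the pool is exhausted. `show xlate` shows which pool address each inside host received, `show conn` the connections riding on those translations.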
Enable echo-replies: create the access list and apply it to the outside interface.

Ping test from the LAN:
lan#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/381/1036 ms

Step 2: configure an outbound ACL.
Goal: permit outbound web traffic, deny FTP from the inside network to 192.168.1.2, permit all other traffic.

Test from the LAN before the ACL is applied (web and ping both reach 192.168.1.2):
lan#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
lan#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/20 ms

Configure the ACL, then view it:
pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=5) 0x6431b796
access-list ACLOUT; 1 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=0) 0x455d1434

With only the www entry in ACLOUT, web still works but ping now fails: an applied access list ends in an implicit deny, so the outbound echo requests are dropped on the inside interface and the echo-reply permit on the outside interface never comes into play.
lan#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
lan#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Remove the ACL. The access lists after the remaining two entries have been entered:
pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ping; 1 elements
access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=10) 0x6431b796
access-list ACLOUT; 2 elements
access-list ACLOUT line 1 extended permit tcp any any eq www (hitcnt=1) 0x455d1434
access-list ACLOUT line 2 extended deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp (hitcnt=0) 0x854f8818
access-list ACLOUR; 1 elements
access-list ACLOUR line 1 extended permit ip any any (hitcnt=0) 0x9996460b

Note the last entry: it was typed under the name ACLOUR, so the PIX created a separate one-line access list instead of appending permit ip any any to ACLOUT. ACLOUT, the list actually applied to the inside interface, still ends in the implicit deny, and the "permit all other traffic" goal is not met until the entry is re-entered as access-list ACLOUT extended permit ip any any. Entries are evaluated top-down, first match wins, so the deny for FTP must stay above the permit ip any any.

Test: omitted.

Step 3: configure an inbound ACL.
Goal: permit outside access to the inside web server, permit outside access to the inside FTP server, permit inbound ICMP, deny all other inbound traffic.
(config)# access-list ACLIN permit tcp any host 192.168.1.10 eq www
(config)# access-list ACLIN permit tcp any host 192.168.1.10 eq ftp
(config)#
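The outbound and inbound access lists for steps 2 and 3 as one PIX 7.x fragment, added here as an example (not the lab's own config). The access-group lines, which the notes mention but do not show, are what actually apply a list to an interface; the static translation publishing an assumed inside server 10.0.1.10 as 192.168.1.10 is an assumption, needed because a 7.x ACL on the outside interface matches on the mapped address. The inbound ICMP permit is deliberately limited to echo-reply, which is narrower than the lab's "permit inbound ICMP" goal.

```cisco
! Step 2: outbound list on inside. Top-down, first match wins, implicit deny at the end,
! so the FTP deny sits above the catch-all permit and all three lines share the name ACLOUT.
access-list ACLOUT extended permit tcp any any eq www
access-list ACLOUT extended deny tcp 10.0.1.0 255.255.255.0 host 192.168.1.2 eq ftp
access-list ACLOUT extended permit ip any any
access-group ACLOUT in interface inside
!
! Step 3: inbound list on outside. Only one list per interface and direction, so the
! echo-reply permit from the separate "ping" list is folded in here; applying ACLIN
! replaces "ping" on the outside interface.
! Assumed: inside server 10.0.1.10 is published as 192.168.1.10 (mapped address used in the ACL).
static (inside,outside) 192.168.1.10 10.0.1.10 netmask 255.255.255.255
access-list ACLIN extended permit tcp any host 192.168.1.10 eq www
access-list ACLIN extended permit tcp any host 192.168.1.10 eq ftp
access-list ACLIN extended permit icmp any any echo-reply
access-group ACLIN in interface outside
```

After applying these, `show access-list` should show hit counts climbing on the ACLOUT www line for outbound web, on the deny line for FTP attempts to 192.168.1.2, and on the ACLIN echo-reply line for pings from the LAN; anything inbound that matches none of the ACLIN entries is dropped by the implicit deny at the end of the list.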