Springer-SKF (Beginner)
1 October 2012 - 14:39

PIX 515E setup

I am moving the configuration from one PIX over to another PIX, which is to go onto a new network from a different provider. I have also loaded the configuration onto the new one, but I cannot get a connection to the Internet.
I know it is a bit old, but that is what we have available.

I have the following setup:
PIX(config)# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxx encrypted
passwd xxx encrypted
hostname PIX
domain-name k.dk
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
...
...
...
object-group network Scansoft
  description Mail is received from Scansoft
  network-object Softscan-1 255.255.255.255
  network-object Softscan-2 255.255.255.255
object-group network Softscan-mail-relay
  network-object Softscan-5 255.255.255.255
  network-object Softscan-4 255.255.255.255
  network-object Softscan-2 255.255.255.255
  network-object softscan-3 255.255.255.255
  network-object Softscan-6 255.255.255.255
  network-object Softscan-7 255.255.255.255
  network-object softscan-9 255.255.255.255
  network-object Softscan-1 255.255.255.255
  network-object Softscan-8 255.255.255.255
  network-object Softscan-10 255.255.255.255
object-group network AgfaServere
  network-object ApplicationSRV 255.255.255.255
  network-object ApplicationSRV2 255.255.255.255
object-group network Mediabank
  network-object Actit-Kbh 255.255.255.255
  network-object Fyns_Kran 255.255.255.255
object-group network Act-IT
  network-object Actit-Kbh 255.255.255.255
  network-object Actit-Arh 255.255.255.255
object-group network SymantecCloud
  network-object SymantecCloud1 255.255.240.0
  network-object SymantecCloud2 255.255.240.0
  network-object SymantecCloud3 255.255.248.0
  network-object SymantecCloud4 255.255.248.0
  network-object SymantecCloud5 255.255.248.0
  network-object SymantecCloud6 255.255.248.0
  network-object SymantecCloud7 255.255.254.0
  network-object SymantecCloud8 255.255.254.0
  network-object SymantecCloud9 255.255.254.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_access_in permit tcp object-group Scansoft host postPub-out eq smtp
access-list outside_access_in permit tcp object-group SymantecCloud host postPub-out eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in remark RDC
access-list outside_access_in remark MediaBank
access-list outside_access_in permit tcp any host postPub-out eq https
access-list outside_access_in permit tcp any host x.x.x.174 eq ftp-data
access-list outside_access_in permit tcp any host x.x.x.174 eq ftp
access-list outside_access_in permit tcp any host x.x.x.174 eq www
access-list outside_access_in permit tcp any host x.x.x.172 eq ftp
access-list outside_access_in permit tcp any host x.x.x.172 eq www
access-list outside_access_in permit tcp any host x.x.x.172 eq https
access-list outside_access_in remark RDC
access-list outside_access_in permit tcp object-group Mediabank host x.x.x.173 eq 8000
access-list outside_access_in remark MediaBank
access-list outside_access_in permit tcp object-group Mediabank host x.x.x.173 eq 8600
access-list DMZ_access_in permit tcp host MBWEB host DTPSERVER eq 8000
access-list DMZ_access_in permit tcp host MBWEB host DTPSERVER eq 8500
access-list DMZ_access_in permit tcp host MBWEB host 10.0.0.24 eq 5000
access-list DMZ_access_in permit icmp any any echo-reply
access-list DMZ_access_in permit icmp any any time-exceeded
access-list DMZ_access_in deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_access_in permit ip any any
access-list inside_access_in permit tcp host Post any eq smtp
access-list inside_access_in permit tcp object-group AgfaServere any eq smtp
access-list inside_access_in permit tcp object-group AgfaServere any eq pop3
access-list inside_access_in deny tcp any any eq smtp
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging trap warnings
logging host inside Private-I
icmp permit any outside
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.170 255.255.255.248
ip address inside 10.0.0.160 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name IDS-outside attack action drop
ip audit name IDS-dmz attack action drop
ip audit interface outside IDS-outside
ip audit interface DMZ IDS-dmz
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2005 disable
ip local pool IP-VPN-hjemme 10.10.10.1-10.10.10.20
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location lokal 255.255.255.255 inside
pdm location ApplicationSRV 255.255.255.255 inside
pdm location ApplicationSRV2 255.255.255.255 inside
pdm location 10.0.0.24 255.255.255.255 inside
pdm location DTPSERVER 255.255.255.255 inside
pdm location Private-I 255.255.255.255 inside
pdm location MBWEB 255.255.255.255 DMZ
pdm location FTP 255.255.255.255 DMZ
pdm location EFIWEB-DMZ 255.255.255.255 DMZ
pdm location SymantecCloud5 255.255.248.0 outside
pdm location SymantecCloud2 255.255.240.0 outside
pdm location SymantecCloud3 255.255.248.0 outside
pdm location Actit-Kbh 255.255.255.255 outside
pdm location SymantecCloud4 255.255.248.0 outside
pdm location SymantecCloud6 255.255.248.0 outside
pdm location SymantecCloud7 255.255.254.0 outside
pdm location SymantecCloud8 255.255.254.0 outside
pdm location Softscan-2 255.255.255.255 outside
pdm location Fyns_Kran 255.255.255.255 outside
pdm location SymantecCloud9 255.255.254.0 outside
pdm location Softscan-1 255.255.255.255 outside
pdm location SymantecCloud1 255.255.240.0 outside
pdm location 10.10.10.0 255.255.255.0 DMZ
pdm group AgfaServere inside
pdm group Scansoft outside
pdm group SymantecCloud outside
pdm group Mediabank outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 DMZ-Zone 255.255.255.0 0 0
static (DMZ,outside) tcp interface www EFIWEB-DMZ www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface ftp EFIWEB-DMZ ftp netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.172 MBWEB netmask 255.255.255.255 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (inside,outside) x.x.x.173 DTPSERVER netmask 255.255.255.255 0 0
static (DMZ,inside) x.x.x.172 MBWEB netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.174 FTP netmask 255.255.255.255 0 0
static (DMZ,inside) x.x.x.174 FTP netmask 255.255.255.255 0 0
static (inside,outside) postPub-out post netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 xxxx timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 217.198.208.66 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
vpngroup VPN-hjemme default-domain k.dk
vpngroup VPN-hjemme idle-time 1800
vpngroup VPN-hjemme password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
username skfadmin password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
: end
PIX(config)#
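The posted dump changes only the outside address and default route for the new provider, while every `static (…,outside)` still carries addresses from the old block. The script below is an added example, not code from the post: it parses the handful of PIX 6.3 statements that decide whether the box can reach the Internet (outside address, default route, statics mapped on the outside) and flags the weak management settings that are visible in the config (default SNMP community, telnet/SSH/PDM open to every inside host). All addresses are constructed: 198.51.100.168/29 stands in for the redacted x.x.x.168/29 block, 203.0.113.8/29 for a hypothetical assignment from the new ISP, and the `name` entries (which the post elides) are invented so that `postPub-out` resolves while a hypothetical `ftp-out` does not.

```python
"""Audit a PIX 6.3 'show run' dump after a move to a new ISP.

Added example; not code from the original post. It checks the statements that
break Internet access when the provider changes and lists the weak management
settings present in the posted config. Addresses and names are constructed.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^name (\S+) (\S+)")
IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?:tcp |udp )?(\S+)")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

# Weak management settings, keyed by the line prefix that reveals them.
MGMT_CHECKS = (
    ("snmp-server community public", "SNMP answers to the default community 'public'"),
    ("telnet 0.0.0.0 0.0.0.0", "cleartext telnet is open to every host on that interface"),
    ("ssh 0.0.0.0 0.0.0.0", "SSH is open to every host on that interface; limit it to the admin subnet"),
    ("http 0.0.0.0 0.0.0.0", "PDM over HTTP is open to every host on that interface; limit it to the admin subnet"),
)

# Constructed, shortened copy of the posted config with old-ISP addressing.
# 'ftp-out' is deliberately missing from 'names' to show the unresolved case.
OLD_ISP_CONFIG = """\
names
name 198.51.100.171 postPub-out
ip address outside 198.51.100.170 255.255.255.248
ip address inside 10.0.0.160 255.255.255.0
static (DMZ,outside) tcp interface www EFIWEB-DMZ www netmask 255.255.255.255 0 0
static (DMZ,outside) 198.51.100.172 MBWEB netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.173 DTPSERVER netmask 255.255.255.255 0 0
static (DMZ,inside) 198.51.100.172 MBWEB netmask 255.255.255.255 0 0
static (inside,outside) postPub-out post netmask 255.255.255.255 0 0
static (DMZ,outside) ftp-out FTP netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 198.51.100.169 1
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
"""

# The same box after only the outside address was changed for the new ISP,
# with the default route and the statics left exactly as they were.
NEW_ISP_CONFIG = OLD_ISP_CONFIG.replace(
    "ip address outside 198.51.100.170 255.255.255.248",
    "ip address outside 203.0.113.10 255.255.255.248",
)


def parse_config(text):
    """Pull out name aliases, interface addresses, statics and default routes."""
    cfg = {"names": {}, "ifaces": {}, "statics": [], "gateways": {}, "lines": []}
    for raw in text.splitlines():
        line = raw.strip()
        cfg["lines"].append(line)
        if m := NAME_RE.match(line):
            cfg["names"][m.group(2)] = m.group(1)            # alias -> address
        elif m := IFACE_RE.match(line):
            cfg["ifaces"][m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := STATIC_RE.match(line):
            cfg["statics"].append(m.groups())                 # (real_if, mapped_if, mapped)
        elif m := ROUTE_RE.match(line):
            cfg["gateways"][m.group(1)] = m.group(2)
    return cfg


def resolve(cfg, token):
    """Turn a literal address or a 'name' alias into an IPv4Address, or None."""
    try:
        return ipaddress.ip_address(cfg["names"].get(token, token))
    except ValueError:
        return None


def check_connectivity(cfg):
    """Everything that must line up with the outside subnet for traffic to flow."""
    findings = []
    outside = cfg["ifaces"].get("outside")
    if outside is None:
        return ["no 'ip address outside' configured"]
    gw = cfg["gateways"].get("outside")
    gw_ip = resolve(cfg, gw) if gw else None
    if gw is None:
        findings.append("no default route via the outside interface")
    elif gw_ip is None or gw_ip not in outside.network:
        findings.append(f"default gateway {gw} is not inside {outside.network}; "
                        "the PIX has no connected route to it, so nothing leaves the box")
    for _real_if, mapped_if, mapped in cfg["statics"]:
        if mapped_if != "outside" or mapped == "interface":
            continue                                          # port-forwards on the outside address move with it
        addr = resolve(cfg, mapped)
        if addr is None:
            findings.append(f"static '{mapped}' has no 'name' entry; cannot verify it")
        elif addr not in outside.network:
            findings.append(f"static {mapped} ({addr}) is not in {outside.network}; "
                            "stale address from the old ISP, re-map it")
    return findings


def check_management(cfg):
    """Weak management exposure copied over unchanged from the old box."""
    return [f"{msg}: '{line}'"
            for line in cfg["lines"] for prefix, msg in MGMT_CHECKS if line.startswith(prefix)]


def audit(text):
    cfg = parse_config(text)
    return {"connectivity": check_connectivity(cfg), "management": check_management(cfg)}


if __name__ == "__main__":
    for label, text in (("old ISP", OLD_ISP_CONFIG), ("new ISP", NEW_ISP_CONFIG)):
        print(f"== {label} ==")
        for kind, items in audit(text).items():
            for item in items:
                print(f"[{kind}] {item}")
```

Run against the old-ISP copy it reports only the undefined `ftp-out` alias plus the four management findings; against the migrated copy it also reports the default gateway sitting outside the new /29 and the three statics still pointing into the old provider's block, which is the set of lines to revisit on the real box before anything else (`show route`, `show xlate` and a ping to the new gateway confirm the same thing from the CLI).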