! Configure the IP address for each PIX Firewall interface
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.3 255.255.255.0
ip address dmz 192.168.11.1 255.255.255.0
global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0
! Creates a global pool on the outside interface, enables NAT.
! Windows NT server
static (inside,outside) 192.168.1.10 10.1.1.4 netmask 255.255.255.0
! Crypto access list specifies that traffic between the global and the inside
! server behind the PIX Firewalls is encrypted. The source
! and destination IP addresses are the global IP addresses of the statics.
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
! The conduits permit ICMP and web access for testing.
conduit permit icmp any any
conduit permit tcp host 192.168.1.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
! Enable IPSec to bypass access list, access, and conduit restrictions
sysopt connection permit-ipsec
! Defines a crypto map transform set to use esp-des
crypto ipsec transform-set pix2 esp-des
crypto map peer2 10 ipsec-isakmp
!

Complete configuration:

! Use the IP address assigned by your telecom provider
ip address outside 202.105.113.194 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
!
global (outside) 1 202.105.113.195-202.105.113.200
global (outside) 1 202.105.113.201
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.105.113.203 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 202.105.113.205 192.168.1.11 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.105.113.203 eq www any
conduit permit tcp host 202.105.113.203 eq ftp any
conduit permit tcp host 202.105.113.205 eq smtp any
conduit permit tcp host 202.105.113.205 eq pop3 any
!
route outside 0.0.0.0 0.0.0.0 202.105.113.193 1
route inside 0.0.0.0 0.0.0.0 192.168.1.1
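
An added example, not part of the original listing: a small Python audit that pairs each conduit with its static translation to show which inside host is reachable from outside, on which service, and flags conduits that are not tied to a single host. The names audit, SAMPLE_CONFIG and both regexes are hypothetical, the sample input is constructed from the static and conduit lines of the complete configuration above, and only the host/any conduit forms used in this listing are handled.

```python
import re

# Constructed sample: the static/conduit lines of the complete configuration above.
SAMPLE_CONFIG = """\
static (inside,outside) 202.105.113.203 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 202.105.113.205 192.168.1.11 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.105.113.203 eq www any
conduit permit tcp host 202.105.113.203 eq ftp any
conduit permit tcp host 202.105.113.205 eq smtp any
conduit permit tcp host 202.105.113.205 eq pop3 any
"""

STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)", re.I)
# conduit permit <proto> <global-addr> [eq <port>] <foreign-addr>
CONDUIT_RE = re.compile(
    r"^conduit\s+permit\s+(\w+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s+(any|host\s+\S+)", re.I)


def audit(config):
    """Return (exposures, warnings) for the static/conduit lines in a PIX config."""
    statics = {}          # global (outside) address -> real inside address
    exposures, warnings = [], []
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(3)] = m.group(4)
    for line in lines:
        m = CONDUIT_RE.match(line)
        if not m:
            continue
        proto, dst, port, src = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
        if dst.lower() == "any":
            warnings.append(f"{proto} permitted to every translated host: {line}")
            continue
        global_ip = dst.split()[1]
        inside = statics.get(global_ip)
        if inside is None:
            warnings.append(f"conduit targets {global_ip}, which has no static: {line}")
            continue
        exposures.append((inside, global_ip, proto, (port or "any").lower(), src.lower()))
    return exposures, warnings


if __name__ == "__main__":
    exposed, warns = audit(SAMPLE_CONFIG)
    for row in exposed:
        print("inside %s via %s: %s/%s from %s" % row)
    print("\n".join("WARNING: " + w for w in warns))
```

Each exposure tuple is (inside address, global address, protocol, port, permitted source); a source of any means the service is open to every outside host.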