what is a firewall
a device that controls access between traffic from different networks (zones of different trust).
firewall types
packet filtering
proxy server (application-layer gateway)
stateful packet filtering
cisco firewall technology
1. proprietary operating system
2. stateful packet filtering: the firewall tracks each connection's tcp source and destination addresses, sequence numbers and flag bits, randomizes the initial tcp sequence number of new connections, and by default permits connections only from a higher security level to a lower one.
3. traffic from a lower security level to a higher one is dropped unless an acl explicitly permits it.
4. supports aaa.
cut-through proxy operation (authentication proxy): the user is authenticated once against aaa, after which the connection is handled by the stateful packet filter instead of a full application proxy.
application-aware inspection: dynamically inspects application protocols such as ftp, http and dns (for example, opening the secondary data channel that ftp negotiates).
modular policy framework
class map - policy map - service policy
virtual private network(vpn)
site to site
ipsec vpn
ssl vpn
security context (virtual firewall)
failover (high availability)
active/standby
active/active
transparent firewall (layer-2 mode)
web-based management (asdm)
pix product line
501,506e,515e,525,535
asa product line
5510,5520,5540
vac/vac+ (vpn accelerator card)
security services modules
aip-ssm module (advanced inspection and prevention, i.e. ips)
aip-ssm-10
2.0-ghz processor
1.0 gb ram
aip-ssm-20
2.4-ghz processor
2.0 gb ram
pix license types
ur (unrestricted):
restricted:
active/standby
active/active
vpn encryption license
des license
provides 56-bit des
3des/aes license
provides 168-bit 3des
provides up to 256-bit aes
(des and 3des are obsolete ciphers; use aes wherever the peer supports it)
security contexts (virtual firewall licenses; two contexts by default)
pix 515e, 525 and 535 licensing
asa security context licenses (virtual firewall licenses on the asa)
default
two contexts
available context licenses
five contexts
ten contexts
20 contexts
50 contexts
asa 5510, 5520 and 5540 licensing
fwsm firewall services module
used in the catalyst 6500 switch and the 7600 router.
show running-config
show startup-config
write memory (save the running-config to the startup-config)
write terminal (display the running-config; same as show running-config)
clear config all (clear the running configuration)
write erase (clear the startup-config)
file system
pix 6.0
software image
configuration file
private data file
pdm image
crash information
pix 7.0
software image
configuration file
private data
asdm image
backup image
backup configuration file
virtual firewall (security context) configuration files
pix#dir (list the files in flash)
ctrl+z exits the setup wizard
changing the boot image
boot system flash:/pix722.bin
downgrade command: boots a lower-version (6.x) image; the syntax is downgrade <old image url> <old config url>, the second file receiving the configuration converted for the old image.
downgrade tftp:1.1.1.1 config (configuration file) flash:/downgrade.cfg
more flash:/downgrade.cfg (view the file contents; the dos equivalent is type <filename>)
the pix has only flash:; the asa has flash: plus disk0: and disk1:
show bootvar (view the image the firewall currently boots from)
pix security levels run from 0 to 100: 0 is the least secure, 100 the most secure. new connections are permitted in one direction only, from a higher level to a lower level; the firewall tracks the returning packets of each permitted connection and lets them through, and it randomizes the initial tcp sequence number.
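The security-level rule and the stateful tracking described above, as an added Python model (example code written for these notes, not Cisco's implementation). The interface names and levels, the packets and the addresses are all constructed. The connection table is keyed by the 4-tuple; a new connection is accepted only from a higher level to a lower one, or where an acl exception has been configured; return packets are matched against the table; a packet with no table entry that is not a SYN fails the stateful check; and the initiator's sequence numbers are offset by a random delta per connection to stand in for initial sequence number randomization.

```python
"""Model of the PIX/ASA security-level rule: added example, not Cisco code.
Interface levels, packets and addresses below are constructed."""
import random
from dataclasses import dataclass
from typing import Dict, Set, Tuple

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # constructed nameif -> security-level


@dataclass(frozen=True)
class Packet:
    ingress: str     # interface the packet arrived on
    egress: str      # interface the route lookup chose
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters: "S", "SA", "A", "PA", ...
    seq: int = 0
    ack: int = 0


@dataclass
class Conn:
    initiator: str   # interface the first SYN arrived on
    isn_delta: int   # random offset added to the initiator's sequence numbers


class StatefulFilter:
    MASK = 0xFFFFFFFF

    def __init__(self, levels: Dict[str, int], seed: int = 1):
        self.levels = levels
        self.conns: Dict[Tuple[str, int, str, int], Conn] = {}
        # (dst, dport) pairs an ACL permits from a lower to a higher level
        self.inbound_permits: Set[Tuple[str, int]] = set()
        self.rng = random.Random(seed)

    def permit_inbound(self, dst: str, dport: int) -> None:
        self.inbound_permits.add((dst, dport))

    def process(self, p: Packet) -> Tuple[str, str, int]:
        """Return (verdict, reason, translated seq or ack number)."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:                      # initiator -> responder, known flow
            return "permit", "existing connection", (p.seq + self.conns[fwd].isn_delta) & self.MASK
        if rev in self.conns:                      # responder -> initiator: return traffic
            return "permit", "return traffic", (p.ack - self.conns[rev].isn_delta) & self.MASK
        if p.flags != "S":                         # no table entry and not a SYN: stateful check fails
            return "drop", "no matching connection", p.seq
        if self.levels[p.ingress] > self.levels[p.egress]:
            reason = "high to low"
        elif (p.dst, p.dport) in self.inbound_permits:
            reason = "low to high, permitted by acl"
        else:
            return "drop", "low to high, no acl", p.seq
        delta = self.rng.randrange(1, 1 << 32)     # ISN randomization: offset for this connection
        self.conns[fwd] = Conn(p.ingress, delta)
        return "permit", reason, (p.seq + delta) & self.MASK


def walkthrough():
    """Run the cases the notes describe through the filter; returns the verdicts."""
    fw = StatefulFilter(LEVELS)
    results = []
    # 1. inside (100) -> outside (0): the SYN is permitted and leaves with a randomized ISN
    syn = Packet("inside", "outside", "10.0.1.5", 40000, "203.0.113.9", 80, "S", seq=1000)
    v, why, seq_out = fw.process(syn)
    results.append((v, why))
    # 2. the SYN/ACK coming back matches the table; its ack is translated back to 1001
    synack = Packet("outside", "inside", "203.0.113.9", 80, "10.0.1.5", 40000, "SA",
                    seq=777, ack=(seq_out + 1) & StatefulFilter.MASK)
    v, why, ack_in = fw.process(synack)
    results.append((v, why, ack_in))
    # 3. an unsolicited SYN from outside (0) to inside (100) is dropped
    results.append(fw.process(Packet("outside", "inside", "198.51.100.7", 5555, "10.0.1.5", 22, "S"))[:2])
    # 4. a stray ACK with no connection entry fails the stateful check
    results.append(fw.process(Packet("outside", "inside", "198.51.100.7", 5555, "10.0.1.5", 22, "A"))[:2])
    # 5. an ACL entry is the only way to open a low-to-high connection
    fw.permit_inbound("10.0.1.80", 443)
    results.append(fw.process(Packet("outside", "inside", "198.51.100.7", 5556, "10.0.1.80", 443, "S"))[:2])
    return results


if __name__ == "__main__":
    for r in walkthrough():
        print(r)
```

The `Packet` carries both the ingress and the egress interface because the level comparison needs the interface the route lookup selects, which a real firewall gets from its routing table; the model takes it as input instead.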
configuring an out-of-band management interface
pix(config-if)#management-only / no management-only (the interface accepts only management traffic addressed to the firewall and carries no through traffic)
no nat-control (nat is not required for traffic to pass through the firewall)
name 5.5.5.5 out (map the name out to 5.5.5.5)
ping out (ping the named host)
write terminal is the same as show running-config
show memory (memory usage) / show cpu usage (cpu usage)
activation-key 0xd2390d2c 0x9fc4b36d 0x98442d99 0xeef7d8b1 (enter the activation key that unlocks the licensed features)
show ip address
show xlate (nat translation table)
show conn (connection table)
fw1#clock set 21:00:00 23 jul 2003
fw1#clock timezone GMT +8
ntp configuration
fw1(config)#ntp authentication-key 1234 md5 cisco123
fw1(config)#ntp trusted-key 1234
fw1(config)#ntp server 10.0.0.12 key 1234 source inside prefer
fw1(config)#ntp authenticate (without this line the firewall still accepts time from servers it cannot authenticate)
system logging
logging destinations
console - output to the console
buffered - output to the internal buffer
monitor - output to telnet/ssh sessions
host - output to a syslog server
snmp - output to an snmp server (traps)
enabling logging
logging on (logging is not enabled by default)
logging levels (severity 0-7; the lower the number, the more severe)
0-emergencies
1-alerts
2-critical
3-errors
4-warnings
5-notifications
6-informational
7-debugging
logging configuration
fw1(config)#logging host inside 10.0.1.11
fw1(config)#logging trap warnings (send severity 0-4 to the syslog host)
fw1(config)#logging timestamp
fw1(config)#logging device-id string pix6 (when several devices send to one syslog server, a device id tells them apart; routers use logging facility instead)
fw1(config)#logging on
pix(config)#no logging message 710005 (suppress this message id entirely)
pix(config)#logging message 710005 level 5 (change the severity of a message id)
fw1(config)#logging trap warnings
fw1(config)#logging message 302013 level 4
fw1(config)#logging message 302014 level 4
(302013 and 302014 are the tcp connection built/teardown messages, informational by default; raising them to warnings makes them reach the host under logging trap warnings)
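The commands above decide which records reach the syslog host. The following Python model (added for these notes, not Cisco code) applies `logging trap`, `no logging message` and `logging message <id> level <n>` to constructed PIX-format log lines and shows which message ids get through after each step; the starting trap level of informational is the walkthrough's own choice, and the sample records are constructed.

```python
"""Model of PIX/ASA syslog trap filtering: added example, not Cisco code.
The log lines are constructed in the %PIX-<severity>-<id> format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

SYSLOG_RE = re.compile(r"%(?:PIX|ASA)-(\d)-(\d{6}): (.*)")


def level_number(word: str) -> int:
    """Accept either a level name (warnings) or its number (4)."""
    return LEVELS[word] if word in LEVELS else int(word)


@dataclass
class TrapPolicy:
    trap_level: int = LEVELS["informational"]   # starting point chosen for the walkthrough
    disabled: Set[str] = field(default_factory=set)          # no logging message <id>
    overrides: Dict[str, int] = field(default_factory=dict)  # logging message <id> level <n>

    def configure(self, line: str) -> None:
        """Apply one logging command written the way the notes write it."""
        w = line.split()
        if w[:2] == ["logging", "trap"]:
            self.trap_level = level_number(w[2])
        elif w[:3] == ["no", "logging", "message"]:
            self.disabled.add(w[3])
        elif w[:2] == ["logging", "message"] and len(w) == 5 and w[3] == "level":
            self.overrides[w[2]] = level_number(w[4])
        elif w[:2] == ["logging", "message"]:
            self.disabled.discard(w[2])             # logging message <id> re-enables it
        else:
            raise ValueError("unsupported command: " + line)

    def forward(self, line: str) -> Optional[Tuple[int, str, str]]:
        """Return (severity, id, text) if the record would be sent to the syslog host."""
        m = SYSLOG_RE.search(line)
        if not m:
            return None
        default_sev, msg_id, text = int(m.group(1)), m.group(2), m.group(3)
        if msg_id in self.disabled:
            return None
        sev = self.overrides.get(msg_id, default_sev)
        if sev > self.trap_level:
            return None
        return sev, msg_id, text


# constructed records in the format the firewall emits
SAMPLE_LOG = [
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.0.1.5/40000 (198.51.100.1/1024)",
    "%PIX-7-710005: TCP request discarded from 198.51.100.7/5555 to outside:198.51.100.1/23",
    "%PIX-4-106023: Deny tcp src outside:198.51.100.7/5555 dst inside:10.0.1.5/22 by access-group \"outside_in\"",
    "%PIX-6-302014: Teardown TCP connection 12 for outside:203.0.113.9/80 to inside:10.0.1.5/40000 duration 0:00:05 bytes 1492 TCP FINs",
]


def walkthrough() -> List[List[str]]:
    """Message ids that reach the host after each configuration step of the notes."""
    pol = TrapPolicy()
    steps = [[], ["logging trap warnings"],
             ["no logging message 710005", "logging message 302013 level 4",
              "logging message 302014 level 4"]]
    sent = []
    for cmds in steps:
        for cmd in cmds:
            pol.configure(cmd)
        sent.append([r[1] for r in map(pol.forward, SAMPLE_LOG) if r])
    return sent


if __name__ == "__main__":
    for stage in walkthrough():
        print(stage)
```

The second step shows the trap: `logging trap warnings` alone silences the connection built/teardown records (severity 6), so an analyst looking only at the syslog host no longer sees sessions; the third step recovers them by raising the two message ids to 4 while still suppressing the debugging-level 710005.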
route and switch
vlans
fw1(config)#int e3.1
fw1(config-subif)#vlan 10
route
rip
fw1(config)#router rip
fw1(config-router)#no auto-summary
fw1(config-router)#version 2
fw1(config-router)#network 218.18.100.0
fw1(config-router)#redistribute static metric 2
fw1(config)#int e0
fw1(config-if)#rip authentication key smoke key-id 1
fw1(config-if)#rip authentication mode md5 (without this line the mode defaults to text and the key is sent in cleartext)
ospf
fw1(config)#router ospf 1
fw1(config-router)#router-id 1.1.1.1
fw1(config-router)#network 10.1.1.0 255.255.255.0 area 0
fw1(config-router)#redistribute rip route-map r20 metric-type 1 tag 10 subnets
the pix supports at most two ospf processes.
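A config audit in Python that checks a running-config for the hardening points collected in these notes: logging switched on and timestamped, NTP authentication enforced with a trusted key, and RIP MD5 mode on every interface that carries a RIP key. Added example, not Cisco code; the sample configuration, hostname and addresses are constructed, and the parser assumes the PIX 7.x/ASA layout in which sub-commands are indented by one space under their block header.

```python
"""Audit a PIX/ASA running-config for the hardening points in these notes.
Added example, not Cisco code; the sample configuration is constructed."""
import re
from typing import List, Tuple

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Split a config into (header, indented sub-lines) blocks.  Assumes the
    PIX 7.x/ASA layout: sub-commands sit one space under their header."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    blocks = parse_blocks(config)
    top = {header for header, _ in blocks}
    findings: List[str] = []
    # logging: destinations are configured but 'logging on' (off by default) is absent
    if any(h.startswith("logging ") for h in top) and "logging on" not in top:
        findings.append("logging: 'logging on' missing, configured destinations receive nothing")
    if any(h.startswith("logging host ") for h in top) and "logging timestamp" not in top:
        findings.append("logging: 'logging timestamp' missing, syslog records carry no device time")
    # ntp: a keyed server needs 'ntp authenticate' and the key declared trusted
    trusted = {h.split()[-1] for h in top if h.startswith("ntp trusted-key ")}
    servers = sorted(h for h in top if h.startswith("ntp server "))
    if servers and "ntp authenticate" not in top:
        findings.append("ntp: 'ntp authenticate' missing, unauthenticated servers are accepted")
    for h in servers:
        m = re.search(r"\bkey (\d+)", h)
        if m is None:
            findings.append(f"ntp: '{h}' has no key, the time source is unauthenticated")
        elif m.group(1) not in trusted:
            findings.append(f"ntp: key {m.group(1)} in '{h}' is not an 'ntp trusted-key'")
    # rip: a key without 'rip authentication mode md5' is sent with cleartext text authentication
    for header, body in blocks:
        if header.startswith("interface "):
            has_key = any(line.startswith("rip authentication key ") for line in body)
            if has_key and "rip authentication mode md5" not in body:
                findings.append(f"rip: {header} has a key but authentication mode is not md5")
    return findings


# constructed sample: Ethernet0 carries a RIP key without md5 mode, logging and NTP are half done
SAMPLE_CONFIG = """\
hostname fw1
interface Ethernet0
 nameif outside
 security-level 0
 ip address 218.18.100.1 255.255.255.0
 rip authentication key smoke key-id 1
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 rip authentication key smoke key-id 1
 rip authentication mode md5
router rip
 network 218.18.100.0
 version 2
 no auto-summary
ntp authentication-key 1234 md5 cisco123
ntp server 10.0.0.12 key 1234 source inside prefer
logging host inside 10.0.1.11
logging trap warnings
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` (or `write terminal`) saved to a file; the checks are deliberately string-based so they work on the text the firewall prints rather than requiring a full CLI grammar.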