[JavaScript知识库] How to configure Cisco firewall PIX 525 (2)

开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> JavaScript知识库 -> How to configure Cisco firewall PIX 525 (2) -> 正文阅读

[JavaScript知识库]How to configure Cisco firewall PIX 525 (2)

In this session we'll will add an internal OSPF network and configure on PIX to let OSPF network to access external and dmz, based on the work of How to configure Cisco firewall PIX 525 (1)

1. The diagram with OSPF network

2. Configure OSPF on R9, R2 and R7

R9-InternalSvr(config)#int f0/0
R9-InternalSvr(config-if)#ip address 10.10.90.9 255.255.255.0 ?
R9-InternalSvr(config-if)#no sh
R9-InternalSvr(config-if)#int lo0
R9-InternalSvr(config-if)#ip address 9.9.9.9 255.255.255.255
R9-InternalSvr(config-if)#router ospf 1
R9-InternalSvr(config-router)#network 9.9.9.9 0.0.0.0 area 0
R9-InternalSvr(config-router)#network 10.10.90.0 0.0.0.255 a 0

R2-Inside(config)#int f0/1
R2-Inside(config-if)#ip address 10.10.90.12 255.255.255.0
R2-Inside(config-if)#no sh
R2-Inside(config-if)#router ospf 1
R2-Inside(config-router)#network 10.10.90.0 0.0.0.255 a 0

R7-Inside(config)#int f1/0
R7-Inside(config-if)#ip address 10.10.90.17 255.255.255.0
R7-Inside(config-if)#no sh
R7-Inside(config-if)#router ospf 1
R7-Inside(config-router)#network 10.10.90.0 0.0.0.255 a 0

R9-InternalSvr#sh ip os nei

Neighbor ID ? ? Pri ? State ? ? ? ? ? Dead Time ? Address ? ? ? ? Interface
2.2.2.2 ? ? ? ? ? 1 ? FULL/BDR ? ? ? ?00:00:37 ? ?10.10.90.12 ? ? FastEthernet0/0
7.7.7.7 ? ? ? ? ? 1 ? FULL/DROTHER ? ?00:00:33 ? ?10.10.90.17 ? ? FastEthernet0/0

3. Add default routing to external for internal OSPF network

Before add default routing:

R9-InternalSvr#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
? ? ? ?D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area?
? ? ? ?N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
? ? ? ?E1 - OSPF external type 1, E2 - OSPF external type 2
? ? ? ?i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
? ? ? ?* - candidate default, U - per-user static route, o - ODR
? ? ? ?P - periodic downloaded static route

Gateway of last resort is not set

Add default routing on R2 and R7:

R2-Inside(config)#router ospf 1
R2-Inside(config-router)#default-information originate?

R7-Inside(config)#router ospf 1
R7-Inside(config-router)#default-information originate?

After adding default routing

Gateway of last resort is 10.10.90.12 to network 0.0.0.0

? ? ?9.0.0.0/32 is subnetted, 1 subnets
C ? ? ? 9.9.9.9 is directly connected, Loopback0
? ? ?10.0.0.0/24 is subnetted, 1 subnets
C ? ? ? 10.10.90.0 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.10.90.12, 00:03:00, FastEthernet0/0
? ? ? ? ? ? ? ?[110/1] via 10.10.90.17, 00:03:00, FastEthernet0/0
R9-InternalSvr#

4. Add routing from PIX to OSPF network for PIX

We have two paths from PIX to R9. To avoid a single point of failure, we configure HSRP on R2 and R7.

R2-Inside(config)#int f0/0
R2-Inside(config-if)#standby 1 ip 10.10.10.254?
R2-Inside(config-if)#standby 1 priority 105
R2-Inside(config-if)#standby 1 preempt

R7-Inside(config-router)#int f0/0
R7-Inside(config-if)#standby 1 ip 10.10.10.254

Check the HSRP status:

R2-Inside#sh standby brie
? ? ? ? ? ? ? ? ? ? ?P indicates configured to preempt.
? ? ? ? ? ? ? ? ? ? ?|
Interface ? Grp Prio P State ? ?Active ? ? ? ? ?Standby ? ? ? ? Virtual IP ? ??
Fa0/0 ? ? ? 1 ? 105 ?P Active ? local ? ? ? ? ? 10.10.10.17 ? ? 10.10.10.254 ??
R2-Inside#

Add static routing in PIX to R9:

pix3# conf t
pix3(config)# route inside 10.10.90.0 255.255.255.0 10.10.10.254
pix3(config)# route inside 9.9.9.9 255.255.255.255 10.10.10.254
pix3(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
? ? ? ?D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area?
? ? ? ?N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
? ? ? ?E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
? ? ? ?i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
? ? ? ?* - candidate default, U - per-user static route, o - ODR
? ? ? ?P - periodic downloaded static route

Gateway of last resort is not set

C ? ?172.16.1.0 255.255.255.0 is directly connected, dmz
C ? ?202.1.1.0 255.255.255.0 is directly connected, outside
S ? ?9.9.9.9 255.255.255.255 [1/0] via 10.10.10.254, inside
C ? ?10.10.10.0 255.255.255.0 is directly connected, inside
S ? ?10.10.90.0 255.255.255.0 [1/0] via 10.10.10.254, inside
pix3(config)# ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!?!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
pix3(config)#?

5. Configure R9 to access external

We follow the way:(Actually it's alreadly done for all internal network to access external, pls refer to??artical How to configure Cisco firewall PIX 525 (2), Chapter 11.)

High to low:

- Global address (pool) in low area

- Internal address in high area

- Access control (access-list + access-group)

R9-InternalSvr#ping 202.1.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R9-InternalSvr#telnet 202.1.1.10
Trying 202.1.1.10 ... Open

R1-Internet#

R9 to DMZ is also OK:

R9-InternalSvr#ping 172.16.1.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R9-InternalSvr#telnet 172.16.1.13
Trying 172.16.1.13 ... Open

R3-dmz#

6. Configure DMZ to Internal OSPF network

DMZ to R9:

pix3(config)# static (inside,dmz) 9.9.9.9 9.9.9.9 netmask 255.255.255.255 ?

pix3(config)# access-list from_dmz extended permit tcp any 9.9.9.9 255.255.255.255 eq telnet?

R3-dmz#ping 9.9.9.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3-dmz#telnet 9.9.9.9
Trying 9.9.9.9 ... Open

R9-InternalSvr#