Cisco PIX 防火墙的问题集锦

为什么ping不通515E的outside地址？

网管联盟bitsCN_com

PIX的版本是6.3(4)，设置了515E的outside地址和inside地址后，用网 网管网www.bitscn.com

线将笔记本和515E的outside端口联起来，本本的地址和outside地址在

网管bitscn_com

一个网段内，但总是ping不通outside地址，但同样的配置在6.2版本的 网管联盟bitsCN_com

515E上使用时是没有问题的，好奇怪啊？？

网管联盟bitsCN_com

icmp pemit any outside

========================================================

网管u家u.bitscn@com

pix vpn设置好了，DDN方式可以上，为什么家里的adsl不行？ 网管下载dl.bitscn.com

配置如下：pix520

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
nameif ethernet2 Outside-DMZ security50
enable password GyBjREM5Y/fIjrzB encrypted
passwd enO4Olec9w1AmAwd encrypted
hostname PIX-yinhetech
domain-name test.cn
clock timezone CST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 notebookpoolIP
access-list nonat permit ip 10.10.0.0 255.255.0.0 notebookpoolIP 255.255.255.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 any

网管bitscn_com

access-list notebookpc_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any
access-list notebookpc_splitTunnelAcl permit ip notebookpoolIP 255.255.255.0 any
access-list notebookpc_splitTunnelAcl permit ip host 10.6.4.11 any
access-list Outside_cryptomap_dyn_20 permit ip any notebookpoolIP 255.255.255.0
access-list Outside_cryptomap_dyn_20 permit ip notebookpoolIP 255.255.255.0 any
pager lines 24
logging on
logging standby
logging buffered debugging
logging trap notifications
icmp deny any Outside
mtu Outside 1500
mtu inside 1500
mtu Outside-DMZ 1500
ip address Outside ***.***.***.** 255.255.255.240
ip address inside 10.127.1.253 255.255.255.0
ip address Outside-DMZ 172.18.3.254 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool notebookpool 10.128.1.1-10.128.1.250
no failover

网管论坛bbs_bitsCN_com

failover timeout 0:00:00
failover poll 15
no failover ip address Outside
no failover ip address inside
no failover ip address Outside-DMZ
pdm history enable
arp timeout 14400
global (Outside) 1 ***.***.***.** netmask 255.255.255.240
global (Outside-DMZ) 1 172.18.3.200-172.18.3.250 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.128.0.0 0 0
access-group 101 in interface inside
route Outside 0.0.0.0 0.0.0.0 ***.***.***.** 1
route inside 10.0.0.0 255.128.0.0 10.127.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.74 255.255.255.255 inside
http 10.10.10.88 255.255.255.255 inside 网管论坛bbs_bitsCN_com
snmp-server host inside 10.10.10.10
snmp-server host inside 10.10.10.74
snmp-server location soft_yuan_internet
snmp-server contact bill
snmp-server community public
snmp-server enable traps
tftp-server inside 10.10.10.74 /
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp identity address
isakmp keepalive 60 5
isakmp nat-traversal 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup notebookpc address-pool notebookpool 网管论坛bbs_bitsCN_com
vpngroup notebookpc dns-server 10.10.10.68 202.103.224.68
vpngroup notebookpc default-domain yhgroup.cn
vpngroup notebookpc split-tunnel notebookpc_splitTunnelAcl
vpngroup notebookpc idle-time 1800
vpngroup notebookpc password ********
telnet 10.0.0.0 255.128.0.0 inside
telnet 10.10.10.110 255.255.255.255 inside
telnet 10.10.10.110 255.255.255.255 Outside-DMZ
telnet timeout 31
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:826ec1728f5df3bb3ecf0542790a4d35

中国网管论坛bbs.bitsCN.com

 

surf_qj (普通用户) 网管bitscn_com

对了，是使用cisco system VPN Client 4.01登录的，家里adsl可以连上VPN，但是不能访问，DDN就可以 网管下载dl.bitscn.com

其实，不光是PIX问题，我用2620做的和你的也一样，用一般的ADSL是不行的，但如果是用带路由功能ADSL就可以。

isakmp nat-traversal 120
还有客户端NAT打开，估计是NAT穿透的问题吧。

========================================================

pix515的问题 网管联盟bitsCN_com

具体现象是，DMZ和inside各接一台单机，DMZ的单机能用上网，其他不能，inside的机器什么都干不了。单机保证无问题。请各位帮忙看看配 网管联盟bitsCN_com

置吧。 outside的地址和global的地址不同，有影响么？（没有空闲的连续地址了,只能用两个不同地址表示一下）
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password O53fPNRgHkA6IEsY encrypted
passwd TWjtI1emvjruV4SY encrypted
hostname jygatewall
domain-name 219.2.2.2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list dmz_jygate_acl deny icmp any any
access-list dmz_jygate_acl permit udp any any eq domain
access-list dmz_jygate_acl permit tcp any any eq www
access-list dmz_jygate_acl permit udp any any eq 20
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 20817

access-list dmz_jygate_acl permit tcp any host 219.150.1..1eq 20820
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8080
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 8383
access-list dmz_jygate_acl permit tcp any host 219.150.1.1 eq 32002
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 219.150.1.2 255.255.255.224
ip address inside 192.168.168.1 255.255.255.0
ip address dmz 172.172.172.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 219.150.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.150.1.2 172.172.172.101 netmask 255.255.255.255 0 0 网管u家u.bitsCN.com

static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
access-group dmz_jygate_acl in interface outside
access-group dmz_jygate_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 219.150.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:594b9bbf77abf8a342afee1764e4f7cd
: end

  网管u家u.bitsCN.com

nyb0319 (普通用户) 中国网管论坛bbs.bitsCN.com

no static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
改为static (inside,dmz) 172.172.172.1 192.168.168.0 netmask 255.255.255.0 0 0 网管网www.bitscn.com

加一条 网管网www.bitscn.com

static (inside,outside)
219.150.1.2 192.168.168.0
netmask 255.255.255.0 0 0 网管u家u.bitscn@com

no access-group dmz_jygate_acl in interface dmz 中国网管联盟bitsCN.com

crazytank (普通用户) 中国网管联盟bitsCN.com

按照上面的提示改了，结果提示global address overlaps with mask
请各位大侠再帮忙看看啊

网管网www_bitscn_com

lcschina (活跃用户) 网管下载dl.bitscn.com

ip address outside 219.150.1.2 255.255.255.224

global (outside) 1 219.150.1.2 网管bitscn_com

地址重叠！！！
加上 global (outside) 1 interface
去掉你的那个global 网管论坛bbs_bitsCN_com