Pix with mail server access on DMZ
2006-10-29 17:12
351 views
PIX Version 6.2(2)
!--- These commands name and set the security level
!--- for their respective interfaces.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanQuentin
domain-name noplace.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
!--- This statement creates an access list, named smtp, which
!--- allows SMTP traffic originating from anywhere to reach the
!--- server at 209.164.3.5. Note: There is one and only one
!--- access list allowed per interface per direction (for example, inbound
!--- on the outside interface). Because of this limitation, any additional
!--- lines needing to be placed in the access list will need to be
!--- specified here. If the server in question is not SMTP, replace
!--- the occurrences of smtp with www, dns, pop3, or
!--- whatever else may be required.
access-list smtp permit tcp any host 209.164.3.5 eq smtp
!
pager lines 24
logging on
logging timestamp
no logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
no logging history
logging facility 23
logging queue 512
!--- These commands instruct the PIX to auto-sense the media
!--- attached to each interface.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet 2 auto
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
!
!--- These commands set the IP address of the respective interfaces.
ip address inside 192.168.1.1 255.255.255.252
ip address outside 209.164.3.1 255.255.255.252
ip address dmz 172.16.128.1 255.255.255.0
!
no failover
!
arp timeout 14400
!--- These commands establish port address translation (PAT) for
!--- traffic originating on the inside of the PIX and traveling
!--- outside (beyond) the PIX.
global (outside) 1 209.164.3.129
nat (inside) 1 192.168.1.0 255.255.255.0
!
!--- This static creates a translation between the legal (outside) address
!--- of the server (209.164.3.5) and the RFC 1918 (inside) address (172.16.128.103).
static (dmz,outside) 209.164.3.5 172.16.128.103 netmask 255.255.255.255
!
!--- This static essentially prevents translation of the 192.168.1.x
!--- inside network when sending packets to the DMZ. Literally speaking,
!--- it creates a translation from 192.168.1.x to 192.168.1.x.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
!--- This statement applies the access list created above to the
!--- interface named "outside". Because it is applied inbound, the
!--- PIX will now check all incoming packets against this list,
!--- dropping all packets not explicitly permitted.
access-group smtp in interface outside
!
!--- This command instructs the PIX to hand all other packets not
!--- destined for directly-connected networks to the router at
!--- 209.164.3.2 (the outside router).
route outside 0.0.0.0 0.0.0.0 209.164.3.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
terminal width 80
Cryptochecksum:d66eb04bc477f21ffbd5baa21ce0f85a
: end
!
!
!--- Alternate command:
!--- conduit permit tcp host 209.164.3.5 eq smtp any
!--- In earlier PIX software versions, this conduit command serves the same
!--- purpose as, and takes the place of, the access-list and access-group
!--- commands shown above.
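An added example (not from Cisco's documentation or from this page) that audits the inbound policy the comments above describe: it parses the access-list, access-group and static statements of the configuration and decides whether a TCP connection arriving on the outside interface reaches the DMZ mail server, applying the implicit deny mentioned in the access-group comment. The service-name table, the regexes and the restriction to `any`/`host` matching are assumptions made for the example.

```python
"""Minimal policy check for the PIX 6.2 configuration shown above.

Only the statement shapes used on this page are parsed:
  access-list NAME permit|deny tcp any host IP eq PORT
  access-group NAME in interface IFACE
  static (internal_if,external_if) GLOBAL_IP LOCAL_IP netmask MASK
"""
import re

# Constructed excerpt of the page's configuration (the statements that
# govern traffic coming in on the outside interface).
PIX_CONFIG = """
access-list smtp permit tcp any host 209.164.3.5 eq smtp
static (dmz,outside) 209.164.3.5 172.16.128.103 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group smtp in interface outside
"""

# PIX accepts service names in place of port numbers; only the names the
# page mentions are mapped here (assumption: this table is not exhaustive).
PORT_NAMES = {"smtp": 25, "www": 80, "dns": 53, "pop3": 110}

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) tcp any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")

def parse(config):
    """Return (acls, access_groups, statics) from the recognised statements."""
    acls, groups, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, action, host, port = m.groups()
            acls.setdefault(name, []).append((action, host, PORT_NAMES.get(port) or int(port)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)          # interface -> access-list name
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    return acls, groups, statics

def inbound_decision(config, dst_ip, dst_port):
    """Decide the fate of a TCP SYN arriving on 'outside' for dst_ip:dst_port.

    Returns ("permit", translated_dmz_ip) or ("deny", None).
    """
    acls, groups, statics = parse(config)
    acl_name = groups.get("outside")
    if acl_name is None:
        return ("deny", None)   # low-to-high traffic is dropped without an ACL (or conduit)
    # First matching entry wins; anything unmatched hits the implicit deny.
    for action, host, port in acls.get(acl_name, []):
        if host == dst_ip and port == dst_port:
            if action == "deny":
                return ("deny", None)
            break
    else:
        return ("deny", None)
    # Permitted by the ACL; a static must still map the global address to a DMZ host.
    for internal_if, external_if, global_ip, local_ip, mask in statics:
        if external_if == "outside" and mask == "255.255.255.255" and global_ip == dst_ip:
            return ("permit", local_ip)
    return ("deny", None)
```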