加裝防火墻前后的路由器配置概要

1、在這里我講述一下關(guān)于加裝防火墻前后的路由配置變化，因?yàn)樵谠葲](méi)有防火墻的情況下，路由既起到路由選擇的作用，又起到網(wǎng)關(guān)的作用。當(dāng)加裝防火墻的后，局域網(wǎng)的網(wǎng)關(guān)就設(shè)為防火墻的局域網(wǎng)IP地址。要修改路由首先還是先看該網(wǎng)絡(luò)的拓?fù)浣Y(jié)構(gòu)。在這里我所描述的是這樣拓?fù)浣Y(jié)構(gòu)：圖1一、先將進(jìn)入路由器設(shè)置將原來(lái)的配置備份一份，雖然這一份備份以后不一定用的上，可是萬(wàn)一防火墻 安裝失敗呢？211.97.21：. 411-46審地KenPassword:Router#show config (察看 ROUTER己置情況命令)Using 810 out of 7506 bytes!version 12

2、.1service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname Router(ROUTE名 字，這里為默認(rèn)名字 ROUTER!enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0.enable password 123456789(特權(quán)密碼，當(dāng)然這是加密的)!ip subnet-zero!interface Ethernet0 (配置局域網(wǎng) e0 口ip address 255.255.255

3、.0(e0 口在其局域網(wǎng)中對(duì)應(yīng)的 ip 為 ip nat inside 是表示為 C類網(wǎng)絡(luò)!interface Ethernet1 (E1口沒(méi)有激活，也沒(méi)有配置no ip addressshutdown!interface Serial0bandwidth 2048ip address 1 52 (此為定義 ROUTE外部接口的 IPip nat outside 52表示此合法的 INTERNET-IPencapsulation pppip nat pool 165 21

4、1 6 netmask 48 (ispip nat inside source list 1 pool 165 overloadip classlessip route SerialOno ip http server!access-list 1 permit 55!line con 0transport input noneline vty 0 1password 123456login!endRouter#二、按照?qǐng)D1裝上防火墻。給你分配的ipE0 口

5、接交換機(jī)。將從路由器到交換機(jī)上的線，改為先從路由器到防火墻，然后用防火墻的ISP JOIER.MIHM.進(jìn)入路由器配置模式修改，將路由器的配置改為：Using 942 out of 7506 bytes!version 12.1service timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname router!enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0enable password 123455676!ip subnet-

6、zero!crypto ipsec transform-set test esp-des esp-md5-hmac!crypto map vpnmap 1 ipsec-isakmp! Incompleteset transform-set testmatch address 100interface Ethernet。ip address 1 48interface Ethernet1no ip addressip nat insideno ip route-cacheno ip mroute-cacheshutdown!interface S

7、erialOdescription internetbandwidth 2048ip address 45 52 ip nat outsideencapsulation pppno ip route-cacheno ip mroute-cache!ip classlessip route Serial0ip http server!route-map nonat permit 10match ip address 110line con 0transport input noneline vty 0 4passw

8、ord 123456login!end三、這時(shí)候，你可以配置你的防火墻了，以下是防火墻的配置情況：PIX Version 5.1(2nameif ethernetO outside if ethernetl inside securitylOOnameif ethernet2 pix/intf2 securitylOhostname imrac_c_pixfixup protocol ftp 21fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol smtp

9、 25fixup protocol sqlnet 1521no namesaccess-list 100 permit ip access-list 100 permit ip pager lines 24logging onno logging timestampno logging standbyno logging consoleno logging monitorno logging

10、 bufferedno logging traplogging facility 20logging queue 512interface ethernetO autointerface ethernetl autointerface ethernet2 auto shutdownmtu outside 1500mtu inside 1500mtu pix/intf2 1500ip address outside 4 48ip address inside ip address pix/intf

11、2 55no failoverfailover timeout 0:00:00failover ip address outside failover ip address inside failover ip address pix/intf2 arp timeout 14400global (outside 1 5 netmask 48nat (inside 0 access-list 100nat (inside 1 0

12、 0route outside 1 1timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00timeout rpc 0:10:00 h323 0:05:00aaa-server RADIUS protocol radiusno snmp-server locationno snmp-server contactsnmp-server community publicno snmp-server enable trapsfloodguard enablesysop

13、t connection permit-ipseccrypto ipsec transform-set trans esp-des esp-md5-hmaccrypto map vpnmap 40 ipsec-isakmpcrypto map vpnmap 40 match address 100crypto map vpnmap 40 set transform-set transcrypto map vpnmap interface outsideisakmp enable outsideisakmp identity addressisakmp policy 1 authentication pre-shareisakmp policy 1 encryp