enable password 2KFQnbNIdI.2KYOU encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname Pix fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names access-list aclout deny tcp any any eq www access-list aclout permit tcp 10.10.10.0 255.255.255.0 host 209.162.1.2 eq telnet access-list aclout permit tcp host 10.10.10.10 host 172.16.1.2 eq www access-list aclout permit ip any any pager lines 24 interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip address outside 209.162.1.1 255.255.255.0 ip address inside 10.10.10.1 255.255.255.0 ip address dmz 172.16.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 failover ip address dmz 0.0.0.0 pdm history enable arp timeout 14400 global (outside) 1 209.162.1.30 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (dmz,outside) 209.162.1.10 172.16.1.2 netmask 255.255.255.255 0 0 static (inside,outside) 209.162.1.9 10.10.10.10 netmask 255.255.255.255 0 0 static (inside,dmz) 172.16.1.5 10.10.10.10 netmask 255.255.255.255 0 0 access-group aclout in interface inside conduit permit tcp host 209.162.1.10 eq www any conduit permit tcp host 209.162.1.9 eq www any conduit permit tcp host 209.162.1.9 eq telnet any conduit permit icmp any any route outside 0.0.0.0 0.0.0.0 209.162.1.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable no sysopt route dnat telnet timeout 2 ssh timeout 5 terminal width 80 Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e : end 2503#sh run Building configuration Current configuration : 569 bytes ! version 12.1 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname 2503 ! enable password cisco ! ! ! ! ! ip subnet-zero ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0 ip address 209.162.1.2 255.255.255.0 ! interface Serial0 no ip address shutdown no fair-queue ! interface Serial1 no ip address shutdown ! interface BRI0 no ip address shutdown ! ip classless ip http server ! ! line con 0 line aux 0 line vty 0 4 no login ! end dmz#sh run Building configuration Current configuration : 569 bytes ! version 12.1 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname dmz ! enable password cisco ! ! ! ! ! ip subnet-zero ! ! ! ! interface Ethernet0 ip address 172.16.1.2 255.255.255.0 ! interface Serial0 no ip address shutdown no fair-queue ! interface Serial1 no ip address shutdown ! interface BRI0 no ip address shutdown ! ip classless ip http server ! ! line con 0 line aux 0 line vty 0 4 no login ! end Cấu hình từng bước : 1. Command-line interface ; Khi truy cập vào Pix sẽ vào mode unprivileged , sử dụng enable command để vào mode privileged pixfirewall>enable password : => trước khi vào mode enable , pix sẽ yêu cầu nhập password , mặc định là không có password nào cả , chỉ cần nhấn enter pixfirewall#disable pixfirewall> ß sử dụng disable để đưa pix về mode unprivileged pixfirewall> ? ð để xem những lệnh nào có thể dùng được ở mode này . pixfirewall#configure terminal pixfirewall(config)# ð Pix đang ở trong mode configuration , tại đây ta có thể cấu hình mọi thứ cho PIX . ð Tất cả câu lệnh sử dụng ở hai mode unprivileged và privileged đều có thể được sử dụng ở mode này . Trước khi vào cấu hình sử dụng show run command để xem cấu hình mặc định của PIX . access-group aclout in interface inside conduit permit tcp host 209.162.1.10 eq www any conduit permit tcp host 209.162.1.9 eq www any conduit permit tcp host 209.162.1.9 eq telnet any conduit. aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server. skinny 2000 names access-list aclout deny tcp any any eq www access-list aclout permit tcp 10.10.10.0 255.255.255.0 host 209.162.1.2 eq telnet access-list aclout permit tcp host 10.10.10.10