As knowledge of networking spreads, the security of company and enterprise networks becomes more important.
One of the most reliable basic measures is to add a dedicated firewall.
Here I describe how the router configuration changes before and after a firewall is added. Without a firewall, the router played two roles: it selected routes, and it was also the LAN's default gateway (and, in the configuration below, the NAT device as well).
Once the firewall is in place, the LAN's default gateway is set to the firewall's LAN-side (inside) IP address. In the configurations below the firewall's inside address is 192.168.1.1, the address the router's Ethernet0 used to have, so the hosts on the LAN keep their existing gateway setting.
To change the routing, first look at the network's topology.
The topology I am describing is the following:
Figure 1
1. First, log in to the router and back up the existing configuration. You may never need this backup, but what if the firewall installation fails?
Figure 2
Below is the router configuration before the firewall was installed. Annotations in parentheses are mine. Note that "show config" displays the saved startup configuration; use "show running-config" to see what is currently in effect.

User Access Verification
Password:  (enter the Telnet password; if you came in through the console port this prompt does not appear)
Router>en
Password:
Router#show config  (command to display the router configuration)
Using 810 out of 7506 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption  (line and enable passwords are stored in clear text)
!
hostname Router  (router name; still the default, Router)
!
enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0.
enable password 123456789  (privileged-mode password; it is NOT encrypted here: only the enable secret above is stored as a hash, and once an enable secret is set this enable password is ignored and should be removed)
!
ip subnet-zero
!
interface Ethernet0  (LAN-side interface E0)
 ip address 192.168.1.1 255.255.255.0  (E0's address on the LAN is 192.168.1.1; 255.255.255.0 is a class C, /24, mask)
 ip nat inside  (E0 is the NAT inside interface)
!
interface Ethernet1  (E1 is not enabled and not configured)
 no ip address
 shutdown
!
interface Serial0
 bandwidth 2048
 ip address 211.97.213.41 255.255.255.252  (the router's external interface; this is the public Internet address on the ISP link, a /30)
 ip nat outside  (Serial0 is the NAT outside interface)
 encapsulation ppp
!
ip nat pool 165 211.97.213.41 211.97.213.46 netmask 255.255.255.248  (the addresses the ISP assigned to you; as shown, the pool starts at the Serial0 address itself)
ip nat inside source list 1 pool 165 overload  (PAT: inside hosts matched by access-list 1 are translated to addresses from the pool)
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0  (default route out the serial link)
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255  (the LAN, written with a wildcard mask)
!
line con 0
 transport input none
line vty 0 1
 password 123456  (Telnet line password, also stored in clear text)
 login
!
end
Router#

2. Install the firewall as shown in Figure 1.
Move the cable that ran from the router to the switch: the router now connects to the firewall's outside interface (ethernet0, as named in the PIX configuration below), and the firewall's inside interface (ethernet1, which carries the 192.168.1.1 inside address) connects to the switch.
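Before touching the cables, it is worth checking that the new address plan is consistent. The following Python script is an added example, not part of the original article: it takes the addresses from the router and PIX configurations in steps 2 and 3 (the 211.97.213.40/29 shared by the router's Ethernet0 and the PIX outside interface, the PIX default route, the PAT address, and the inside address that replaces the router's old LAN address) and checks them with the standard ipaddress module. It also checks the pre-firewall NAT pool from step 1 against the Serial0 address. The function names are my own.

```python
"""Check the addressing of the router -> PIX -> switch design in this article.

Added example, not code from the original article. The addresses are the
ones shown in the router and PIX listings; the function names are mine.
"""
import ipaddress


def link_problems(router_e0, pix_outside, pix_default_gw, pat_address):
    """Return a list of problems on the router<->PIX link ([] if consistent).

    Arguments are strings as written in the configs: interfaces as
    "addr/prefix", the PIX default gateway and the PAT address as plain IPs.
    """
    r = ipaddress.ip_interface(router_e0)
    p = ipaddress.ip_interface(pix_outside)
    gw = ipaddress.ip_address(pix_default_gw)
    pat = ipaddress.ip_address(pat_address)
    net = r.network
    problems = []
    if p.network != net:
        problems.append(f"PIX outside {p} is not on the router's subnet {net}")
    if gw != r.ip:
        problems.append(f"PIX default route next hop {gw} is not the router address {r.ip}")
    if pat not in net:
        problems.append(f"PAT address {pat} is not in {net}; the router would not route replies to it")
    for a in (r.ip, p.ip, pat):
        if a in (net.network_address, net.broadcast_address):
            problems.append(f"{a} is the network or broadcast address of {net}")
    if len({r.ip, p.ip, pat}) != 3:
        problems.append("router, PIX outside and PAT address must be three distinct addresses")
    return problems


def lan_gateway_unchanged(old_router_lan, new_pix_inside):
    """True when the firewall takes over exactly the address hosts already use as gateway."""
    return ipaddress.ip_interface(old_router_lan) == ipaddress.ip_interface(new_pix_inside)


def pool_contains_interface(pool_start, pool_end, interface_addr):
    """True if a NAT pool range includes the address of the interface itself
    (the pre-firewall pool 165 does: it starts at the Serial0 address)."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return start <= ipaddress.ip_address(interface_addr) <= end


if __name__ == "__main__":
    # Values copied from the listings in this article.
    print(link_problems("211.97.213.41/29", "211.97.213.44/29", "211.97.213.41", "211.97.213.45"))
    print(lan_gateway_unchanged("192.168.1.1/24", "192.168.1.1/24"))
    print(pool_contains_interface("211.97.213.41", "211.97.213.46", "211.97.213.41"))
```

An empty list from link_problems means the /29 between router and firewall is usable as written; lan_gateway_unchanged confirms whether LAN hosts can keep their gateway setting; pool_contains_interface shows the overlap in the step 1 pool, which is the kind of detail that is easy to miss when reading a flat listing.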
Figure 3
Enter router configuration mode and change the router configuration to the following (annotations in parentheses are mine):

Using 942 out of 7506 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption  (now turned on; the listing still shows the passwords in clear text, which is inconsistent, and on a real device they would appear as type 7 strings, which are trivially reversible anyway)
!
hostname router
!
enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0
enable password 123455676  (still redundant with the enable secret; remove it)
!
!
ip subnet-zero
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp
 ! Incomplete  (IOS's own marker: the map has no peer and is not applied to any interface)
 set transform-set test
 match address 100
interface Ethernet0  (now faces the firewall; a public /29 shared with the PIX outside interface)
 ip address 211.97.213.41 255.255.255.248
interface Ethernet1
 no ip address
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 shutdown
interface Serial0
 description internet
 bandwidth 2048
 ip address 211.97.209.145 255.255.255.252
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server  (was "no ip http server" before; the router does not need a web server facing the Internet, so keep it off)
!
route-map nonat permit 10
 match ip address 110
!
line con 0
 transport input none
line vty 0 4
 password 123456
 login
!
end

A few things to notice about the new router configuration. The router no longer translates addresses: there is no "ip nat inside source" statement, so the "ip nat inside" on the shut-down Ethernet1, the "ip nat outside" on Serial0 and the nonat route-map are inert, which is correct because the PIX now performs NAT. Access lists 100 and 110 are referenced but do not appear in the listing, and the crypto map is incomplete, so no IPsec tunnel is terminated on the router. The router's job is now simply to route the 211.97.213.40/29 block between the Internet and the firewall.

3. Now you can configure the firewall. The firewall configuration is as follows (annotations in parentheses are mine):

PIX Version 5.1(2)
nameif ethernet0 outside security0  (ethernet0 faces the router, security level 0)
nameif ethernet1 inside security100  (ethernet1 faces the switch and the LAN, security level 100)
nameif ethernet2 pix/intf2 security10
hostname imrac_c_pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
access-list 100 permit ip 192.168.1.1 255.255.255.0 192.168.0.0 255.255.255.0  (PIX access lists use subnet masks, not wildcards; the intent is the whole 192.168.1.0/24 LAN)
access-list 100 permit ip 192.168.1.1 255.255.255.0 192.100.0.0 255.255.255.0  (traffic to these two remote networks goes through the IPsec tunnel and is exempted from NAT)
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap  (logging is "on" but every output is disabled, so nothing is recorded; enable at least "logging buffered" or "logging trap" to a syslog host)
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu pix/intf2 1500
ip address outside 211.97.213.44 255.255.255.248  (same /29 as the router's Ethernet0)
ip address inside 192.168.1.1 255.255.255.0  (the LAN's default gateway, the address the router used to have)
ip address pix/intf2 127.0.0.1 255.255.255.255
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address pix/intf2 0.0.0.0
arp timeout 14400
global (outside) 1 211.97.213.45 netmask 255.255.255.248  (all other inside traffic is PATed to this address)
nat (inside) 0 access-list 100  (no translation for tunnel traffic matched by access-list 100)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0  (everything else uses global pool 1)
route outside 0.0.0.0 0.0.0.0 211.97.213.41 1  (default route to the router's Ethernet0)
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public  (the default community string; change it or disable SNMP)
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec  (decrypted IPsec traffic bypasses the interface access lists)
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address 100
crypto map vpnmap 40 set transform-set trans  (no "set peer" appears in the listing, so as shown the map cannot bring a tunnel up)
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share  (no "isakmp key" line appears in the listing either)
isakmp policy 1 encryption des  (DES, MD5 and DH group 1 are weak by today's standards)
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.1.88 255.255.255.255 inside  (management over Telnet is limited to the single inside host 192.168.1.88)
telnet timeout 5
terminal width 80
Cryptochecksum:7fd10854228b7e32b2808508f49a65a7
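The listings above contain several settings a reviewer would flag: a redundant clear-text enable password, Telnet-only vty lines with a shared password and no access-class, "ip http server" turned on in the new router configuration where it was off before, a crypto map with no peer, the default SNMP community string on the PIX, logging that is switched on but has every destination disabled, and DES, MD5 and group 1 for ISAKMP. The following Python script is an added example, not code from the original article: it runs simple checks over excerpts copied from the three listings and reports which router findings are new after the change. The finding names and the checks are mine and cover only what these listings contain.

```python
"""Flag risky settings in the IOS and PIX listings shown in this article.
Added example, not from the original article: the excerpts are copied from
the listings above; the finding names and the checks are mine."""
import re

ROUTER_BEFORE = """\
no service password-encryption
enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0.
enable password 123456789
no ip http server
line vty 0 1
 password 123456
 login
"""
ROUTER_AFTER = """\
service password-encryption
enable secret 5 $1$FreK$4oQGtvDEF1jv8dh3NNXnN0
enable password 123455676
crypto map vpnmap 1 ipsec-isakmp
 set transform-set test
 match address 100
ip http server
line vty 0 4
 password 123456
 login
"""
PIX = """\
logging on
no logging buffered
snmp-server community public
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 set transform-set trans
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""


def ios_blocks(text):
    """Split an IOS config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ios(text):
    """Return the set of finding names for a router config."""
    blocks = ios_blocks(text)
    heads = [h for h, _ in blocks]
    found = set()
    if any(h.startswith("enable secret ") for h in heads) and any(h.startswith("enable password ") for h in heads):
        found.add("enable-password-redundant")  # enable secret wins; the extra line only leaks a password
    if "no service password-encryption" in heads:
        found.add("cleartext-passwords")
    if "ip http server" in heads:
        found.add("http-server-enabled")
    for head, subs in blocks:
        if head.startswith("line vty"):
            if any(s.startswith("password ") for s in subs) and "transport input ssh" not in subs:
                found.add("vty-telnet-password")  # shared line password, reachable over Telnet
            if not any(s.startswith("access-class ") for s in subs):
                found.add("vty-unrestricted")  # no source restriction on management logins
        if head.startswith("crypto map ") and head.endswith(" ipsec-isakmp"):
            if not any(s.startswith("set peer ") for s in subs):
                found.add("crypto-map-no-peer")  # what IOS prints as "! Incomplete"
    return found


def audit_pix(text):
    """Return the set of finding names for a PIX config (flat command lines)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    found = set()
    if any(l.startswith("snmp-server community public") for l in lines):
        found.add("snmp-default-community")
    outputs = ("buffered", "trap", "console", "monitor")
    if "logging on" in lines and not any(l.startswith(f"logging {o}") for l in lines for o in outputs):
        found.add("logging-no-destination")  # "no logging X" lines are not destinations
    weak = {"encryption des": "isakmp-des", "hash md5": "isakmp-md5", "group 1": "isakmp-dh-group1"}
    for l in lines:
        if l.startswith("isakmp policy "):
            found.update(name for frag, name in weak.items() if l.endswith(" " + frag))
    maps = {}
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", l)
        if m:
            maps.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
    for parts in maps.values():
        if "ipsec-isakmp" in parts and not any(p.startswith("set peer ") for p in parts):
            found.add("crypto-map-no-peer")
    return found


def regressions(before, after):
    """Findings present after the change that were absent before."""
    return audit_ios(after) - audit_ios(before)
```

regressions(ROUTER_BEFORE, ROUTER_AFTER) isolates what got worse in the router change, and audit_pix(PIX) lists the firewall findings. Keeping an audit of the backup taken in step 1 next to an audit of the new configuration is the simplest way to make a regression like the re-enabled HTTP server visible at a glance.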