I was able to pick up a PIX 515E for my home network. I have it running 8.0(4)28 with Device Manager (ASDM) 6.1(3), which I believe is the latest version it supports with 64 MB RAM / 16 MB flash.
My network is set up as follows:
ISP gateway is 192.168.0.1
My outside is 192.
My dmz is 172.
My inside is 10.
The problem I'm running into is that from the inside I can't do DNS lookups. I can reach outside hosts: I can ping 8.8.8.8, but DNS doesn't work, and nslookups to that same address time out. (The commands work from the outside network.)
When I do a show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 135, drop 0, reset-drop 0
it doesn't show any drops, but I'm not sure whether that's relevant.
Here is the full config:
PIX Version 8.0(4)28
!
hostname pix515e
domain-name MyDomain.com
enable password fTSmleTIquYwO4vv encrypted
passwd 2KFNnbNIdI.4KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.0.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name MyDomain.com
access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
access-list outside-in-acl extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 10 burst-size 5
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 in interface outside
access-group 101 in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.11 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1ddc4bf11598117083299f0bfb98004d
pix515e(config)#
I haven't messed with a PIX in many years, so if I've made other mistakes besides the DNS configuration, please point them out :)
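As an added example (not part of the original post), here is a small evaluator that applies the posted access-list and access-group lines to a flow the way the firewall does: first matching entry wins, and an ACL bound inbound on an interface ends in an implicit deny. It lets you compare what ACL 101 says about an ICMP echo from the inside against a UDP/53 query from the same host; the config text, the 10.0.0.11 source and the 8.8.8.8 destination are constructed sample input, and the qualifier matching is a simplification that only handles ICMP type names and port keywords as they appear in the entry.

```python
import ipaddress

# Constructed input: the access-list and access-group lines from the posted config.
CONFIG = """
access-list outside-in-acl extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo
access-group 101 in interface inside
access-group 101 in interface outside
access-group 101 in interface dmz
"""

def _addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return ({acl_name: [entries]}, {interface: acl_name}) for inbound ACL bindings."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 2 and t[0] == "access-list" and t[2] == "extended":
            action, proto, rest = t[3], t[4], t[5:]
            src, rest = _addr(rest)
            dst, rest = _addr(rest)  # anything left is an ICMP type or port qualifier
            acls.setdefault(t[1], []).append((action, proto, src, dst, rest))
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            bindings[t[4]] = t[1]
    return acls, bindings

def evaluate(acls, bindings, iface, proto, src, dst, qualifier=None):
    """First-match evaluation of the ACL bound inbound on IFACE, implicit deny at the end."""
    acl = bindings.get(iface)
    if acl is None:
        return "no-acl"  # nothing bound: interface security levels decide (not modelled)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, extra in acls.get(acl, []):
        if p in ("ip", proto) and src in s and dst in d and (not extra or qualifier in extra):
            return action
    return "deny"

if __name__ == "__main__":
    print(evaluate(*parse(CONFIG), "inside", "udp", "10.0.0.11", "8.8.8.8", "domain"))  # deny
```

Note that outside-in-acl exists in the config but is never bound with access-group, so parse() lists it under acls while no interface refers to it.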