
Cisco PIX Firewall Configuration with Annotations: Complete Guide [1]

2008-04-09 12:27:16  Author: IT动力源  Source: compiled by IT动力源  Views: 0
Keyword: Cisco certification

  : Saved

  :

  PIX Version 6.3(1)

  interface ethernet0 auto    Set interface 0 speed and duplex to auto-negotiate

  interface ethernet1 100full    Set interface 1 to 100 Mbps full duplex

  interface ethernet2 auto    Set interface 2 speed and duplex to auto-negotiate

  nameif ethernet0 outside security0    Name interface 0 "outside" with security level 0

  nameif ethernet1 inside security100    Name interface 1 "inside" with security level 100

  nameif ethernet2 dmz security50    Name interface 2 "dmz" with security level 50

  The security levels drive the PIX default policy: a connection may be initiated from a higher level to a lower one (inside to dmz, inside to outside, dmz to outside) without any further rule, while traffic from a lower level to a higher one is dropped unless an access-list (or, on older configs, a conduit) explicitly permits it.

  enable password Dv0yXUGPM3Xt7xVs encrypted    Privileged-mode (enable) password

  passwd 2KFQnbNIdI.2KYOU encrypted    Login password for Telnet/SSH sessions

  hostname hhyy    Set the firewall hostname

  The "encrypted" strings are PIX 6.x MD5 password hashes; they are unsalted and quick to brute-force offline, so once a configuration has been published like this one, both passwords should be considered exposed and changed.

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol ils 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  no fixup protocol skinny 2000

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  The fixup commands control the PIX application inspection engines: each one lets you view, change, enable or disable inspection of a protocol passing through the firewall. Inspection does more than open a port. It parses the application payload, opens the secondary channels that some protocols negotiate on the fly (the FTP data connection, H.323 and SIP media streams), and rewrites addresses embedded in the payload when NAT is in use. Most of the entries listed here are the defaults shipped with PIX 6.3; the only explicit change is "no fixup protocol skinny 2000", which turns Skinny (SCCP) inspection off. A service running on a non-default port, such as an Oracle listener that is not on 1521, is not inspected until its own line (for example "fixup protocol sqlnet <port>") is added.

  names

  access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.170.0 255.255.255.0

  access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0

  access-list 101 permit ip 192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0

  access-list 101 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0

  Access list 101 permits IP traffic from specific internal subnets to certain destination subnets. Note that the destinations 192.168.170.0/24 and 192.168.180.0/24 are the same ranges as the hhyy and yy address pools defined further down with ip local pool; the command that binds list 101 to an interface or to a NAT rule is not in this part of the configuration.

  access-list 120 deny icmp 192.168.2.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.3.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.4.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.5.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.6.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.7.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.8.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.9.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.10.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.11.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.12.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.13.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.14.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.15.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.16.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.17.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.18.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.19.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.20.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.21.0 255.255.255.0 any

  access-list 120 deny icmp 192.168.22.0 255.255.255.0 any

  access-list 120 deny udp any any eq netbios-ns

  access-list 120 deny udp any any eq netbios-dgm

  access-list 120 deny udp any any eq 4444

  access-list 120 deny udp any any eq 1205

  access-list 120 deny udp any any eq 1209

  access-list 120 deny tcp any any eq 445

  access-list 120 deny tcp any any range 135 netbios-ssn

  access-list 120 permit ip any any

  Access list 120 denies ICMP sourced from each of the 192.168.2.0/24 through 192.168.22.0/24 subnets, denies the NetBIOS name and datagram services (UDP 137 and 138), UDP 4444, 1205 and 1209, SMB over TCP 445 and the TCP range 135 through netbios-ssn (135-139), and then permits everything else. Its stated purpose is to contain the Blaster worm (冲击波), which spreads through the RPC/DCOM service on TCP 135. Three things to check before relying on it: PIX access lists are evaluated top down with the first matching entry winning and an implicit deny at the end, so the closing "permit ip any any" is the only reason any other traffic passes; Blaster's remote shell listens on TCP 4444, while this list only denies UDP 4444, so that channel is not blocked; and the access-group command that applies list 120 to an interface is not shown in this part, so as printed the list has no effect yet.
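  To make the first-match behaviour of list 120 and the security-level default concrete, here is a small evaluator. It is an added example, not code from the original article or from Cisco. It embeds the nameif lines and a representative subset of access-list 120 copied from the configuration above as constructed input, parses them the way the PIX reads them (subnet masks rather than prefix lengths, port keywords such as netbios-ssn, "eq" and "range" operators), and answers what the list permits or denies for a given flow. The binding of list 120 to an interface is not shown in this part of the config, so the evaluator reports what the list would do, not where it applies; the flows it tests are invented for illustration.

```python
"""Mini evaluator for the PIX 6.3 nameif and access-list lines shown above.

Added example, not from the original article. Constructed input: the nameif
lines and a subset of access-list 120 copied from the configuration.
Semantics implemented: first matching entry wins, implicit deny at the end.
"""
import ipaddress
from typing import NamedTuple, Optional

NAMEIF_LINES = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
"""

# Two of the 21 per-subnet ICMP entries are kept; the rest are identical in form.
ACL_LINES = """
access-list 120 deny icmp 192.168.2.0 255.255.255.0 any
access-list 120 deny icmp 192.168.22.0 255.255.255.0 any
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 4444
access-list 120 deny udp any any eq 1205
access-list 120 deny udp any any eq 1209
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any range 135 netbios-ssn
access-list 120 permit ip any any
"""

# Port keywords the PIX accepts in place of numbers (only those used above).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


class Flow(NamedTuple):
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None


def security_levels(text: str) -> dict:
    """Map interface name -> security level from nameif lines."""
    levels = {}
    for line in text.split("\n"):
        parts = line.split()
        if len(parts) == 4 and parts[0] == "nameif":
            levels[parts[2]] = int(parts[3][len("security"):])
    return levels


def asa_default_allows(levels: dict, src_if: str, dst_if: str) -> bool:
    """PIX default: a connection may be initiated from a higher security level
    to a lower one; lower-to-higher (and equal, in 6.3) needs an access-list."""
    return levels[src_if] > levels[dst_if]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks, i):
    """Parse 'any', 'host A' or 'A MASK' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _take_ports(toks, i):
    """Optional port operator; only eq and range occur in the list above."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i


def parse_acl(text: str, name: str) -> list:
    rules = []
    for line in text.split("\n"):
        toks = line.split()
        if toks[:2] != ["access-list", name]:
            continue
        action, proto = toks[2], toks[3]
        src, i = _take_addr(toks, 4)
        sports, i = _take_ports(toks, i)   # a source-port operator may precede dst
        dst, i = _take_addr(toks, i)
        dports, i = _take_ports(toks, i)
        rules.append((action, proto, src, sports, dst, dports))
    return rules


def _port_in(rng, port) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def _matches(rule, flow: Flow) -> bool:
    action, proto, src, sports, dst, dports = rule
    if proto != "ip" and proto != flow.proto:
        return False
    if (ipaddress.ip_address(flow.src) not in src
            or ipaddress.ip_address(flow.dst) not in dst):
        return False
    if flow.proto in ("tcp", "udp"):
        return _port_in(sports, flow.sport) and _port_in(dports, flow.dport)
    return True


def evaluate(rules: list, flow: Flow) -> str:
    """First match wins; an access-list with no matching entry denies."""
    for rule in rules:
        if _matches(rule, flow):
            return rule[0]
    return "deny"


LEVELS = security_levels(NAMEIF_LINES)
RULES = parse_acl(ACL_LINES, "120")

if __name__ == "__main__":
    print("inside -> dmz by default:", asa_default_allows(LEVELS, "inside", "dmz"))    # True
    print("outside -> dmz by default:", asa_default_allows(LEVELS, "outside", "dmz"))  # False
    probes = [  # constructed flows; 10.1.1.1 stands in for an outside host
        ("TCP 135, RPC/DCOM (Blaster entry)", Flow("tcp", "192.168.1.10", "10.1.1.1", dport=135)),
        ("TCP 4444, Blaster shell", Flow("tcp", "192.168.1.10", "10.1.1.1", dport=4444)),
        ("UDP 4444, what the list denies", Flow("udp", "192.168.1.10", "10.1.1.1", dport=4444)),
        ("ICMP from a listed subnet", Flow("icmp", "192.168.2.5", "10.1.1.1")),
    ]
    for label, flow in probes:
        print(f"{label}: {evaluate(RULES, flow)}")   # deny, permit, deny, deny
```

  Running it shows the gap called out above: TCP 135 through 139 and UDP 4444 are denied, but a TCP 4444 connection falls through to "permit ip any any".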

  access-list 110 permit ip 192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0

  pager lines 24

  logging on    Enable syslog message generation

  logging monitor debugging    Show messages up to severity 7 (debugging) in Telnet/SSH sessions

  logging buffered debugging    Keep messages up to severity 7 in the internal buffer

  logging trap notifications    Send only severity 5 (notifications) and more severe messages to the syslog server; connection build and teardown messages are severity 6 and will not reach the server at this level

  mtu outside 1500

  mtu inside 1500

  mtu dmz 1500

  ip address outside 10.1.1.4 255.255.255.224    Set the outside interface address

  ip address inside 192.168.1.254 255.255.255.0    Set the inside interface address

  ip address dmz 192.168.19.1 255.255.255.0    Set the DMZ interface address

  ip audit info action alarm    Built-in IDS signatures: informational signatures only raise a syslog alarm

  ip audit attack action alarm    Attack signatures also only alarm; add drop or reset here if the firewall should actually block them

  ip local pool hhyy 192.168.170.1-192.168.170.254

  Define an address pool named hhyy covering 192.168.170.1-192.168.170.254

  ip local pool yy 192.168.180.1-192.168.180.254

  Define an address pool named yy covering 192.168.180.1-192.168.180.254

  no failover

  failover timeout 0:00:00

  failover poll 15

  no failover ip address outside

  no failover ip address inside

  no failover ip address dmz

  no pdm history enable

  arp timeout 14400



Responsible editor: hefei

Original article: http://exam.itzero.com/2008/0409/17040.html
