mds, posted April 25, 2007: Bro, I've changed it, still doesn't work. One more thing: on the router, I don't really understand it either, but on its LAN interface it uses RIP 1, and then there's both/none... what is that RIP thing? Do I need to adjust anything on the router? Let's leave the DHCP thing for now.
crypto.md5, posted April 25, 2007: By default, nothing needs adjusting on the router. I did one for a company today; they use an Aztech DSL600EU, the modem IP is 10.1.1.1/8, so I reserved 10.1.1.2 for the outside interface. Small company, just to establish a VPN to their HQ. So I configured the PIX at my office, not at their place; once I finished setting up the PIX, I brought it to their place, just plug and play with the PIX I had configured, and automatically the PCs behind it could access the internet and the VPN was established successfully. That's because I already knew their modem/router IP was 10.1.1.1. Here's the config for your reference; how come your PIX isn't working?

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xx encrypted
    passwd xx encrypted
    hostname xxxx
    domain-name xxxx
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip host 192.168.1.9 192.168.100.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list 100 permit ip host 192.168.1.2 192.168.100.0 255.255.255.0
    access-list 100 permit ip host 192.168.1.11 192.168.100.0 255.255.255.0
    access-list acl_in deny ip any any
    access-list acl_in deny tcp any any
    access-list acl_in deny udp any any
    access-list acl_in deny icmp any any
    access-list outbound permit tcp host 192.168.1.2 any eq smtp
    access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq smtp
    access-list outbound permit ip any any
    access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq 6891
    access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq 1544
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.1.1.2 255.0.0.0
    ip address inside 192.168.1.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit name attackpolicy attack action alarm
    ip audit name informationpolicy info action alarm drop
    ip audit interface outside informationpolicy
    ip audit interface outside attackpolicy
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.100.1-192.168.100.254
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list 100
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    access-group acl_in in interface outside
    access-group outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 192.168.1.2 timeout 5 protocol TCP version 1
    filter url except 192.168.1.110 255.255.255.255 0.0.0.0 0.0.0.0
    filter url except 192.168.1.3 255.255.255.255 0.0.0.0 0.0.0.0
    filter url except 192.168.1.2 255.255.255.255 0.0.0.0 0.0.0.0
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    http server enable
    http 192.168.1.9 255.255.255.255 inside
    snmp-server host inside 192.168.1.2
    no snmp-server location
    no snmp-server contact
    snmp-server community xxx
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map to-penang 10 ipsec-isakmp dynamic dynmap
    crypto map to-penang client configuration address initiate
    crypto map to-penang client configuration address respond
    crypto map to-penang client authentication LOCAL
    crypto map to-penang interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup xxx address-pool vpnpool
    vpngroup xxx split-tunnel 100
    vpngroup xxx idle-time 5400
    vpngroup xxx password ********
    telnet 192.168.1.2 255.255.255.255 inside
    telnet timeout 60
    ssh timeout 5

RIP on the outside interface has nothing to do with it, because your PIX outside interface isn't public, it's private. Try exploring that modem/router further; if something's not right, let me know. Or... is the IP 192.168.1.2 already in use? ehehe
mds, posted April 26, 2007: Bro, the config you gave, I don't understand all of it, especially the access-list part, hehe. I was thinking of learning that from you, but I can't even get a basic connection through... damn. Configure at the office, install at the scene, and it just works, eh? Powerful. Do you think there's any command to enable the PIX outside interface? Did I miss something? I want to ask a few things while adding to my knowledge: global (outside) 10 interface <-- tell me a bit about this, along with NAT. filter url except 192.168.1.110 255.255.255.255 0.0.0.0 0.0.0.0 <-- what does this mean, and what is filter used for? Then about the router/modem: this thing can do firewall/NAT/routing and who knows what else... do you think it's related? The IP 192.168.1.2 isn't being used by anyone, I'm sure; my boss assured me too, hehe.
prontoxp, posted April 26, 2007: If you ask my opinion... before you fix the PIX with the whole network, better test that modem first. Bridge mode with PPPoE/PPPoA must PASS. I've been hit twice with this modem: however the customer set it, it couldn't get out to the internet, even after resetting it. It wasn't broken; I was just puzzled why there's an option in there, Using Default Route = NO
mds, posted April 26, 2007: prontoxp, actually, the internet is there. Right now all the PCs go directly to that router. So now I want to install this firewall; before that I want to test first. I'm not connecting it directly to the router; I put it on the switch first. But that's the problem: when I do that, with my outside interface as it is now, when I try pinging any PC through the outside port, it fails. The inside is fine. One more thing: what needs to be done on the modem? Default route is all yes; PPPoE should be OK too, otherwise there'd be no internet, right? Hmm... or is there something simple I haven't done... huhu, embarrassing.
prontoxp, posted April 26, 2007 (quoting mds's post above): It's a bit hard for me to understand... but the network diagram is probably the same as mine... in a bit I'll give you the firewall diagram at the office.
crypto.md5, posted April 26, 2007: Yes, brother Pronto is here; try testing the modem first. Sorry, I'm busy looking for my lost coffee cup, hehehe.

"Do you think there's any command to enable the PIX outside interface? Did I miss something?" Based on the show interface you gave, every protocol is up; if the PIX outside weren't enabled, it would say 'down'.

"global (outside) 10 interface <-- tell me a bit about this, along with NAT." nat (inside) 10 0.0.0.0 0.0.0.0 0 0: why is there a 10? Think of it as its identity: if global is 10, nat is 10 too; if 1, nat is 1 too, and so on. Global creates which IP to use for NAT from inside. In your case it's called PAT: it uses just one global address, 192.168.1.2, and the PCs behind it use that address to get out. 192.168.1.2 is its outside interface, right? That's why it's global (outside) 10 interface.

"filter url except 192.168.1.110 255.255.255.255 0.0.0.0 0.0.0.0" url-server (inside) vendor websense host 192.168.1.2 timeout 5 protocol TCP version 1: this company has Websense, so the PIX links with that Websense to work together.

"Then about the router/modem: this thing can do firewall/NAT/routing and who knows what else... do you think it's related?" Going by that, it really has nothing to do with it; like my customer, their modem is a DSL600EU, everything on default settings, and the PIX still operates... or... is the switch port where the outside interface is connected the problem?
mds, posted April 26, 2007: Is it hard to understand? Adeh... how to put it... my office has internet: router <--- switch1 <--- PC ... that's how it is now. As for the firewall, I put it like this: router <---- switch1 <---- pix firewall <--- switch2 <-- my PC. For now all the PCs connect to switch1, and all the PCs have internet, except whichever is connected to switch2. Only my PC is on switch 2, for experimenting, which keeps failing, hehe. OK? Understand?
gegule, posted April 26, 2007: I think maybe you're the one who doesn't understand? Because crypto's network diagram design is exactly like what you described, isn't it?
crypto.md5, posted April 26, 2007 (edited): Yes, I do understand, ehehe, refer back. If that's the case, you need to enable syslog to see what's actually happening:

    firewall(config)#logging on
    firewall(config)#logging monitor debugging
    firewall(config)#logging buffered debugging
    ! Then, for the PC on switch 2..
    firewall(config)#telnet 10.0.0.2 255.0.0.0
    firewall(config)#password 12345
    ! On your PC: click Run > type > telnet 10.0.0.1 > and enter password 12345, go into global mode
    firewall(config)#terminal monitor
    ! From the PC on switch 1, try pinging the pix outside interface
    ! Watch the log in terminal monitor, what comes out...
    ! Before that, open all ports
    firewall(config)#access-list inbound permit ip any any
    firewall(config)#access-list inbound permit tcp any any
    firewall(config)#access-group inbound in interface outside
    firewall(config)#access-list outbound permit ip any any
    firewall(config)#access-list outbound permit tcp any any
    firewall(config)#access-group outbound in interface inside
    firewall(config)#icmp permit any outside
    firewall(config)#icmp permit any inside

Edited April 26, 2007 by crypto.md5
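As an added example (not code from any post in this thread): a small Python triage of the syslog output that the post above asks the reader to watch in terminal monitor. The point it makes is the one this thread ends on: with logging at debugging level, a PIX that receives a packet on outside logs something about it (an ACL deny, a to-the-box ICMP deny, a missing xlate, or a built connection), so if the switch1 PC pings the outside address and nothing at all is logged for outside, the problem is below the ACL/NAT config (port, cable, speed/duplex). The log lines are constructed to follow PIX 6.3 message formats, not captured from a real firewall; the addresses (outside 192.168.1.2, inside 10.0.0.1, test PC 10.0.0.2, switch1 PC 192.168.1.9) and the two-interface PIX are assumptions taken from the thread.

```python
"""Triage PIX 6.x syslog lines: is anything arriving on an interface, and why is it dropped?

Added example for this thread, not from the original posts. SAMPLE_LOG is
constructed to match PIX 6.3 message formats; it was not captured from a real
box. Assumes a two-interface PIX (inside/outside) as in the thread.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%PIX-3-313001: Denied ICMP type=8, code=0 from 192.168.1.9 on interface outside
%PIX-4-106023: Deny icmp src outside:192.168.1.9 dst inside:10.0.0.2 (type 8, code 0) by access-group "acl_in"
%PIX-4-106023: Deny tcp src outside:192.168.1.9/3211 dst inside:10.0.0.2/445 by access-group "acl_in"
%PIX-3-305005: No translation group found for icmp src outside:192.168.1.9 dst inside:10.0.0.2 (type 8, code 0)
%PIX-6-302013: Built outbound TCP connection 7 for outside:192.168.1.9/80 (192.168.1.9/80) to inside:10.0.0.2/1034 (192.168.1.2/1034)
%PIX-6-302014: Teardown TCP connection 7 for outside:192.168.1.9/80 to inside:10.0.0.2/1034 duration 0:00:03 bytes 1420 TCP FINs
"""

HEADER = re.compile(r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
ADDR = r"[\d.]+(?:/\d+)?"  # address with optional /port

# Body patterns for the message IDs that say which interface a packet arrived
# on and what the PIX did with it. Any other ID is kept as action "other".
BODY = {
    # ping to the PIX's own address refused: needs "icmp permit ... outside"
    "313001": (re.compile(r"Denied ICMP type=\d+, code=\d+ from (?P<src>[\d.]+) on interface (?P<iface>\w+)"),
               "icmp-to-box-deny"),
    # dropped by the access-group bound to the ingress interface
    "106023": (re.compile(r"Deny \w+ src (?P<iface>\w+):(?P<src>" + ADDR + r") dst \w+:" + ADDR
                          + r'.*? by access-group "(?P<acl>[^"]+)"'), "acl-deny"),
    # inbound packet with no static/xlate that could map it to an inside host
    "305005": (re.compile(r"No translation group found for \w+ src (?P<iface>\w+):(?P<src>" + ADDR
                          + r") dst \w+:" + ADDR), "no-xlate"),
    # connection permitted; listed as "for <lower-security if> to <higher-security if>"
    "302013": (re.compile(r"Built (?P<direction>inbound|outbound) TCP connection \d+ for (?P<low_if>\w+):(?P<low>"
                          + ADDR + r") \(" + ADDR + r"\) to (?P<high_if>\w+):(?P<high>" + ADDR + r")"), "built"),
}


def parse_pix_log(text):
    """Turn raw syslog text into event dicts: msgid, sev, action, iface (ingress), src."""
    events = []
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue  # prompts, blank lines, console noise
        event = {"msgid": head["msgid"], "sev": int(head["sev"]),
                 "action": "other", "iface": None, "src": None}
        if head["msgid"] in BODY:
            regex, action = BODY[head["msgid"]]
            m = regex.match(head["body"])
            if m:
                event["action"] = action
                if action == "built":
                    # an outbound connection entered on the high-security side
                    inbound = m["direction"] == "inbound"
                    event["iface"] = m["low_if"] if inbound else m["high_if"]
                    event["src"] = (m["low"] if inbound else m["high"]).split("/")[0]
                else:
                    event["iface"] = m["iface"]
                    event["src"] = m["src"].split("/")[0]
        events.append(event)
    return events


BLOCKED = {"acl-deny", "icmp-to-box-deny", "no-xlate"}


def diagnose(events, iface="outside"):
    """Return (status, reasons) for one interface.

    "silent":  nothing logged for that interface at all; look at layer 1/2 first
    "blocked": packets arrive but every one is refused; reasons counts why
    "passing": at least one connection was built through that interface
    """
    seen = [e for e in events if e["iface"] == iface]
    if not seen:
        return "silent", {}
    reasons = dict(Counter(e["action"] for e in seen if e["action"] in BLOCKED))
    if any(e["action"] == "built" for e in seen):
        return "passing", reasons
    return "blocked", reasons


if __name__ == "__main__":
    evs = parse_pix_log(SAMPLE_LOG)
    for name in ("outside", "inside"):
        print(name, diagnose(evs, name))
```

Paste the output of show logging (or the terminal monitor session) into SAMPLE_LOG's place. A "blocked" verdict means the config is what to fix, and the reason counts say whether it is the outside access-group, the missing icmp permit, or the lack of a static for the inside host; a "silent" verdict while the switch1 PC is actively pinging is the hardware answer this thread eventually reached.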
maxxlinx, posted April 26, 2007: I've followed what brother crypto told me to do... still doesn't work. crypto, I've sent my diagram through brother pronto, because I haven't explored how to upload here yet... or don't know how yet. OK, I'm a.k.a. mdshah; I'm using my boss's PC, hehe, he's logged in here.
mds, posted April 26, 2007: I'm still motivated..
crypto.md5, posted April 26, 2007: Hehehe, sorry bro, got logged out of the YM conference earlier, lousy switch, kehkehkeh. OK, do you have another modem/router? If not, get Pronto to dig around the back of his storeroom and lend you one... kehkehkeh
mds, posted April 27, 2007: Another MODEM ROUTER... OK... to do the DHCP thing? Maybe there is one; I'll ask my boss. Is connecting just to its LAN port enough?
crypto.md5, posted April 27, 2007: You can try using just a router; as long as you can access that router from the PIX inside, that's success. I've asked a Cisco engineer; he said to try a different router (different brand), because saying the outside port is broken doesn't seem right either, since there's no error message at bootup, right? Try another router first.
mds, posted April 27, 2007: OK, my boss is in this afternoon. This afternoon I'll do the DHCP. There's one more router, if I'm not mistaken. I'll update again this afternoon. What else do you want me to do, crypto? Besides DHCP? My boss seems fed up with this thing already... but I'm motivated... heh
crypto.md5, posted April 27, 2007: For now, I'll wait for your result using another router.
mds, posted April 27, 2007: OK, I'll let you know later. My boss is busy; I want to ask him to get the spare router from the server room. I can't go in there myself, being the new guy here... people might talk.
mds, posted April 27, 2007: Yo crypto, I haven't done the DHCP yet. I'll post once I've done it.
crypto.md5, posted April 27, 2007: Hehehe, take your time boy... don't keep pressuring yourself
mds, posted April 30, 2007: Yo bro, sorry for taking so long to reply. Saturday and Sunday I just stayed home; no internet at home. I've done the DHCP thing... the result is rubbish too. How come? I think my DHCP is OK; I tested on a PC too, manually obtaining... it works on my PC. I used a wireless router, for the DHCP. I set my outside interface to 100full; when set to auto it doesn't detect. Then on this router, it just keeps blinking. So, what do you think?
crypto.md5, posted April 30, 2007: Huh, DHCP can't be received? Aiseh, man. When you did firewall(config)#ip address outside dhcp setroute, what error message came out? It should show dots ..... until it receives an IP, then success.
mds, posted April 30, 2007: After discussing with bro crypto and prontoxp, it is hereby declared: my PIX's port is broken. My boss happened to see the conference at the time, and proudly the word "dispose" was thrown out. This topic can probably be closed... but I still want to learn how to write rules. Can I, crypto?
crypto.md5, posted May 2, 2007: If you're going to dispose of it, don't dispose of it anywhere else, dispose of it to me, kehkehkeh. That PIX is worth RM4xxx, such a waste... Its NIC is built in; if it were a PIX 515 series or above, you could just swap the NIC. Learn rules? Sure... if you've ever handled a Cisco router, it should be no problem for you.
mds, posted May 3, 2007: Yo, it's been a while since I looked in here... well, not that long, just 2 days; it was a holiday. Turns out this PIX got disposed of to my boss too; damn boss. Cisco router? I've used one, but ACLs, a bit less so. When can we start? hehe. How about opening a new topic, since under this firewall topic it doesn't seem to fit. Who knows, someone else might want to learn along with me. This one can be closed; I've copied all the code.