July 28, 2020

Firewall IPsec rule direction: inbound (rules on the IPsec interface match traffic arriving from the remote site through the tunnel, so the source is the remote subnet and the destination is the local one)

Firewall -> Rules -> IPsec

[SITE A][10.25.100.0/22]
Allow Protocol IPv4 * Source 10.25.112.0/22 Port * to Destination 10.25.100.0/22 Port *

[SITE B][10.25.112.0/22]
Allow Protocol IPv4 * Source 10.25.100.0/22 Port * to Destination 10.25.112.0/22 Port *

Each rule admits only the peer site's subnet as source and only the local subnet as destination. A rule with source "any" on this tab would let anything the remote gateway forwards into the tunnel reach the LAN, so keep the source pinned to the remote subnet even though the phase 2 selectors already limit what the tunnel carries.

Tunnel routing test on node A (10.25.100.3 is the site A firewall's LAN-side address; the static route sends the remote subnet to it)

[A][10.25.100.4]

[root@test ~]# ip route add 10.25.112.0/22 via 10.25.100.3 dev ens7 metric 101 proto static

[root@test ~]# ping -c 4 10.25.100.3
PING 10.25.100.3 (10.25.100.3) 56(84) bytes of data.
64 bytes from 10.25.100.3: icmp_seq=1 ttl=64 time=0.455 ms
64 bytes from 10.25.100.3: icmp_seq=2 ttl=64 time=0.540 ms
64 bytes from 10.25.100.3: icmp_seq=3 ttl=64 time=0.465 ms
64 bytes from 10.25.100.3: icmp_seq=4 ttl=64 time=0.455 ms

--- 10.25.100.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 116ms
rtt min/avg/max/mdev = 0.455/0.478/0.540/0.044 ms
[root@test ~]#
[root@test ~]# ping -c 4 10.25.112.3
PING 10.25.112.3 (10.25.112.3) 56(84) bytes of data.
64 bytes from 10.25.112.3: icmp_seq=1 ttl=63 time=36.0 ms
64 bytes from 10.25.112.3: icmp_seq=2 ttl=63 time=35.9 ms
64 bytes from 10.25.112.3: icmp_seq=3 ttl=63 time=35.9 ms
64 bytes from 10.25.112.3: icmp_seq=4 ttl=63 time=35.9 ms

--- 10.25.112.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 35.860/35.922/36.009/0.145 ms
[root@test ~]#

Tunnel routing test on node B (10.25.112.3 is the site B firewall's LAN-side address)

[B][10.25.112.4]

[root@test2 ~]# ip route add 10.25.100.0/22 via 10.25.112.3 dev ens7 metric 101 proto static

[root@test2 ~]# ping -c 4 10.25.112.3
PING 10.25.112.3 (10.25.112.3) 56(84) bytes of data.
64 bytes from 10.25.112.3: icmp_seq=1 ttl=64 time=0.573 ms
64 bytes from 10.25.112.3: icmp_seq=2 ttl=64 time=0.558 ms
64 bytes from 10.25.112.3: icmp_seq=3 ttl=64 time=0.458 ms
64 bytes from 10.25.112.3: icmp_seq=4 ttl=64 time=0.469 ms

--- 10.25.112.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 93ms
rtt min/avg/max/mdev = 0.458/0.514/0.573/0.056 ms
[root@test2 ~]#
[root@test2 ~]# ping -c 4 10.25.100.3
PING 10.25.100.3 (10.25.100.3) 56(84) bytes of data.
64 bytes from 10.25.100.3: icmp_seq=1 ttl=63 time=35.9 ms
64 bytes from 10.25.100.3: icmp_seq=2 ttl=63 time=35.8 ms
64 bytes from 10.25.100.3: icmp_seq=3 ttl=63 time=35.7 ms
64 bytes from 10.25.100.3: icmp_seq=4 ttl=63 time=35.7 ms

--- 10.25.100.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 35.663/35.783/35.947/0.170 ms
[root@test2 ~]#
[root@test2 ~]# ping -c 4 10.25.100.4
PING 10.25.100.4 (10.25.100.4) 56(84) bytes of data.
64 bytes from 10.25.100.4: icmp_seq=1 ttl=62 time=36.5 ms
64 bytes from 10.25.100.4: icmp_seq=2 ttl=62 time=36.5 ms
64 bytes from 10.25.100.4: icmp_seq=3 ttl=62 time=36.3 ms
64 bytes from 10.25.100.4: icmp_seq=4 ttl=62 time=36.5 ms

--- 10.25.100.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 36.300/36.448/36.535/0.162 ms
[root@test2 ~]#

Both node A and node B need the static route: the nodes only communicate once routes exist in both directions. Without the route on B, A's echo requests still arrive (the site B firewall delivers them onto B's LAN), but B sends its replies to its default gateway, which drops or misroutes them unless that gateway also knows the path back through the tunnel. The TTL values confirm the path: 63 when pinging the remote firewall's LAN address (only the local firewall forwards the reply) and 62 when pinging a host behind it (both firewalls forward). Routes added with ip route add do not survive a reboot; make them persistent in the distribution's network configuration, or make the firewall the LAN's default gateway so hosts need no per-subnet routes at all.
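The two-sided check above, as an added example that is not part of the original post: a POSIX shell script that, from one node, confirms the static route to the remote site points at the local firewall and that the peer's reply TTL is consistent with a path through both firewalls. The addresses follow the post; the routing-table and ping texts it parses are constructed here so the checks can run without a tunnel, and probe_site (which assumes iputils ping with -W) runs the same checks live.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses follow the post
# (10.25.100.3 / 10.25.112.3 are the firewalls' LAN-side addresses);
# SAMPLE_ROUTES and SAMPLE_PING are constructed test inputs.

# route_next_hop PREFIX ROUTE_TEXT
# Prints the "via" next hop for an exact prefix in `ip route show` output,
# nothing if no such route exists (a connected route has no "via").
route_next_hop() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# hops_from_ttl PING_TEXT [INITIAL_TTL]
# Linux replies with TTL 64 by default; every router on the return path
# decrements it once, so INITIAL_TTL - observed TTL is the router count.
# Prints -1 when the text contains no reply line.
hops_from_ttl() {
    initial=${2:-64}
    ttl=$(printf '%s\n' "$1" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$ttl" ]; then
        printf '%s\n' -1
    else
        printf '%s\n' "$((initial - ttl))"
    fi
}

# check_site LOCAL_FW REMOTE_SUBNET ROUTE_TEXT PING_TEXT
# Succeeds when REMOTE_SUBNET is routed via LOCAL_FW and the peer's reply
# crossed one router (the peer firewall answered) or two (a host behind it).
check_site() {
    via=$(route_next_hop "$2" "$3")
    hops=$(hops_from_ttl "$4")
    if [ "$via" != "$1" ]; then
        echo "no static route to $2 via $1 (found: ${via:-none})" >&2
        return 1
    fi
    if [ "$hops" -lt 1 ] || [ "$hops" -gt 2 ]; then
        echo "unexpected router count $hops on the reply path (no reply, or traffic not using the tunnel)" >&2
        return 1
    fi
    return 0
}

# probe_site LOCAL_FW REMOTE_SUBNET REMOTE_HOST
# Live variant: reads the kernel routing table and pings once.
probe_site() {
    check_site "$1" "$2" "$(ip route show)" "$(ping -c 1 -W 2 "$3" 2>/dev/null)"
}

# Constructed sample modelled on node A after the `ip route add` from the post.
SAMPLE_ROUTES='default via 10.25.100.1 dev ens7 proto static metric 100
10.25.100.0/22 dev ens7 proto kernel scope link src 10.25.100.4
10.25.112.0/22 via 10.25.100.3 dev ens7 proto static metric 101'
# Constructed reply from a host behind the remote firewall: TTL 62, two routers.
SAMPLE_PING='PING 10.25.112.4 (10.25.112.4) 56(84) bytes of data.
64 bytes from 10.25.112.4: icmp_seq=1 ttl=62 time=36.5 ms'

if check_site 10.25.100.3 10.25.112.0/22 "$SAMPLE_ROUTES" "$SAMPLE_PING"; then
    echo "node A: route and reply path consistent with the tunnel"
fi
```

On a live node run `probe_site 10.25.100.3 10.25.112.0/22 10.25.112.4` (node A) or `probe_site 10.25.112.3 10.25.100.0/22 10.25.100.4` (node B); a router count of 0 or a missing reply is the symptom of the one-way route the post warns about.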

December 31, 2013

Add a user (the password here is a lab placeholder; use a strong one on a real device)

ciscoasa(config)# username admin password admin privilege 15

Enable local command authorization, so the privilege level on the local user account controls which commands it may run

ciscoasa(config)# aaa authorization command LOCAL

Authenticate SSH logins against the local user database. Without this line, SSH accepts the default user pix with the login password (set by passwd, default cisco); with it, SSH logins use the accounts created with username.

ciscoasa(config)# aaa authentication ssh console LOCAL

[screenshot: asa-5505-ssh-telnet-enable-01] [screenshot: asa-5505-ssh-telnet-enable-02]

Generate the RSA host key (1024 bits is small by current standards; use modulus 2048 on a device going into production)

ciscoasa(config)# crypto key generate rsa modulus 1024
 INFO: The name for the keys will be: <Default-RSA-Key>
 Keypair generation process begin. Please wait...
ciscoasa(config)#

Allow SSH from the inside subnet and from any address on outside, and Telnet from any inside address. This is a lab setting: on a production device restrict ssh on outside to the management addresses that need it, and leave Telnet off.

ciscoasa(config)# ssh 192.168.15.0 255.255.255.0 inside
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# telnet 0 0 inside

Pin the SSH version to 2

ciscoasa(config)# ssh version 2

Authenticate Telnet against the local user database and allow Telnet from the specified inside subnet. The earlier telnet 0 0 inside entry stays in effect alongside this one until it is removed with no telnet 0 0 inside.

ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 192.168.15.0 255.255.255.0 inside

Set the time zone and clock, then check the current system time

ciscoasa(config)# clock timezone HKST 8
ciscoasa(config)# clock set 18:45:40 9 Jan 2014
ciscoasa(config)# sh clock
18:46:00.019 HKST Thu Jan 9 2014
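To check a device's management configuration for the weak settings noted above (SSH or Telnet open to 0.0.0.0/0, Telnet enabled at all, SSH version not pinned, no local AAA for SSH), here is an added example, not from the original post, that audits show running-config text with awk. The two configurations in the script are constructed from the post's commands and assume config lines start at column 0, as they do in ASA output. The RSA key size is not part of the running config; check it separately with show crypto key mypubkey rsa.

```shell
#!/bin/sh
# Added example, not from the original post. Audits ASA running-config text
# on stdin for remote-management weaknesses; WEAK_CONFIG and HARDENED_CONFIG
# are constructed from the post's commands.

# audit_asa_config < running-config
# Prints one FINDING line per problem; exit status 0 when clean, 1 otherwise.
audit_asa_config() {
    awk '
        # Any "ssh A.B.C.D MASK IFACE" line means SSH is enabled somewhere.
        /^ssh +[0-9]/ { ssh_on = 1 }
        # "ssh 0.0.0.0 0.0.0.0 outside" or "ssh 0 0 outside": reachable from any source.
        /^ssh +(0\.0\.0\.0 +0\.0\.0\.0|0 +0) +/ {
            print "FINDING: SSH open to any source on " $NF; bad = 1
        }
        /^telnet +(0\.0\.0\.0 +0\.0\.0\.0|0 +0) +/ {
            print "FINDING: Telnet open to any source on " $NF; bad = 1; next
        }
        # Telnet is cleartext; flag it even when limited to one subnet.
        /^telnet +[0-9]/ {
            print "FINDING: Telnet enabled from " $2 " on " $NF " (cleartext; prefer SSH)"; bad = 1
        }
        /^ssh version 2$/ { v2 = 1 }
        /^aaa authentication ssh console LOCAL/ { aaa_ssh = 1 }
        END {
            if (ssh_on && !v2) { print "FINDING: ssh version 2 not set (SSHv1 still negotiable)"; bad = 1 }
            if (ssh_on && !aaa_ssh) { print "FINDING: no aaa authentication ssh console LOCAL (SSH accepts user pix with the login password)"; bad = 1 }
            if (bad) exit 1
            exit 0
        }'
}

# count_findings CONFIG_TEXT: number of FINDING lines for a config string.
count_findings() {
    printf '%s\n' "$1" | audit_asa_config | grep -c '^FINDING'
}

# Constructed from the commands in the post (lab setting).
WEAK_CONFIG='username admin password admin privilege 15
aaa authorization command LOCAL
aaa authentication ssh console LOCAL
ssh 192.168.15.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet 0 0 inside
ssh version 2
aaa authentication telnet console LOCAL
telnet 192.168.15.0 255.255.255.0 inside'

# Constructed hardened equivalent: SSH only, from the inside management subnet.
HARDENED_CONFIG='username admin password admin privilege 15
aaa authorization command LOCAL
aaa authentication ssh console LOCAL
ssh 192.168.15.0 255.255.255.0 inside
ssh version 2'

echo "weak config:";     printf '%s\n' "$WEAK_CONFIG" | audit_asa_config || true
echo "hardened config:"; printf '%s\n' "$HARDENED_CONFIG" | audit_asa_config && echo "no findings"
```

Against a real device, pipe the output of show running-config (saved from an SSH session) into audit_asa_config; the weak config above produces three findings (SSH from any source on outside, Telnet from any source on inside, and the remaining Telnet entry), the hardened one none.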
December 23, 2013

Clear the configuration

5505-1(config)# write erase
Erase configuration in flash memory? [confirm]

Reload

5505-1# reload
Proceed with reload? [confirm]

The firewall asks whether to run the interactive setup

Pre-configure Firewall now through interactive prompts [yes]? no
Type help or '?' for a list of available commands.
ciscoasa> ?

clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
help Interactive help for commands
login Log in as a particular user
logout Exit from the EXEC
no Negate a command or set its defaults
ping Send echo messages
quit Exit from the EXEC
show Show running system information
traceroute Trace route to destination

Enter privileged mode (the enable password is empty at this point) and view the initial configuration. Two lines in the output matter for security: enable password 8Ry2YjIyt7RRXU24 encrypted is the hash of an empty enable password and passwd 2KFQnbNIdI.2KYOU encrypted is the hash of the default login password cisco, so set both with enable password and passwd before the device is connected to anything untrusted. Note also that the factory global_policy already includes inspect esmtp, which rewrites SMTP sessions passing through the firewall (banner masking, filtering of ESMTP extensions); mail administrators behind an ASA should know it is on by default.

ciscoasa> en
 Password:
 ciscoasa# show run
 : Saved
 :
 ASA Version 8.4(2)
 !
 hostname ciscoasa
 enable password 8Ry2YjIyt7RRXU24 encrypted
 passwd 2KFQnbNIdI.2KYOU encrypted
 names
 !
 interface Ethernet0/0
 shutdown
 !
 interface Ethernet0/1
 shutdown
 !
 interface Ethernet0/2
 shutdown
 !
 interface Ethernet0/3
 shutdown
 !
 interface Ethernet0/4
 shutdown
 !
 interface Ethernet0/5
 shutdown
 !
 interface Ethernet0/6
 shutdown
 !
 interface Ethernet0/7
 shutdown
 !
 interface Vlan1
 no nameif
 no security-level
 no ip address
 !
 ftp mode passive
 pager lines 24
 no failover
 icmp unreachable rate-limit 1 burst-size 1
 no asdm history enable
 arp timeout 14400
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 timeout tcp-proxy-reassembly 0:01:00
 timeout floating-conn 0:00:00
 dynamic-access-policy-record DfltAccessPolicy
 user-identity default-domain LOCAL
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
 telnet timeout 5
 ssh timeout 5
 console timeout 0
threat-detection basic-threat
 threat-detection statistics access-list
 no threat-detection statistics tcp-intercept
 !
 class-map inspection_default
 match default-inspection-traffic
 !
 !
 policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect ip-options
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
 !
 service-policy global_policy global
 prompt hostname context
 call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/De
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
 Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
 : end
 ciscoasa#

 

March 27, 2013

A Postfix log entry (/var/log/maillog) reporting that firewall workarounds were switched on:

Mar 27 12:05:02 pfx postfix/smtp[7463]: AF67B212CA6: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx1.hotmail.com[65.55.37.104]:25

The Postfix SMTP client logs this line when a message has sat in the queue longer than smtp_pix_workaround_threshold_time (default 500s) and it is now retrying delivery with the workarounds listed in smtp_pix_workarounds: disable_esmtp sends HELO instead of EHLO, so no ESMTP extensions (PIPELINING, STARTTLS, SIZE) are used with that server, and delay_dotcrlf pauses before the final <CR><LF>.<CR><LF>. Both were written for Cisco PIX/ASA SMTP inspection ("fixup"/inspect esmtp) on the path to the remote server, which historically rejected ESMTP commands and mishandled the end-of-data sequence. The line itself says only that earlier delivery attempts to mx1.hotmail.com failed for long enough to trigger the fallback, not that such a firewall is actually present.

The normal response when connecting to port 25 with Telnet from the local LAN or from the server itself (the EHLO reply lists the ESMTP extensions; a session through a PIX/ASA with SMTP inspection typically shows a masked banner and a reduced extension list instead). Note that VRFY is advertised, which lets anyone enumerate mailboxes; disable_vrfy_command = yes in main.cf turns it off.

220 pfx.sample.com ESMTP Postfix (2.8.14)
EHLO test.sample.com
250-pfx.sample.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
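To see how often, and for which destinations, Postfix has fallen back to these workarounds, here is an added example, not from the original post, that summarises "enabling PIX workarounds" lines from /var/log/maillog per remote MX. The log lines it runs on are constructed after the one above; mx.example.net and its address are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises Postfix "enabling PIX
# workarounds" log lines per destination MX; SAMPLE_LOG is constructed.

# pix_workaround_summary < maillog
# Prints "host count workarounds" per remote MX, sorted by host name.
pix_workaround_summary() {
    awk '
        /enabling PIX workarounds: / {
            sub(/.*enabling PIX workarounds: /, "")   # keep "<list> for host[ip]:port"
            n = split($0, part, / for /)
            if (n < 2) next
            host = part[2]; sub(/\[.*$/, "", host)     # strip "[ip]:port"
            gsub(/ /, ",", part[1])                    # "disable_esmtp,delay_dotcrlf"
            count[host]++; ws[host] = part[1]
        }
        END { for (h in count) print h, count[h], ws[h] }' | LC_ALL=C sort
}

# pix_workaround_hosts < maillog: just the affected hosts, one per line.
pix_workaround_hosts() {
    pix_workaround_summary | awk '{ print $1 }'
}

# Constructed log lines in the format shown in the post.
SAMPLE_LOG='Mar 27 12:05:02 pfx postfix/smtp[7463]: AF67B212CA6: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx1.hotmail.com[65.55.37.104]:25
Mar 27 12:09:41 pfx postfix/smtp[7470]: 1B2C3D4E5F6: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx1.hotmail.com[65.55.37.104]:25
Mar 27 12:15:03 pfx postfix/smtp[7481]: 7A8B9C0D1E2: enabling PIX workarounds: delay_dotcrlf for mx.example.net[192.0.2.25]:25
Mar 27 12:15:04 pfx postfix/smtp[7481]: 7A8B9C0D1E2: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=611, status=sent (250 OK)'

printf '%s\n' "$SAMPLE_LOG" | pix_workaround_summary
```

Run it as pix_workaround_summary < /var/log/maillog. A destination that shows up repeatedly is worth testing by hand from the same host (telnet to its port 25 and compare the banner with the clean one above); if a firewall on the path is the cause, the fix belongs on the firewall (no inspect esmtp in the ASA policy map, or an exception for the mail server), not in Postfix.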


March 2, 2013

Add DNS records

[screenshot: postfix-install-01]

Add the mapped IP (MIP) for the mail host's public address on the Juniper SSG140 firewall interface and set the access policy

[screenshot: postfix-install-02]

Set the mapped IP, host IP and subnet mask

[screenshot: postfix-install-03]

[screenshot: postfix-install-04]

Prerequisites for installing PostfixAdmin 2.3.6
– You are using Postfix 2.0 or higher.
– You are using Apache 1.3.27 / Lighttpd 1.3.15 or higher.
– You are using PHP 5.1.2 or higher.
– You are using MySQL 3.23 or higher (5.x recommended) OR PostgreSQL 7.4 (or higher)

 

Check which MTA the host currently uses (the alternatives link must point at Postfix, not Sendmail)

[root@localhost ~]# alternatives --display mta
mta - status is auto.
 link currently points to /usr/sbin/sendmail.postfix
/usr/sbin/sendmail.postfix - priority 30
 slave mta-mailq: /usr/bin/mailq.postfix
 slave mta-newaliases: /usr/bin/newaliases.postfix
 slave mta-pam: /etc/pam.d/smtp.postfix
 slave mta-rmail: /usr/bin/rmail.postfix
 slave mta-sendmail: /usr/lib/sendmail.postfix
 slave mta-mailqman: /usr/share/man/man1/mailq.postfix.1.gz
 slave mta-newaliasesman: /usr/share/man/man1/newaliases.postfix.1.gz
 slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
 slave mta-aliasesman: /usr/share/man/man5/aliases.postfix.5.gz
Current `best' version is /usr/sbin/sendmail.postfix.
[root@localhost ~]#

Verify that Postfix was built with MySQL map support and Dovecot SASL support (postconf -m lists the lookup table types, postconf -a the SASL server implementations)

[root@mail postfix]# postconf -m |grep mysql
mysql
[root@mail postfix]# postconf -a |grep dovecot
dovecot
[root@mail postfix]#

January 17, 2013

Log in to the SSG 140 web management interface over the VPN

[screenshot: ssg140-0-01]

Configure IP addresses on the firewall interfaces

[screenshot: ssg140-0-02]

Configure the China Telecom public IP address on interface 0/2

[screenshot: ssg140-0-03]

Configure the China Unicom public IP address on interface 0/3

[screenshot: ssg140-0-04]

Configure a private-subnet IP address on interface 0/0

[screenshot: ssg140-0-05]

Configure a private-subnet IP address on interface 0/1

[screenshot: ssg140-0-06]

Specify which management services each interface accepts

[screenshot: ssg140-0-07]

Add access policies

[screenshot: ssg140-0-08]

[screenshot: ssg140-0-09]

[screenshot: ssg140-0-10]

[screenshot: ssg140-0-12]

Check the IP address of a host inside the private network and try to ping an external host

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f125:4c05:c072:ac2f%10
   IPv4 Address. . . . . . . . . . . : 192.168.11.80
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.100.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.11.1

C:\Users\Administrator>ping www.qq.com

Pinging www.qq.com [119.147.15.17] with 32 bytes of data:
Reply from 119.147.15.17: bytes=32 time=8ms TTL=55
Reply from 119.147.15.17: bytes=32 time=3ms TTL=55
Reply from 119.147.15.17: bytes=32 time=3ms TTL=55
Reply from 119.147.15.17: bytes=32 time=3ms TTL=55

Ping statistics for 119.147.15.17:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 8ms, Average = 4ms

C:\Users\Administrator>

View the policy traffic log

[screenshot: ssg140-0-13]