
蓝森林 (Blue Forest) http://www.lslnet.com 2006-07-26 13:28

PIX515-R maximum connection count and half-open connection limit problem! Fairly urgent!! Please help!!!


The configuration is as follows:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname 3GMfirewall
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list pcanywhere deny tcp any gt 10000 host 02.102.245.119 eq www
access-list pcanywhere permit tcp any any eq 3389
access-list pcanywhere permit tcp host 1.1.1.1 any
access-list pcanywhere permit tcp host 2.2.2.2 any
access-list pcanywhere permit ip any any

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 3.3.3.3 255.255.255.128
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 3.3.3.4 192.168.0.2 netmask 255.255.255.255 3000 1500
access-group pcanywhere in interface outside
route outside 0.0.0.0 0.0.0.0 3.3.3.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
privilege 15
terminal width 80
Cryptochecksum:8e44ef2980a5bf572f087c420575497f
: end


I have already limited the connection count and the ports with the ACL and in the static mapping, but the monitoring software on the server still shows more than 10000 ports connecting to port 80 of the server, and the half-open connections on the server have reached over 5600; the server still crashes after running for a while!

Is there a problem with the configuration?
Or are the policy settings inappropriate?
How should I solve this!?

Please help me!!!

Quite urgent!!!

Please help!

3GMfirewall# sho conn
4996 in use, 5003 most used
TCP out 218.84.65.198:1384 in 192.168.0.2:80 idle 0:00:57 Bytes 3551 flags UIOB
TCP out 211.90.227.125:45970 in 192.168.0.2:80 idle 0:00:57 Bytes 2223 flags UIOB
TCP out 221.233.128.93:2865 in 192.168.0.2:80 idle 0:12:24 Bytes 11122 flags UIOB
TCP out 218.77.39.166:38415 in 192.168.0.2:80 idle 0:05:08 Bytes 21081 flags UIOB
TCP out 220.187.206.200:4821 in 192.168.0.2:80 idle 0:00:50 Bytes 2112 flags UIOB
TCP out 61.145.236.58:1745 in 192.168.0.2:80 idle 0:10:33 Bytes 46018 flags UIOB
TCP out 222.77.101.102:2751 in 192.168.0.2:80 idle 0:02:44 Bytes 41292 flags UIOB
TCP out 61.55.44.179:3680 in 192.168.0.2:80 idle 0:01:09 Bytes 992 flags UIOB
TCP out 61.150.69.120:1088 in 192.168.0.2:80 idle 0:11:27 Bytes 2117 flags UIOB
TCP out 219.131.36.159:31078 in 192.168.0.2:80 idle 0:00:00 Bytes 0 flags aB
TCP out 220.178.182.32:4585 in 192.168.0.2:80 idle 0:15:56 Bytes 20004 flags UIOB
TCP out 220.187.95.173:1274 in 192.168.0.2:80 idle 0:38:53 Bytes 7508 flags UIOB
TCP out 218.75.16.96:31430 in 192.168.0.2:80 idle 0:03:07 Bytes 1631 flags UIOB
TCP out 61.136.230.65:2701 in 192.168.0.2:80 idle 0:14:54 Bytes 3008 flags UIOB
TCP out 219.239.17.103:64943 in 192.168.0.2:80 idle 0:00:29 Bytes 2955 flags UIOB
TCP out 218.5.236.66:50242 in 192.168.0.2:80 idle 0:11:39 Bytes 3586 flags UIOB
TCP out 61.187.56.152:62490 in 192.168.0.2:80 idle 0:00:01 Bytes 0 flags UB
TCP out 222.133.49.24:3046 in 192.168.0.2:80 idle 0:00:07 Bytes 11912 flags UIOB
TCP out 61.157.198.142:51081 in 192.168.0.2:80 idle 0:00:45 Bytes 673 flags UIOB
TCP out 210.83.212.230:4839 in 192.168.0.2:80 idle 0:08:10 Bytes 1117 flags UIOB
TCP out 218.19.150.223:3391 in 192.168.0.2:80 idle 0:47:18 Bytes 2117 flags UIOB
TCP out 218.2.122.157:4936 in 192.168.0.2:80 idle 0:00:00 Bytes 1799 flags UIOB
TCP out 61.149.118.20:1634 in 192.168.0.2:80 idle 0:00:20 Bytes 531
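An added example, not code from the thread or from Cisco: a small Python script that reads the two artefacts posted above, the `static` line with its trailing max_conns / emb_limit arguments and the `show conn` listing, re-joins the lines the terminal wrapped (the lone `B` after `flags UIO`), counts established versus embryonic connections per inside host, and compares the counts with the limits configured on the static. It assumes the PIX 6.x `static (in,out) global local [netmask m] [max_conns [emb_limit]]` syntax with 0 meaning no limit, that those limits apply per static translation, and that a connection whose flags lack `U` (up, handshake complete) is still embryonic. The sample input is constructed from a few of the posted lines.

```python
import re
from collections import defaultdict

# Constructed sample input in the shape of the posted config and "show conn" output;
# the "UIO" / "B" split reproduces how the terminal output arrived wrapped in the post.
SAMPLE_CONFIG = """\
static (inside,outside) 3.3.3.4 192.168.0.2 netmask 255.255.255.255 3000 1500
"""

SAMPLE_SHOW_CONN = """\
4996 in use, 5003 most used
TCP out 218.84.65.198:1384 in 192.168.0.2:80 idle 0:00:57 Bytes 3551 flags UIOB
TCP out 211.90.227.125:45970 in 192.168.0.2:80 idle 0:00:57 Bytes 2223 flags UIO
B
TCP out 219.131.36.159:31078 in 192.168.0.2:80 idle 0:00:00 Bytes 0 flags aB
TCP out 61.187.56.152:62490 in 192.168.0.2:80 idle 0:00:01 Bytes 0 flags UB
TCP out 61.149.118.20:1634 in 192.168.0.2:80 idle 0:00:20 Bytes 531
"""

# Assumed PIX 6.x static syntax: the two optional trailing integers are max_conns and emb_limit.
STATIC_RE = re.compile(
    r"^static \((?P<in_if>\w+),(?P<out_if>\w+)\) (?P<global_ip>\S+) (?P<local_ip>\S+)"
    r"(?: netmask \S+)?(?: (?P<max_conns>\d+)(?: (?P<emb_limit>\d+))?)?"
)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>\S+):(?P<out_port>\d+) in (?P<in_ip>\S+):(?P<in_port>\d+)"
    r" idle (?P<idle>\S+) Bytes (?P<bytes>\d+)(?: flags (?P<flags>\S+))?"
)
SUMMARY_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")


def parse_static_limits(config_text):
    """Map each static's local (inside) IP to (max_conns, emb_limit); 0 means no limit."""
    limits = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            limits[m["local_ip"]] = (int(m["max_conns"] or 0), int(m["emb_limit"] or 0))
    return limits


def unwrap(lines):
    """Re-join continuation lines the terminal wrapped (e.g. a lone 'B' after 'flags UIO')."""
    joined = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if CONN_RE.match(line) or SUMMARY_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += line
    return joined


def parse_show_conn(text):
    """Return ((in_use, most_used), records); each record carries an 'embryonic' verdict."""
    summary, records = None, []
    for line in unwrap(text.splitlines()):
        s = SUMMARY_RE.match(line)
        if s:
            summary = (int(s["in_use"]), int(s["most_used"]))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        flags = rec["flags"]
        # Assumed PIX flag legend: U = up (three-way handshake complete). A connection
        # without U is still embryonic (half-open); a truncated record with no flags is unknown.
        rec["embryonic"] = None if flags is None else ("U" not in flags)
        records.append(rec)
    return summary, records


def count_per_host(records):
    """Total / embryonic / unknown connection counts keyed by inside host."""
    counts = defaultdict(lambda: {"total": 0, "embryonic": 0, "unknown": 0})
    for rec in records:
        c = counts[rec["in_ip"]]
        c["total"] += 1
        if rec["embryonic"] is None:
            c["unknown"] += 1
        elif rec["embryonic"]:
            c["embryonic"] += 1
    return dict(counts)


def check_limits(counts, limits):
    """Compare per-host counts with the static's max_conns / emb_limit (0 = no limit)."""
    report = {}
    for host, c in counts.items():
        max_conns, emb_limit = limits.get(host, (0, 0))
        report[host] = {
            **c,
            "max_conns": max_conns,
            "emb_limit": emb_limit,
            "conn_limit_exceeded": max_conns > 0 and c["total"] > max_conns,
            "emb_limit_exceeded": emb_limit > 0 and c["embryonic"] > emb_limit,
        }
    return report


def analyse(config_text, show_conn_text):
    limits = parse_static_limits(config_text)
    summary, records = parse_show_conn(show_conn_text)
    return summary, check_limits(count_per_host(records), limits)


if __name__ == "__main__":
    summary, report = analyse(SAMPLE_CONFIG, SAMPLE_SHOW_CONN)
    print("firewall-wide (in use, most used):", summary)
    for host, r in sorted(report.items()):
        print(host, r)
```

Paste a complete `show conn` capture into SAMPLE_SHOW_CONN to see how many of the roughly 5000 entries on the box are still embryonic and whether the server's static is at its 3000 / 1500 ceiling; that is the comparison the `use parameter in static command` reply below points at. Keep in mind that the `gt 10000` operator in the posted `access-list pcanywhere deny tcp any gt 10000 host ... eq www` line matches source ports above 10000, not a count of connections, so it is the static's two trailing arguments, not the ACL, that cap connections and half-open connections toward the server.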

Don't know, but bumping for you. You could reduce the half-closed 0:10:00 time:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

ding

use parameter in static command

Has this been solved?


Copyright © 1999-2000 LSLNET.COM. All rights reserved. 蓝森林 (Blue Forest) website, all rights reserved. E-mail : webmaster@lslnet.com