A short guide to the PIX firewall emulator pixemu (pemu)


After some effort, and after pulling together the experience of various experts on the net, I finally got this working and am sharing it with everyone.

Emulating a Cisco PIX 525 firewall with pemu on Windows XP

Copyright by the author; when reposting, please credit cu-yuhuohu.

1. Download the software

QUOTE:

Virtual NIC driver (OpenVPN TAP adapter):

openvpn-2.0.9-install.rar (931.83 KB)

PIX emulator pemu:

pemu_win32_02.rar (411.94 KB)

CPU usage limiter BES:

BES(CPU使用率控制).zip (455.13 KB)

PIX IOS images: pix721.bin, pix722.bin, pix802.bin. Search Google for download locations.

2. Virtual NICs

QUOTE:

Install openvpn-2.0.9-install.exe.

In the bin directory under the install directory (normally C:\Program Files\OpenVPN\bin), run addtap.bat.

Each run adds one virtual NIC, named Local Area Connection 2, Local Area Connection 3, Local Area Connection 4, ...

Rename the virtual NICs to tap0, tap1 and tap2; these three adapters are used later when starting the PIX emulator (so you have inside, dmz and outside).

To remove the virtual NICs, run deltapall.bat.

The NICs can also be emulated with WinPcap. If you use WinPcap, the pemu run parameters must use pcap instead of the NIC type keyword tap, and ifname must be changed accordingly (pemu -e lists the available interfaces).

3. PIX emulation

QUOTE:

Install pemu (older versions were called PixEmu): just unpack the archive.

Edit the pemu.ini file in the pemu directory.

serial and key are the firewall's serial number and activation key. They can be taken from a real firewall and are 8-digit hexadecimal numbers; if you have decimal numbers, convert them yourself before use. The serial number and activation key in this article have been replaced with invalid values; don't try them, it would only waste your time.

image is the firewall's IOS image file, which can be downloaded from the net.

For example, if you downloaded pix721.bin, then image=pix721.bin.

If that does not work, try renaming pix721.bin to pix721.rar, extracting it, and pointing image= at the newly extracted file. For example, if the extracted file is called pix721, then image=pix721.

CODE:

serial=0x301D10D1
image=pix721
key=0x5236f5a1,0x97def6da,0x732a91f5,0xf5deef57
bios1=mybios_d8000
bios2=bios.bin
bios_checksum=1
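The post says serial and key must be 8-digit hex values and that decimal numbers have to be converted first, and the emulator log later shows the same serial both ways (301d10da and 807211226). The following script is an added example for this write-up, not code from the original post or from pemu: it parses a pemu.ini, normalizes the serial and the four key words to the 0x-prefixed 8-digit form, converts decimal input on request, and reports a missing field or a key with the wrong number of words before you start the emulator. The field names are the ones the post's pemu.ini uses; the value rules (one 32-bit word for serial, four comma-separated 32-bit words for key) follow the post's description and are otherwise this example's assumptions. The sample values are the post's own, which the author states are invalid.

```python
"""Check and normalize a pemu.ini before starting the emulator.

Added example, not code from the original post or from pemu. Field names are
those of the post's pemu.ini; the value rules (serial = one 32-bit word, key =
four comma-separated 32-bit words, written as hex in the file) follow the
post's description and are otherwise assumptions of this example.
"""
import re

REQUIRED = ("serial", "image", "key")
MAX32 = 0xFFFFFFFF

# Constructed sample: the pemu.ini shown in the post (values the author calls invalid).
SAMPLE_INI = """\
serial=0x301D10D1
image=pix721
key=0x5236f5a1,0x97def6da,0x732a91f5,0xf5deef57
bios1=mybios_d8000
bios2=bios.bin
bios_checksum=1
"""


def parse_ini(text):
    """Turn key=value lines into a dict; blank lines and ;/# comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split("=", 1)
        fields[name.strip().lower()] = value.strip()
    return fields


def to_hex8(value, decimal=False):
    """Normalize one 32-bit word to the 0x-prefixed 8-digit form used in pemu.ini.

    pemu.ini values are hexadecimal, with or without a 0x prefix. A value copied
    from a real box's 'show version' may be decimal (e.g. 807211226); pass
    decimal=True for those, because an all-digit string is otherwise ambiguous.
    """
    v = value.strip()
    if decimal:
        if v.lower().startswith("0x"):
            raise ValueError(f"{value!r} has a 0x prefix but was declared decimal")
        n = int(v, 10)
    else:
        n = int(v, 16)  # base 16 accepts an optional 0x prefix
    if not 0 <= n <= MAX32:
        raise ValueError(f"{value!r} does not fit in 32 bits")
    return f"0x{n:08x}"


def normalize_key(value, decimal=False):
    """The activation key is four 32-bit words separated by commas."""
    words = [w for w in value.split(",") if w.strip()]
    if len(words) != 4:
        raise ValueError(f"expected 4 key words, got {len(words)}")
    return ",".join(to_hex8(w, decimal) for w in words)


def check_ini(text, decimal=False):
    """Return (normalized_fields, problems); an empty problems list means every
    required field is present and serial/key parse as 32-bit words."""
    fields = parse_ini(text)
    normalized = dict(fields)
    problems = [f"missing {name}=" for name in REQUIRED if name not in fields]
    for name, fn in (("serial", to_hex8), ("key", normalize_key)):
        if name in fields:
            try:
                normalized[name] = fn(fields[name], decimal)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    return normalized, problems


def render_ini(fields):
    """Emit the normalized file in the same key=value layout pemu reads."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


if __name__ == "__main__":
    normalized, problems = check_ini(SAMPLE_INI)
    print(render_ini(normalized))
    print("problems:", problems or "none")
```

Run it against your own pemu.ini and paste the rendered output back into the file; the decimal flag is only for values taken from a real appliance's show version, never for values already written in hex.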

In the pemu directory, run the following command from a DOS prompt (using all three virtual NICs):

pemu.exe -net nic,macaddr=00:aa:00:00:02:01 -net tap,ifname=tap0 -net nic,macaddr=00:aa:00:00:02:02 -net tap,ifname=tap1 -net nic,macaddr=00:aa:00:00:02:03 -net tap,ifname=tap2 -serial tcp::4444,server

QUOTE:

I:\cisco\ccsp\pix模拟软件\pemu_win32_02>pemu.exe -net nic,macaddr=00:aa:00:00:02:01 -net tap,ifname=tap0 -net nic,macaddr=00:aa:00:00:02:02 -net tap,ifname=tap1 -net nic,macaddr=00:aa:00:00:02:03 -net tap,ifname=tap2 -serial tcp::4444,server
TAP-Win32 Driver Version 8.4 [Handle 768]
TAP-Win32 Driver Version 8.4 [Handle 74C]
TAP-Win32 Driver Version 8.4 [Handle 730]
QEMU waiting for connection on: :4444,server <------------------ once this message appears you can log in to the PIX 525 with telnet 127.0.0.1 4444
Could not open '\\.\kqemu' - QEMU acceleration layer not activated
Values read from ini file:
Serial=301d10da (807211226)
Image="pix721"
key=5236f5a1,97def6da,732a91f5,f5deef57
bios1=mybios_d8000
bios2=bios.bin
bios_ckecksum=yes
BIOS file mybios_d8000 (32768) read 32768 bytes
BIOS file bios.bin (131072) read 131072 bytes
Image file read 18374703 bytes, @100000
Key set to: 5236f5a1,97def6da,732a91f5,f5deef57
Read 16777216 bytes from flash

Note: if you get an error like "tap0 interface not found" when running, delete all the virtual NICs, reboot the system, and add the virtual NICs again.


Log in to the firewall with SecureCRT (telnet 127.0.0.1, port 4444) and you can see the boot messages:

QUOTE:

128MB RAM

Total NICs found: 3

i82559 Ethernet at irq 11 MAC: 00aa.0000.0203

i82559 Ethernet at irq 11 MAC: 00aa.0000.0202

i82559 Ethernet at irq 9 MAC: 00aa.0000.0201

BIOS Flash=am29f400b @ 0xd8000

Initializing flashfs...

flashfs[7]: 3 files, 2 directories

flashfs[7]: 0 orphaned files, 0 orphaned directories

flashfs[7]: Total bytes: 16128000

flashfs[7]: Bytes used: 2560

flashfs[7]: Bytes available: 16125440

flashfs[7]: flashfs fsck took 1 seconds.

flashfs[7]: Initialization complete.

If the activation key is wrong, the following message appears in red:

Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

This activation key is not valid, use default settings only

This platform has an restricted (R) license.

--------------------------------------------------------------------------
[Cisco Systems ASCII-art logo]
C i s c o S y s t e m s
--------------------------------------------------------------------------

Cisco PIX Security Appliance Software Version 7.2(1)

****************************** Warning *******************************

This product contains cryptographic features and is

subject to United States and local country laws

governing, import, export, transfer, and use.

Delivery of Cisco cryptographic products does not

imply third-party authority to import, export,

distribute, or use encryption. Importers, exporters,

distributors and users are responsible for compliance

with U.S. and local country laws. By using this

product you agree to comply with applicable laws and

regulations. If you are unable to comply with U.S.

and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic

products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by

sending email to export@cisco.com.

******************************* Warning *******************************

Copyright (c) 1996-2006 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

Type help or '?' for a list of available commands.

With a PIX 7.x or later IOS, or when the activation key is wrong, show version at this point shows the firewall running with restricted features because the key is invalid. To put the PIX firewall into unrestricted mode, proceed as follows:

Enter the activation key.

Exit the firewall.

Shut down and restart the emulator (the emulated firewall cannot really reload).

CODE:

pixfirewall> en

en

Password:

pixfirewall# ac 5236f5a1 97def6d1 732a91f1 f5deef51

pixfirewall# exit

pixfirewall> exit

Note: if you see echo problems when typing commands, select "force character at a time" in SecureCRT's telnet settings.

Because from PIX 7.x onward the activation key cannot be specified in pemu.ini, it has to be entered manually after boot. Once entered it is written to flash, so there is no need to worry about losing it.

After restarting the emulator, check the firewall's status again: it is now the unrestricted, full-featured version!!!

CODE:

pixfirewall> sh ver

sh ver

Cisco PIX Security Appliance Software Version 7.2(1)

Compiled on Wed 31-May-06 14:45 by root

System image file is "Unknown, monitor mode tftp booted image"

Config file at boot was "startup-config"

pixfirewall up 1 min 18 secs

Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 00aa.0000.0201, irq 9

1: Ext: Ethernet1 : address is 00aa.0000.0202, irq 11

2: Ext: Ethernet2 : address is 00aa.0000.0203, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 10

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 707211225

Running Activation Key: 0x12345678 0x97def6da 0x732a91f5 0xf5deef57

Configuration has not been modified since last system restart.


4. Limiting CPU usage

QUOTE:

Left unrestricted, pemu will use as much CPU as it can get, which means you can forget about doing anything else on your machine.

Fortunately, limiting the CPU usage of a single process is simple: install BES, run it, and throttle the pemu process.

Click "TARGET" and select the firewall emulator's process, "pemu.exe".

Click "LIMIT this".

Click "CONTROL" to limit the CPU usage.

5. Batch script

QUOTE:

To avoid starting BES and pemu by hand every time, both can be put into one .bat file:

CODE:

I:\cisco\ccsp\pix模拟软件\BES\BES.exe

I:\cisco\ccsp\pix模拟软件\pemu_win32_02\pemu.exe -net nic,vlan=1,macaddr=00:aa:00:00:02:01 -net tap,vlan=1,script=if1up,ifname=tap0 -net nic,vlan=2,macaddr=00:aa:00:00:02:02 -net tap,vlan=2,script=if2up,ifname=tap1 -net nic,vlan=3,macaddr=00:aa:00:00:02:03 -net tap,vlan=3,script=if3up,ifname=tap2 -serial tcp::4444,server

On XP the options script=if1up, script=if2up and script=if3up can be removed; they are only needed on Linux.

The .bat file has no effect the first time it is run; close it and run it again and it works.

pix-e0----------------tap0

pix-e1----------------tap1

pix-e2----------------tap2

Just assign an IP to the PIX's e0 and bring the interface up, give XP's tap0 an IP, and the two can ping each other.


6. Building the network

QUOTE:

Virtual machine software ---- Edit ---- Virtual Network Settings ---- Host Virtual Network Mapping

Map vnet3 to the second NIC created by OpenVPN (tap1).

Map vnet4 to the third NIC created by OpenVPN (tap2). vnet3 and vnet4 automatically switch to bridged mode.

In the virtual machine's settings, attach the guest operating system's NIC to vnet3 or vnet4.

Done: the firewall's inside, outside and dmz all have hosts connected, and you can start practising.

Finally, if the PIX should join the network the host (Windows XP) itself is on, select the virtual NIC (tap0) and the physical NIC in XP's Network Connections (My Network Places, Properties), right-click and choose Bridge Connections.


7. Network diagram of the final emulated setup

QUOTE:

8. Emulating two PIX 525 firewalls for failover

QUOTE:

Create several more virtual TAP NICs and rename them tap11, tap12, tap13, tap14, ...

In XP's Network Connections, select tap12 and tap14 together and create a bridge.

Copy the pemu directory and edit the configuration file.

Startup .bat file for pix1:

CODE:

pemu.exe -net nic,vlan=1,macaddr=00:aa:00:01:02:01 -net tap,vlan=1,ifname=tap11 -net nic,vlan=2,macaddr=00:aa:00:01:02:02 -net tap,vlan=2,ifname=tap12 -serial tcp::4445,server

Startup .bat file for pix2:

CODE:

pemu.exe -net nic,vlan=1,macaddr=00:aa:00:02:02:01 -net tap,vlan=1,ifname=tap13 -net nic,vlan=2,macaddr=00:aa:00:02:02:02 -net tap,vlan=2,ifname=tap14 -serial tcp::4446,server

Start pix1 and do the normal configuration.

On pix1, do the configuration required for failover.

Start pix2 and do the configuration required for failover. Remember: if you use LAN-based failover, don't forget to "no shut" the interface used for failover, otherwise failover will never come up.
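The command lines in sections 3, 5 and 8 all follow one pattern: a -net nic entry carrying the MAC, a -net tap entry carrying the adapter name, the two tied together by the same vlan number, and one -serial tcp::PORT,server console per emulator. When a second emulator is added for failover, every tap adapter, MAC and console port has to be unique across both instances or one of them fails to start or the two frames collide on the shared segment. The following script is an added example for this write-up, not code from the original post or from pemu: it generates the command line for any number of instances and interfaces from a small description and reports adapters, MACs or ports that two instances would share. The argument syntax is copied from the post's .bat files; the collision rules (no shared tap, MAC or port between instances; no multicast bit in a NIC's MAC) are this example's own checks. The sample instances are the pix1 and pix2 definitions from section 8.

```python
"""Build pemu command lines for several emulated PIX instances and check that
they can run side by side.

Added example, not code from the original post or from pemu. The -net/-serial
syntax is copied from the post's .bat files; the collision rules are this
example's own assumptions about what stops two instances coexisting.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


@dataclass
class PixInstance:
    name: str
    console_port: int              # -serial tcp::PORT,server
    ifaces: List[Tuple[str, str]]  # (macaddr, tap ifname), one per PIX EthernetN


def build_cmdline(inst, exe="pemu.exe"):
    """Emit one -net nic / -net tap pair per interface; vlan=N ties the pair together."""
    args = [exe]
    for vlan, (mac, tap) in enumerate(inst.ifaces, start=1):
        args.append(f"-net nic,vlan={vlan},macaddr={mac}")
        args.append(f"-net tap,vlan={vlan},ifname={tap}")
    args.append(f"-serial tcp::{inst.console_port},server")
    return " ".join(args)


def find_collisions(instances):
    """Return human-readable problems that would stop these instances running together."""
    problems = []
    owners = {"tap": {}, "mac": {}, "port": {}}

    def claim(kind, value, who):
        prev = owners[kind].get(value)
        if prev is None:
            owners[kind][value] = who
        elif prev == who:
            problems.append(f"{who}: {kind} {value} used twice")
        else:
            problems.append(f"{kind} {value} used by both {prev} and {who}")

    for inst in instances:
        claim("port", inst.console_port, inst.name)
        for mac, tap in inst.ifaces:
            if not MAC_RE.match(mac):
                problems.append(f"{inst.name}: malformed MAC {mac!r}")
            elif int(mac.split(":")[0], 16) & 0x01:
                # A group (multicast) address can never be a NIC's own address.
                problems.append(f"{inst.name}: MAC {mac} has the multicast bit set")
            claim("mac", mac.lower(), inst.name)
            claim("tap", tap, inst.name)
    return problems


# Constructed sample: the two failover instances from section 8 of the post.
PIX1 = PixInstance("pix1", 4445, [("00:aa:00:01:02:01", "tap11"),
                                  ("00:aa:00:01:02:02", "tap12")])
PIX2 = PixInstance("pix2", 4446, [("00:aa:00:02:02:01", "tap13"),
                                  ("00:aa:00:02:02:02", "tap14")])


def render_bat(instances, exe="pemu.exe"):
    """One launch line per instance, ready to paste into a .bat file."""
    return "\n".join(build_cmdline(i, exe) for i in instances) + "\n"


if __name__ == "__main__":
    for problem in find_collisions([PIX1, PIX2]):
        print("PROBLEM:", problem)
    print(render_bat([PIX1, PIX2]))
```

Run find_collisions before writing the .bat files whenever you add an interface or a third instance; a reported tap or port collision is the first thing to rule out when a second emulator refuses to start while the first is already running.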

This article is reposted from gauyanm's 51CTO blog; original link: http://blog.51cto.com/gauyanm/239982. Contact the original author if you wish to repost it.
