I know very little about this, but I'd be grateful if someone could take the time to help me. We updated McAfee SaaS Protection, and I'm trying to set up the IP addresses they require in our Cisco PIX 501 so that their servers can route email through the firewall on the SMTP port to our server. I've been at this all day but can't seem to get the configuration right. I now think there are some unneeded entries in the PIX. Right now they are reaching the McAfee servers but not getting through to our server. I think my questions are as follows:
1.) How do I remove the unneeded entries and enter the correct ones?
2.) How do I get the PIX to allow a range of IP addresses through? I need to allow 208.65.144.0-208.65.151.255 and 208.81.64.0-208.81.71.255 through.
3.) How do I test it to make sure it is working properly?
If someone can point me to some reasonably easy-to-understand reading material, I don't mind reading it. Below is the information from our PIX box.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <removed> encrypted
passwd <removed> encrypted
hostname PIXDaniels
domain-name danielsconstructioninc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.7 Exchange
name 10.0.0.8 Web1
access-list 101 permit icmp any any
access-list 101 permit tcp any host 24.xxx.xxx.xx eq pptp
access-list 101 permit tcp any host 24.xxx.xxx.xx eq www
access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 24.xxx.xxx.xx eq smtp
access-list 101 permit tcp any host 24.xxx.xxx.xx eq https
access-list 102 permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list 103 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 104 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 105 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list 106 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list 107 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-list acl_out permit tcp host 208.65.144.0 eq smtp any
access-list acl_out permit tcp host 208.81.64.0 eq smtp any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.xxx.xxx.xx 255.255.255.252
ip address inside 10.0.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255 0 0
static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set candle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 24.xxx.xxx.xxx
crypto map transam 1 set transform-set candle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 103
crypto map transam 2 set peer 24.xxx.xxx.xxx
crypto map transam 2 set transform-set candle
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 104
crypto map transam 3 set peer 209.180.70.70
crypto map transam 3 set transform-set candle
crypto map transam 4 ipsec-isakmp
crypto map transam 4 match address 105
crypto map transam 4 set peer 24xxx.x.xxx
crypto map transam 4 set transform-set candle
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 106
crypto map transam 5 set peer 63.230.147.133
crypto map transam 5 set transform-set candle
crypto map transam 6 ipsec-isakmp
crypto map transam 6 match address 107
crypto map transam 6 set peer 24.xxx.xx.xxx
crypto map transam 6 set transform-set candle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 209.180.70.70 netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.x.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 63.230.147.133 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 208.65.144.0 255.255.255.255 outside
telnet 208.81.64.0 255.255.255.255 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 208.65.144.0 255.255.255.255 inside
telnet 208.81.64.0 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.0.102.100-10.0.102.200 inside
dhcpd dns 22.xxx.x.xx 24.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d391c84f416a746cf0e31df16ab7050e
: end
The working log is below. Do you know what might have happened with the VPN and OMA?
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname PIXDaniels
domain-name danielsconstructioninc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.7 Exchange
name 10.0.0.8 Web1
access-list 101 permit icmp any any
access-list 101 permit tcp any host 24.xxx.xxx.xx eq pptp
access-list 101 permit tcp any host 24.xxx.xxx.xxx eq www
access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 24.xxx.xxx.xx eq smtp
access-list 101 permit tcp any host 24.xxx.xxx.xx eq https
access-list 102 permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list 103 permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 104 permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 105 permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list 106 permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list 107 permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp log
access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp log
access-list acl_out deny ip any any log
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.x.xx.xx 255.255.255.252
ip address inside 10.0.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp Exchange pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 24.xxx.xxx.xx x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set candle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 24.111.168.154
crypto map transam 1 set transform-set candle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 103
crypto map transam 2 set peer 24.111.172.114
crypto map transam 2 set transform-set candle
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 104
crypto map transam 3 set peer 209.180.70.70
crypto map transam 3 set transform-set candle
crypto map transam 4 ipsec-isakmp
crypto map transam 4 match address 105
crypto map transam 4 set peer 24.111.4.142
crypto map transam 4 set transform-set candle
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 106
crypto map transam 5 set peer 63.230.147.133
crypto map transam 5 set transform-set candle
crypto map transam 6 ipsec-isakmp
crypto map transam 6 match address 107
crypto map transam 6 set peer 24.111.26.150
crypto map transam 6 set transform-set candle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 209.180.70.70 netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.x.xxx netmask 255.255.255.255
isakmp key ******** address 24.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 63.230.147.133 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.0.102.100-10.0.102.200 inside
dhcpd dns 22.xxx.x.xx 24.xxx.x.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d391c84f416a746cf0e31df16ab7050e
: end
Thanks again for your time.
Information on my situation:
Our part-time IT person moved away and can't provide the service we need. Because our renewal with McAfee lapsed, they stopped passing our email through their servers, so we could no longer receive email. We went back and revisited the problem. Then we found out they had stopped using Postini to provide the service and had started filtering email with their own servers. Now we have lost an IT person, and I'm trying to cover our basic needs until we find a suitable IT person. So I had to reconfigure our PIX box to accept the new server addresses, which is what you helped me do. While I was fiddling with the PIX box, my phone stopped receiving email and our manual VPN stopped working. My phone is a Droid 2 Global, trying to connect to the Exchange server using ActiveSync with SSL. At first we had a problem, but we did the following to get it working: secured OWA with an SSL certificate, pointed traffic on port 443 to the OWA site, and kept all other web traffic on 80. We were still having some problems, so the IT person followed this link, which finally got my Droid email working.
As far as I know, our setup is as follows:
Our office has a web server and an Exchange server behind a Cisco PIX 501. We have (3) satellite offices that have VPN tunnels set up to the Exchange server, so they are always connected to the network. Now my phone can't connect to the server to get email, and I can't manually VPN into our office network, but the tunnels are running. The manual VPN and email on my phone seem to have stopped working when we switched over to the new McAfee server addresses.
Answer 1
It looks like you just need a few changes to your acl_out ACL:
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
That one is probably old, right? These are the ones that were added:
access-list acl_out permit tcp host 208.65.144.0 eq smtp any
access-list acl_out permit tcp host 208.81.64.0 eq smtp any
Change these to allow the full ranges you mentioned:
access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp
access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp
At a quick glance, these look redundant:
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255 0 0
static (inside,outside) 208.65.144.0 24.xxx.xxx.xx netmask 255.255.255.255 0 0
telnet 208.65.144.0 255.255.255.255 outside
telnet 208.81.64.0 255.255.255.255 outside
telnet 208.65.144.0 255.255.255.255 inside
telnet 208.81.64.0 255.255.255.255 inside
This is probably not good:
ssh 0.0.0.0 0.0.0.0 outside
It should probably be changed to match the management policy of your telnet rule:
ssh 10.0.0.0 255.0.0.0 inside
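The asker's question 3 was how to verify the change. As an added example, not code from the question or the answer, the following Python checker parses the source field of PIX-style acl_out entries (PIX 6.x takes a normal subnet mask there, not an IOS wildcard) and reports which addresses of each range the asker listed are still not permitted, so the result of any mask can be checked before it goes on the firewall. The ACL lines and ranges embedded below are constructed from the text above.

```python
import ipaddress
import re

# Constructed sample input: the two ACL lines from the answer above and the two
# source ranges the asker needs to reach SMTP on the Exchange server.
ACL_LINES = [
    "access-list acl_out permit tcp 208.65.144.0 255.255.255.0 any eq smtp",
    "access-list acl_out permit tcp 208.81.64.0 255.255.255.0 any eq smtp",
]
REQUIRED_RANGES = [("208.65.144.0", "208.65.151.255"), ("208.81.64.0", "208.81.71.255")]

# Source field of a PIX 6.x 'permit tcp' entry: 'host A.B.C.D' or 'network mask'.
# PIX ACLs use a normal subnet mask here, not the inverted IOS wildcard mask.
SRC_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+tcp\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))\s"
)

def parse_sources(lines):
    """Return the source network each matching ACL line permits ('host X' is X/32)."""
    nets = []
    for line in lines:
        m = SRC_RE.match(line.strip())
        if not m:
            continue
        if m.group("host"):
            nets.append(ipaddress.ip_network(m.group("host") + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False))
    return nets

def uncovered(nets, first, last):
    """CIDR blocks inside first..last (inclusive) that no permitted network covers."""
    pieces = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    for net in nets:
        remaining = []
        for p in pieces:
            if not p.overlaps(net):
                remaining.append(p)                        # untouched by this entry
            elif p.subnet_of(net):
                continue                                   # fully covered, drop it
            else:
                remaining.extend(p.address_exclude(net))   # net lies strictly inside p
        pieces = remaining
    return sorted(pieces)

def check(lines, ranges):
    """Map each required range to the CIDR blocks the ACL still leaves out (empty = OK)."""
    nets = parse_sources(lines)
    return {f"{a}-{b}": [str(n) for n in uncovered(nets, a, b)] for a, b in ranges}
```

With the sample lines, each range reports 1792 addresses still outside the permitted networks, because 255.255.255.0 covers only the first /24 of each 8 x /24 range; a 255.255.248.0 mask makes both results empty.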