高手快来帮忙啊，关于路由问题！...

请教高手，现在如下的网络：外部网通过广电的专线接入，地址为202.98.156.a，网关为202.98.156.b;自己内部有一个局域网，划分为一个网段，地址为172.16.1.0这个网段，网关设为172.16.1.254;并且自己还有一个办公专网，与内网和外网都处于隔离状态，地址为10.15.12.0这个网段（属自己划分），网关设为10.15.12.254; 现用一防火墙来完成几个网之间的连接，并使内网所有地址可以访问外网，外网能门市部内网的其中某一台机器，比如地址为172.16.1.8，办公专网与内网和外网三者之间均不能互访，但办公专网要受到防火墙的保护; 请问高手该如何完成上面所须的功能？主要是在防火墙里怎样加路由，端口及规则这些我都会，就是路由这儿不知道应该怎样加，请高手给予帮忙，谢谢

forwarding · 发表于 2003-10-15 09:42:00

我给你个配置，你参考一下！ PIX Version 6.1(4) nameif ethernet0 outside security0-------------------指定outside端口安全系数 nameif ethernet1 inside security100-----------------指定inside端口安全系数 nameif ethernet2 dmz security50-----------------------指定dmz端口安全系数 enable password Gdc3HRDV9JsazXRX encrypted---指定enable密码 passwd 2KFQnbNIdI.2KYOU encrypted------------------指定一般模式密码 hostname nmgjw fixup protocol ftp 21-----------------------------------协议端口修正 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names access-list acl_out permit ip any any------------------------设置访问列表（应用于outside端口） access-list acl_dmz permit icmp any any-------------------设置访问列表（应用于dmz端口） pager lines 24 interface ethernet0 auto-----------------------------------------端口速率设定 interface ethernet1 auto interface ethernet2 auto mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip address outside 61.xxx.xx.xx 255.255.255.248---------------指定outside端口地址 ip address inside 192.168.1.253 255.255.255.0-----------------指定inside端口地址 ip address dmz 192.168.10.254 255.255.255.0-----------------指定dmz端口地址 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 failover ip address dmz 0.0.0.0 pdm history enable arp timeout 14400 global (outside) 1 61.xxx..xx.xx1 netmask 255.255.255.248----------------设立outside区全局地址 global (outside) 1 61.xxx..xx.xx-------------------------------------------------设定outside区PAT global (dmz) 1 192.168.10.10-192.168.10.20 netmask 255.255.255.0-----设立dmz区全局地址 global (dmz) 1 192.168.10.21-----------------------------------------------------设定dmz区PAT nat (inside) 1 0.0.0.0 0.0.0.0 0 0------------------------------------------------inside区ip nat条件 nat (dmz) 1 192.168.10.0 255.255.255.0 0 0-----------------------------------dmz区ip nat条件 static (dmz,outside) 61.xxx.xx.xx 192.168.10.253 netmask 255.255.255.255 0 0---dmz/outside静态地址转换 static (inside,outside) 61.xxx.xxx.xx 192.168.1.252 netmask 255.255.255.255 0 0----inside/outside区静态地址转换 access-group acl_out in interface outside-----应用acl-out列表于outside端口 rip inside passive version 1 rip inside default version 1 route outside 0.0.0.0 0.0.0.0 61.xxx.xx.xx 1--------缺省路由 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si p 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable no sysopt route dnat telnet 192.168.0.99 255.255.255.255 inside telnet timeout 5 ssh timeout 5 terminal width 80 Cryptochecksum:86c885d69355bf7443a59bcdfa2f2bfb