天下网吧 >> 网吧方案 >> 方案实例 >> 正文

CBAC配置教程例举


  
  
  2514 Router
  version 11.3.3.T
  !
  no service tcp-small-servers
  no service udp-small-servers
  service password-encryption
  no cdp running
  no ip source-route
  enable secret
  !
  !--- Here we have a syslog server.
  !
  logging 192.168.27.131
  !
  !--- This command enables the logging of session information (addresses and bytes).
  !
  ip inspect audit-trail
  !
  !--- Sets the length of time a TCP session is still managed after no activity.
  !
  ip inspect tcp idle-time 14400
  !
  !--- Sets the length of time a UDP session is still managed after no activity.
  !
  ip inspect udp idle-time 1800
  !
  !--- Sets the length of time a DNS name lookup session is still managed
  !--- after no activity.
  !
  ip inspect dns-timeout 7
  !
  !--- Sets up inspection list "standard"
  !--- to be used for inspection of inbound Ethernet 0
  !--- and inbound serial (applied to both interfaces).
  !
  ip inspect name standard cuseeme
  ip inspect name standard ftp
  ip inspect name standard h323
  ip inspect name standard http
  ip inspect name standard rcmd
  ip inspect name standard realaudio
  ip inspect name standard smtp
  ip inspect name standard sqlnet
  ip inspect name standard streamworks
  ip inspect name standard tcp
  ip inspect name standard tftp
  ip inspect name standard udp
  ip inspect name standard vdolive
  
  interface ethernet 0
  
  ip address 192.168.27.129 255.255.255.128
  !
  !--- Apply access list to allow all legitimate traffic from inside network
  !--- but prevent spoofing.
  !
  ip access-group 101 in
  !
  !--- Apply an access list to allow some ICMP traffic; deny all else.
  !--- The inspection list will add entries to this list to permit
  !--- return traffic for connections established from inside.
  !
  ip access-group 102 out
  !
  !--- Apply inspection list "standard" for
  !--- inspection of inbound Ethernet traffic.
  !
  ip inspect standard in
  
  no ip directed-broadcast
  no cdp enable
  
  interface ethernet 1
  ip address 192.168.27.1 255.255.255.128
  
  !
  !--- Apply the access list to permit DMZ traffic (except spoofing)
  !--- DMZ interface inbound.
  !
  ip access-group 111 in
  !
  !--- Apply the access list to permit DNS, www, FTP, SMTP, POP3, Telnet
  !--- to DMZ interface outbound.
  !
  !--- Inspection configured on other interfaces will add temporary entries
  !--- to this list.
  !
  ip access-group 112 out
  
  no ip directed-broadcast
  no cdp enable
  
  interface serial 0
  
  ip address 200.200.200.1 255.255.255.0
  
  !
  !--- Apply the access list to prevent spoofing.
  !
  ip access-group 121 in
  
  !
  !--- Allow ping replies from inside or DMZ; permit inside traffic back out.
  !--- Inspection will add temporary entries to this list.
  !
  ip access-group 122 out
  
  !
  !--- Apply inspection list "standard" for
  !--- inspection of inbound serial traffic.
  !
  ip inspect standard in
  
  
  no ip directed-broadcast
  no cdp enable
  
  !
  !--- Access list 20 will be used to control which
  !--- network management stations can access via SNMP.
  !
  access-list 20 permit 192.168.27.5
  !
  !--- We use an access list to allow all legitimate traffic from
  !--- the inside network but prevent spoofing.
  !
  access-list 101 permit ip 192.168.27.128 0.0.0.127 any
  access-list 101 deny ip any any
  !
  !--- Allow some ICMP traffic; deny all else.
  !--- The inspection list will add entries to this list to permit
  !--- return traffic for connections established from inside.
  !
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 administratively-prohibited
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo-reply
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 packet-too-big
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 time-exceeded
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 traceroute
  access-list 102 permit icmp any 192.168.27.128 0.0.0.127 unreachable
  access-list 102 deny ip any any
  !
  !
  !--- The access list permits DMZ traffic (except spoofing)
  !--- on DMZ interface inbound.
  !
  access-list 111 permit ip 192.168.27.0 0.0.0.127 any
  access-list 111 deny ip any any
  !
  !
  !--- This access list permits DNS, www, FTP, SMTP, POP3, Telnet to DMZ
  !--- interface outbound. Inspection configured on other interfaces
  !--- will add temporary entries to this list.
  !
  access-list 112 permit udp any host 192.168.27.3 eq domain
  access-list 112 permit tcp any host 192.168.27.3 eq domain
  access-list 112 permit tcp any host 192.168.27.3 eq www
  access-list 112 permit tcp any host 192.168.27.3 eq ftp
  access-list 112 permit tcp any host 192.168.27.3 eq smtp
  access-list 112 permit tcp 192.168.27.128 0.0.0.127 host 192.168.27.3 eq pop3
  access-list 112 permit tcp 192.168.27.128 0.0.0.127 any eq telnet
  access-list 112 permit icmp any 192.168.27.0 0.0.0.127 administratively-prohibited
  access-list 112 permit icmp any 192.168.27.0 0.0.0.127 echo
  access-list 112 permit icmp any 192.168.27.0 0.0.0.127 echo-reply
  access-list 112 permit icmp any 192.168.27.0 0.0.0.127 packet-too-big
  access-list 112 permit icmp any 192.169.27.0 0.0.0.127 time-exceeded
  access-list 112 permit icmp any 192.168.27.0 0.0.0.127 traceroute
  access-list 112 permit icmp any 192.168.27.0 0.0.0.127 unreachable
  access-list 112 deny ip any any
  !
  !--- Access list to prevent spoofing.
  !
  access-list 121 deny ip 192.168.27.0 0.0.0.255 any
  access-list 121 deny ip 127.0.0.0 0.255.255.255 any
  access-list 121 permit ip any any
  !
  !
  !--- Access list for ping replies from inside or DMZ; permit inside traffic back out.
  !--- Inspection will add temporary entries to this list.
  !
  access-list 122 permit icmp 192.168.27.0 0.0.0.255 any echo-reply
  access-list 122 permit icmp 192.168.27.0 0.0.0.255 any time-exceeded
  access-list 122 deny ip 192.168.27.0 0.0.0.127 any
  access-list 122 permit ip 192.168.27.128 0.0.0.127 any
  !
  !--- Apply access list 20 for SNMP process.
  !
  snmp-server community secret RO 20
  !
  line con 0
  exec-timeout 5 0
  password 7 14191D1815023F2036
  login local
  line vty 0 4
  exec-timeout 5 0
  password 7 14191D1815023F2036
  login local
  length 35
  end
  

本文来源:天下网吧 作者:网吧方案

声明
声明:本站所发表的文章、评论及图片仅代表作者本人观点,与本站立场无关。若文章侵犯了您的相关权益,请及时与我们联系,我们会及时处理,感谢您对本站的支持!联系Email:support@txwb.com,系统开号,技术支持,服务联系QQ:1175525021本站所有有注明来源为天下网吧或天下网吧论坛的原创作品,各位转载时请注明来源链接!
天下网吧·网吧天下