CBAC配置教程例举
2514 Router
version 11.3.3.T
!
no service tcp-small-servers
no service udp-small-servers
service password-encryption
no cdp running
no ip source-route
enable secret
!
!--- Here we have a syslog server.
!
logging 192.168.27.131
!
!--- This command enables the logging of session information (addresses and bytes).
!
ip inspect audit-trail
!
!--- Sets the length of time a TCP session is still managed after no activity.
!
ip inspect tcp idle-time 14400
!
!--- Sets the length of time a UDP session is still managed after no activity.
!
ip inspect udp idle-time 1800
!
!--- Sets the length of time a DNS name lookup session is still managed
!--- after no activity.
!
ip inspect dns-timeout 7
!
!--- Sets up inspection list "standard"
!--- to be used for inspection of inbound Ethernet 0
!--- and inbound serial (applied to both interfaces).
!
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard http
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
interface ethernet 0
ip address 192.168.27.129 255.255.255.128
!
!--- Apply access list to allow all legitimate traffic from inside network
!--- but prevent spoofing.
!
ip access-group 101 in
!
!--- Apply an access list to allow some ICMP traffic; deny all else.
!--- The inspection list will add entries to this list to permit
!--- return traffic for connections established from inside.
!
ip access-group 102 out
!
!--- Apply inspection list "standard" for
!--- inspection of inbound Ethernet traffic.
!
ip inspect standard in
no ip directed-broadcast
no cdp enable
interface ethernet 1
ip address 192.168.27.1 255.255.255.128
!
!--- Apply the access list to permit DMZ traffic (except spoofing)
!--- DMZ interface inbound.
!
ip access-group 111 in
!
!--- Apply the access list to permit DNS, www, FTP, SMTP, POP3, Telnet
!--- to DMZ interface outbound.
!
!--- Inspection configured on other interfaces will add temporary entries
!--- to this list.
!
ip access-group 112 out
no ip directed-broadcast
no cdp enable
interface serial 0
ip address 200.200.200.1 255.255.255.0
!
!--- Apply the access list to prevent spoofing.
!
ip access-group 121 in
!
!--- Allow ping replies from inside or DMZ; permit inside traffic back out.
!--- Inspection will add temporary entries to this list.
!
ip access-group 122 out
!
!--- Apply inspection list "standard" for
!--- inspection of inbound serial traffic.
!
ip inspect standard in
no ip directed-broadcast
no cdp enable
!
!--- Access list 20 will be used to control which
!--- network management stations can access via SNMP.
!
access-list 20 permit 192.168.27.5
!
!--- We use an access list to allow all legitimate traffic from
!--- the inside network but prevent spoofing.
!
access-list 101 permit ip 192.168.27.128 0.0.0.127 any
access-list 101 deny ip any any
!
!--- Allow some ICMP traffic; deny all else.
!--- The inspection list will add entries to this list to permit
!--- return traffic for connections established from inside.
!
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 administratively-prohibited
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo-reply
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 packet-too-big
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 time-exceeded
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 traceroute
access-list 102 permit icmp any 192.168.27.128 0.0.0.127 unreachable
access-list 102 deny ip any any
!
!
!--- The access list permits DMZ traffic (except spoofing)
!--- on DMZ interface inbound.
!
access-list 111 permit ip 192.168.27.0 0.0.0.127 any
access-list 111 deny ip any any
!
!
!--- This access list permits DNS, www, FTP, SMTP, POP3, Telnet to DMZ
!--- interface outbound. Inspection configured on other interfaces
!--- will add temporary entries to this list.
!
access-list 112 permit udp any host 192.168.27.3 eq domain
access-list 112 permit tcp any host 192.168.27.3 eq domain
access-list 112 permit tcp any host 192.168.27.3 eq www
access-list 112 permit tcp any host 192.168.27.3 eq ftp
access-list 112 permit tcp any host 192.168.27.3 eq smtp
access-list 112 permit tcp 192.168.27.128 0.0.0.127 host 192.168.27.3 eq pop3
access-list 112 permit tcp 192.168.27.128 0.0.0.127 any eq telnet
access-list 112 permit icmp any 192.168.27.0 0.0.0.127 administratively-prohibited
access-list 112 permit icmp any 192.168.27.0 0.0.0.127 echo
access-list 112 permit icmp any 192.168.27.0 0.0.0.127 echo-reply
access-list 112 permit icmp any 192.168.27.0 0.0.0.127 packet-too-big
access-list 112 permit icmp any 192.169.27.0 0.0.0.127 time-exceeded
access-list 112 permit icmp any 192.168.27.0 0.0.0.127 traceroute
access-list 112 permit icmp any 192.168.27.0 0.0.0.127 unreachable
access-list 112 deny ip any any
!
!--- Access list to prevent spoofing.
!
access-list 121 deny ip 192.168.27.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 permit ip any any
!
!
!--- Access list for ping replies from inside or DMZ; permit inside traffic back out.
!--- Inspection will add temporary entries to this list.
!
access-list 122 permit icmp 192.168.27.0 0.0.0.255 any echo-reply
access-list 122 permit icmp 192.168.27.0 0.0.0.255 any time-exceeded
access-list 122 deny ip 192.168.27.0 0.0.0.127 any
access-list 122 permit ip 192.168.27.128 0.0.0.127 any
!
!--- Apply access list 20 for SNMP process.
!
snmp-server community secret RO 20
!
line con 0
exec-timeout 5 0
password 7 14191D1815023F2036
login local
line vty 0 4
exec-timeout 5 0
password 7 14191D1815023F2036
login local
length 35
end
天下网吧·网吧天下
闽公网安备35010202000238号