一个FWSM路由模式配置实例

2012-11-09

    应用情况为：两个接口中，outside接口接入广域网，inside接口位于局域网，运行OSPF路由协议；只开放局域网中需要被广域网访问的服务器和端口，其余一律不允许访问。这个应用的情况比较简单，日后可以继续扩展，如增加服务器区等。
    sh run
    : Saved
    :
    FWSM Version 3.2(2)
    !
    ! NOTE(review): this is a terminal capture of "show running-config"; the
    ! "<--- More --->" lines below are pager prompts, not configuration.
    !
    hostname SDDL-Internal-FW
    domain-name sddl.com
    ! NOTE(review): the same hash is used for "enable password" and "passwd"
    ! further down, so the privileged and login secrets are one and the same,
    ! and the hash is published with this page.
    enable password Z1UFjQZdKfrZkYLf encrypted
    names
    !
    ! outside: security-level 0, faces the WAN; OSPF adjacency is formed on this
    ! interface (see "router ospf 100" and the "permit ospf any any" ACL entry).
    interface Vlan254
    nameif outside
    security-level 0
    ip address X.Y.254.254 255.255.255.252
    ospf hello-interval 1
    ospf dead-interval 3
    !
    ! Internal: security-level 99, faces the LAN. The 1s/3s OSPF timers must
    ! match the neighbouring routers on both segments — not visible here.
    interface Vlan2254
    nameif Internal
    security-level 99
    ip address X.Y.254.1 255.255.255.252
    ospf hello-interval 1
    ospf dead-interval 3
    !
    passwd Z1UFjQZdKfrZkYLf encrypted
    ftp mode passive
    <--- More --->
    ! acl-in is applied inbound on Internal (see access-group below):
    ! everything from the LAN toward the WAN is permitted.
    access-list acl-in extended permit ip any any
    ! SHJT_to_SDDL is applied inbound on outside. The first entry permits
    ! telnet from any WAN source to ANY inside host, which is broader than the
    ! stated goal of opening only specific servers/ports; the ospf entry is what
    ! lets the outside OSPF adjacency form.
    access-list SHJT_to_SDDL extended permit tcp any any eq telnet
    access-list SHJT_to_SDDL extended permit icmp any any
    access-list SHJT_to_SDDL extended permit ospf any any
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 3389
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.1.13 eq lotusnotes
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq www
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq 8080
    access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
    access-list SHJT_to_SDDL extended permit tcp 10.229.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq pop3
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq smtp
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq www
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq imap4
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 63148
    access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 63148
    access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 143
    access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 389
    access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq https
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 8000
    access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 8000
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 7000
    access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 7000
    <--- More --->
    access-list SHJT_to_SDDL extended permit udp any host X.Y.128.38 eq 7000
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.38 eq 7000
    access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.50 eq 8080
    access-list SHJT_to_SDDL extended permit udp any host X.Y.128.32 eq domain
    ! The "permit ip any host ..." entries below open every protocol and port on
    ! those hosts to any WAN source; the per-port entries above for X.Y.128.32
    ! and X.Y.128.37 are made redundant by them.
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.45
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.39
    access-list SHJT_to_SDDL extended permit ip any host X.Y.1.12
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.42
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.37
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.46
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.44
    access-list SHJT_to_SDDL extended permit ip any host X.Y.128.32
    access-list SHJT_to_SDDL extended permit tcp 10.228.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
    access-list SHJT_to_SDDL extended permit tcp 10.227.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
    pager lines 24
    ! Logging goes only to the ASDM buffer; no "logging host"/"logging trap"
    ! line appears in this listing, so nothing is exported to a syslog collector.
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu Internal 1500
    ! Unicast RPF on both interfaces: drops packets whose source does not route
    ! back through the receiving interface.
    ip verify reverse-path interface outside
    ip verify reverse-path interface Internal
    ! Failover is disabled although a unit role is still set.
    no failover
    failover lan unit secondary
    ! ICMP addressed to the firewall itself is accepted from any source on both
    ! interfaces.
    icmp permit any outside
    <--- More --->
    icmp permit any Internal
    no asdm history enable
    arp timeout 14400
    access-group SHJT_to_SDDL in interface outside
    access-group acl-in in interface Internal
    !
    ! Both firewall interfaces are advertised into area 0; router-id is the
    ! outside address.
    router ospf 100
    network X.Y.254.1 255.255.255.255 area 0
    network X.Y.254.254 255.255.255.255 area 0
    router-id X.Y.254.254
    log-adj-changes
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ! AAA server groups are declared but no server host is attached to either,
    ! and no "aaa authentication" line binds management access to them — in
    ! this listing management logins fall back to the local "passwd"/username.
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    username sddl password QZbkfU0FC8LZLZ6k encrypted
    ! HTTPS/ASDM management is reachable from any address on the outside (WAN)
    ! interface; on Internal it is limited to two /24s.
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http X.Y.160.0 255.255.255.0 Internal
    <--- More --->
    http X.Y.128.0 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    ! Default community string "public"; traps are enabled but no
    ! "snmp-server host" destination appears in this listing.
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt nodnsalias inbound
    sysopt nodnsalias outbound
    sysopt noproxyarp outside
    sysopt noproxyarp Internal
    ! Telnet (cleartext) management is open from any address on BOTH interfaces,
    ! including the WAN side. "ssh timeout" is set but no "ssh <addr> <mask>
    ! <interface>" line exists, so SSH is not actually permitted from anywhere.
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 0.0.0.0 0.0.0.0 Internal
    telnet timeout 5
    ssh timeout 5
    ! Console sessions never time out.
    console timeout 0
    !
    class-map class_sip_tcp
    match port tcp eq sip
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    ! Default inspection set applied globally; SIP is additionally inspected
    ! on TCP via class_sip_tcp.
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    <--- More --->
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect ctiqbe
    inspect dcerpc
    inspect http
    inspect icmp
    inspect ils
    inspect mgcp
    inspect rtsp
    inspect sip
    inspect snmp
    class class_sip_tcp
    inspect sip
    !
    service-policy global_policy global
    <--- More --->
    prompt hostname context
    Cryptochecksum:3224aa347a06e32ac4f006510f5606f0
    : end
    SDDL-Internal-FW# exit
