在pix或asa如何防止内网用户乱改ip配置案例

　　防止内网用户乱该ip地址，用户只能用给定的ip，如果改ip地址，则无法访问网络资源。

　　例如：做了下述配置后(arp inside 10.64.64.29 000f.b0d8.a504)，mac地址为000f.b0d8.a504的pc只能使用ip10.64.64.29来访问网络资源，如果该ip则无法访问。

　　pix515e# sh run

　　: Saved

　　:

　　PIX Version 7.2(1)

　　!

　　hostname pix515e

　　domain-name cisco

　　enable password N7FecZuSHJlVZC2P encrypted

　　做名字解析

　　****************************************************

　　names

　　name 10.64.64.113 chengxiaojie

　　name 10.64.64.13 dhcp

　　name 10.64.64.71 liuyongjun

　　name 10.64.64.72 liuyongjun-ibm

　　name 10.64.64.39 lixiaoliang

　　name 10.64.64.103 lixuesong

　　name 10.64.64.17 lulianying

　　name 10.64.64.92 qizuomeng

　　name 10.64.64.69 wangzhili

　　name 10.64.64.105 xingzhonghe

　　name 10.64.64.45 tanjun

　　name 10.64.64.108 zhangyi

　　name 10.64.64.178 hujian

　　name 10.64.64.93 ibm220

　　name 10.64.64.62 jiling

　　name 10.64.64.111 yangliu

　　name 10.64.64.112 wangsishen

　　name 10.64.64.158 wangyuguo

　　name 10.64.64.52 lishihai

　　name 10.64.64.78 office-teacher

　　name 10.64.64.48 yangjin

　　name 10.64.64.104 wutao

　　name 10.64.64.63 zangdong

　　name 10.64.64.80 xiaoguangyue

　　name 10.64.64.14 ibm235

　　name 10.64.64.222 lixuesong-dell

　　name 10.64.64.75 maxiaopeng

　　name 10.64.64.215 lintao

　　name 10.64.64.199 machi

　　name 10.64.64.216 liuxuesong

　　name 10.64.64.246 jiachangjing

　　name 10.64.64.61 chufw

　　****************************************************

　　!

　　interface Ethernet0

　　nameif outside

　　security-level 0

　　ip address X.X.76.26 255.255.255.0

　　!

　　interface Ethernet1

　　nameif inside

　　security-level 100

　　ip address 10.64.64.2 255.255.240.0

　　!

　　interface Ethernet2

　　nameif dmz

　　security-level 80

　　ip address 192.168.0.1 255.255.255.0

　　!

　　passwd N7FecZuSHJlVZC2P encrypted

　　!

　　time-range worktime

　　periodic daily 8:00 to 17:00

　　!

　　ftp mode passive

　　clock timezone CST 8

　　dns domain-lookup outside

　　dns server-group DefaultDNS

　　name-server 219.150.32.132

　　domain-name cisco

　　做object-group以便在acl里被调用（注：object-group是个好东东，可以大大简化acl的配置）

　　****************************************************

　　object-group network www

　　network-object host xingzhonghe

　　network-object host chengxiaojie

　　network-object host dhcp

　　network-object host liuxuesong

　　network-object host wangzhili

　　network-object host liuyongjun

　　network-object host liuyongjun-ibm

　　network-object host lulianying

　　network-object host chufw

　　network-object host jiachangjing

　　network-object host maxiaopeng

　　network-object host 10.64.64.255

　　object-group network guest

　　network-object 10.64.66.112 255.255.255.240

　　object-group network caiwu

　　network-object 10.64.66.0 255.255.255.224

　　object-group service netmeeting tcp

　　port-object range 1503 1503

　　port-object range h323 h323

　　object-group network worktime

　　network-object host wutao

　　network-object host zhangyi

　　network-object host yangliu

　　network-object host wangsishen

　　network-object host wangyuguo

　　network-object host 10.64.64.169

　　network-object host 10.64.64.18

　　network-object host machi

　　network-object host lintao

　　network-object host liuxuesong

　　network-object host lixuesong-dell

　　network-object host 10.64.64.247

　　network-object host 10.64.64.29

　　network-object host 10.64.64.30

　　network-object host yangjin

　　network-object host lishihai

　　network-object host 10.64.64.55

　　network-object host jiling

　　network-object host office-teacher

　　****************************************************

　　access-list outside_access_in extended permit icmp any any echo-reply

　　access-list outside_access_in extended permit tcp any any object-group netmeeting

　　调用上述的object-group到acl

　　****************************************************