
How to stop internal users from arbitrarily changing their IP configuration on a PIX or ASA: a case study


Prevent internal users from arbitrarily changing their IP address: each user may only use the IP assigned to them, and if the IP address is changed, network resources become inaccessible.

Author: forum compilation   Source: zdnet Network Security   March 12, 2008

Keywords: firewall, CISCO, Cisco, Cisco PIX firewall


Read the full article on this page (2 pages in total)


  For example, after the following configuration is applied (arp inside 10.64.64.29 000f.b0d8.a504), the PC with MAC address 000f.b0d8.a504 can only use IP 10.64.64.29 to access network resources; if it changes its IP, it can no longer access them.

  pix515e# sh run
  : Saved
  :
  PIX Version 7.2(1)
  !
  hostname pix515e
  domain-name cisco
  enable password N7FecZuSHJlVZC2P encrypted

  Define name-to-address mappings (name resolution)
  ****************************************************
  names
  name 10.64.64.113 chengxiaojie
  name 10.64.64.13 dhcp
  name 10.64.64.71 liuyongjun
  name 10.64.64.72 liuyongjun-ibm
  name 10.64.64.39 lixiaoliang
  name 10.64.64.103 lixuesong
  name 10.64.64.17 lulianying
  name 10.64.64.92 qizuomeng
  name 10.64.64.69 wangzhili
  name 10.64.64.105 xingzhonghe
  name 10.64.64.45 tanjun
  name 10.64.64.108 zhangyi
  name 10.64.64.178 hujian
  name 10.64.64.93 ibm220
  name 10.64.64.62 jiling
  name 10.64.64.111 yangliu
  name 10.64.64.112 wangsishen
  name 10.64.64.158 wangyuguo
  name 10.64.64.52 lishihai
  name 10.64.64.78 office-teacher
  name 10.64.64.48 yangjin
  name 10.64.64.104 wutao
  name 10.64.64.63 zangdong
  name 10.64.64.80 xiaoguangyue
  name 10.64.64.14 ibm235
  name 10.64.64.222 lixuesong-dell
  name 10.64.64.75 maxiaopeng
  name 10.64.64.215 lintao
  name 10.64.64.199 machi
  name 10.64.64.216 liuxuesong
  name 10.64.64.246 jiachangjing
  name 10.64.64.61 chufw
  ****************************************************
  !
  interface Ethernet0
  nameif outside
  security-level 0
  ip address X.X.76.26 255.255.255.0
  !
  interface Ethernet1
  nameif inside
  security-level 100
  ip address 10.64.64.2 255.255.240.0
  !
  interface Ethernet2
  nameif dmz
  security-level 80
  ip address 192.168.0.1 255.255.255.0
  !
  passwd N7FecZuSHJlVZC2P encrypted
  !
  time-range worktime
  periodic daily 8:00 to 17:00
  !
  ftp mode passive
  clock timezone CST 8
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 219.150.32.132
  domain-name cisco

  Define object-groups so they can be referenced in the ACLs (note: object-groups are very handy and greatly simplify ACL configuration)
  ****************************************************
  object-group network www
  network-object host xingzhonghe
  network-object host chengxiaojie
  network-object host dhcp
  network-object host liuxuesong
  network-object host wangzhili
  network-object host liuyongjun
  network-object host liuyongjun-ibm
  network-object host lulianying
  network-object host chufw
  network-object host jiachangjing
  network-object host maxiaopeng
  network-object host 10.64.64.255
  object-group network guest
  network-object 10.64.66.112 255.255.255.240
  object-group network caiwu
  network-object 10.64.66.0 255.255.255.224
  object-group service netmeeting tcp
  port-object range 1503 1503
  port-object range h323 h323
  object-group network worktime
  network-object host wutao
  network-object host zhangyi
  network-object host yangliu
  network-object host wangsishen
  network-object host wangyuguo
  network-object host 10.64.64.169
  network-object host 10.64.64.18
  network-object host machi
  network-object host lintao
  network-object host liuxuesong
  network-object host lixuesong-dell
  network-object host 10.64.64.247
  network-object host 10.64.64.29
  network-object host 10.64.64.30
  network-object host yangjin
  network-object host lishihai
  network-object host 10.64.64.55
  network-object host jiling
  network-object host office-teacher
  ****************************************************
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended permit tcp any any object-group netmeeting

  Reference the object-groups above in the ACLs
  ****************************************************
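The static ARP entry described above pins the IP-to-MAC mapping for one address only. A host address that the ACLs permit (through the object-groups) but that has no `arp inside` binding is one the firewall will still learn dynamically from whatever MAC claims it, so a practical audit is to list every host in a permitting object-group that lacks a binding. The following is an added example, not the page's config or Cisco code: it parses the `name`, `object-group network` and `arp` statements from a constructed config excerpt in the same syntax as the page (the host names, the second MAC and the `check_inventory` inventory are illustrative assumptions), resolves name aliases the way the ACL engine does, reports unbound hosts, and renders new `arp` commands in the form the page uses.

```python
"""Audit PIX/ASA static ARP bindings against the hosts an object-group permits.
Added example; the config text below is constructed, not the page's full config."""
import ipaddress
import re

# Constructed sample in PIX 7.x syntax: two 'name' aliases, two network
# object-groups, and two static ARP bindings (the first is the one the page
# describes; the second MAC is illustrative).
SAMPLE_CONFIG = """\
names
name 10.64.64.113 chengxiaojie
name 10.64.64.17 lulianying
!
object-group network www
 network-object host chengxiaojie
 network-object host lulianying
 network-object host 10.64.64.29
object-group network guest
 network-object 10.64.66.112 255.255.255.240
!
arp inside 10.64.64.29 000f.b0d8.a504
arp inside 10.64.64.113 0011.2233.4455
"""

# Cisco's dotted-quad-of-hex MAC notation, as used by the arp command.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_config(text):
    """Return name aliases, network object-group members and arp bindings."""
    names, groups, arp = {}, {}, {}
    current = None  # object-group whose member lines we are inside
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]           # alias -> address
        elif parts[:2] == ["object-group", "network"] and len(parts) == 3:
            current = parts[2]
            groups[current] = []
        elif parts[0] == "network-object" and current is not None:
            if parts[1] == "host":
                groups[current].append(("host", parts[2]))
            else:
                groups[current].append(("net", parts[1], parts[2]))
        elif parts[0] == "arp" and len(parts) == 4:
            iface, ip, mac = parts[1], parts[2], parts[3].lower()
            if not MAC_RE.match(mac):
                raise ValueError(f"malformed MAC in line: {raw.strip()}")
            arp[(iface, ip)] = mac
        else:
            current = None  # any other statement ends the member list
    return {"names": names, "groups": groups, "arp": arp}


def resolve_group(parsed, group):
    """Expand an object-group to ip_network objects, resolving 'name' aliases."""
    result = set()
    for member in parsed["groups"][group]:
        if member[0] == "host":
            ip = parsed["names"].get(member[1], member[1])
            result.add(ipaddress.ip_network(ip + "/32"))
        else:
            result.add(ipaddress.ip_network(f"{member[1]}/{member[2]}"))
    return result


def unbound_hosts(parsed, group, iface="inside"):
    """Permitted hosts with no static ARP entry on `iface` (subnets are skipped,
    since a whole subnet cannot be pinned host-by-host from the group alone)."""
    bound = {ip for (ifc, ip) in parsed["arp"] if ifc == iface}
    return [str(n.network_address) for n in sorted(resolve_group(parsed, group))
            if n.prefixlen == 32 and str(n.network_address) not in bound]


def check_inventory(parsed, inventory, iface="inside"):
    """Compare bindings with an ip->mac inventory; return (ip, expected, actual)
    for every drifted entry, so a changed binding is visible in review."""
    drift = []
    for ip, expected in sorted(inventory.items()):
        actual = parsed["arp"].get((iface, ip))
        if actual != expected.lower():
            drift.append((ip, expected.lower(), actual))
    return drift


def arp_command(iface, ip, mac):
    """Render a static ARP entry in the form the page uses: arp <if> <ip> <mac>."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("MAC must be in Cisco xxxx.xxxx.xxxx form")
    ipaddress.ip_address(ip)  # raises on a malformed address
    return f"arp {iface} {ip} {mac}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for grp in cfg["groups"]:
        print(grp, "unbound hosts:", unbound_hosts(cfg, grp))
    # Illustrative inventory: the first entry matches, the second is unbound.
    print("drift:", check_inventory(cfg, {"10.64.64.29": "000f.b0d8.a504",
                                          "10.64.64.17": "00aa.bbcc.ddee"}))
    print(arp_command("inside", "10.64.64.17", "00AA.BBCC.DDEE"))
```

Running it against the sample reports `10.64.64.17` as a permitted but unbound host in the `www` group, and the drift check lists the same address with no current binding, which is exactly the gap a `show run | include arp` review on a real unit should be looking for.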
