在pix或asa如何防止内网用户乱改ip配置案例

　　access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0

　　access-list inside_access_in extended permit ip object-group caiwu 192.168.0.0 255.255.255.0

　　access-list inside_access_in extended permit ip object-group www any

　　access-list inside_access_in extended permit ip object-group guest any inactive

　　access-list inside_access_in extended deny tcp any any eq 1863

　　access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98

　　access-list inside_access_in extended permit ip host qizuomeng host 211.147.77.98

　　access-list inside_access_in extended permit ip object-group worktime any time-range worktime

　　access-list inside_access_in extended permit ip host ibm235 any time-range worktime inactive

　　****************************************************

　　access-list remote_splitTunnelAcl standard permit 10.64.64.0 255.255.240.0

　　access-list inside_nat0_outbound extended permit ip 10.64.64.0 255.255.240.0 1.1.1.0 255.255.255.0

　　access-list outside_cryptomap extended permit ip any 1.1.1.0 255.255.255.0

　　access-list caiwu_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

　　access-list outside_cryptomap_1 extended permit ip any 1.1.1.0 255.255.255.0

　　access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 1.1.1.0 255.255.255.0

　　pager lines 24

　　mtu outside 1500

　　mtu inside 1500

　　mtu dmz 1500

　　ip local pool remote 1.1.1.1-1.1.1.254 mask 255.255.255.0

　　ip local pool caiwu 2.2.2.1-2.2.2.254 mask 255.255.255.0

　　no failover

　　asdm image flash:/asdm.bin

　　no asdm history enable

　　把ip和mac绑定

　　****************************************************

　　arp inside 10.64.64.29 000f.b0d8.a504

　　arp inside 10.64.64.247 000b.2f04.7dd8

　　arp inside 10.64.64.169 0016.17f2.2eb3

　　arp inside lintao 000a.e6b2.c4c6

　　arp inside liuxuesong 00e0.4c58.b7cd

　　arp inside lishihai 000a.e69b.f4dc

　　arp inside ibm235 0009.6ba5.49c5

　　arp inside maxiaopeng 000c.764d.6aa8

　　arp inside xiaoguangyue 0011.09b4.6f25

　　arp inside zangdong 00e0.4cc1.2a14

　　arp inside wutao 0013.d47d.0c36

　　arp inside office-teacher 0090.9626.7da7

　　arp inside yangjin 00e0.4d01.6b1b

　　arp inside wangyuguo 00e0.4c21.471d

　　arp inside wangsishen 0015.c50f.92a5

　　arp inside yangliu 0015.f299.7f6c

　　arp inside jiling 00e0.4cc1.2a34

　　arp inside hujian 0011.252f.8613

　　arp inside ibm220 0002.556d.0037

　　arp inside jiachangjing 00e0.4d01.6b30

　　arp inside tanjun 0013.7222.5fe5

　　arp inside wangzhili 000d.6004.c197

　　arp inside lixiaoliang 0014.782f.b989

　　arp inside liuyongjun-ibm 0010.c6de.2686

　　arp inside lulianying 0016.3563.db1b

　　arp inside liuyongjun 0000.e25a.8580

　　arp inside lixuesong 0017.3152.8e78

　　arp inside chengxiaojie 0016.3564.8a6b

　　arp inside xingzhonghe 00e0.4c60.a8da

　　arp inside dhcp 0014.5e2b.77b5

　　arp inside zhangyi 0013.7222.4819

　　arp inside lixuesong-dell 0018.8ba2.d1c5

　　arp inside machi 000a.e6b5.0600

　　arp inside 10.64.64.18 0015.c510.12d4

　　****************************************************

　　arp timeout 14400

　　global (outside) 1 interface

　　nat (inside) 0 access-listinside_nat0_outbound

　　nat (inside) 1 10.64.64.0 255.255.240.0

　　nat (dmz) 0 access-list dmz_nat0_outbound

　　static (inside,outside) tcp interface 1503 chufw 1503 netmask 255.255.255.255

　　static (inside,outside) tcp interface h323 chufw h323 netmask 255.255.255.255

　　access-group outside_access_in in interface outside

　　应用acl到inside端口

　　****************************************************

　　access-group inside_access_in in interface inside

　　****************************************************

　　route outside 0.0.0.0 0.0.0.0 X.X.76.25 1

　　timeout xlate 3:00:00

　　timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

　　timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

　　timeout sip0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

　　timeout uauth 0:05:00 absolute

　　group-policy caiwu internal

　　group-policy caiwu attributes

　　dns-server value 219.150.32.132

　　vpn-tunnel-protocol IPSec

　　split-tunnel-policy tunnelspecified

　　split-tunnel-network-list value caiwu_splitTunnelAcl

　　group-policy remote internal

　　group-policy remote attributes

　　dns-server value 219.150.32.132

　　vpn-tunnel-protocol IPSec

　　split-tunnel-policy tunnelspecified

　　split-tunnel-network-list value remote_splitTunnelAcl

　　username chufw password hs6C0g7Y0Zza/dVN encrypted privilege 15

　　username chufw attributes

　　vpn-group-policy remote

　　vpn-framed-ip-address 1.1.1.111 255.255.255.0

　　http server enable

　　http chufw 255.255.255.255 inside

　　http 219.148.242.228 255.255.255.255 outside

　　http 219.148.242.227 255.255.255.255 outside

　　http 1.1.1.111 255.255.255.255 outside

　　no snmp-server location

　　no snmp-server contact

　　snmp-server enable traps snmp authentication linkup linkdown coldstart

　　crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

　　crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

　　crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

　　crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

　　crypto map outside_map interface outside

　　crypto isakmp enable outside

　　crypto isakmp policy 10

　　authentication pre-share

　　encryption 3des

　　hash sha

　　group 2

　　lifetime 86400

　　crypto isakmp policy 65535

　　authentication pre-share

　　encryption 3des

　　hash sha

　　group 2

　　lifetime 86400

　　crypto isakmp nat-traversal 20

　　tunnel-group remote type ipsec-ra

　　tunnel-group remote general-attributes

　　address-pool remote

　　default-group-policy remote

　　tunnel-group remote ipsec-attributes

　　pre-shared-key *

　　tunnel-group caiwu type ipsec-ra

　　tunnel-group caiwu general-attributes

　　address-pool remote

　　default-group-policy caiwu

　　tunnel-group caiwu ipsec-attributes

　　pre-shared-key *

　　telnet chufw 255.255.255.255 inside

　　telnet timeout 5

　　ssh 0.0.0.0 0.0.0.0 outside

　　ssh timeout 5

　　console timeout 0

　　!

　　class-map inspection_default

　　match default-inspection-traffic

　　!

　　!

　　policy-map type inspect dns preset_dns_map

　　parameters

　　message-length maximum 512

　　policy-map global_policy

　　class inspection_default

　　inspect dns preset_dns_map

　　inspect ftp

　　inspect h323 h225

　　inspect h323 ras

　　inspect netbios

　　inspect rsh

　　inspect rtsp

　　inspect skinny

　　inspect esmtp

　　inspect sqlnet

　　inspect sunrpc

　　inspect tftp

　　inspect sip

　　inspect xdmcp

　　!

　　service-policy global_policy global

　　ntp server 207.46.130.100 source outside

　　tftp-server inside chufw pix

　　prompt hostname context

　　Cryptochecksum:c02e836587f08fa6ce4699df28408774

　　: end

　　pix515e#