Configuration case: how to stop internal users from arbitrarily changing their IP address on a PIX or ASA


Prevent internal users from arbitrarily changing their IP address: each user may only use the IP assigned to them, and if they change it they can no longer reach network resources.

Author: forum compilation   Source: zdnet network security   12 March 2008

Keywords: firewall, CISCO, Cisco, PIX firewall, Cisco PIX firewall


Read the full article on this page (2 pages in total)

  access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0
  access-list inside_access_in extended permit ip object-group caiwu 192.168.0.0 255.255.255.0
  access-list inside_access_in extended permit ip object-group www any
  access-list inside_access_in extended permit ip object-group guest any inactive
  access-list inside_access_in extended deny tcp any any eq 1863
  access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
  access-list inside_access_in extended permit ip host qizuomeng host 211.147.77.98
  access-list inside_access_in extended permit ip object-group worktime any time-range worktime
  access-list inside_access_in extended permit ip host ibm235 any time-range worktime inactive
  ****************************************************
  access-list remote_splitTunnelAcl standard permit 10.64.64.0 255.255.240.0
  access-list inside_nat0_outbound extended permit ip 10.64.64.0 255.255.240.0 1.1.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip any 1.1.1.0 255.255.255.0
  access-list caiwu_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
  access-list outside_cryptomap_1 extended permit ip any 1.1.1.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 1.1.1.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  ip local pool remote 1.1.1.1-1.1.1.254 mask 255.255.255.0
  ip local pool caiwu 2.2.2.1-2.2.2.254 mask 255.255.255.0
  no failover
  asdm image flash:/asdm.bin
  no asdm history enable

  Bind IP addresses to MAC addresses
  ****************************************************
  arp inside 10.64.64.29 000f.b0d8.a504
  arp inside 10.64.64.247 000b.2f04.7dd8
  arp inside 10.64.64.169 0016.17f2.2eb3
  arp inside lintao 000a.e6b2.c4c6
  arp inside liuxuesong 00e0.4c58.b7cd
  arp inside lishihai 000a.e69b.f4dc
  arp inside ibm235 0009.6ba5.49c5
  arp inside maxiaopeng 000c.764d.6aa8
  arp inside xiaoguangyue 0011.09b4.6f25
  arp inside zangdong 00e0.4cc1.2a14
  arp inside wutao 0013.d47d.0c36
  arp inside office-teacher 0090.9626.7da7
  arp inside yangjin 00e0.4d01.6b1b
  arp inside wangyuguo 00e0.4c21.471d
  arp inside wangsishen 0015.c50f.92a5
  arp inside yangliu 0015.f299.7f6c
  arp inside jiling 00e0.4cc1.2a34
  arp inside hujian 0011.252f.8613
  arp inside ibm220 0002.556d.0037
  arp inside jiachangjing 00e0.4d01.6b30
  arp inside tanjun 0013.7222.5fe5
  arp inside wangzhili 000d.6004.c197
  arp inside lixiaoliang 0014.782f.b989
  arp inside liuyongjun-ibm 0010.c6de.2686
  arp inside lulianying 0016.3563.db1b
  arp inside liuyongjun 0000.e25a.8580
  arp inside lixuesong 0017.3152.8e78
  arp inside chengxiaojie 0016.3564.8a6b
  arp inside xingzhonghe 00e0.4c60.a8da
  arp inside dhcp 0014.5e2b.77b5
  arp inside zhangyi 0013.7222.4819
  arp inside lixuesong-dell 0018.8ba2.d1c5
  arp inside machi 000a.e6b5.0600
  arp inside 10.64.64.18 0015.c510.12d4
  ****************************************************

  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 10.64.64.0 255.255.240.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  static (inside,outside) tcp interface 1503 chufw 1503 netmask 255.255.255.255
  static (inside,outside) tcp interface h323 chufw h323 netmask 255.255.255.255
  access-group outside_access_in in interface outside

  Apply the ACL to the inside interface
  ****************************************************
  access-group inside_access_in in interface inside
  ****************************************************

  route outside 0.0.0.0 0.0.0.0 X.X.76.25 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy caiwu internal
  group-policy caiwu attributes
   dns-server value 219.150.32.132
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value caiwu_splitTunnelAcl
  group-policy remote internal
  group-policy remote attributes
   dns-server value 219.150.32.132
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value remote_splitTunnelAcl
  username chufw password hs6C0g7Y0Zza/dVN encrypted privilege 15
  username chufw attributes
   vpn-group-policy remote
   vpn-framed-ip-address 1.1.1.111 255.255.255.0
  http server enable
  http chufw 255.255.255.255 inside
  http 219.148.242.228 255.255.255.255 outside
  http 219.148.242.227 255.255.255.255 outside
  http 1.1.1.111 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp nat-traversal 20
  tunnel-group remote type ipsec-ra
  tunnel-group remote general-attributes
   address-pool remote
   default-group-policy remote
  tunnel-group remote ipsec-attributes
   pre-shared-key *
  tunnel-group caiwu type ipsec-ra
  tunnel-group caiwu general-attributes
   address-pool remote
   default-group-policy caiwu
  tunnel-group caiwu ipsec-attributes
   pre-shared-key *
  telnet chufw 255.255.255.255 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  !
  class-map inspection_default
   match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  !
  service-policy global_policy global
  ntp server 207.46.130.100 source outside
  tftp-server inside chufw pix
  prompt hostname context
  Cryptochecksum:c02e836587f08fa6ce4699df28408774
  : end
  pix515e#
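An added audit script (example code of my own, not from the article or its forum source) that parses `arp <interface> <host> <mac>` lines in the format used above and cross-checks them against `inside_access_in`, flagging a MAC pinned to two hosts, a host pinned to two MACs, entries not in Cisco `hhhh.hhhh.hhhh` form, and hosts the ACL permits by name without any binding (on the listing above that is `qizuomeng`). The sample config inside it is constructed, and hostnames are assumed to resolve through `name` statements on the article's first page.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the listing above (not the page's full config); it seeds
# a MAC shared by two hosts, a host with two MACs, a non-Cisco MAC format and an ACL host without a binding.
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
access-list inside_access_in extended permit ip host qizuomeng host 211.147.77.98
arp inside 10.64.64.29 000f.b0d8.a504
arp inside lixiaoliang 0014.782f.b989
arp inside guestpc 0014.782F.B989
arp inside lintao 000a.e6b2.c4c6
arp inside lintao 00aa.bbcc.ddee
arp inside badentry 00:11:22:33:44:55
arp timeout 14400
access-group inside_access_in in interface inside
"""

ARP_RE = re.compile(r"^\s*arp\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.I)
ACL_HOST_RE = re.compile(r"^\s*access-list\s+inside_access_in\s+extended\s+permit\s+\S+\s+host\s+(\S+)")

def parse_static_arp(config):
    """Return ([(iface, host, mac), ...], [malformed arp lines]) from 'arp <iface> <host> <hhhh.hhhh.hhhh>'."""
    bindings, malformed = [], []
    for line in config.splitlines():
        m = ARP_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3).lower()))
        elif re.match(r"^\s*arp\s+(?!timeout\b)", line):   # an arp entry we could not parse
            malformed.append(line.strip())
    return bindings, malformed

def audit_bindings(bindings):
    """Return ({mac: [hosts]} for MACs bound to several hosts, {host: [macs]} for hosts bound to several MACs)."""
    by_mac, by_host = defaultdict(set), defaultdict(set)
    for _iface, host, mac in bindings:
        by_mac[mac].add(host)
        by_host[host].add(mac)
    shared_macs = {mac: sorted(h) for mac, h in by_mac.items() if len(h) > 1}
    multi_mac_hosts = {h: sorted(m) for h, m in by_host.items() if len(m) > 1}
    return shared_macs, multi_mac_hosts

def unbound_acl_hosts(config, bindings):
    """Hosts the inside ACL permits by name that have no static arp entry, i.e. the IP/MAC pin is missing."""
    bound = {host for _, host, _ in bindings}
    referenced = {m.group(1) for m in map(ACL_HOST_RE.match, config.splitlines()) if m}
    return sorted(referenced - bound)
```

Because the bindings live only in the firewall's own ARP table, they govern what the firewall will forward for a given IP, not traffic exchanged between hosts on the inside segment.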
