
An FWSM Routed-Mode Configuration Example


The deployment is as follows: of the two interfaces, outside faces the WAN and the inside port sits on the LAN; OSPF is the routing protocol; only the LAN servers and ports that are meant to be reachable from the WAN are opened, and all other access is denied. The setup is fairly simple and can be extended later, for example with a server zone.

Source: chinaitlab, 16 April 2011

Keywords: network management, network technology



  sh run
  : Saved
  :
  FWSM Version 3.2(2)
  !
  hostname SDDL-Internal-FW
  domain-name sddl.com
  enable password Z1UFjQZdKfrZkYLf encrypted
  names
  !
  interface Vlan254
   nameif outside
   security-level 0
   ip address X.Y.254.254 255.255.255.252
   ospf hello-interval 1
   ospf dead-interval 3
  !
  interface Vlan2254
   nameif Internal
   security-level 99
   ip address X.Y.254.1 255.255.255.252
   ospf hello-interval 1
   ospf dead-interval 3
  !
  passwd Z1UFjQZdKfrZkYLf encrypted
  ftp mode passive
  access-list acl-in extended permit ip any any
  access-list SHJT_to_SDDL extended permit tcp any any eq telnet
  access-list SHJT_to_SDDL extended permit icmp any any
  access-list SHJT_to_SDDL extended permit ospf any any
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 3389
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.1.13 eq lotusnotes
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq www
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq 8080
  access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
  access-list SHJT_to_SDDL extended permit tcp 10.229.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq pop3
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq smtp
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq www
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq imap4
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 63148
  access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 63148
  access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 143
  access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 389
  access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq https
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 8000
  access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 8000
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 7000
  access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 7000
  access-list SHJT_to_SDDL extended permit udp any host X.Y.128.38 eq 7000
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.38 eq 7000
  access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.50 eq 8080
  access-list SHJT_to_SDDL extended permit udp any host X.Y.128.32 eq domain
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.45
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.39
  access-list SHJT_to_SDDL extended permit ip any host X.Y.1.12
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.42
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.37
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.46
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.44
  access-list SHJT_to_SDDL extended permit ip any host X.Y.128.32
  access-list SHJT_to_SDDL extended permit tcp 10.228.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
  access-list SHJT_to_SDDL extended permit tcp 10.227.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu Internal 1500
  ip verify reverse-path interface outside
  ip verify reverse-path interface Internal
  no failover
  failover lan unit secondary
  icmp permit any outside
  icmp permit any Internal
  no asdm history enable
  arp timeout 14400
  access-group SHJT_to_SDDL in interface outside
  access-group acl-in in interface Internal
  !
  router ospf 100
   network X.Y.254.1 255.255.255.255 area 0
   network X.Y.254.254 255.255.255.255 area 0
   router-id X.Y.254.254
   log-adj-changes
  !
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
  timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  username sddl password QZbkfU0FC8LZLZ6k encrypted
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  http X.Y.160.0 255.255.255.0 Internal
  http X.Y.128.0 255.255.255.0 Internal
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt nodnsalias inbound
  sysopt nodnsalias outbound
  sysopt noproxyarp outside
  sysopt noproxyarp Internal
  telnet 0.0.0.0 0.0.0.0 outside
  telnet 0.0.0.0 0.0.0.0 Internal
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  !
  class-map class_sip_tcp
   match port tcp eq sip
  class-map inspection_default
   match default-inspection-traffic
  !
  !
  policy-map global_policy
   class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect ctiqbe
    inspect dcerpc
    inspect http
    inspect icmp
    inspect ils
    inspect mgcp
    inspect rtsp
    inspect sip
    inspect snmp
   class class_sip_tcp
    inspect sip
  !
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:3224aa347a06e32ac4f006510f5606f0
  : end
  SDDL-Internal-FW# exit
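The stated policy is that only the listed LAN servers and ports are reachable from the WAN and everything else is denied; whether the SHJT_to_SDDL access list actually says that is something a reviewer should check mechanically rather than by eye. The following Python script is an added example, not part of the original article and not a Cisco tool. It parses the subset of `access-list NAME extended permit|deny ...` syntax used in this configuration (addresses as `any`, `host A.B.C.D` or `NET MASK`; destination ports as `eq PORT` or `range LO HI`; no source-port specs or object-groups), evaluates a candidate flow with the first-match, implicit-deny semantics an interface ACL has on the FWSM, and flags the management-plane lines that accept any source (`telnet 0.0.0.0 0.0.0.0 outside`, `http 0.0.0.0 0.0.0.0 outside`) together with the default SNMP community `public`. The sample lines inside are constructed from the configuration above with the anonymised X.Y addresses replaced by the documentation range 203.0.113.0/24 (and 198.51.100.0/24 as a WAN source); the named-port table is an assumption mapping the firewall's service names to their standard port numbers.

```python
"""Added example (not from the original article): check an FWSM/ASA-style
extended ACL against the stated policy and flag wide-open management access.

Models only the syntax used in the configuration above: addresses as `any`,
`host A.B.C.D` or `NET MASK`; destination ports as `eq PORT` or `range LO HI`.
Source-port specs and object-groups are not modelled.
"""
import ipaddress
import re

# Assumption: service names as printed by the firewall -> standard port numbers.
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "smtp": 25, "pop3": 110,
              "imap4": 143, "domain": 53, "lotusnotes": 1352}

ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+"
                    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$")
MGMT_RE = re.compile(r"^(telnet|http|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(tokens):
    """Consume one address spec from the front of tokens -> (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config_text):
    """Return {acl_name: [ace, ...]} in order of appearance (order is the policy)."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_addr(m["rest"].split())
        dst, rest = _take_addr(rest)
        ports = None                       # None = any destination port
        if rest[:1] == ["eq"]:
            ports = (_port(rest[1]), _port(rest[1]))
        elif rest[:1] == ["range"]:
            ports = (_port(rest[1]), _port(rest[2]))
        acls.setdefault(m["name"], []).append(
            {"action": m["action"], "proto": m["proto"], "src": src, "dst": dst, "ports": ports})
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First matching ACE decides; no match is the implicit deny -> ('deny', -1)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(aces):
        if ace["proto"] not in ("ip", proto):   # an `ip` ACE covers every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["ports"] is not None:
            if dst_port is None or not ace["ports"][0] <= dst_port <= ace["ports"][1]:
                continue
        return ace["action"], i
    return "deny", -1


def audit_management(config_text):
    """Flag management listeners open to any source, and the default SNMP community."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        m = MGMT_RE.match(line)
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            findings.append(f"{m.group(1)} management open to any source on interface {m.group(4)}")
        if line == "snmp-server community public":
            findings.append("SNMP read community is the default 'public'")
    return findings


# Constructed sample: lines taken from the configuration above, X.Y -> 203.0.113.
SAMPLE = """
access-list acl-in extended permit ip any any
access-list SHJT_to_SDDL extended permit tcp any any eq telnet
access-list SHJT_to_SDDL extended permit icmp any any
access-list SHJT_to_SDDL extended permit ospf any any
access-list SHJT_to_SDDL extended permit tcp any host 203.0.113.32 eq www
access-list SHJT_to_SDDL extended permit tcp any 203.0.113.0 255.255.255.0 eq 3389
access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host 203.0.113.60 range 1976 1982
access-list SHJT_to_SDDL extended permit ip any host 203.0.113.45
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

if __name__ == "__main__":
    outside_in = parse_acl(SAMPLE)["SHJT_to_SDDL"]
    for flow in [("tcp", "198.51.100.9", "203.0.113.32", 80),
                 ("tcp", "198.51.100.9", "203.0.113.60", 1980),
                 ("tcp", "198.51.100.9", "203.0.113.7", 23)]:
        print(flow, "->", evaluate(outside_in, *flow))
    for finding in audit_management(SAMPLE):
        print("FINDING:", finding)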
