The deployment scenario: there are two interfaces, with the outside interface facing the WAN and the inside interface on the LAN. OSPF is run as the routing protocol, and only the LAN servers and ports that need to be reachable from the WAN are opened; everything else is denied. This is a fairly simple deployment and can be extended later, for example with a server zone.
sh run
: Saved
:
FWSM Version 3.2(2)
!
hostname SDDL-Internal-FW
domain-name sddl.com
enable password Z1UFjQZdKfrZkYLf encrypted
names
!
interface Vlan254
nameif outside
security-level 0
ip address X.Y.254.254 255.255.255.252
ospf hello-interval 1
ospf dead-interval 3
!
interface Vlan2254
nameif Internal
security-level 99
ip address X.Y.254.1 255.255.255.252
ospf hello-interval 1
ospf dead-interval 3
!
passwd Z1UFjQZdKfrZkYLf encrypted
ftp mode passive
access-list acl-in extended permit ip any any
access-list SHJT_to_SDDL extended permit tcp any any eq telnet
access-list SHJT_to_SDDL extended permit icmp any any
access-list SHJT_to_SDDL extended permit ospf any any
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 3389
access-list SHJT_to_SDDL extended permit tcp any host X.Y.1.13 eq lotusnotes
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq www
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq 8080
access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
access-list SHJT_to_SDDL extended permit tcp 10.229.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq pop3
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq smtp
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq www
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq imap4
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 63148
access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 63148
access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 143
access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 389
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq https
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 8000
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 8000
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 7000
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 7000
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.38 eq 7000
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.38 eq 7000
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.50 eq 8080
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.32 eq domain
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.45
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.39
access-list SHJT_to_SDDL extended permit ip any host X.Y.1.12
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.42
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.37
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.46
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.44
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.32
access-list SHJT_to_SDDL extended permit tcp 10.228.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
access-list SHJT_to_SDDL extended permit tcp 10.227.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Internal 1500
ip verify reverse-path interface outside
ip verify reverse-path interface Internal
no failover
failover lan unit secondary
icmp permit any outside
icmp permit any Internal
no asdm history enable
arp timeout 14400
access-group SHJT_to_SDDL in interface outside
access-group acl-in in interface Internal
!
router ospf 100
network X.Y.254.1 255.255.255.255 area 0
network X.Y.254.254 255.255.255.255 area 0
router-id X.Y.254.254
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username sddl password QZbkfU0FC8LZLZ6k encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http X.Y.160.0 255.255.255.0 Internal
http X.Y.128.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt nodnsalias inbound
sysopt nodnsalias outbound
sysopt noproxyarp outside
sysopt noproxyarp Internal
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect ctiqbe
inspect dcerpc
inspect http
inspect icmp
inspect ils
inspect mgcp
inspect rtsp
inspect sip
inspect snmp
class class_sip_tcp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3224aa347a06e32ac4f006510f5606f0
: end
SDDL-Internal-FW# exit
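As an added review aid (not part of the original article), the following Python script scans lines of a running config like the one above and flags what a firewall reviewer would question first: any-to-any permits, `permit ip` to a single host, telnet passed through the firewall, management access (telnet/http) allowed from 0.0.0.0 on an interface, and the default SNMP community string. SAMPLE_CONFIG is a constructed subset of the dump above, with the X.Y placeholders kept as they appear; the full dump can be passed in unchanged.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the FWSM running config shown above.
SAMPLE_CONFIG = """\
access-list acl-in extended permit ip any any
access-list SHJT_to_SDDL extended permit tcp any any eq telnet
access-list SHJT_to_SDDL extended permit ospf any any
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.45
access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
http X.Y.160.0 255.255.255.0 Internal
"""

# An ACL endpoint is "any", "host <addr>" or "<network> <mask>".
ENDPOINT = r"(any|host \S+|\S+ \S+)"
ACL_RE = re.compile(
    rf"^access-list (\S+) extended permit (\S+) {ENDPOINT} {ENDPOINT}(?: (.*))?$"
)
# Management-plane access lines: "<service> <addr> <mask> <interface>".
MGMT_RE = re.compile(r"^(telnet|http|ssh) (\S+) (\S+) (\S+)$")


def audit_fwsm(config: str) -> List[Tuple[str, str]]:
    """Return (finding, offending line) pairs for an FWSM/ASA-style config."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            _acl, proto, src, dst, svc = m.groups()
            svc = svc or ""
            # OSPF any/any is needed for adjacency; everything else is over-broad.
            if src == "any" and dst == "any" and proto != "ospf":
                findings.append(("any-to-any permit", line))
            if proto == "ip" and dst.startswith("host"):
                findings.append(("all protocols/ports to a single host", line))
            if "telnet" in svc:
                findings.append(("cleartext telnet permitted through firewall", line))
            continue
        m = MGMT_RE.match(line)
        if m:
            svc, addr, mask, ifname = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append((f"{svc} management open to any source on {ifname}", line))
            continue
        if line == "snmp-server community public":
            findings.append(("default SNMP community string", line))
    return findings


if __name__ == "__main__":
    for kind, text in audit_fwsm(SAMPLE_CONFIG):
        print(f"[{kind}] {text}")
```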