Cisco firewall setup
Enabling CBAC is genuinely tedious to configure, but it is also genuinely useful. Below is the full configuration of my own 26 (a 2600 router); every part that mentions CBAC or inspect is firewall-related. CBAC defines which protocols are inspected, and the ACL defines the traffic that is blocked by default. Cisco firewall configuration is basically not that simple, so for the details it is best to consult the Cisco documentation.
Current configuration : 3012 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2600-VPDN
!
logging queue-limit 100
!
aaa new-model
!
!
aaa authentication login xvty local
aaa authentication login nouse none
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
!
ip inspect one-minute high 1200
ip inspect one-minute low 800
ip inspect tcp max-incomplete host 150 block-time 0
ip inspect name 1 tcp
ip inspect name 1 udp
ip inspect name 1 icmp
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 192.168.51.26 255.255.255.0
ip nat inside
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Serial1/0
no ip address
shutdown
no fair-queue
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group CBAC in
ip nat outside
ip inspect 1 out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username sy_xxxxx password 0 xxxxx
!
ip nat inside source list vpdn interface Dialer1 overload
ip nat inside source static tcp 192.168.51.101 32323 interface Dialer1 32323
ip nat inside source static udp 192.168.51.101 32323 interface Dialer1 32323
ip nat inside source static tcp 192.168.51.100 11111 interface Dialer1 11111
ip nat inside source static udp 192.168.51.100 11111 interface Dialer1 11111
ip nat inside source static udp 192.168.51.100 3333 interface Dialer1 3333
ip nat inside source static tcp 192.168.51.100 3333 interface Dialer1 3333
ip nat inside source static tcp 192.168.51.100 23232 interface Dialer1 23232
ip nat inside source static udp 192.168.51.100 23232 interface Dialer1 23232
ip nat inside source static udp 192.168.51.101 55555 interface Dialer1 55555
ip nat inside source static tcp 192.168.51.101 55555 interface Dialer1 55555
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list standard vpdn
permit 192.168.51.0 0.0.0.255
ip access-list standard xvtyacl
permit 192.168.51.0 0.0.0.255
!
ip access-list extended CBAC
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any ttl-exceeded
permit icmp any any time-exceeded
permit tcp any any eq 55555
permit udp any any eq 55555
permit udp any any eq 32323
permit tcp any any eq 32323
permit tcp any any eq 3333
permit udp any any eq 3333
permit tcp any any eq 11111
permit udp any any eq 11111
permit tcp any any eq 23232
permit udp any any eq 23232
!
dialer-list 1 protocol ip permit
priority-list 1 protocol ip high tcp 3333
priority-list 1 protocol ip high udp 3333
priority-list 1 default low
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
login authentication nouse
line aux 0
line vty 0 4
access-class xvtyacl in
login authentication xvty
!
ntp clock-period 17208481
ntp server 192.43.244.18
!
end
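The config above relies on two things agreeing: CBAC (`ip inspect 1 out` on Dialer1) only opens return traffic for sessions started from inside, so every static port-forward still needs its own permit in the inbound `CBAC` ACL, and every permit should correspond to a forward. The following audit script is an added example, not part of the original post; it parses the `show running-config` text shown above (a constructed excerpt with one extra tcp 8080 forward added so a finding appears) and reports forwards the ACL would drop and ACL holes that forward nothing.

```python
"""Audit a Cisco IOS CBAC config: inbound ACL permits vs. static port-forwards.
Added example, not from the original post; works on 'show running-config' text."""
import re

# Constructed sample input: NAT and ACL lines from the 2600 config above, plus a
# tcp 8080 forward (not in the original) that has no matching ACL permit.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.51.101 32323 interface Dialer1 32323
ip nat inside source static udp 192.168.51.100 3333 interface Dialer1 3333
ip nat inside source static tcp 192.168.51.100 8080 interface Dialer1 8080
!
ip access-list extended CBAC
 permit icmp any any echo-reply
 permit tcp any any eq 32323
 permit udp any any eq 3333
 permit tcp any any eq 23232
!
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)$")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
PERMIT_RE = re.compile(r"^permit (tcp|udp) any any eq (\d+)$")

def _lines(cfg):
    return [l.strip() for l in cfg.splitlines() if l.strip()]

def static_forwards(cfg):
    """Return {(proto, outside_port)} for every static PAT entry."""
    return {(m[1], int(m[2])) for m in map(NAT_RE.match, _lines(cfg)) if m}

def acl_permits(cfg, name):
    """Return {(proto, port)} opened by 'permit tcp|udp any any eq N' in ACL `name`."""
    permits, inside = set(), False
    for line in _lines(cfg):
        if m := ACL_RE.match(line):
            inside = m[1] == name
        elif not line.startswith(("permit", "deny", "remark")):
            inside = False  # any other top-level command ends the ACL block
        elif inside and (pm := PERMIT_RE.match(line)):
            permits.add((pm[1], int(pm[2])))
    return permits

def audit(cfg, acl_name="CBAC"):
    """Forwards the inbound ACL would drop, and ACL holes that forward nothing."""
    fwd, acl = static_forwards(cfg), acl_permits(cfg, acl_name)
    return {"blocked_forwards": sorted(fwd - acl), "unused_permits": sorted(acl - fwd)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against the complete config above, both lists come back empty, which is the state you want after every change to the NAT table or the ACL.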