Below is a brief configuration; I hope it is helpful to everyone, and that we can improve together.
ip inspect hashtable-size 2048 //improve IOS firewall performance
ip inspect name myfw cuseeme
ip inspect name myfw ftp
ip inspect name myfw h323
ip inspect name myfw appfw h80
ip inspect name myfw http
ip inspect name myfw netshow
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw sqlnet
ip inspect name myfw streamworks
ip inspect name myfw tftp
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw vdolive
no ip dhcp use vrf connected
!
!
appfw policy-name h80 //define the HTTP application firewall policy
application http
port-misuse default action reset alarm
!
class-map match-any p2p //define a class for known P2P protocols
description any p2p
match protocol gnutella
match protocol kazaa2
match protocol fasttrack
match protocol pcanywhere
match protocol napster
match protocol novadigm
match protocol cuseeme
match protocol bittorrent
match protocol edonkey
match protocol sap-pgm
match protocol sap-app
match protocol sap-msg
match protocol winmx
!
class-map match-all out-bt
match not access-group name acl-liu-1
match class-map p2p
!
class-map match-all d3000
match access-group name d3000
!
class-map match-all s3000
match access-group name s3000
!
class-map match-all liu
match not access-group name acl-liu
match class-map p2p
!
!
policy-map limit-s
class s3000
police cir 200000 bc 2000 be 2000
conform-action transmit
exceed-action drop
violate-action drop
class out-bt
drop
!
policy-map limit-d
class d3000
police cir 200000 bc 2000 be 2000
conform-action transmit
exceed-action drop
violate-action drop
class liu
drop
!
!
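The two policy-maps above rely on `police cir 200000 bc 2000 be 2000` with conform-action transmit and both exceed- and violate-action drop. The following is an added example, not part of the original post, that simulates the single-rate three-colour policer semantics (RFC 2697: a committed bucket of `bc` bytes refilled at `cir`, whose overflow spills into an excess bucket of `be` bytes) so you can see which packets of a burst survive. The packet sizes and arrival times are constructed sample input; the class and function names are my own.

```python
"""Simulation of 'police cir 200000 bc 2000 be 2000' (added example).
Times are in milliseconds so token arithmetic stays exact."""


class Policer:
    """Single-rate three-colour policer with Tc (committed) and Te (excess) buckets."""

    def __init__(self, cir_bps, bc, be):
        self.cir_bps = cir_bps      # committed information rate, bits per second
        self.bc = bc                # committed burst size, bytes
        self.be = be                # excess burst size, bytes
        self.tc = float(bc)         # both buckets start full
        self.te = float(be)
        self.last_ms = 0

    def colour(self, size, now_ms):
        """Classify one packet of `size` bytes arriving at `now_ms`."""
        # tokens (bytes) earned since the previous packet
        added = (now_ms - self.last_ms) * self.cir_bps / 8000.0
        self.last_ms = now_ms
        spill = max(0.0, self.tc + added - self.bc)   # overflow of Tc feeds Te
        self.tc = min(self.bc, self.tc + added)
        self.te = min(self.be, self.te + spill)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


# Actions exactly as configured in policy-map limit-s / limit-d above.
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def police_stream(packets, cir_bps=200000, bc=2000, be=2000):
    """Run a list of (size_bytes, arrival_ms) tuples through a fresh policer."""
    p = Policer(cir_bps, bc, be)
    return [p.colour(size, t) for size, t in packets]


def transmitted(colours):
    """Count packets the configured actions would actually forward."""
    return sum(1 for c in colours if ACTIONS[c] == "transmit")


if __name__ == "__main__":
    # Constructed sample: 1500-byte packets every 10 ms (1.2 Mbit/s) against a 200 kbit/s CIR.
    burst = [(1500, t) for t in range(0, 60, 10)]
    colours = police_stream(burst)
    print(colours, "forwarded:", transmitted(colours), "of", len(burst))
    # Constructed sample: 250 bytes every 10 ms is exactly the CIR and always conforms.
    steady = [(250, t) for t in range(0, 100, 10)]
    print(police_stream(steady))
```

Note that because `exceed-action` is also `drop`, the `be` bucket only changes how the policer colours a packet, not whether it is forwarded; the excess bucket would matter only if exceed traffic were transmitted or remarked.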
interface Ethernet0/0
ip address <internal-address>
ip access-group inside-2 in
ip accounting output-packets
ip nbar protocol-discovery
ip inspect myfw in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
full-duplex
service-policy input limit-d
!
!
interface Ethernet0/1
ip address <public-address-1>
ip access-group out-in in
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
full-duplex
service-policy input limit-s
service-policy output limit-d
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 <public-gateway>
ip route <internal-subnet-1> <internal-gateway>
ip route <internal-subnet-2> <internal-gateway>
ip route <internal-subnet-3> <internal-gateway>
!
no ip http server
no ip http secure-server
ip nat translation timeout 300
ip nat translation tcp-timeout 1800
ip nat translation max-entries list acl-jx 400 //limit the number of NAT entries for this list
ip nat translation max-entries host <internal-special-host-address> 200 //limit the number of NAT entries for this host
ip nat pool pool-1 <public-address-1> <public-address-1> prefix-length 26
ip nat pool pool-0 <public-address-2> <public-address-2> prefix-length 26
ip nat pool pool-2 <public-address-3> <public-address-3> prefix-length 26
ip nat pool pool-3 <public-address-4> <public-address-4> prefix-length 26
ip nat pool pool-4 <public-address-5> <public-address-5> prefix-length 26
ip nat pool pool-5 <public-address-6> <public-address-6> prefix-length 26
ip nat inside source route-map bt pool pool-0 overload
ip nat inside source route-map hz pool pool-2 overload
ip nat inside source route-map jx pool pool-3 overload
ip nat inside source route-map kjc pool pool-1 overload
!
ip access-list extended acl-hz
permit ip <internal-subnet-1> any
ip access-list extended acl-jx
permit ip <internal-subnet-2> any
ip access-list extended acl-kjc
permit ip <internal-subnet-3> any
ip access-list extended acl-liu
permit ip host <special-host> any
ip access-list extended acl-liu-1
permit ip any host <public-address-1>
ip access-list extended d3000
permit tcp any any gt 2000
permit udp any any gt 2000
ip access-list extended inside-2 //general filtering and blocking of known worm ports
deny udp any any eq 135
deny tcp any any eq 135
deny udp any any eq netbios-ns
deny tcp any any eq 137
deny udp any any eq netbios-dgm
deny tcp any any eq 138
deny udp any any eq netbios-ss
deny tcp any any eq 139
deny udp any any eq 445
deny tcp any any eq 445
deny tcp any any eq 593
deny tcp any any eq 707
deny udp any any eq 1434
deny tcp any any eq 4444
deny tcp any any eq 8888
deny tcp any any eq 7778
deny tcp any any eq 8594
deny tcp any any eq 8563
deny tcp any any eq 33333
deny tcp any any eq 6667
deny tcp any any eq 11173
permit ip <internal-address-range-1> any
permit ip <internal-address-range-2> any
!
ip access-list extended out-in
deny ip any any
ip access-list extended s3000
permit tcp any gt 2000 any
permit udp any gt 2000 any
!
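The access lists above are evaluated top to bottom, first match wins, and anything that falls off the end hits the implicit deny; for `inside-2` that means hosts outside the two permitted internal ranges get no outbound access at all, not just the listed worm ports. The following is an added example, not part of the original post, that parses the subset of extended-ACL syntax used on this page (`any`, `host A`, `A wildcard`, and `eq`/`gt`/`lt` port operators) and evaluates sample packets against it. The internal ranges are constructed RFC 1918 test nets standing in for the page's placeholders, and all function names are my own; the parser only understands the syntax forms that actually appear above.

```python
"""Evaluator for the subset of Cisco extended-ACL syntax used on this page (added example)."""
import ipaddress

# Well-known port names that appear in the ACLs above.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Constructed sample: an abbreviated inside-2 with the page's placeholder
# internal ranges replaced by 10.1.0.0/16 and 10.2.0.0/16.
INSIDE_2 = """
deny udp any any eq 135
deny tcp any any eq 135
deny udp any any eq netbios-ns
deny tcp any any eq 137
deny udp any any eq netbios-dgm
deny tcp any any eq 138
deny udp any any eq netbios-ss
deny tcp any any eq 139
deny udp any any eq 445
deny tcp any any eq 445
deny tcp any any eq 4444
permit ip 10.1.0.0 0.0.255.255 any
permit ip 10.2.0.0 0.0.255.255 any
"""

S3000 = """
permit tcp any gt 2000 any
permit udp any gt 2000 any
"""


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # Invert the Cisco wildcard into a netmask (contiguous wildcards only).
    wild = int(ipaddress.ip_address(toks[i + 1]))
    netmask = str(ipaddress.ip_address(0xFFFFFFFF ^ wild))
    return ipaddress.ip_network((toks[i], netmask), strict=False), i + 2


def _port_match(toks, i):
    """Parse an optional 'eq|gt|lt PORT' operator at toks[i]."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines into (action, proto, src_net, src_port, dst_net, dst_port) rules."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        action, proto = toks[0], toks[1]
        src, i = _addr(toks, 2)
        sport, i = _port_match(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port_match(toks, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _port_ok(cond, port):
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def evaluate(rules, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet; first matching rule wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto):
            continue
        if src_ip in rsrc and dst_ip in rdst and _port_ok(rsport, sport) and _port_ok(rdport, dport):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    rules = parse_acl(INSIDE_2)
    print(evaluate(rules, "tcp", "10.1.5.5", 51000, "203.0.113.9", 445))  # blocked worm port
    print(evaluate(rules, "tcp", "10.1.5.5", 51000, "203.0.113.9", 80))   # permitted
    print(evaluate(rules, "tcp", "10.9.9.9", 51000, "203.0.113.9", 80))   # implicit deny
```

The `s3000`/`d3000` lists in the same block only look at the port operator (`gt 2000`), so the evaluator also shows that a flow sourced from port 80 would escape the `limit-s` policer while any ephemeral source port is rate-limited.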
route-map hz permit 10
description hang-zhang
match ip address acl-hz
!
route-map jx permit 10
description jian-xi
match ip address acl-jx
!
route-map bt permit 10
description p2p-download
match ip address acl-liu
!
route-map kjc permit 10
description ke-ji-chu
match ip address acl-kjc