202 Lab Guide: Three-Interface IOS Firewall
Lab Guide (Three-Interface IOS Firewall)
I. Lab Tasks
Tasks:
The DMZ hosts the DNS, WEB, FTP, mail and telnet servers; R1's telnet port is 3100.
1. The inside network can initiate access to the DMZ and to the outside network (FTP, telnet, TCP, UDP, ICMP), but not the reverse.
2. E-mail, DNS requests and telnet requests from the DMZ can be sent to the outside network; computers in the DMZ cannot initiate access to computers on the inside or outside networks.
3. The outside network can initiate access to the servers in the DMZ.
II. Lab Procedure
1. Pre-configuration:
-------------------------
R1:
hostname R1
interface Loopback0
 no shutdown
 ip address 10.1.1.1 255.255.255.0
interface Serial1/1
 no shutdown
 ip address 10.12.12.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Serial1/1
line vty 0 4
 rotary 100
 password cisco
 login
-------------------------
R2:
hostname R2
interface Serial1/0
 no shutdown
 ip address 10.12.12.2 255.255.255.0
!
interface Serial1/1
 no shutdown
 ip address 10.23.23.2 255.255.255.0
interface e0/0
 no shutdown
 duplex full
 ip address 10.24.24.50 255.255.255.0
ip route 10.1.1.0 255.255.255.0 Serial1/0
ip route 10.3.3.0 255.255.255.0 Serial1/1
ip route 10.4.4.0 255.255.255.0 10.24.24.150
-------------------------
R3:
hostname R3
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
interface Serial1/0
 no shutdown
 ip address 10.23.23.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Serial1/0
line vty 0 4
 rotary 100
 password cisco
 login
-------------------------
R4:
hostname R4
interface Loopback0
 ip address 10.4.4.4 255.255.255.0
interface e0/0
 no shutdown
 duplex full
 ip address 10.24.24.150 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.24.24.50
line vty 0 4
 rotary 100
 password cisco
 login
-------------------------
PC:
Set the IP address to 10.24.24.1XX (XX is the computer number).
Download the FTP software from ftp://10.3.24.56/software/servU/ and install it.
Configure the FTP server and create the user test with password cisco.
Pre-configuration tests:
● From R3 and R4: telnet 10.1.1.1 and telnet 10.1.1.1 3100
● From R1 and R3: copy run ftp://test:cisco@10.24.24.100 (the PC's IP address)
2. Configuration task (1)
-------------------------
R2:
ip access-list extended DMZ_IN
 deny ip any any
ip access-list extended INSIDE_IN
 permit ip any any
ip access-list extended OUTSIDE_IN
 deny ip any any
ip inspect name TEST1 ftp
ip inspect name TEST1 telnet
ip inspect name TEST1 icmp
ip inspect name TEST1 tcp
ip inspect name TEST1 udp
interface Serial1/0
 ip access-group OUTSIDE_IN in
interface Serial1/1
 ip access-group INSIDE_IN in
 ip inspect TEST1 in
interface Ethernet0/0
 ip access-group DMZ_IN in
3. Configuration task (2)
-------------------------
R2:
ip access-list extended DMZ_IN
 1 deny ip any 10.23.23.0 0.0.0.255
 2 deny ip any 10.3.3.0 0.0.0.255
 3 permit tcp any any eq telnet
 4 permit tcp any any eq smtp
 5 permit tcp any any eq domain
ip inspect name TEST2 telnet
ip inspect name TEST2 dns
ip inspect name TEST2 smtp
interface Ethernet0/0
 ip inspect TEST2 in
4. Configuration task (3)
-------------------------
R2:
ip access-list extended OUTSIDE_IN
 1 permit udp any 10.24.24.0 0.0.0.255 eq domain
 2 permit tcp any 10.24.24.0 0.0.0.255 eq smtp
 3 permit tcp any 10.24.24.0 0.0.0.255 eq pop3
 4 permit tcp any 10.24.24.0 0.0.0.255 eq www
 5 permit tcp any 10.24.24.0 0.0.0.255 eq ftp
 6 permit tcp any 10.24.24.0 0.0.0.255 eq telnet
ip inspect name TEST3 dns
ip inspect name TEST3 smtp
ip inspect name TEST3 pop3
ip inspect name TEST3 http
ip inspect name TEST3 ftp
ip inspect name TEST3 telnet
interface Serial1/0
 ip inspect TEST3 in
5. Configure PAM
-------------------------
R2:
access-list 10 permit host 10.1.1.1
ip port-map telnet port tcp 3100 list 10
6. Tests
● From R3, telnet to R1 (10.1.1.1): does it succeed?
● From R3, ping R1 (10.1.1.1): does it succeed?
● From R3, telnet to R4 (10.4.4.4): does it succeed?
● From R3, ping R4 (10.4.4.4): does it succeed?
Run on R2:
R2# show ip inspect sessions
R2# show ip inspect config
● From R1, telnet to R3 (10.3.3.3): does it succeed?
● From R1, ping R3 (10.3.3.3): does it succeed?
● From R1, telnet to R4 (10.24.24.150): does it succeed?
● From R1, ping R4 (10.24.24.150): does it succeed?
● From R4, telnet to R1 (10.1.1.1): does it succeed?
● From R4, ping R1 (10.1.1.1): does it succeed?
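To predict the outcome of each test above before running it, here is a small Python model of R2's three ACLs, the TEST1/TEST2/TEST3 inspection rules and the PAM entry. It is an added example, not part of the original guide; the zone names, the source addresses used for R3 and R4, and the ephemeral reply port are assumptions.

```python
import ipaddress

# Model of R2's three-zone CBAC policy from this lab (added example, not part of
# the guide). Zones: inside = Serial1/1, dmz = Ethernet0/0, outside = Serial1/0.
# ACL rules are (action, proto, src_net, dst_net, dport); dport None = any port.
ANY, NET = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network
ACL = {
    "inside": [("permit", "ip", ANY, ANY, None)],
    "dmz": [("deny", "ip", ANY, NET("10.23.23.0/24"), None),
            ("deny", "ip", ANY, NET("10.3.3.0/24"), None),
            ("permit", "tcp", ANY, ANY, 23), ("permit", "tcp", ANY, ANY, 25),
            ("permit", "tcp", ANY, ANY, 53), ("deny", "ip", ANY, ANY, None)],
    "outside": [("permit", "udp", ANY, NET("10.24.24.0/24"), 53)]
             + [("permit", "tcp", ANY, NET("10.24.24.0/24"), p) for p in (25, 110, 80, 21, 23)]
             + [("deny", "ip", ANY, ANY, None)],
}
# ip inspect name TEST1 / TEST2 / TEST3, applied inbound on each zone's interface
INSPECT = {"inside": {"ftp", "telnet", "icmp", "tcp", "udp"},
           "dmz": {"telnet", "dns", "smtp"},
           "outside": {"dns", "smtp", "pop3", "http", "ftp", "telnet"}}
# Default port-to-application map plus the lab's PAM entry (tcp/3100 -> telnet for host 10.1.1.1)
PORTMAP = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 110: "pop3"}
PAM = {(3100, ipaddress.ip_address("10.1.1.1")): "telnet"}

def acl_permits(zone, proto, src, dst, dport):
    """First-match ACL evaluation; 'eq' matches literal port numbers, never PAM names."""
    for action, rproto, rsrc, rdst, rport in ACL[zone]:
        if rproto not in ("ip", proto) or src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL

def session_allowed(src_zone, src, dst_zone, dst, proto, dport=None):
    """True if the first packet passes the ingress ACL and the reply can get back."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(src_zone, proto, src, dst, dport):
        return False
    app = proto if proto == "icmp" else PAM.get((dport, dst), PORTMAP.get(dport))
    if app in INSPECT[src_zone] or proto in INSPECT[src_zone]:
        return True  # CBAC opens a temporary return entry on the egress interface
    # Not inspected: the reply must be permitted by the destination zone's own inbound ACL
    return acl_permits(dst_zone, proto, dst, src, 40000)  # 40000 = constructed ephemeral port
```

Note that the ACL entries written as `eq telnet` match port 23 literally, so the PAM entry lets CBAC inspect port 3100 as telnet but does not make DMZ_IN permit a DMZ host connecting to port 3100.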
III. Complete Configurations
-----------------------------R1------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.12.12.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 rotary 100
!
end
-----------------------------R2------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip inspect name TEST1 ftp
ip inspect name TEST1 telnet
ip inspect name TEST1 icmp
ip inspect name TEST1 tcp
ip inspect name TEST1 udp
ip inspect name TEST2 telnet
ip inspect name TEST2 dns
ip inspect name TEST2 smtp
ip inspect name TEST3 dns
ip inspect name TEST3 smtp
ip inspect name TEST3 pop3
ip inspect name TEST3 http
ip inspect name TEST3 ftp
ip inspect name TEST3 telnet
!
interface Ethernet0/0
 ip address 10.24.24.50 255.255.255.0
 ip access-group DMZ_IN in
 ip inspect TEST2 in
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.12.12.2 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect TEST3 in
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.23.23.2 255.255.255.0
 ip access-group INSIDE_IN in
 ip inspect TEST1 in
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 10.1.1.0 255.255.255.0 Serial1/0
ip route 10.3.3.0 255.255.255.0 Serial1/1
ip route 10.4.4.0 255.255.255.0 10.24.24.150
!
ip access-list extended DMZ_IN
 deny ip any 10.23.23.0 0.0.0.255
 deny ip any 10.3.3.0 0.0.0.255
 permit tcp any any eq telnet
 permit tcp any any eq smtp
 permit tcp any any eq domain
 deny ip any any
ip access-list extended INSIDE_IN
 permit ip any any
ip access-list extended OUTSIDE_IN
 permit udp any 10.24.24.0 0.0.0.255 eq domain
 permit tcp any 10.24.24.0 0.0.0.255 eq smtp
 permit tcp any 10.24.24.0 0.0.0.255 eq pop3
 permit tcp any 10.24.24.0 0.0.0.255 eq www
 permit tcp any 10.24.24.0 0.0.0.255 eq ftp
 permit tcp any 10.24.24.0 0.0.0.255 eq telnet
 deny ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
-----------------------------R3------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip port-map telnet port tcp 3100 list 10
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.23.23.3 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
access-list 10 permit 10.1.1.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 rotary 100
!
end
-----------------------------R4------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.4.4.4 255.255.255.0
!
interface Ethernet0/0
 ip address 10.24.24.4 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.24.24.2
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 rotary 100
!
end