Lab guide: three-interface IOS firewall (CBAC)

I. Lab task

Topology: R2 is the firewall. Its Serial1/0 faces the outside network (R1), Serial1/1 faces the inside network (R3), and Ethernet0/0 faces the DMZ (R4 and the PC). The DMZ holds the DNS, web, FTP, mail and telnet servers. R1's telnet port is 3100.

1. The inside network can initiate connections to the DMZ and to the outside network (FTP, telnet, TCP, UDP, ICMP); the reverse direction is not allowed.
2. Mail, DNS requests and telnet requests from the DMZ can be sent to the outside network; apart from that, DMZ hosts cannot initiate connections to inside or outside hosts.
3. The outside network can initiate connections to the DMZ servers.

II. Lab steps

1. Preconfiguration

-R1:
  hostname R1
  interface Loopback0
   no shutdown
   ip address 10.1.1.1 255.255.255.0
  interface Serial1/1
   no shutdown
   ip address 10.12.12.1 255.255.255.0
  ip route 0.0.0.0 0.0.0.0 Serial1/1
  line vty 0 4
   rotary 100
   password cisco
   login

-R2:
  hostname R2
  interface Serial1/0
   no shutdown
   ip address 10.12.12.2 255.255.255.0
  !
  interface Serial1/1
   no shutdown
   ip address 10.23.23.2 255.255.255.0
  interface Ethernet0/0
   no shutdown
   duplex full
   ip address 10.24.24.50 255.255.255.0
  ip route 10.1.1.0 255.255.255.0 Serial1/0
  ip route 10.3.3.0 255.255.255.0 Serial1/1
  ip route 10.4.4.0 255.255.255.0 10.24.24.150

-R3:
  hostname R3
  interface Loopback0
   ip address 10.3.3.3 255.255.255.0
  interface Serial1/0
   no shutdown
   ip address 10.23.23.3 255.255.255.0
  ip route 0.0.0.0 0.0.0.0 Serial1/0
  line vty 0 4
   rotary 100
   password cisco
   login

-R4:
  hostname R4
  interface Loopback0
   ip address 10.4.4.4 255.255.255.0
  interface Ethernet0/0
   no shutdown
   duplex full
   ip address 10.24.24.150 255.255.255.0
  ip route 0.0.0.0 0.0.0.0 10.24.24.50
  line vty 0 4
   rotary 100
   password cisco
   login

-PC: set the IP address to 10.24.24.1XX (XX is the computer number). Download the FTP server software from ftp://10.3.24.56/software/servU/, install it, configure the FTP server and create the user test with password cisco.

Preconfiguration test: from R3 and R4, run telnet 10.1.1.1 and telnet 10.1.1.1 3100 (rotary 100 makes R1's vty lines listen on TCP port 3100 as well as port 23). From R1 and R3, run copy run ftp://test:cisco@10.24.24.100 (10.24.24.100 is the PC's IP address). All of these must succeed before any ACL or inspection rule is applied; otherwise a later failure cannot be attributed to the firewall.

2. Configuration task (1)

-R2:
  ip access-list extended DMZ_IN
   deny ip any any
  ip access-list extended INSIDE_IN
   permit ip any any
  ip access-list extended OUTSIDE_IN
   deny ip any any
  ip inspect name TEST1 ftp
  ip inspect name TEST1 telnet
  ip inspect name TEST1 icmp
  ip inspect name TEST1 tcp
  ip inspect name TEST1 udp
  interface Serial1/0
   ip access-group OUTSIDE_IN in
  interface Serial1/1
   ip access-group INSIDE_IN in
   ip inspect TEST1 in
  interface Ethernet0/0
   ip access-group DMZ_IN in

How this satisfies task 1: every interface carries an inbound ACL, and only Serial1/1 (inside) also carries an inspection rule. When an inside host opens a session, CBAC records it and inserts a temporary entry ahead of the inbound ACL on the interface where the replies arrive (OUTSIDE_IN or DMZ_IN), so the replies pass even though both of those lists end in deny ip any any. Sessions started from the outside or the DMZ hit the static deny and never get an entry. Generic tcp and udp inspection in TEST1 covers ports that have no application-specific inspector; ftp and telnet are listed separately because those inspectors understand the application (for FTP, the data channel).

3. Configuration task (2)

-R2:
  ip access-list extended DMZ_IN
   1 deny ip any 10.23.23.0 0.0.0.255
   2 deny ip any 10.3.3.0 0.0.0.255
   3 permit tcp any any eq telnet
   4 permit tcp any any eq smtp
   5 permit tcp any any eq domain
  ip inspect name TEST2 telnet
  ip inspect name TEST2 dns
  ip inspect name TEST2 smtp
  interface Ethernet0/0
   ip inspect TEST2 in

The sequence numbers 1 to 5 place these entries ahead of the deny ip any any entered in task (1), which received sequence number 10. The two deny entries come first so that a DMZ host cannot reach the inside subnets even on the permitted ports; the permits therefore only ever match traffic towards the outside. Check the DNS line: permit tcp any any eq domain allows DNS over TCP only, while the dns inspector in TEST2 handles DNS over UDP, so UDP port 53 from the DMZ is still dropped by DMZ_IN. If DMZ servers must resolve names in the usual way, DMZ_IN also needs a permit for UDP port 53.

4. Configuration task (3)

-R2:
  ip access-list extended OUTSIDE_IN
   1 permit udp any 10.24.24.0 0.0.0.255 eq domain
   2 permit tcp any 10.24.24.0 0.0.0.255 eq smtp
   3 permit tcp any 10.24.24.0 0.0.0.255 eq pop3
   4 permit tcp any 10.24.24.0 0.0.0.255 eq www
   5 permit tcp any 10.24.24.0 0.0.0.255 eq ftp
   6 permit tcp any 10.24.24.0 0.0.0.255 eq telnet
  ip inspect name TEST3 dns
  ip inspect name TEST3 smtp
  ip inspect name TEST3 pop3
  ip inspect name TEST3 http
  ip inspect name TEST3 ftp
  ip inspect name TEST3 telnet
  interface Serial1/0
   ip inspect TEST3 in

Each permit in OUTSIDE_IN is restricted to the DMZ subnet 10.24.24.0/24, so the outside still cannot reach the inside network; ICMP from the outside is not permitted anywhere. Inspecting TEST3 inbound on Serial1/0 is what lets the DMZ servers' replies back out through DMZ_IN, which otherwise only permits telnet, smtp and domain.

5. Configuring PAM

-R2:
  access-list 10 permit host 10.1.1.1
  ip port-map telnet port tcp 3100 list 10

Port-to-Application Mapping tells the inspection engine to treat TCP port 3100 as telnet, but only for the hosts matched by access-list 10 (here R1 alone); port 3100 to any other host keeps its default classification. PAM changes only how a flow is inspected, not whether it is permitted: an interface ACL that permits only eq telnet still drops port 3100, so from the DMZ (where DMZ_IN permits port 23 only) telnet 10.1.1.1 3100 fails even with the port map in place, while from the inside (INSIDE_IN permits everything) it works.

6. Test

From R3, telnet R1 (10.1.1.1): does it succeed?
From R3, ping R1 (10.1.1.1): does it succeed?
From R3, telnet R4 (10.4.4.4): does it succeed?
From R3, ping R4 (10.4.4.4): does it succeed?

On R2 run:
  R2#show ip inspect sessions
  R2#show ip inspect config

From R1, telnet R3 (10.3.3.3): does it succeed?
From R1, ping R3 (10.3.3.3): does it succeed?
From R1, telnet R4 (10.24.24.150): does it succeed?
From R1, ping R4 (10.24.24.150): does it succeed?
From R4, telnet R1 (10.1.1.1): does it succeed?
From R4, ping R1 (10.1.1.1): does it succeed?

Run show ip inspect sessions while a telnet session from R3 is still open; the session and the temporary ACL entry it created disappear once the session closes or idles out, so a check taken after the session has ended shows nothing.

III. Complete configuration

Two points to check against the captured configurations below. First, the ip port-map and access-list 10 lines appear in R3's configuration, but step 5 puts them on R2; PAM only affects the router that runs inspection, so on R3 they have no effect. Second, R4's captured Ethernet0/0 address (10.24.24.4) and default route (10.24.24.2) do not match the preconfiguration (10.24.24.150 and 10.24.24.50) or R2's static route for 10.4.4.0/24 via 10.24.24.150; with the captured values R4 is unreachable, so use the preconfiguration addresses.

-R1-
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.12.12.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 rotary 100
!
end

-R2-
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip inspect name TEST1 ftp
ip inspect name TEST1 telnet
ip inspect name TEST1 icmp
ip inspect name TEST1 tcp
ip inspect name TEST1 udp
ip inspect name TEST2 telnet
ip inspect name TEST2 dns
ip inspect name TEST2 smtp
ip inspect name TEST3 dns
ip inspect name TEST3 smtp
ip inspect name TEST3 pop3
ip inspect name TEST3 http
ip inspect name TEST3 ftp
ip inspect name TEST3 telnet
!
!
!
interface Ethernet0/0
 ip address 10.24.24.50 255.255.255.0
 ip access-group DMZ_IN in
 ip inspect TEST2 in
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.12.12.2 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect TEST3 in
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.23.23.2 255.255.255.0
 ip access-group INSIDE_IN in
 ip inspect TEST1 in
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 10.1.1.0 255.255.255.0 Serial1/0
ip route 10.3.3.0 255.255.255.0 Serial1/1
ip route 10.4.4.0 255.255.255.0 10.24.24.150
!
ip access-list extended DMZ_IN
 deny ip any 10.23.23.0 0.0.0.255
 deny ip any 10.3.3.0 0.0.0.255
 permit tcp any any eq telnet
 permit tcp any any eq smtp
 permit tcp any any eq domain
 deny ip any any
ip access-list extended INSIDE_IN
 permit ip any any
ip access-list extended OUTSIDE_IN
 permit udp any 10.24.24.0 0.0.0.255 eq domain
 permit tcp any 10.24.24.0 0.0.0.255 eq smtp
 permit tcp any 10.24.24.0 0.0.0.255 eq pop3
 permit tcp any 10.24.24.0 0.0.0.255 eq www
 permit tcp any 10.24.24.0 0.0.0.255 eq ftp
 permit tcp any 10.24.24.0 0.0.0.255 eq telnet
 deny ip any any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

-R3-
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip port-map telnet port tcp 3100 list 10
!
!
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 10.23.23.3 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
access-list 10 permit 10.1.1.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 rotary 100
!
end

-R4-
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
!
!
interface Loopback0
 ip address 10.4.4.4 255.255.255.0
!
interface Ethernet0/0
 ip address 10.24.24.4 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.24.24.2
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 rotary 100
!
end
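The following Python model is an added example and is not part of the lab or of IOS; it encodes R2's three inbound ACLs, the three inspection rules and the PAM entry from steps (1) to (5) and predicts the outcome of every check in step 6 before the lab is run. It assumes which zone each address in the checks belongs to, assumes the PC sits at 10.24.24.100, and simplifies CBAC to two rules: an inspected session always opens the return path, and the replies of an uninspected session have to pass the static inbound ACL of the interface they arrive on. Timeouts, TCP state tracking and half-open session limits are ignored.

```python
"""Added example: model of R2's CBAC policy from the lab (not IOS code)."""
from ipaddress import ip_address, ip_network

# Application names used in "ip inspect name", mapped to (protocol, well-known port).
APP_PORTS = {"telnet": ("tcp", 23), "smtp": ("tcp", 25), "dns": ("udp", 53),
             "pop3": ("tcp", 110), "http": ("tcp", 80), "ftp": ("tcp", 21)}

# R2 interface facing each zone, and the zone of every address used in the checks (assumed).
IFACE_OF_ZONE = {"outside": "Serial1/0", "inside": "Serial1/1", "dmz": "Ethernet0/0"}
HOST_ZONE = {"10.1.1.1": "outside",                           # R1
             "10.3.3.3": "inside", "10.23.23.3": "inside",     # R3
             "10.4.4.4": "dmz", "10.24.24.150": "dmz",         # R4
             "10.24.24.100": "dmz"}                            # PC (assumed address)

# Inbound ACLs after steps (1)-(3): (action, protocol, destination network, "eq" port or None).
ACL = {
    "OUTSIDE_IN": [("permit", "udp", "10.24.24.0/24", 53),
                   ("permit", "tcp", "10.24.24.0/24", 25),
                   ("permit", "tcp", "10.24.24.0/24", 110),
                   ("permit", "tcp", "10.24.24.0/24", 80),
                   ("permit", "tcp", "10.24.24.0/24", 21),
                   ("permit", "tcp", "10.24.24.0/24", 23),
                   ("deny", "ip", "0.0.0.0/0", None)],
    "INSIDE_IN": [("permit", "ip", "0.0.0.0/0", None)],
    "DMZ_IN": [("deny", "ip", "10.23.23.0/24", None),
               ("deny", "ip", "10.3.3.0/24", None),
               ("permit", "tcp", "0.0.0.0/0", 23),
               ("permit", "tcp", "0.0.0.0/0", 25),
               ("permit", "tcp", "0.0.0.0/0", 53),  # TCP 53 only; UDP DNS is not permitted
               ("deny", "ip", "0.0.0.0/0", None)],
}

# Per interface: inbound ACL and the protocol set of the inbound "ip inspect" rule.
INTERFACE = {
    "Serial1/0": ("OUTSIDE_IN", {"dns", "smtp", "pop3", "http", "ftp", "telnet"}),  # TEST3
    "Serial1/1": ("INSIDE_IN", {"ftp", "telnet", "icmp", "tcp", "udp"}),           # TEST1
    "Ethernet0/0": ("DMZ_IN", {"telnet", "dns", "smtp"}),                          # TEST2
}

# Step 5 PAM: "ip port-map telnet port tcp 3100 list 10", access-list 10 = host 10.1.1.1.
PORT_MAP = {("tcp", 3100): ("telnet", {"10.1.1.1"})}


def acl_permits(acl_name, proto, dst, dport):
    """First-match evaluation of a named ACL; no match is the implicit deny."""
    for action, p, net, port in ACL[acl_name]:
        if p != "ip" and p != proto:
            continue
        if ip_address(dst) not in ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


def app_name(proto, dst, dport):
    """Application the inspection engine assigns to a flow; PAM entries win."""
    mapped = PORT_MAP.get((proto, dport))
    if mapped and dst in mapped[1]:
        return mapped[0]
    if proto == "icmp":
        return "icmp"
    for app, (p, port) in APP_PORTS.items():
        if (p, port) == (proto, dport):
            return app
    return None


def session_succeeds(src, dst, proto, dport=None):
    """True if a session from src to dst completes through R2 under the lab policy."""
    ingress = IFACE_OF_ZONE[HOST_ZONE[src]]
    egress = IFACE_OF_ZONE[HOST_ZONE[dst]]
    acl_name, inspected = INTERFACE[ingress]
    if not acl_permits(acl_name, proto, dst, dport):
        return False                      # first packet dropped by the ingress ACL
    if proto in inspected or app_name(proto, dst, dport) in inspected:
        return True                       # CBAC opens a temporary return entry
    # Not inspected: replies (to an ephemeral port) must pass the return interface's ACL.
    return acl_permits(INTERFACE[egress][0], proto, src, None)


def expected_results():
    """Predicted outcome of the step-6 checks plus a few extra probes."""
    return {
        "R3 telnet R1": session_succeeds("10.23.23.3", "10.1.1.1", "tcp", 23),
        "R3 ping R1": session_succeeds("10.23.23.3", "10.1.1.1", "icmp"),
        "R3 telnet R4": session_succeeds("10.23.23.3", "10.4.4.4", "tcp", 23),
        "R3 ping R4": session_succeeds("10.23.23.3", "10.4.4.4", "icmp"),
        "R1 telnet R3": session_succeeds("10.1.1.1", "10.3.3.3", "tcp", 23),
        "R1 ping R3": session_succeeds("10.1.1.1", "10.3.3.3", "icmp"),
        "R1 telnet R4": session_succeeds("10.1.1.1", "10.24.24.150", "tcp", 23),
        "R1 ping R4": session_succeeds("10.1.1.1", "10.24.24.150", "icmp"),
        "R4 telnet R1": session_succeeds("10.24.24.150", "10.1.1.1", "tcp", 23),
        "R4 ping R1": session_succeeds("10.24.24.150", "10.1.1.1", "icmp"),
        "R3 telnet R1 3100": session_succeeds("10.23.23.3", "10.1.1.1", "tcp", 3100),
        "R4 telnet R1 3100": session_succeeds("10.24.24.150", "10.1.1.1", "tcp", 3100),
        "R4 DNS/UDP to R1": session_succeeds("10.24.24.150", "10.1.1.1", "udp", 53),
        "R3 GRE to R1": session_succeeds("10.23.23.3", "10.1.1.1", "gre"),
    }


if __name__ == "__main__":
    for check, ok in expected_results().items():
        print(f"{check:20s} {'succeeds' if ok else 'fails'}")
```

The last two probes are the ones worth comparing with the router: UDP DNS from the DMZ fails at DMZ_IN regardless of the dns inspector, and a protocol that TEST1 does not inspect (GRE here) is permitted out of the inside but gets no return entry, so its replies die on OUTSIDE_IN. When a prediction and show ip inspect sessions disagree, the ACL entry or inspect list that differs between the model and the running configuration is the place to look.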
copyright 2008-2022 冰豆网