Case study: preventing internal users from changing their IP configuration on a PIX or ASA
Goal: stop internal users from changing their IP addresses at will. A user may only use the IP assigned to them; if they change it, they can no longer reach any network resources.
For example, after the configuration below (arp inside 10.64.64.29 000f.b0d8.a504), the PC with MAC address 000f.b0d8.a504 can only reach network resources using IP 10.64.64.29; if it changes its IP, it gets no access.

pix515e# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname pix515e
domain-name cisco
enable password N7FecZuSHJlVZC2P encrypted

Name resolution (aliases for hosts):
****************************************************
names
name 10.64.64.113 chengxiaojie
name 10.64.64.13 dhcp
name 10.64.64.71 liuyongjun
name 10.64.64.72 liuyongjun-ibm
name 10.64.64.39 lixiaoliang
name 10.64.64.103 lixuesong
name 10.64.64.17 lulianying
name 10.64.64.92 qizuomeng
name 10.64.64.69 wangzhili
name 10.64.64.105 xingzhonghe
name 10.64.64.45 tanjun
name 10.64.64.108 zhangyi
name 10.64.64.178 hujian
name 10.64.64.93 ibm220
name 10.64.64.62 jiling
name 10.64.64.111 yangliu
name 10.64.64.112 wangsishen
name 10.64.64.158 wangyuguo
name 10.64.64.52 lishihai
name 10.64.64.78 office-teacher
name 10.64.64.48 yangjin
name 10.64.64.104 wutao
name 10.64.64.63 zangdong
name 10.64.64.80 xiaoguangyue
name 10.64.64.14 ibm235
name 10.64.64.222 lixuesong-dell
name 10.64.64.75 maxiaopeng
name 10.64.64.215 lintao
name 10.64.64.199 machi
name 10.64.64.216 liuxuesong
name 10.64.64.246 jiachangjing
name 10.64.64.61 chufw
****************************************************
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.76.26 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.64.64.2 255.255.240.0
!
interface Ethernet2
 nameif dmz
 security-level 80
 ip address 192.168.0.1 255.255.255.0
!
passwd N7FecZuSHJlVZC2P encrypted
!
time-range worktime
 periodic daily 8:00 to 17:00
!
ftp mode passive
clock timezone CST 8
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 219.150.32.132
 domain-name cisco

Define object-groups so they can be referenced from the ACLs (note: object-groups are a great feature; they greatly simplify ACL configuration):
****************************************************
object-group network www
 network-object host xingzhonghe
 network-object host chengxiaojie
 network-object host dhcp
 network-object host liuxuesong
 network-object host wangzhili
 network-object host liuyongjun
 network-object host liuyongjun-ibm
 network-object host lulianying
 network-object host chufw
 network-object host jiachangjing
 network-object host maxiaopeng
 network-object host 10.64.64.255
object-group network guest
 network-object 10.64.66.112 255.255.255.240
object-group network caiwu
 network-object 10.64.66.0 255.255.255.224
object-group service netmeeting tcp
 port-object range 1503 1503
 port-object range h323 h323
object-group network worktime
 network-object host wutao
 network-object host zhangyi
 network-object host yangliu
 network-object host wangsishen
 network-object host wangyuguo
 network-object host 10.64.64.169
 network-object host 10.64.64.18
 network-object host machi
 network-object host lintao
 network-object host liuxuesong
 network-object host lixuesong-dell
 network-object host 10.64.64.247
 network-object host 10.64.64.29
 network-object host 10.64.64.30
 network-object host yangjin
 network-object host lishihai
 network-object host 10.64.64.55
 network-object host jiling
 network-object host office-teacher
****************************************************
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any any object-group netmeeting

Reference the object-groups above in the ACL:
****************************************************
access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip object-group caiwu 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip object-group www any
access-list inside_access_in extended permit ip object-group guest any inactive
access-list inside_access_in extended deny tcp any any eq 1863
access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
access-list inside_access_in extended permit ip host qizuomeng host 211.147.77.98
access-list inside_access_in extended permit ip object-group worktime any time-range worktime
access-list inside_access_in extended permit ip host ibm235 any time-range worktime inactive
****************************************************
access-list remote_splitTunnelAcl standard permit 10.64.64.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.64.64.0 255.255.240.0 1.1.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 1.1.1.0 255.255.255.0
access-list caiwu_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip any 1.1.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 1.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool remote 1.1.1.1-1.1.1.254 mask 255.255.255.0
ip local pool caiwu 2.2.2.1-2.2.2.254 mask 255.255.255.0
no failover
asdm image flash:/asdm.bin
no asdm history enable

Bind each IP to its MAC address:
****************************************************
arp inside 10.64.64.29 000f.b0d8.a504
arp inside 10.64.64.247 000b.2f04.7dd8
arp inside 10.64.64.169 0016.17f2.2eb3
arp inside lintao 000a.e6b2.c4c6
arp inside liuxuesong 00e0.4c58.b7cd
arp inside lishihai 000a.e69b.f4dc
arp inside ibm235 0009.6ba5.49c5
arp inside maxiaopeng 000c.764d.6aa8
arp inside xiaoguangyue 0011.09b4.6f25
arp inside zangdong 00e0.4cc1.2a14
arp inside wutao 0013.d47d.0c36
arp inside office-teacher 0090.9626.7da7
arp inside yangjin 00e0.4d01.6b1b
arp inside wangyuguo 00e0.4c21.471d
arp inside wangsishen 0015.c50f.92a5
arp inside yangliu 0015.f299.7f6c
arp inside jiling 00e0.4cc1.2a34
arp inside hujian 0011.252f.8613
arp inside ibm220 0002.556d.0037
arp inside jiachangjing 00e0.4d01.6b30
arp inside tanjun 0013.7222.5fe5
arp inside wangzhili 000d.6004.c197
arp inside lixiaoliang 0014.782f.b989
arp inside liuyongjun-ibm 0010.c6de.2686
arp inside lulianying 0016.3563.db1b
arp inside liuyongjun 0000.e25a.8580
arp inside lixuesong 0017.3152.8e78
arp inside chengxiaojie 0016.3564.8a6b
arp inside xingzhonghe 00e0.4c60.a8da
arp inside dhcp 0014.5e2b.77b5
arp inside zhangyi 0013.7222.4819
arp inside lixuesong-dell 0018.8ba2.d1c5
arp inside machi 000a.e6b5.0600
arp inside 10.64.64.18 0015.c510.12d4
****************************************************
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.64.64.0 255.255.240.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) tcp interface 1503 chufw 1503 netmask 255.255.255.255
static (inside,outside) tcp interface h323 chufw h323 netmask 255.255.255.255
access-group outside_access_in in interface outside

Apply the ACL to the inside interface:
****************************************************
access-group inside_access_in in interface inside
****************************************************
route outside 0.0.0.0 0.0.0.0 X.X.76.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy caiwu internal
group-policy caiwu attributes
 dns-server value 219.150.32.132
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value caiwu_splitTunnelAcl
group-policy remote internal
group-policy remote attributes
 dns-server value 219.150.32.132
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_splitTunnelAcl
username chufw password hs6C0g7Y0Zza/dVN encrypted privilege 15
username chufw attributes
 vpn-group-policy remote
 vpn-framed-ip-address 1.1.1.111 255.255.255.0
http server enable
http chufw 255.255.255.255 inside
http 219.148.242.228 255.255.255.255 outside
http 219.148.242.227 255.255.255.255 outside
http 1.1.1.111 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
 address-pool remote
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key *
tunnel-group caiwu type ipsec-ra
tunnel-group caiwu general-attributes
 address-pool remote
 default-group-policy caiwu
tunnel-group caiwu ipsec-attributes
 pre-shared-key *
telnet chufw 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server 207.46.130.100 source outside
tftp-server inside chufw pix
prompt hostname context
Cryptochecksum:c02e836587f08fa6ce4699df28408774
: end
pix515e#

This article is from the 51CTO.COM technical blog.
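The audit a practitioner would want after binding IPs to MACs, as an added Python example (not part of the original post): a static `arp inside` entry only ties a bound address to one MAC, so any source address that `inside_access_in` permits but that has no such entry is still usable by whichever inside host claims it. The script resolves `name` aliases, expands the network object-groups and lists those unbound permitted addresses; `SAMPLE_CONFIG` is a constructed excerpt in the style of the config above, and `parse_config` and `unbound_permitted_hosts` are my own helpers, not PIX features.

```python
import re
# Constructed sample in the style of the running config quoted on the page.
SAMPLE_CONFIG = """\
name 10.64.64.61 chufw
name 10.64.64.104 wutao
name 10.64.64.39 lixiaoliang
object-group network www
 network-object host chufw
object-group network worktime
 network-object host wutao
 network-object host 10.64.64.29
 network-object host 10.64.64.30
access-list inside_access_in extended permit ip object-group www any
access-list inside_access_in extended permit ip object-group worktime any time-range worktime
access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
access-list inside_access_in extended permit ip host ibm235 any time-range worktime inactive
arp inside 10.64.64.29 000f.b0d8.a504
arp inside wutao 0013.d47d.0c36
arp inside lixiaoliang 0014.782f.b989
"""

def parse_config(text):
    """Return (name aliases, network object-groups as IP lists, statically bound IPs)."""
    names, groups, bound, current = {}, {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m[2]] = m[1]                        # alias -> IP
        elif m := re.match(r"object-group network (\S+)$", line):
            current = groups.setdefault(m[1], [])
        elif line.startswith("object-group"):         # service groups hold no hosts
            current = None
        elif (m := re.match(r"network-object host (\S+)$", line)) and current is not None:
            current.append(m[1])
        elif m := re.match(r"arp inside (\S+) [0-9a-f.]{14}$", line):
            bound.add(m[1])
    resolve = lambda h: names.get(h, h)               # arp and group entries may use aliases
    groups = {g: [resolve(h) for h in hosts] for g, hosts in groups.items()}
    return names, groups, {resolve(h) for h in bound}

def unbound_permitted_hosts(text, acl="inside_access_in"):
    """Source IPs the ACL permits that have no static ARP entry tying them to one MAC."""
    names, groups, bound = parse_config(text)
    ace = re.compile(rf"access-list {acl} extended permit \S+ (object-group|host) (\S+)")
    permitted = set()
    for raw in text.splitlines():
        m = ace.match(raw.strip())
        if m and not raw.rstrip().endswith(" inactive"):      # inactive ACEs are not enforced
            hosts = groups.get(m[2], []) if m[1] == "object-group" else [names.get(m[2], m[2])]
            permitted.update(hosts)                 # subnet-only groups contribute nothing
    return sorted(permitted - bound)
```

Run it against the full `show run` output to see every permitted address that still lacks an `arp inside` line; each one is a candidate for a new binding or for removal from the ACL.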


subchen