
Zone-based Firewall – SDM's "Low" setting
Created by Nick Sendelbach

The router has two security zones plus its own self zone: in-zone (FastEthernet0/1), out-zone (Serial0/1), and self (traffic sourced by or addressed to the router itself).

zone security out-zone
zone security in-zone

interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security in-zone

interface Serial0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security out-zone

Three zone-pairs carry the policy (numbered 1 to 3 in the original diagram); each policy-map is followed by the class-maps and access lists it references.

1. Router to outside

zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply

policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass

class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp

2. Outside to router

zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit

policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop (implicit)

class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
ip access-list extended SDM_EIGRP
 permit eigrp any any

3. Inside to outside

zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect

policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass

class-map type inspect match-all sdm-invalid-src
 match access-group 100
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any

class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp

class-map type inspect match-all sdm-protocol-http
 match protocol http

class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
Full running configuration:

class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 zone-member security in-zone
 duplex auto
 speed auto
!
interface Serial0/1
 description $FW_OUTSIDE$
 ip address 10.2.2.1 255.255.255.252
 zone-member security out-zone
!
router eigrp 1
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip access-list extended SDM_EIGRP
 remark SDM_ACL Category=1
 permit eigrp any any
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
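To see how IOS actually applies the configuration above to a packet, the following Python model is added here as a worked example; it is not part of the original page or of any Cisco tool. It transcribes the SDM "Low" zones, zone-pairs, policy-maps, class-maps and access lists into data and then walks a flow through the same decision steps the firewall uses: find the source and destination zones, look up the zone-pair, evaluate the policy-map's classes in order (match-any versus match-all, nested class-maps, access-group matches), and fall through to class-default. Two simplifications are assumptions of the model, not of the page: protocol classification is not performed (each constructed flow states the application and transport label IOS inspect would assign), and stateful handling of return traffic is not tracked. The sample flows and the address 203.0.113.5 are constructed for the example.

```python
"""Toy model of Cisco Zone-Based Firewall (ZBF) policy evaluation for the SDM "Low"
configuration on this page (added example; protocol classification and stateful
return traffic are not modelled, flows carry their own protocol labels)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str                  # application as inspect would classify it, e.g. "http"
    transport: str            # "tcp", "udp", "icmp" or "eigrp"
    in_iface: Optional[str]   # None when the router itself sends the packet
    out_iface: Optional[str]  # None when the packet is addressed to the router


# --- transcribed from the page's running config; wildcard masks -> prefix lengths
ZONE_OF_IFACE = {"FastEthernet0/1": "in-zone", "Serial0/1": "out-zone"}
ACLS = {  # (protocol, source prefix, destination prefix); every entry is a permit
    "100": [("ip", "255.255.255.255/32", "0.0.0.0/0"), ("ip", "127.0.0.0/8", "0.0.0.0/0"),
            ("ip", "10.2.2.0/30", "0.0.0.0/0")],       # spoofed / own-subnet sources
    "SDM_EIGRP": [("eigrp", "0.0.0.0/0", "0.0.0.0/0")],
}
INSP_PROTOCOLS = ("cuseeme", "dns", "ftp", "h323", "https", "icmp", "imap", "pop3", "netshow",
                  "shell", "realmedia", "rtsp", "smtp", "sql-net", "streamworks", "tftp",
                  "vdolive", "tcp", "udp")
CLASS_MAPS = {  # name -> (mode, [(criterion, argument), ...])
    "sdm-cls-insp-traffic": ("match-any", [("protocol", p) for p in INSP_PROTOCOLS]),
    "sdm-insp-traffic": ("match-all", [("class-map", "sdm-cls-insp-traffic")]),
    "SDM_EIGRP": ("match-any", [("access-group", "SDM_EIGRP")]),
    "SDM_EIGRP_TRAFFIC": ("match-any", [("class-map", "SDM_EIGRP")]),
    "SDM_EIGRP_PT": ("match-all", [("class-map", "SDM_EIGRP_TRAFFIC")]),
    "SDM-Voice-permit": ("match-any", [("protocol", p) for p in ("h323", "skinny", "sip")]),
    "sdm-cls-icmp-access": ("match-any", [("protocol", p) for p in ("icmp", "tcp", "udp")]),
    "sdm-icmp-access": ("match-all", [("class-map", "sdm-cls-icmp-access")]),
    "sdm-invalid-src": ("match-all", [("access-group", "100")]),
    "sdm-protocol-http": ("match-all", [("protocol", "http")]),
}
POLICY_MAPS = {  # ordered (class, action); class-default in sdm-permit has IOS's implicit drop
    "sdm-permit-icmpreply": [("sdm-icmp-access", "inspect"), ("class-default", "pass")],
    "sdm-permit": [("SDM_EIGRP_PT", "pass"), ("class-default", "drop")],
    "sdm-inspect": [("sdm-invalid-src", "drop log"), ("sdm-insp-traffic", "inspect"),
                    ("sdm-protocol-http", "inspect"), ("SDM-Voice-permit", "inspect"),
                    ("class-default", "pass")],
}
ZONE_PAIRS = {("self", "out-zone"): "sdm-permit-icmpreply", ("out-zone", "self"): "sdm-permit",
              ("in-zone", "out-zone"): "sdm-inspect"}


def acl_permits(acl_name: str, flow: Flow) -> bool:
    # First matching entry decides; no match is the ACL's implicit deny.
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return any(proto in ("ip", flow.transport) and src in ip_network(s) and dst in ip_network(d)
               for proto, s, d in ACLS[acl_name])


def class_matches(name: str, flow: Flow) -> bool:
    mode, criteria = CLASS_MAPS[name]
    def one(kind: str, arg: str) -> bool:
        if kind == "protocol":        # "match protocol tcp" also covers every TCP application
            return arg in (flow.app, flow.transport)
        if kind == "class-map":
            return class_matches(arg, flow)
        return acl_permits(arg, flow)  # kind == "access-group"
    results = [one(k, a) for k, a in criteria]
    return all(results) if mode == "match-all" else any(results)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for the first packet of a flow."""
    def zone_of(i): return "self" if i is None else ZONE_OF_IFACE.get(i)
    src_zone, dst_zone = zone_of(flow.in_iface), zone_of(flow.out_iface)
    if src_zone is None or dst_zone is None:  # interface outside every zone
        ok = (src_zone is None and dst_zone is None) or "self" in (src_zone, dst_zone)
        return ("pass" if ok else "drop"), "interface is not a zone member"
    if src_zone == dst_zone:
        return "pass", f"intra-zone traffic inside {src_zone}"
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:  # no zone-pair: default pass only when the self zone is involved
        involves_self = "self" in (src_zone, dst_zone)
        return ("pass" if involves_self else "drop"), f"no zone-pair {src_zone} -> {dst_zone}"
    for cls, action in POLICY_MAPS[policy]:  # first matching class wins
        if cls == "class-default" or class_matches(cls, flow):
            return action, f"{policy}: class {cls}"
    raise AssertionError("class-default must terminate every policy-map")


# Constructed sample flows; 203.0.113.5 is a documentation address, not from the page.
SAMPLE_FLOWS = {
    "inside host browses out": Flow("192.168.3.10", "203.0.113.5", "http", "tcp", "FastEthernet0/1", "Serial0/1"),
    "inside spoofed loopback": Flow("127.0.0.1", "203.0.113.5", "http", "tcp", "FastEthernet0/1", "Serial0/1"),
    "EIGRP neighbour to router": Flow("10.2.2.2", "224.0.0.10", "eigrp", "eigrp", "Serial0/1", None),
    "outside telnet to router": Flow("10.2.2.2", "10.2.2.1", "telnet", "tcp", "Serial0/1", None),
    "router pings out": Flow("10.2.2.1", "203.0.113.5", "icmp", "icmp", None, "Serial0/1"),
    "unsolicited outside to inside": Flow("203.0.113.5", "192.168.3.10", "http", "tcp", "Serial0/1", "FastEthernet0/1"),
    "inside ssh to router": Flow("192.168.3.10", "192.168.3.1", "ssh", "tcp", "FastEthernet0/1", None),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        action, reason = evaluate(flow)
        print(f"{label:30} -> {action:9} ({reason})")
```

Running the model over the sample flows shows what the "Low" policy does and does not give you: inside-to-outside HTTP is matched by sdm-insp-traffic, because the generic match protocol tcp in sdm-cls-insp-traffic already covers it, so the later sdm-protocol-http class is never reached for HTTP in this class order; a packet arriving on the inside interface with a loopback source is dropped and logged by sdm-invalid-src; EIGRP from the outside neighbour is passed to the router while any other outside-to-router traffic falls to the implicit drop of class-default in sdm-permit; outside-to-inside traffic has no zone-pair at all and is dropped, so only the return half of sessions the router has inspected gets through (state the model does not track); and inside-to-router traffic is allowed because no zone-pair covers that direction and the self zone defaults to pass.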
