Context-Based Firewall
1. Topology Diagram

2. Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | F0/0 | 10.102.10.3 | 255.255.255.0 | N/A |
| R1 | S0/1/0 | 10.102.20.1 | 255.255.255.0 | N/A |
| R2 | S0/1/0 | 10.102.20.2 | 255.255.255.0 | N/A |
| R2 | S0/1/1 | 10.102.30.2 | 255.255.255.0 | N/A |
| R3 | S0/1/0 | 10.102.30.1 | 255.255.255.0 | N/A |
| R3 | F0/0 | 10.102.40.1 | 255.255.255.0 | N/A |
| PC-A | NIC | 10.102.10.3 | 255.255.255.0 | 10.102.10.254 |
| PC-C | NIC | 10.102.40.3 | 255.255.255.0 | 10.102.40.254 |
3. Configuration Steps
(1) Configure static routes so that all networks are reachable
R1(config)#ip route 10.102.30.0 255.255.255.0 10.102.20.2
R1(config)#ip route 10.102.40.0 255.255.255.0 10.102.20.2
R2(config)#ip route 10.102.40.0 255.255.255.0 10.102.30.1
R2(config)#ip route 10.102.10.0 255.255.255.0 10.102.20.1
R3(config)#ip route 10.102.20.0 255.255.255.0 10.102.30.2
R3(config)#ip route 10.102.10.0 255.255.255.0 10.102.30.2
Ping test
PC-A pings PC-C

PC-C pings PC-A

PC-C telnets to the interface

PC-C opens the PC-A web page

(2) Configure the zone-based firewall on R3
R3(config)#zone security IN-ZONE
R3(config-sec-zone)#zone security OUT-ZONE
R3(config-sec-zone)#exit
R3(config)#access-list 101 permit ip 10.102.40.0 0.0.0.255 any
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101
R3(config-cmap)#exit
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect
No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected
R3(config-pmap-c)#exit
R3(config-pmap)#exit
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)#exit
R3(config)#int f0/0
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#int s0/1/0
R3(config-if)#zone-member security OUT-ZONE
R3(config-if)#end
R3#show policy-map type inspect zone-pair sessions
Ping test
As shown, PC-C can still ping PC-A successfully: the IN-2-OUT-ZPAIR policy inspects the ICMP session leaving IN-ZONE, so the replies from OUT-ZONE are allowed back.
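As an added example (not part of the original lab), the following Python script parses the R3 firewall configuration above and predicts how the zone-based firewall treats a new flow: inspected when it enters IN-ZONE from 10.102.40.0/24 and leaves towards OUT-ZONE, dropped when no zone-pair covers the direction (any flow initiated from OUT-ZONE towards IN-ZONE), and dropped by class-default when the source address falls outside access-list 101. It assumes the full interface names FastEthernet0/0 and Serial0/1/0, and models only `match access-group` classes, the inspect/pass/drop actions, and interfaces that are zone members.

```python
import ipaddress

R3_CONFIG = """access-list 101 permit ip 10.102.40.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/0
 zone-member security IN-ZONE
interface Serial0/1/0
 zone-member security OUT-ZONE
"""  # constructed copy of R3's lab configuration above, prompts stripped

def parse(config):  # -> (acls, classes, policies, pairs, members)
    acls, classes, policies, pairs, members, cur = {}, {}, {}, {}, {}, None
    for w in (ln.split() for ln in config.splitlines() if ln.strip()):
        if w[0] == "access-list":            # the IOS wildcard mask parses as a hostmask
            acls.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
        elif w[0] == "class-map":
            cur = classes[w[-1]] = []
        elif w[0] == "match":                # only 'match access-group N' is modelled
            cur.append(w[-1])
        elif w[0] == "policy-map":
            pol = policies[w[-1]] = {}
        elif w[0] == "class":                # a class with no action line drops
            cur = w[-1]
        elif w[0] in ("inspect", "pass", "drop"):
            pol[cur] = w[0]
        elif w[0] == "zone-pair":
            cur = (w[-3], w[-1])             # (source zone, destination zone)
        elif w[0] == "service-policy":
            pairs[cur] = w[-1]
        elif w[0] == "interface":
            cur = w[-1]
        elif w[0] == "zone-member":
            members[cur] = w[-1]
    return acls, classes, policies, pairs, members

def verdict(cfg, src_if, dst_if, src_ip):  # how ZBPF treats a new flow src_if -> dst_if
    acls, classes, policies, pairs, members = cfg
    sz, dz = members[src_if], members[dst_if]   # both interfaces must be zone members
    if sz == dz or (sz, dz) not in pairs:
        return "pass: intra-zone" if sz == dz else "drop: no zone-pair"
    for cname, action in policies[pairs[(sz, dz)]].items():
        if all(any(ipaddress.ip_address(src_ip) in n for n in acls[a]) for a in classes.get(cname, [])):
            return f"{action}: class {cname}"
    return "drop: class-default"   # nothing matched: ZBPF's implicit drop
```

Calling `verdict(parse(R3_CONFIG), "FastEthernet0/0", "Serial0/1/0", "10.102.40.3")` reproduces the lab result for PC-C's ping, while swapping the interfaces shows the reverse direction is dropped for lack of a zone-pair.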
