!-------------------------
!Create the Inspection Rule
!-------------------------
!
!Create the CBAC inspection rule "test", allowing inspection of the protocol traffic
!specified by the rule. This inspection rule sets the timeout value to 30 seconds for
!each protocol (except for RPC). The timeout value defines the maximum time that a
!connection for a given protocol can remain active without any traffic passing through
!the router. When these timeouts are reached, the dynamic ACLs that are inserted to
!permit the returning traffic are removed, and subsequent packets (possibly even valid
!ones) are not permitted.
ip inspect name test cuseeme timeout 30
ip inspect name test ftp timeout 30
ip inspect name test h323 timeout 30
ip inspect name test realaudio timeout 30
ip inspect name test rpc program-number 100000
ip inspect name test streamworks timeout 30
ip inspect name test vdolive timeout 30
!
!------------------------------
!Create the Access Control List
!------------------------------
!
!In this example, ACL 105 denies all TCP and UDP protocol traffic. ICMP traffic destined for
!subnet 192.168.1.0 is permitted to allow access for routing and control traffic.
!ACL 105 therefore means that only the return traffic for protocols defined in the inspection
!rule is allowed through the interface where this rule is applied. The final deny
!statement is added for explicitness.
access-list 105 deny TCP any any
access-list 105 deny UDP any any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 105 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 105 deny ip any any
!
!---------------------------------
!Apply the Inspection Rule and ACL
!---------------------------------
!
!In this example, the inspection rule "test" is applied to traffic at interface ATM3/0
!for connections initiated in the outbound direction; that is, from hosts that are
!located on a local network. CBAC creates dynamic access list entries for traffic
!initiated by local hosts. These dynamic entries allow inbound (returning) traffic for
!that connection. ACL 105 is applied at interface ATM3/0 in the inbound direction to
!block traffic initiated from hosts on a remote network that is not part of an existing
!connection.
interface ATM3/0
 ip address 10.1.10.1 255.0.0.0
 ip access-group 105 in
 no ip directed-broadcast
 ip inspect test out
 no shutdown
 atm clock INTERNAL
 atm pvc 7 7 7 aal5snap
 map-group atm
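As an added illustration that is not part of the original post or of Cisco's own code, a small Python model of what the configuration above does at ATM3/0: an outbound packet of an inspected protocol creates a dynamic entry that admits only that connection's return traffic, 30 s without traffic removes the entry, and everything else is evaluated against static ACL 105. The port-to-protocol table, the addresses and the traffic are constructed for this example, and only the FTP and H.323 entries of rule "test" are modelled.

```python
from collections import namedtuple
import ipaddress

INSIDE = ipaddress.ip_network("192.168.1.0/24")   # subnet named in ACL 105
TIMEOUT = {"ftp": 30, "h323": 30}                 # "ip inspect name test <proto> timeout 30"
PORT_TO_APP = {21: "ftp", 1720: "h323"}           # TCP server ports this model uses to classify (assumed)
ICMP_TO_INSIDE = {"time-exceeded", "packet-too-big", "traceroute", "unreachable"}
# proto is "tcp", "udp" or "icmp"; icmp_type is only meaningful for icmp
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))

class CbacInterface:  # 'ip inspect test out' plus 'ip access-group 105 in' on one interface
    def __init__(self):
        self.sessions = {}  # (proto, local, lport, remote, rport) -> (app, idle expiry)

    def outbound(self, pkt, now):
        app = PORT_TO_APP.get(pkt.dport) if pkt.proto == "tcp" else None
        if app:             # inspected protocol: create or refresh the dynamic entry
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (app, now + TIMEOUT[app])
        return app or "not inspected"

    def inbound(self, pkt, now):
        """Returns (permitted, reason); dynamic entries are checked before static ACL 105."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # return path of an outbound session
        if key in self.sessions:
            app, expiry = self.sessions[key]
            if now <= expiry:
                self.sessions[key] = (app, now + TIMEOUT[app])  # returning traffic resets the idle timer
                return True, f"dynamic entry ({app})"
            del self.sessions[key]  # idle timeout reached: entry removed, packet falls to ACL 105
        return self.acl_105(pkt)

    @staticmethod
    def acl_105(pkt):
        if pkt.proto in ("tcp", "udp"):
            return False, "deny tcp/udp any any"
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-reply":
            return True, "permit icmp any any echo-reply"
        if pkt.proto == "icmp" and ipaddress.ip_address(pkt.dst) in INSIDE and pkt.icmp_type in ICMP_TO_INSIDE:
            return True, f"permit icmp any 192.168.1.0 0.0.0.255 {pkt.icmp_type}"
        return False, "deny ip any any"

def demo():
    """Constructed traffic: one outbound FTP session, then replies and unsolicited packets."""
    fw, inside, outside = CbacInterface(), "192.168.1.10", "203.0.113.5"  # constructed addresses
    fw.outbound(Packet("tcp", inside, outside, 40000, 21), now=0)
    return [fw.inbound(Packet("tcp", outside, inside, 21, 40000), now=5)[0],    # reply inside 30 s
            fw.inbound(Packet("tcp", outside, inside, 443, 40001), now=6)[0],   # unsolicited tcp
            fw.inbound(Packet("icmp", outside, inside, icmp_type="echo-reply"), now=7)[0],
            fw.inbound(Packet("icmp", outside, inside, icmp_type="echo"), now=8)[0],
            fw.inbound(Packet("tcp", outside, inside, 21, 40000), now=50)[0]]   # idle since 5: dropped
```

Running `demo()` yields `[True, False, True, False, False]`: only the timely FTP reply and the echo-reply get through, and the same FTP reply is dropped once the connection has been idle past the 30 s timeout.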
This article is from the ChinaUnix blog; to view the original, see: http://blog.chinaunix.net/u/33070/showart_317369.html