Cisco 5520 ACL question

1
Posted 2008-09-25 22:14
Brothers, I recently configured an ACL on the firewall. My basic idea is to permit everything and deny a subset of public addresses so that nobody can reach them. But the machines behind it can still connect to some of the public addresses that my ACL is supposed to block; it looks as if the ACL has no effect. My configuration is below. Please help me out: the device is a Cisco ASA 5520.

ASA Version 8.0(2)
!
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password PVSASRJovmamnVkD encrypted
names
name 168.168.165.250 cw
name 58.60.0.0 qq1
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
passwd PVSASRJovmamnVkD encrypted
!
time-range http
!
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network BOSS
network-object host 168.168.165.23
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list WAN_access_in extended permit ip any any
access-list rule extended deny ip any qq1 255.255.0.0
access-list rule extended deny ip any host 58.251.62.17
access-list rule extended deny ip any host 58.60.9.247
access-list rule extended deny ip any host 58.60.14.183
access-list rule extended deny ip any host 58.61.164.168
access-list rule extended deny ip any host 219.133.63.15
access-list rule extended deny ip any host 219.133.38.47
access-list rule extended deny ip any host 121.14.101.163
access-list rule extended deny ip any host 219.133.49.14
access-list rule extended deny ip any host 219.133.49.13
access-list rule extended deny ip any host 58.61.32.11
access-list rule extended deny ip any host 119.147.19.213
access-list rule extended permit ip any any
access-list rule extended deny ip any host 58.251.62.17
access-list rule extended deny ip any host 58.251.62.17
access-list rule extended deny ip any host 219.133.49.8
access-list rule extended deny ip any host 219.133.49.22
access-list rule extended deny ip any host 58.60.14.183
access-list rule extended deny ip any host 219.133.49.211
access-list rule extended deny ip any host 219.133.49.10
access-list rule extended deny ip any host 58.251.63.126
access-list rule extended deny ip any host 58.60.9.247
access-list rule extended deny ip any host 121.14.100.89
access-list rule extended deny ip any host 58.61.165.248
access-list rule extended deny ip any host 121.14.74.138
access-list rule extended deny ip any host 121.14.96.46
access-list rule extended deny ip any host 219.133.48.109
access-list rule extended deny ip any host 121.14.97.12
access-list rule extended deny ip any host 219.133.49.7
access-list rule extended deny ip any host 58.251.58.12
access-list rule extended deny ip any host 219.133.49.125
access-list rule extended deny ip any host 121.14.97.32
access-list rule extended deny ip any host 121.14.101.172
access-list rule extended deny ip any host 58.60.14.45
access-list rule extended deny ip any host 121.14.77.249
access-list rule extended deny ip any host 219.133.60.153
access-list rule extended deny ip any host 121.14.95.42
access-list rule extended deny ip any host 58.61.165.249
access-list rule extended deny ip any host 58.61.34.21
access-list rule extended deny ip any host 219.133.60.25
access-list rule extended deny ip any host 219.133.48.100
access-list rule extended deny ip any host 58.60.9.66
access-list rule extended deny ip any host 58.60.14.199
access-list rule extended deny ip any host 58.60.14.191
access-list rule extended deny ip any host 58.251.62.14
access-list rule extended deny ip any host 121.14.101.150
access-list rule extended deny ip any host 219.133.41.74
access-list rule extended deny ip any host 219.133.60.246
access-list inside_access_in_2 extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip address 192.168.2.253 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
access-group rule in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70e7af5d083fba0087b8ee09eae14b1a
: end
ciscoasa(config)#

[ This post was last edited by ztsd on 2008-9-25 22:22 ]


2
Posted 2008-09-25 22:14
access-list rule extended deny ip any host 119.147.19.213
access-list rule extended permit ip any any  ## Rules are evaluated in order; once "permit any" has matched here, the entries after it will never be evaluated.
access-list rule extended deny ip any host 58.251.62.17
access-list rule extended deny ip any host 58.251.62.17

3
Posted 2008-09-25 22:28
Thanks!
So if I move this line, access-list rule extended permit ip any any, to the very end, it will work.
Another question: are all ACLs evaluated in rule order? Including Cisco and Huawei network devices?

4
Posted 2008-09-25 22:31
Generally they are evaluated in configuration order. H3C devices, however, have a few special cases:

1. First configured, first matched; this is the most standard.
2. Auto ordering, i.e. the strictest rule (longest mask) is matched first.
3. Last configured, first matched; this one is rather perverse.

Cisco basically uses first configured, first matched.
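As an added illustration (not from the thread), a small Python model of first-match ACL evaluation over a constructed, cut-down copy of the OP's "rule" ACL: it shows why hosts listed after "permit ip any any" are never blocked, that moving the permit to the end fixes it, and, going beyond the thread, the H3C-style longest-mask ordering mentioned in post #4 plus a check for shadowed entries. The function names and the sample list are my own.

```python
import ipaddress

# Constructed sample: a cut-down copy of the thread's "rule" ACL in the order
# the OP pasted it. Entries are (action, destination); "any" is 0.0.0.0/0 and
# "host x" is x/32. Source is ignored since every line in the thread uses "any".
ORIGINAL_RULE_ACL = [
    ("deny", "58.60.0.0/16"),        # deny ip any qq1 255.255.0.0
    ("deny", "58.251.62.17/32"),
    ("deny", "119.147.19.213/32"),
    ("permit", "0.0.0.0/0"),         # permit ip any any
    ("deny", "219.133.49.8/32"),     # listed after permit any: never reached
    ("deny", "58.251.62.14/32"),
]

def parse_acl(entries):
    return [(action, ipaddress.ip_network(net)) for action, net in entries]

def first_match(acl, dst):
    """Cisco-style evaluation: walk the entries top to bottom and return the
    action of the first one whose destination contains dst. Later entries are
    never consulted; with no match the implicit deny at the end applies."""
    ip = ipaddress.ip_address(dst)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"  # implicit deny

def fix_order(acl):
    """The fix agreed on in the thread: move every 'permit any' to the end."""
    any_net = ipaddress.ip_network("0.0.0.0/0")
    specific = [e for e in acl if e[1] != any_net]
    catch_all = [e for e in acl if e[1] == any_net]
    return specific + catch_all

def auto_order(acl):
    """H3C 'auto' match order from post #4: longest mask first, so the most
    specific entry wins regardless of the order it was configured in."""
    return sorted(acl, key=lambda e: e[1].prefixlen, reverse=True)

def shadowed_entries(acl):
    """Lint check: indexes of entries fully covered by an earlier entry, which
    can therefore never match (this includes exact duplicates)."""
    shadowed = []
    for i, (_, net) in enumerate(acl):
        if any(net.subnet_of(earlier) for _, earlier in acl[:i]):
            shadowed.append(i)
    return shadowed
```

Running shadowed_entries over the full pasted ACL would also flag the duplicate 58.251.62.17 lines and the /32 entries already covered by the qq1 /16.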

5
Posted 2008-09-25 22:36
So take my ACL, for example:
access-list rule extended deny ip any host 58.61.32.11
access-list rule extended deny ip any host 119.147.19.213
access-list rule extended permit ip any any  Once evaluation reaches this line, nothing below it is evaluated any more, and anything that did not match is all let through. Is that right?

6
Posted 2008-09-25 22:53
You have already said permit any, so what could possibly fail to match?

7
Posted 2008-09-25 22:55
OK, I will change it tomorrow and move access-list rule extended permit ip any any to the end. Thanks a lot!