Example of address translation on a two-interface router

Two-interface Router With NAT

2514 Router

Current configuration:

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname horton
!
enable secret 5 $1$GwRz$YS/82LXSYcgD1d5Nua9Ob1
enable password ww
!
ip subnet-zero
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
 ip nat inside
 ip inspect ethernetin in
!
interface Ethernet1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 ip address 150.150.150.1 255.255.255.0
 ip access-group 112 in
 no ip directed-broadcast
 ip nat outside
 clockrate 4000000
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip nat pool serialzero 150.150.150.3 150.150.150.255 netmask 255.255.255.0
ip nat inside source list 1 pool serialzero
ip classless
ip route 0.0.0.0 0.0.0.0 150.150.150.2
ip route 20.30.30.0 255.255.255.0 20.20.20.1
!
access-list 1 permit 20.0.0.0 0.255.255.255
access-list 101 permit tcp 20.0.0.0 0.255.255.255 any
access-list 101 permit udp 20.0.0.0 0.255.255.255 any
access-list 101 permit icmp 20.0.0.0 0.255.255.255 any
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end

About ip inspect name

If you deny SMTP mail on the external ACL, no external SMTP servers will ever be able to make a connection to the internal SMTP server.

CBAC is totally independent of access lists - CBAC is associated with ACLs because one function of CBAC is to ensure return traffic of a session is permitted back to the source - however, don't confuse CBAC by thinking ACLs are required. If you apply an inspect list to an interface, inspection takes place, no matter what ACLs are or are not in place. However, remember that ACLs are processed first, so the ACL must allow through the appropriate traffic to be passed through to the inspection list.

I'm guessing your config would look something like this:

! Internal interface
interface e0
 ip inspect WEB in
!
! External interface
interface e1
 ip access-group 100 in
 ip inspect SMTP in
!
access-list 100 permit tcp any host x.x.x.x eq smtp
access-list 100 deny ip any any
!
ip inspect name WEB http
ip inspect name WEB ftp
ip inspect name WEB smtp
ip inspect name WEB tcp
ip inspect name WEB udp
ip inspect name SMTP smtp

On your external ACL, you must have an opening to allow SMTP in - there is no way CBAC can automatically do this for you, as traffic is first processed by the ACL and must pass. So once the SMTP traffic is allowed in, it is passed to the inspection list SMTP, which applies SMTP protocol-based inspection (and opens up any ACLs if necessary - in this example this function is not required).

Note that in this example you could place the SMTP inspection list on the internal interface in the outbound direction as well. This is a better placement option if you had, say, a DMZ interface that was also receiving SMTP mail for the internal SMTP server, as you would only require a single inspection point (outbound on the internal interface) rather than inbound on the external and DMZ interfaces.
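The order of operations the note describes (interface ACL first, then CBAC inspection opening only the return path of a permitted session), as an added Python model that is not part of the original page and not Cisco code. It abridges ACLs 101 and 112 to protocol and prefix matches, leaves NAT out so addresses appear untranslated, and uses constructed outside addresses 198.51.100.10 and 203.0.113.7:

```python
import ipaddress

# Simplified reading of the page's ACLs: (proto, source prefix, destination prefix, action).
# ACL 112 is collapsed to "permit icmp to 150.150.150.0/24"; the real list names ICMP types.
ACL = {
    "Ethernet0": [("tcp", "20.0.0.0/8", "0.0.0.0/0", "permit"),           # access-list 101
                  ("udp", "20.0.0.0/8", "0.0.0.0/0", "permit"),
                  ("icmp", "20.0.0.0/8", "0.0.0.0/0", "permit")],
    "Serial0":   [("icmp", "0.0.0.0/0", "150.150.150.0/24", "permit"),   # access-list 112
                  ("ip", "127.0.0.0/8", "0.0.0.0/0", "deny"),
                  ("ip", "0.0.0.0/0", "0.0.0.0/0", "deny")],
}
INSPECT = {"Ethernet0": {"tcp", "udp"}}   # "ip inspect ethernetin in" (generic TCP/UDP only)
sessions = set()   # dynamic CBAC entries keyed by the expected reply 5-tuple

def acl_permits(iface, proto, src, dst):
    """First-match evaluation of the interface's inbound ACL with the implicit deny at the end."""
    for aproto, snet, dnet, action in ACL.get(iface, []):
        if aproto in (proto, "ip") \
                and ipaddress.ip_address(src) in ipaddress.ip_network(snet) \
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dnet):
            return action == "permit"
    return False

def inbound(iface, proto, src, sport, dst, dport):
    """Admit or drop a packet arriving on iface. A CBAC session entry wins first; otherwise
    the static ACL decides, and only a packet that passed the ACL is inspected."""
    if (proto, src, sport, dst, dport) in sessions:
        return True
    if not acl_permits(iface, proto, src, dst):
        return False                       # ACL runs before inspection: CBAC never sees it
    if proto in INSPECT.get(iface, set()):
        sessions.add((proto, dst, dport, src, sport))   # reply direction of this session
    return True

def demo():
    """The cases the page's note describes; returns the verdicts in order."""
    sessions.clear()
    return [
        inbound("Ethernet0", "tcp", "20.20.20.5", 40000, "198.51.100.10", 80),  # outbound HTTP, inspected
        inbound("Serial0", "tcp", "198.51.100.10", 80, "20.20.20.5", 40000),    # its reply: opened by CBAC
        inbound("Serial0", "tcp", "198.51.100.10", 80, "20.20.20.5", 40001),    # wrong port: ACL 112 denies
        inbound("Serial0", "tcp", "203.0.113.7", 51000, "150.150.150.1", 25),   # unsolicited SMTP: denied
    ]

if __name__ == "__main__":
    print(demo())   # [True, True, False, False]
```

The last case is the note's point: no inspect list on Serial0 can admit an unsolicited SMTP connection, because ACL 112 drops it before inspection ever runs.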

Entered by: csh    Editor: csh
