Case study: preventing intranet users from changing their IP configuration on a PIX or ASA

    Technology  2022-05-11  55

    The goal is to stop intranet users from changing their IP address at will: each user may only use the IP assigned to them, and if they change it they can no longer reach network resources. For example, after the configuration below is applied (arp inside 10.64.64.29 000f.b0d8.a504), the PC with MAC address 000f.b0d8.a504 can only access network resources from IP 10.64.64.29; if it changes its IP, it gets no access.

    pix515e# sh run
    : Saved
    :
    PIX Version 7.2(1)
    !
    hostname pix515e
    domain-name cisco
    enable password N7FecZuSHJlVZC2P encrypted

    Define name resolution (name-to-IP mappings)
    ****************************************************
    names
    name 10.64.64.113 chengxiaojie
    name 10.64.64.13 dhcp
    name 10.64.64.71 liuyongjun
    name 10.64.64.72 liuyongjun-ibm
    name 10.64.64.39 lixiaoliang
    name 10.64.64.103 lixuesong
    name 10.64.64.17 lulianying
    name 10.64.64.92 qizuomeng
    name 10.64.64.69 wangzhili
    name 10.64.64.105 xingzhonghe
    name 10.64.64.45 tanjun
    name 10.64.64.108 zhangyi
    name 10.64.64.178 hujian
    name 10.64.64.93 ibm220
    name 10.64.64.62 jiling
    name 10.64.64.111 yangliu
    name 10.64.64.112 wangsishen
    name 10.64.64.158 wangyuguo
    name 10.64.64.52 lishihai
    name 10.64.64.78 office-teacher
    name 10.64.64.48 yangjin
    name 10.64.64.104 wutao
    name 10.64.64.63 zangdong
    name 10.64.64.80 xiaoguangyue
    name 10.64.64.14 ibm235
    name 10.64.64.222 lixuesong-dell
    name 10.64.64.75 maxiaopeng
    name 10.64.64.215 lintao
    name 10.64.64.199 machi
    name 10.64.64.216 liuxuesong
    name 10.64.64.246 jiachangjing
    name 10.64.64.61 chufw
    ****************************************************
    !
    interface Ethernet0
     nameif outside
     security-level 0
     ip address X.X.76.26 255.255.255.0
    !
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 10.64.64.2 255.255.240.0
    !
    interface Ethernet2
     nameif dmz
     security-level 80
     ip address 192.168.0.1 255.255.255.0
    !
    passwd N7FecZuSHJlVZC2P encrypted
    !
    time-range worktime
     periodic daily 8:00 to 17:00
    !
    ftp mode passive
    clock timezone CST 8
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 219.150.32.132
     domain-name cisco

    Create object-groups so they can be referenced from the ACLs (note: object-groups are a great feature; they greatly simplify ACL configuration)
    ****************************************************
    object-group network www
     network-object host xingzhonghe
     network-object host chengxiaojie
     network-object host dhcp
     network-object host liuxuesong
     network-object host wangzhili
     network-object host liuyongjun
     network-object host liuyongjun-ibm
     network-object host lulianying
     network-object host chufw
     network-object host jiachangjing
     network-object host maxiaopeng
     network-object host 10.64.64.255
    object-group network guest
     network-object 10.64.66.112 255.255.255.240
    object-group network caiwu
     network-object 10.64.66.0 255.255.255.224
    object-group service netmeeting tcp
     port-object range 1503 1503
     port-object range h323 h323
    object-group network worktime
     network-object host wutao
     network-object host zhangyi
     network-object host yangliu
     network-object host wangsishen
     network-object host wangyuguo
     network-object host 10.64.64.169
     network-object host 10.64.64.18
     network-object host machi
     network-object host lintao
     network-object host liuxuesong
     network-object host lixuesong-dell
     network-object host 10.64.64.247
     network-object host 10.64.64.29
     network-object host 10.64.64.30
     network-object host yangjin
     network-object host lishihai
     network-object host 10.64.64.55
     network-object host jiling
     network-object host office-teacher
    ****************************************************
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit tcp any any object-group netmeeting

    Reference the object-groups above in the ACL
    ****************************************************
    access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0
    access-list inside_access_in extended permit ip object-group caiwu 192.168.0.0 255.255.255.0
    access-list inside_access_in extended permit ip object-group www any
    access-list inside_access_in extended permit ip object-group guest any inactive
    access-list inside_access_in extended deny tcp any any eq 1863
    access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
    access-list inside_access_in extended permit ip host qizuomeng host 211.147.77.98
    access-list inside_access_in extended permit ip object-group worktime any time-range worktime
    access-list inside_access_in extended permit ip host ibm235 any time-range worktime inactive
    ****************************************************
    access-list remote_splitTunnelAcl standard permit 10.64.64.0 255.255.240.0
    access-list inside_nat0_outbound extended permit ip 10.64.64.0 255.255.240.0 1.1.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip any 1.1.1.0 255.255.255.0
    access-list caiwu_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip any 1.1.1.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 1.1.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip local pool remote 1.1.1.1-1.1.1.254 mask 255.255.255.0
    ip local pool caiwu 2.2.2.1-2.2.2.254 mask 255.255.255.0
    no failover
    asdm image flash:/asdm.bin
    no asdm history enable

    Bind IP addresses to MAC addresses
    ****************************************************
    arp inside 10.64.64.29 000f.b0d8.a504
    arp inside 10.64.64.247 000b.2f04.7dd8
    arp inside 10.64.64.169 0016.17f2.2eb3
    arp inside lintao 000a.e6b2.c4c6
    arp inside liuxuesong 00e0.4c58.b7cd
    arp inside lishihai 000a.e69b.f4dc
    arp inside ibm235 0009.6ba5.49c5
    arp inside maxiaopeng 000c.764d.6aa8
    arp inside xiaoguangyue 0011.09b4.6f25
    arp inside zangdong 00e0.4cc1.2a14
    arp inside wutao 0013.d47d.0c36
    arp inside office-teacher 0090.9626.7da7
    arp inside yangjin 00e0.4d01.6b1b
    arp inside wangyuguo 00e0.4c21.471d
    arp inside wangsishen 0015.c50f.92a5
    arp inside yangliu 0015.f299.7f6c
    arp inside jiling 00e0.4cc1.2a34
    arp inside hujian 0011.252f.8613
    arp inside ibm220 0002.556d.0037
    arp inside jiachangjing 00e0.4d01.6b30
    arp inside tanjun 0013.7222.5fe5
    arp inside wangzhili 000d.6004.c197
    arp inside lixiaoliang 0014.782f.b989
    arp inside liuyongjun-ibm 0010.c6de.2686
    arp inside lulianying 0016.3563.db1b
    arp inside liuyongjun 0000.e25a.8580
    arp inside lixuesong 0017.3152.8e78
    arp inside chengxiaojie 0016.3564.8a6b
    arp inside xingzhonghe 00e0.4c60.a8da
    arp inside dhcp 0014.5e2b.77b5
    arp inside zhangyi 0013.7222.4819
    arp inside lixuesong-dell 0018.8ba2.d1c5
    arp inside machi 000a.e6b5.0600
    arp inside 10.64.64.18 0015.c510.12d4
    ****************************************************
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.64.64.0 255.255.240.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    static (inside,outside) tcp interface 1503 chufw 1503 netmask 255.255.255.255
    static (inside,outside) tcp interface h323 chufw h323 netmask 255.255.255.255
    access-group outside_access_in in interface outside

    Apply the ACL to the inside interface
    ****************************************************
    access-group inside_access_in in interface inside
    ****************************************************
    route outside 0.0.0.0 0.0.0.0 X.X.76.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy caiwu internal
    group-policy caiwu attributes
     dns-server value 219.150.32.132
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value caiwu_splitTunnelAcl
    group-policy remote internal
    group-policy remote attributes
     dns-server value 219.150.32.132
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value remote_splitTunnelAcl
    username chufw password hs6C0g7Y0Zza/dVN encrypted privilege 15
    username chufw attributes
     vpn-group-policy remote
     vpn-framed-ip-address 1.1.1.111 255.255.255.0
    http server enable
    http chufw 255.255.255.255 inside
    http 219.148.242.228 255.255.255.255 outside
    http 219.148.242.227 255.255.255.255 outside
    http 1.1.1.111 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal  20
    tunnel-group remote type ipsec-ra
    tunnel-group remote general-attributes
     address-pool remote
     default-group-policy remote
    tunnel-group remote ipsec-attributes
     pre-shared-key *
    tunnel-group caiwu type ipsec-ra
    tunnel-group caiwu general-attributes
     address-pool remote
     default-group-policy caiwu
    tunnel-group caiwu ipsec-attributes
     pre-shared-key *
    telnet chufw 255.255.255.255 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    ntp server 207.46.130.100 source outside
    tftp-server inside chufw pix
    prompt hostname context
    Cryptochecksum:c02e836587f08fa6ce4699df28408774
    : end
    pix515e#
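The binding scheme above only holds for hosts that appear both in the inside ACL and in an `arp inside` entry; a host the ACL permits without a static ARP entry is a gap in the policy. As an added example (not part of the original post or of the PIX software), the Python below parses a config in the same `name` / `object-group` / `access-list` / `arp inside` syntax and lists those gaps. The sample config is a constructed excerpt modelled on the post, and the function names are my own.

```python
# Constructed excerpt modelled on the running-config in the post (not the full config).
SAMPLE_CONFIG = """\
name 10.64.64.104 wutao
name 10.64.64.108 zhangyi
name 10.64.64.39 lixiaoliang
object-group network worktime
 network-object host wutao
 network-object host zhangyi
 network-object host 10.64.64.29
 network-object host 10.64.64.30
access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip object-group worktime any time-range worktime
access-list inside_access_in extended permit ip host lixiaoliang host 211.147.77.98
arp inside 10.64.64.29 000f.b0d8.a504
arp inside wutao 0013.d47d.0c36
arp inside zhangyi 0013.7222.4819
arp inside lixiaoliang 0014.782f.b989
"""

def parse_config(text, acl="inside_access_in"):
    """Return (permitted_hosts, bound): host IPs the ACL permits, and IP -> MAC from 'arp inside'."""
    names, groups, permitted, bound = {}, {}, set(), {}
    group = None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        t = line.split()
        if not line.startswith(" "):                    # any top-level line ends the open group
            group = None
        if t[0] == "name":                              # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = t[2]
            groups[group] = []
        elif group and t[:2] == ["network-object", "host"]:
            groups[group].append(names.get(t[2], t[2]))  # aliases resolve to their IP
        elif t[:4] == ["access-list", acl, "extended", "permit"]:
            if t[5] == "host":                          # single-host source
                permitted.add(names.get(t[6], t[6]))
            elif t[5] == "object-group":                # group source, expanded to its hosts
                permitted.update(groups.get(t[6], []))
        elif t[:2] == ["arp", "inside"]:                # arp inside <ip|alias> <mac>
            bound[names.get(t[2], t[2])] = t[3]
    return permitted, bound

def unbound_permitted_hosts(text, acl="inside_access_in"):
    """Hosts the ACL lets through that no static ARP entry pins to a MAC."""
    permitted, bound = parse_config(text, acl)
    return sorted(permitted - set(bound), key=lambda ip: tuple(int(o) for o in ip.split(".")))

if __name__ == "__main__":
    print("permitted but not bound:", unbound_permitted_hosts(SAMPLE_CONFIG))
```

Network and range sources (`any`, `object-group caiwu`, `object-group guest`) are deliberately skipped, since only single hosts can be pinned with `arp inside`.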
