CBAC
ZFW
CBAC (Context-Based Access Control)
Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP
external_host  None (perm, OK)  0  IP  192.168.1.2
internal_host  None (perm, OK)  0  IP  192.168.0.2
internal_host#ping external_host
!!!!!
Router(config)#access-list 100 deny ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in
internal_host#ping external_host
....
Router(config)#ip inspect name allow_icmp icmp
Router(config)#int fa0/0
Router(config-if)#ip inspect allow_icmp out
internal_host#ping external_host
!!!!!
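The three ping results above come from the order in which CBAC evaluates a packet: the dynamic entries that inspection creates are checked ahead of the static inbound ACL, so an echo reply for an inspected session gets in even though access-list 100 denies everything. The Python below is an added toy model of that behaviour, not IOS code and not from the original post; it assumes the session-before-ACL ordering described here and keys ICMP sessions on source and destination address only. Interface and host addresses are the ones shown above.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


@dataclass
class Interface:
    name: str
    acl_in_deny_all: bool = False                   # 'ip access-group 100 in' with 'deny ip any any'
    inspect_out: set = field(default_factory=set)   # protocols named by 'ip inspect <name> out'


class CbacRouter:
    """Toy CBAC: a static inbound ACL plus a dynamic session table filled by outbound inspection."""

    def __init__(self, outside, inside):
        self.outside, self.inside = outside, inside
        self.sessions = set()   # dynamic entries: (initiator, responder, proto)

    def forward(self, pkt, ingress, egress):
        # Assumption (matches the ping results above): a reply that belongs to an inspected
        # session is accepted before the static ACL on the ingress interface is consulted.
        if (pkt.dst, pkt.src, pkt.proto) in self.sessions:
            return "forwarded"
        if ingress.acl_in_deny_all:
            return "dropped"
        # Leaving through an interface with 'ip inspect ... out' opens a hole for the return flow.
        if pkt.proto in egress.inspect_out:
            self.sessions.add((pkt.src, pkt.dst, pkt.proto))
        return "forwarded"


def build(acl_deny_in, inspect_icmp_out):
    """Router in one of the three states walked through above."""
    outside = Interface("FastEthernet0/0", acl_in_deny_all=acl_deny_in,
                        inspect_out={"icmp"} if inspect_icmp_out else set())
    inside = Interface("FastEthernet0/1")
    return CbacRouter(outside, inside)


def ping(router, src="192.168.0.2", dst="192.168.1.2", count=5):
    """One '!' per echo whose reply makes it back, '.' otherwise, like the IOS ping output."""
    out = ""
    for _ in range(count):
        request = Packet(src, dst, "icmp")
        if router.forward(request, router.inside, router.outside) != "forwarded":
            out += "."
            continue
        reply = Packet(dst, src, "icmp")
        out += "!" if router.forward(reply, router.outside, router.inside) == "forwarded" else "."
    return out


if __name__ == "__main__":
    print("no ACL:            ", ping(build(False, False)))
    print("ACL only:          ", ping(build(True, False)))
    print("ACL + inspect out: ", ping(build(True, True)))
```

The model also shows what the ACL still does once inspection is on: a packet from an outside address that never appeared as the responder of an outbound session has no dynamic entry to match and is dropped by access-list 100.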
ZFW (Zone-Based Policy Firewall)
Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP
external_host  None (perm, OK)  0  IP  192.168.1.2
internal_host  None (perm, OK)  0  IP  192.168.0.2
internal_host#ping external_host
!!!!!
Router(config)#zone security outside_zone
Router(config)#zone security inside_zone
Router(config)#int fa0/0
Router(config-if)#zone-member security outside_zone
Router(config-if)#int fa0/1
Router(config-if)#zone-member security inside_zone
internal_host#ping external_host
....
Router(config)#class-map type inspect match-any icmp_map
Router(config-cmap)#match protocol icmp
Router(config)#policy-map type inspect icmp_policy
Router(config-pmap)#class type inspect icmp_map
Router(config-pmap-c)#inspect
Router(config)#zone-pair security inside2outside source inside_zone destination outside_zone
Router(config-sec-zone-pair)#service-policy type inspect icmp_policy
internal_host#ping external_host
!!!!!
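The ZFW sequence above hinges on defaults that the CLI never prints: as soon as both interfaces are zone members, traffic between the two zones is dropped until a zone-pair with a service policy exists for that direction, and an "inspect" action is what lets the echo replies back without a second, reverse zone-pair. The Python below is an added example, not from the original post and not IOS code: it parses the ZFW commands above as they appear in a running config (the SAMPLE_CONFIG string is constructed from those commands) and applies the default rules just described to reproduce both ping results. The pass/drop/inspect semantics it encodes are the standard ZFW ones; the class-default drop and the zoned-to-unzoned drop are modelled as assumptions rather than taken from the post.

```python
import re

# Constructed sample: the ZFW configuration above, laid out the way 'show run' prints it.
SAMPLE_CONFIG = """\
zone security outside_zone
zone security inside_zone
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
 zone-member security outside_zone
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
 zone-member security inside_zone
class-map type inspect match-any icmp_map
 match protocol icmp
policy-map type inspect icmp_policy
 class type inspect icmp_map
  inspect
zone-pair security inside2outside source inside_zone destination outside_zone
 service-policy type inspect icmp_policy
"""


def parse_zfw(config):
    """Collect zones, interface membership, class-maps, policy-maps and zone-pairs."""
    cfg = {"zones": set(), "members": {}, "classes": {}, "policies": {}, "pairs": {}}
    ctx = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                       # top-level command starts a new context
            cur_class = None
            if m := re.match(r"zone security (\S+)$", line):
                cfg["zones"].add(m[1]); ctx = None
            elif m := re.match(r"interface (\S+)$", line):
                ctx = ("interface", m[1])
            elif m := re.match(r"class-map type inspect match-(?:any|all) (\S+)$", line):
                cfg["classes"][m[1]] = set(); ctx = ("class", m[1])
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                cfg["policies"][m[1]] = {}; ctx = ("policy", m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                cfg["pairs"][m[1]] = {"source": m[2], "destination": m[3], "policy": None}
                ctx = ("pair", m[1])
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "interface" and (m := re.match(r"zone-member security (\S+)$", line)):
            cfg["members"][name] = m[1]
        elif kind == "class" and (m := re.match(r"match protocol (\S+)$", line)):
            cfg["classes"][name].add(m[1])
        elif kind == "policy":
            if m := re.match(r"class type inspect (\S+)$", line):
                cur_class = m[1]; cfg["policies"][name][cur_class] = None
            elif cur_class and line in ("inspect", "pass", "drop"):
                cfg["policies"][name][cur_class] = line
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            cfg["pairs"][name]["policy"] = m[1]
    return cfg


def verdict(cfg, ingress, egress, protocol):
    """ZFW decision for the first packet of a flow entering `ingress` and leaving `egress`."""
    src, dst = cfg["members"].get(ingress), cfg["members"].get(egress)
    if src is None and dst is None:
        return "pass"        # neither interface is in a zone: ZFW does not apply
    if src is None or dst is None:
        return "drop"        # assumption modelled here: zoned <-> unzoned is always dropped
    if src == dst:
        return "pass"        # intra-zone traffic is permitted by default
    for pair in cfg["pairs"].values():
        if pair["source"] == src and pair["destination"] == dst and pair["policy"]:
            for cls, action in cfg["policies"].get(pair["policy"], {}).items():
                if protocol in cfg["classes"].get(cls, ()):
                    return action or "drop"
            return "drop"    # policy attached but no class matched: class-default drops
    return "drop"            # no zone-pair for this direction: implicit deny


def ping_result(cfg, inside="FastEthernet0/1", outside="FastEthernet0/0", count=5):
    """'!' per echo whose reply also gets back, '.' otherwise, mirroring the IOS ping output."""
    fwd = verdict(cfg, inside, outside, "icmp")
    if fwd == "inspect":
        ok = True            # stateful: the reply is matched to the session, no reverse pair needed
    elif fwd == "pass":
        ok = verdict(cfg, outside, inside, "icmp") in ("pass", "inspect")   # 'pass' is stateless
    else:
        ok = False
    return ("!" if ok else ".") * count


if __name__ == "__main__":
    full = parse_zfw(SAMPLE_CONFIG)
    zones_only = parse_zfw("\n".join(l for l in SAMPLE_CONFIG.splitlines()
                                     if "zone-pair" not in l and "service-policy" not in l))
    print("zones, no zone-pair:", ping_result(zones_only))
    print("zone-pair + inspect:", ping_result(full))
```

Running it gives the two results the post shows: all dots once the interfaces are zone members but no zone-pair exists, all bangs once inside2outside carries the inspect policy. Feeding it a config where one interface has no zone-member line is a quick way to catch the other classic ZFW surprise, an interface that can no longer reach any zoned interface at all.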