CBAC
ZFW
CBAC (Context-Based Access Control)
Topology used for both tests: FastEthernet0/0 is the outside interface (external_host, 192.168.1.2), FastEthernet0/1 the inside interface (internal_host, 192.168.0.2). With no firewall feature configured, the router simply forwards between the two networks:

Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP
external_host   None (perm, OK)  0   IP   192.168.1.2
internal_host   None (perm, OK)  0   IP   192.168.0.2
internal_host#ping external_host
!!!!!
Step 1: block everything arriving on the outside interface with a deny-all ACL. The echo requests still leave the router, but the echo replies are now dropped by the inbound ACL on fa0/0, so the ping fails:

Router(config)#access-list 100 deny ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in
internal_host#ping external_host
....
Step 2: enable CBAC inspection of ICMP for traffic leaving fa0/0. CBAC tracks each outbound session and inserts a temporary permit entry ahead of access-list 100 for the matching return traffic only, so the replies get back in while everything unsolicited from outside is still denied:

Router(config)#ip inspect name allow_icmp icmp
Router(config)#int fa0/0
Router(config-if)#ip inspect allow_icmp out
internal_host#ping external_host
!!!!!
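The ICMP-only rule above is enough to show the mechanism; in practice the inspection rule is widened to TCP and UDP, the idle timers are tightened so stale ACL holes close sooner, and the result is verified from the session table and the ACL. The following is an added example (not configuration from the original post); the rule name allow_out, the timer values and the log keyword are assumptions. It also shows the other common placement of the inspection rule, inbound on the inside interface, which works the same way because CBAC opens the return path on whichever interface the reply enters.

```cisco
! CBAC: inspect TCP, UDP and ICMP started by inside hosts (added example, not the
! original post's config). Rule name allow_out and the timeouts are assumptions.
ip inspect name allow_out tcp
ip inspect name allow_out udp
ip inspect name allow_out icmp
! Shorten the idle timers (defaults: tcp 3600 s, udp 30 s) so temporary ACL
! entries for dead sessions are removed sooner.
ip inspect tcp idle-time 600
ip inspect udp idle-time 15
!
! Outside interface: nothing unsolicited comes in. CBAC inserts temporary permit
! entries ahead of this static deny for the return traffic of inspected sessions.
access-list 100 deny ip any any log
interface FastEthernet0/0
 description outside
 ip access-group 100 in
!
! Inspection applied where outbound traffic first enters the router (inside, in)
! instead of where it leaves (outside, out). Either placement opens fa0/0 for replies.
interface FastEthernet0/1
 description inside
 ip inspect allow_out in
!
! Verification, run while an inside host is pinging or browsing out:
!   show ip inspect config       - the parsed rules and timeouts
!   show ip inspect sessions     - one line per tracked session (addresses, ports)
!   show ip access-lists 100     - dynamic permit entries listed above the static deny
```

The deny-all ACL also blocks traffic addressed to the router itself from outside (management, routing protocols), so anything of that kind that is genuinely needed must be permitted explicitly above the deny.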
ZFW (Zone-Based Policy Firewall)
Same topology, starting again from a router with no firewall configuration (ACL 100 and the CBAC rule from the previous section removed):

Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP
external_host   None (perm, OK)  0   IP   192.168.1.2
internal_host   None (perm, OK)  0   IP   192.168.0.2
internal_host#ping external_host
!!!!!
Step 1: define two security zones and make each interface a member of one. With ZFW there is no ACL to write: as soon as interfaces belong to different zones, traffic between them is dropped until a zone-pair with a policy permits it (traffic between interfaces in the same zone, and traffic to or from the router itself, is still allowed by default; traffic between a zone member and an interface in no zone is dropped):

Router(config)#zone security outside_zone
Router(config)#zone security inside_zone
Router(config)#int fa0/0
Router(config-if)#zone-member security outside_zone
Router(config-if)#int fa0/1
Router(config-if)#zone-member security inside_zone
internal_host#ping external_host
....
Step 2: build the policy. A class-map matches ICMP, a policy-map applies the inspect action to that class, and a zone-pair for the inside-to-outside direction attaches the policy-map. inspect both permits the outbound traffic and tracks the session, so the returning replies are allowed by the session table; no outside-to-inside zone-pair is needed for them, and every other outside-to-inside packet stays dropped:

Router(config)#class-map type inspect match-any icmp_map
Router(config-cmap)#match protocol icmp
Router(config)#policy-map type inspect icmp_policy
Router(config-pmap)#class type inspect icmp_map
Router(config-pmap-c)#inspect
Router(config)#zone-pair security inside2outside source inside_zone destination outside_zone
Router(config-sec-zone-pair)#service-policy type inspect icmp_policy
internal_host#ping external_host
!!!!!
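The ICMP class above demonstrates the mechanism; the shape of a usable inside-to-outside policy is the same with more protocols, an explicit class-default action, and the show commands that expose what the firewall is actually doing. The following is an added example (not configuration from the original post); the zone, class-map and policy-map names other than those already used on this page are assumptions.

```cisco
! ZFW: complete inside-to-outside policy (added example, not the original post's
! config). Class-map and policy-map names are assumptions.
zone security inside_zone
zone security outside_zone
!
! Protocols inside hosts may initiate. match-any: one matching line is enough.
class-map type inspect match-any inside_out_map
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect inside_out_policy
 class type inspect inside_out_map
  inspect
 ! Everything the class-map does not match is dropped and logged rather than
 ! relying on the implicit drop, so unexpected outbound traffic is visible.
 class class-default
  drop log
!
zone-pair security inside2outside source inside_zone destination outside_zone
 service-policy type inspect inside_out_policy
!
! Deliberately no outside2inside zone-pair: replies of inspected sessions are
! allowed by the session table, every other outside-to-inside packet is dropped.
!
interface FastEthernet0/0
 description outside
 zone-member security outside_zone
interface FastEthernet0/1
 description inside
 zone-member security inside_zone
!
! Verification:
!   show zone security                                - zones and member interfaces
!   show zone-pair security                           - zone-pairs and attached policy
!   show policy-map type inspect zone-pair sessions   - live sessions per zone-pair
```

Traffic to and from the router itself belongs to the implicit self zone and is permitted by default; it is only policed once a zone-pair with self as source or destination exists, and at that point both directions (zone to self and self to zone) need their own zone-pair and policy, or management and routing-protocol traffic is cut off.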