思科路由器如何設置思科IOS防火墻

實驗步驟：

第一步：在R1 、 R2 、 R3上的預配置

r1(config)#int e0/0

r1(config-if)#ip add 172.16.1.1 255.255.255.0< BR> r1(config-if)#no sh

r1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2配置靜態路由

r1(config)#^Z

r2(config)#int e0/0

r2(config-if)#ip add 172.16.1.2 255.255.255.0

r2(config-if)#no sh

r2(config-if)#int e2/0

r2(config-if)#ip add 192.168.1.2 255.255.255.0

r2(config-if)#no sh

r3(config)#int e2/0

r3(config-if)#ip add 192.168.1.3 255.255.255.0

r3(config-if)#no sh

r3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2 配置靜態路由

r3(config)#^Z

r3(config)#li vty 0 4

r3(config-line)#pass

r3(config-line)#password cisco

r3(config-line)#exit

第二步：

在R2上配置zhang

r2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

r2(config)#ip inspect name zhang tcp 檢查TCP

r2(config)#ip inspect name zhang udp 檢查udp

r2(config)#ip inspect udp idle-time 60 檢查udp 的時間是60S

r2(config)#ip inspect name zhang icmp timeout 5 超時時間是5S

r2(config)#ip inspect name zhang http alert off 控制HTTP

r2(config)#

r2(config)#int e0/0

r2(config-if)#ip inspect zhang in 在e0/0接口檢查流量是否滿足以上所定義過的任何一條

r2(config-if)#exit

r2(config)#acce 100 deny ip any any log 做ACL拒絕IP的任何包通過

r2(config)#int e2/0

r2(config-if)#ip acce 100 in 將ACL要用到e2/0的進接口上

第三步：從R1上TELNET R3

r1#telnet 192.168.1.3

Trying 192.168.1.3 ... Open

User Access Verification

Password:

r3>

從R3上TELNET R1

r3#telnet 172.16.1.1

Trying 172.16.1.1 ...

% Destination unreachable; gateway or host down

第四步：

從R1上ping R2直連接口

r1#ping 172.16.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/54/92 ms

從R2上ping R1直連接口

r2#ping 172.16.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/67/124 ms

從R2ping R3直連接口

r2#ping

*Mar 1 00:15:20.615: %SYS-5-CONFIG_I: Configured from console by console

r2#ping 192.168.1.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:

*Mar 1 00:15:28.055: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.1.3 -> 192.168.1.2 (0/0), 1 packet..... //說明icmp包可以到達，但是沒有回包

Success rate is 0 percent (0/5)

從R3ing R2連接口

r3#ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

U.U.U //說明icmp包不可以到達目的地

Success rate is 0 percent (0/5)

r1#ping 192.168.1.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 76/124/156 ms

r2#debug ip inspect icmp

INSPECT ICMP Inspection debugging is on

r2#

*Mar 1 00:35:09.187: CBAC: ICMP Echo pkt 172.16.1.1 => 192.168.1.3

*Mar 1 00:35:09.191: CBAC: ICMP Echo pkt 172.16.1.1 => 192.168.1.3

*Mar 1 00:35:09.263: CBAC: ICMP Echo Reply pkt 192.168.1.3 => 172.16.1.1

*Mar 1 00:35:09.375: CBAC: ICMP Echo pkt 172.16.1.1 => 192.168.1.3

*Mar 1 00:35:09.423: CBAC: ICMP Echo Reply pkt 192.168.1.3 => 172.16.1.1

*Mar 1 00:35:09.467: CBAC: ICMP Echo pkt 172.16.1.1 => 192.168.1.3

*Mar 1 00:35:09.531: CBAC: ICMP Echo Reply pkt 192.168.1.3 => 172.16.1.1

*Mar 1 00:35:09.563: CBAC: ICMP Echo pkt 172.16.1.1 => 192.168.1.3

r2#

*Mar 1 00:35:09.623: CBAC: ICMP Echo Reply pkt 192.168.1.3 => 172.16.1.1

*Mar 1 00:35:09.671: CBAC: ICMP Echo pkt 172.16.1.1 => 192.168.1.3

*Mar 1 00:35:09.735: CBAC: ICMP Echo Reply pkt 192.168.1.3 => 172.16.1.1

思科路由器如何設置思科IOS防火墻

admin 推薦閱讀：

發表評論：

思科路由器如何設置思科IOS防火墻

支付寶手機支付

admin 推薦閱讀：

發表評論：