Cisco Zone-Based Firewall

network-engineering cisco firewall cisco-ios
2022-02-25 01:07:15

I configured a Cisco 891F with ZBF using CBAC. Right now the router is open on SSH/443 or whatever my public address is listening on, which is not what I want. My intent is to only allow ICMP in. Is there anywhere else I need to apply restrictions?

Parakoopa891F#show run
ip ssh version 2
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
  description Allowed_Protocols_From_INSIDE_to_OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-any OUTSIDE-TO-INSIDE-CLASS
  description Allowed_Protocols_From_OUTSIDE_to_INSIDE
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
! 
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet8
 description Outside
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Vlan1
 description Internal
 ip address 10.69.69.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list extended ACLNATOVERLOAD
 permit ip 10.69.69.0 0.0.0.255 any
!
end

Any insight would be appreciated.

1 Answer

After looking at more of the configuration (show zone security), I found the self zone. An OUTSIDE-to-self zone pair can be created.
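What the answer describes, written out as an added example (this is not the asker's configuration and not the answerer's; the class, policy, zone-pair and ACL names are illustrative). The reason the posted config leaves SSH/443 reachable is that ZBF only evaluates traffic between zones that have a zone pair, and traffic to the router's own addresses belongs to the predefined "self" zone, which is permitted by default until a zone pair names it. The example assumes an IOS release on which "inspect" is supported for self-zone pairs (older releases only accept "pass" there), keeps the DHCP client on GigabitEthernet8 working, and, because the posted config shows a Virtual-Template1 but not the crypto section behind it, includes a VPN class only as an assumption for the case where the router itself terminates that tunnel; drop that class if it does not.

```cisco
! Added example: lock down traffic destined to the router itself.
!
! Replies to the DHCP client on GigabitEthernet8 and any VPN the router
! terminates (assumed; only needed if Virtual-Template1 is a tunnel
! endpoint) cannot be tracked as sessions, so they are matched by ACL
! and passed rather than inspected.
ip access-list extended ACL-DHCP-CLIENT
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootpc any eq bootps
ip access-list extended ACL-VPN-TO-ROUTER
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
! The only thing the Internet may initiate toward the router: ICMP.
class-map type inspect match-any OUTSIDE-TO-SELF-CLASS
 description ICMP_From_OUTSIDE_to_Router
 match protocol icmp
class-map type inspect match-any OUTSIDE-TO-SELF-PASS-CLASS
 match access-group name ACL-DHCP-CLIENT
 match access-group name ACL-VPN-TO-ROUTER
!
! Sessions the router itself opens toward the Internet (DNS, NTP, ping).
! Inspecting them here is what lets their replies back in through
! OUT-TO-SELF; without this pair those replies hit class-default and die.
class-map type inspect match-any SELF-TO-OUTSIDE-CLASS
 description Router_Originated_To_OUTSIDE
 match protocol icmp
 match protocol dns
 match protocol ntp
class-map type inspect match-any SELF-TO-OUTSIDE-PASS-CLASS
 match access-group name ACL-DHCP-CLIENT
 match access-group name ACL-VPN-TO-ROUTER
!
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  inspect
 class type inspect OUTSIDE-TO-SELF-PASS-CLASS
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUTSIDE-POLICY
 class type inspect SELF-TO-OUTSIDE-CLASS
  inspect
 class type inspect SELF-TO-OUTSIDE-PASS-CLASS
  pass
 class class-default
  drop log
!
! "self" is predefined: it is never declared with "zone security",
! it is simply referenced in the zone pair.
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE-POLICY
!
! Verification after applying:
!   show zone-pair security
!   show policy-map type inspect zone-pair OUT-TO-SELF sessions
! A TCP/22 or TCP/443 attempt from the Internet should now appear only
! as a class-default drop in the log, while a ping still answers.
```

Two operational points follow from the design. First, no zone pair is created between INSIDE and self, so SSH and HTTPS to the router from Vlan1 stay permitted as before; apply the change from the LAN or the console, because the existing inbound SSH session from the public side is exactly what OUT-TO-SELF will cut. Second, the class-default "drop log" in both self-zone policies is what makes the lockdown visible: anything the router legitimately needs that was forgotten (a syslog server, an NTP peer, a RADIUS server) will show up there as a logged drop, which is the signal to add it to the SELF-TO-OUTSIDE-CLASS rather than to loosen the default.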