Cisco zone-based policy firewall

network-engineering cisco firewall cisco-ios
2022-03-06 18:01:14

How can I limit the number of established connections per host that connects to a service? In the policy settings I only found blocking based on the number of half-open connections.

parameter-map type inspect DoS
 max-incomplete low  20
 max-incomplete high 200
 one-minute low 100
 one-minute high 1000 
 tcp max-incomplete host 5 block-time 3 
 sessions maximum 2147483647

class-map type inspect match-any IN_OUT_PROT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ssh
 match protocol ftp
 match protocol tftp
class-map type inspect match-any OUT_IN_PROT
 match protocol tcp
 match protocol ssh
 match protocol ftp

policy-map type inspect IN_OUT_policy
 class type inspect IN_OUT_PROT
  inspect
 class class-default
policy-map type inspect OUT_IN_policy
 class type inspect OUT_IN_PROT
  inspect DoS
 class class-default
!
zone security IN
 description local network
zone security OUT
 description external network
zone-pair security IN_OUT source IN destination OUT
 service-policy type inspect IN_OUT_policy
zone-pair security OUT_IN source OUT destination IN
 service-policy type inspect OUT_IN_policy

interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 zone-member security IN
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 zone-member security OUT
 duplex auto
 speed auto

0 answers
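The question above received no answers. As an added illustration, not written by the original poster and not taken from any Cisco documentation on this page, the fragment below shows the closest thing the IOS zone-based firewall offers to the requested limit: a per-class `parameter-map type inspect` whose `sessions maximum` caps how many inspected sessions one class may hold at once, scoped with an ACL to a single server. The limit counts all sources together, not each source host, and the only per-host counter in that parameter map is `tcp max-incomplete host`, which counts half-open sessions only. The ACL name `SRV_WEB`, the parameter-map and class names, the server address 192.168.100.10 and the limit of 50 are assumptions; the zone pair and the `OUT_IN_PROT` class are the ones from the posted configuration.

```cisco
! Added example, not part of the original post. Names, addresses and limits are assumed.
!
! Per-class parameter map: sessions maximum caps the number of inspected sessions
! this class may hold at the same time, counted across all source hosts.
! tcp max-incomplete host is the per-host knob, but it counts half-open sessions only.
parameter-map type inspect SRV_LIMIT
 sessions maximum 50
 tcp max-incomplete host 5 block-time 3
!
! Restrict the class to TCP traffic headed for the protected server.
ip access-list extended SRV_WEB
 permit tcp any host 192.168.100.10 eq 80
!
! match-all: both the ACL and the protocol must match.
class-map type inspect match-all OUT_IN_SRV
 match access-group name SRV_WEB
 match protocol tcp
!
! The server class goes first so it is evaluated before the general OUT_IN_PROT class;
! the server's traffic is inspected with SRV_LIMIT, everything else keeps the DoS map.
policy-map type inspect OUT_IN_policy
 class type inspect OUT_IN_SRV
  inspect SRV_LIMIT
 class type inspect OUT_IN_PROT
  inspect DoS
 class class-default
  drop
```

After applying it, `show policy-map type inspect zone-pair OUT_IN` shows the session counters per class, so you can confirm that traffic to the server is hitting `OUT_IN_SRV` rather than falling through to `OUT_IN_PROT`. If a true per-source cap on established sessions is required, it is not expressed by `sessions maximum`; the class-level cap above only bounds the total load on the one server.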