# 공통 설정
en
conf t
no ip domain lookup
line c 0
logg syn
exec-timeout 0
exit
ali exec c conf t
ali exec r sh run
ali exec i sh ip route
ali exec b sh ip int b
hostname
# IP address
FW]
int f0/1
no shut
ip add 1.1.100.5 255.255.255.252
exit
int f0/0
no shut
ip add 200.1.2.254 255.255.255.0
exit
int f2/0
no shut
ip add 200.1.1.254 255.255.255.0
exit
int f1/0
no shut
ip add 1.1.100.1 255.255.255.252
CE]
int f0/0
no shut
ip add 1.1.100.2 255.255.255.252
exit
int f1/0
no shut
ip add 2.2.2.254 255.255.255.0
exit
int f0/1
mac-address ffff.ffff.ffff
no shut
ip add dhcp
exit
DMZ]
int f0/1
no shut
ip add 100.1.1.254 255.255.255.0
exit
int f0/0
no shut
ip add 1.1.100.6 255.255.255.252
# routing
FW]
ip route 100.1.1.0 255.255.255.0 f0/0 1.1.100.6
ip route 0.0.0.0 0.0.0.0 f1/0 1.1.100.2
DMZ]
ip route 0.0.0.0 0.0.0.0 f0/0 1.1.100.5
CE]
ip route 1.1.100.4 255.255.255.252 f0/0 1.1.100.1
ip route 100.1.1.0 255.255.255.0 f0/0 1.1.100.1
ip route 200.1.1.0 255.255.255.0 f0/0 1.1.100.1
ip route 200.1.2.0 255.255.255.0 f0/0 1.1.100.1
# NAT
CE]
ip access-list standard BIBI
permit 100.1.1.0 0.0.0.255
permit 200.1.1.0 0.0.0.255
permit 200.1.2.0 0.0.0.255
permit 2.2.2.0 0.0.0.255
exit
ip nat inside source list BIBI int f0/1 overload
int f0/0
ip nat inside
exit
int f1/0
ip nat inside
exit
int f0/1
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 f0/1 10.0.0.1
* CPL은 QoS 명령어 체계인 MQC(Modular QoS Command)와 거의 동일하다.
* ZFW은 ASA 방화벽 장비의 'MPF(Modular Policy Framework)' 기능과 거의 동일하다.
# ZBF(ZoneBaseFirewall)
FW]
zone security inside
exit
zone security DMZ
exit
zone security Outside
exit
int f0/0
zone-member security inside
exit
int f2/0
zone-member security inside
exit
int f0/1
zone-member security DMZ
exit
int f1/0
zone-member security Outside
end
show zone security
1. IN -> OUT : 모든 트래픽 허용
FW]
access-list 100 permit ip any any
class-map type inspect IN->OUT_C
match access-group 100
exit
policy-map type inspect IN->OUT_P
class type inspect IN->OUT_C
class type inspect IN->OUT_C
inspect
exit
exit
zone-pair security inside source inside destination Outside => 존페어 네임, 출발 /목적지
service-policy type inspect IN->OUT_P
end
show zone-pair security
show policy-map type insepct zone-pair session
=> IN에서 인터넷이 된다.
2. inside -> DMZ : DNS, HTTP, HTTPs, SMTP, POP3, IMAP, FTP 허용
FW]
class-map type inspect match-any WEB => match-all이 default(and연산으로 되어 있음) OR연산으로 되어야함 그래서 match-any
match protocol http
match protocol https
exit
access-list 101 permit ip any host 100.1.1.251
access-list 102 permit ip any host 100.1.1.250
class-map type inspect WEB_SER
match access-group 101
match class-map WEB
exit
class-map type inspect DNS_SER
match access-group 102
match protocol dns
class-map type inspect match-any MAIL_SERVICE
match protocol smtp
match protocl pop3
match protocol imap
class-map type insepct FTP_C
match protocol ftp
exit
policy-map type inspect IN->DMZ_P
class type inspect WEB_SER
inspect
exit
class type inspect DNS_SER
inspect
exit
class type inspect MAIL_SERVICE
inspect
exit
class type inspect FTP_C
inspect
exit
exit
zone-pair security IN->DMZ ource inside destination DMZ
service-policy type inspect IN->DMZ_P
end
show policy-map type inspect IN->DMZ_P
3. DMZ -> inside : 없음 (모든 트래픽 차단)
4. DMZ -> Outside : DNS, SMTP 허용
FW]
class-map type inspect DNS_C
match protocol dns
exit
class-map type inspect SMTP_C
match protocol smtp
exit
policy-map type inspct DMZ->OUT_P
class type inspect DNS_C
inspect
exit
class type insepct SMTP_C
inspect
exit
zone-pair DMZ->OUT source DMZ destination Outside
service-policy type inspect DMZ->OUT_P
exit
5. Out -> inside : 없음 (모든트래픽 차단)
6. Outside -> DMZ : DNS, HTTP, HTTPs, SMTP, FTP 허용
FW]
policy-map type inspect OUT->DMZ_P
class type inspect WEB_SER
inspect
exit
class type inspect DNS_SER
inspect
exit
class type inspect FTP_C
inspect
class tpye insepct SMTP_C
inspect
exit
exit
zone-pair security OUT->DMZ source Outside destination DMZ
service-policy tpye inspect OUT->DMZ_P
댓글남기기