Context-Based Firewall

1. Network topology

2. Address plan

| Device | Interface | IP address  | Subnet mask   | Gateway       |
|--------|-----------|-------------|---------------|---------------|
| R1     | F0/0      | 10.102.10.3 | 255.255.255.0 | N/A           |
| R1     | S0/1/0    | 10.102.20.1 | 255.255.255.0 | N/A           |
| R2     | S0/1/0    | 10.102.20.2 | 255.255.255.0 | N/A           |
| R2     | S0/1/1    | 10.102.30.2 | 255.255.255.0 | N/A           |
| R3     | S0/1/0    | 10.102.30.1 | 255.255.255.0 | N/A           |
| R3     | F0/0      | 10.102.40.1 | 255.255.255.0 | N/A           |
| PC-A   | NIC       | 10.102.10.3 | 255.255.255.0 | 10.102.10.254 |
| PC-C   | NIC       | 10.102.40.3 | 255.255.255.0 | 10.102.40.254 |

3. Configuration steps

(1) Configure static routes so the network is reachable

R1(config)#ip route 10.102.30.0 255.255.255.0 10.102.20.2
R1(config)#ip route 10.102.40.0 255.255.255.0 10.102.20.2
R2(config)#ip route 10.102.40.0 255.255.255.0 10.102.30.1
R2(config)#ip route 10.102.10.0 255.255.255.0 10.102.20.1
R3(config)#ip route 10.102.20.0 255.255.255.0 10.102.30.2
R3(config)#ip route 10.102.10.0 255.255.255.0 10.102.30.2
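A quick way to catch the classic static-route mistake, a next hop that does not sit on any subnet the router is directly connected to, is to check each route against the address plan before pinging anything. The following Python check is an added example, not part of the original lab: it takes the interface addresses from the address plan above and the six routes as typed at the CLI, and adds one constructed wrong route (BAD_ROUTE) to show what a finding looks like.

```python
"""Sanity check for static routes: the next hop of every 'ip route' must lie on a
subnet directly connected to the router that carries the route, otherwise the
route cannot be installed and forwarding silently fails.

Added example, not part of the original lab. Interface addresses are taken from
the lab's address plan; BAD_ROUTE is a constructed line that shows what a
detected mistake looks like.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Router -> list of (interface, address/mask), from the lab's address plan.
INTERFACES = {
    "R1": [("F0/0", "10.102.10.3/255.255.255.0"), ("S0/1/0", "10.102.20.1/255.255.255.0")],
    "R2": [("S0/1/0", "10.102.20.2/255.255.255.0"), ("S0/1/1", "10.102.30.2/255.255.255.0")],
    "R3": [("S0/1/0", "10.102.30.1/255.255.255.0"), ("F0/0", "10.102.40.1/255.255.255.0")],
}

# The six static routes from the lab, exactly as typed at the CLI.
LAB_ROUTES = [
    "R1(config)#ip route 10.102.30.0 255.255.255.0 10.102.20.2",
    "R1(config)#ip route 10.102.40.0 255.255.255.0 10.102.20.2",
    "R2(config)#ip route 10.102.40.0 255.255.255.0 10.102.30.1",
    "R2(config)#ip route 10.102.10.0 255.255.255.0 10.102.20.1",
    "R3(config)#ip route 10.102.20.0 255.255.255.0 10.102.30.2",
    "R3(config)#ip route 10.102.10.0 255.255.255.0 10.102.30.2",
]

# Constructed mistake: R1 points at R2's far-side serial address, which R1 is not adjacent to.
BAD_ROUTE = "R1(config)#ip route 10.102.40.0 255.255.255.0 10.102.30.2"


def parse_ip_route(line):
    """Split 'Rn(config)#ip route <net> <mask> <next-hop>' into (router, network, next hop)."""
    router, command = line.split("(config)#", 1)
    parts = command.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not an ip route command: {line!r}")
    network = ip_network(f"{parts[2]}/{parts[3]}")
    return router.strip(), network, ip_address(parts[4])


def connected_networks(router):
    """Subnets the router reaches without a route, derived from its interface addresses."""
    return [ip_interface(addr).network for _, addr in INTERFACES[router]]


def check_routes(lines):
    """Return one finding per route whose next hop is not on a connected subnet."""
    findings = []
    for line in lines:
        router, network, next_hop = parse_ip_route(line)
        if not any(next_hop in net for net in connected_networks(router)):
            findings.append(
                f"{router}: next hop {next_hop} for {network} is not on any connected subnet"
            )
    return findings


if __name__ == "__main__":
    for finding in check_routes(LAB_ROUTES + [BAD_ROUTE]):
        print(finding)
```

The six lab routes produce no findings; the constructed BAD_ROUTE is reported because 10.102.30.2 is on the R2-R3 link, not on either of R1's subnets.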

Ping tests

PC-A pings PC-C
PC-C pings PC-A
PC-C telnets to the interface
PC-C opens PC-A's web page

(2) Configure the zone-based firewall on R3

R3(config)#zone security IN-ZONE
R3(config-sec-zone)#zone security OUT-ZONE
R3(config)#access-list 101 permit ip 10.102.40.0 0.0.0.255 any
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect
No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
R3(config)#int f0/0
R3(config-if)#zone-member security IN-ZONE
R3(config)#int s0/1/0
R3(config-if)#zone-member security OUT-ZONE
R3(config-if)#do show policy-map type inspect zone-pair sessions

Ping test

PC-C can ping PC-A successfully.
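To make explicit why the tests behave as they do, here is a small Python model of the inspect policy configured above. It is an added example, not part of the original lab and not Cisco code; the constants mirror the lab (IN-ZONE on F0/0, OUT-ZONE on the serial link, ACL 101 matching 10.102.40.0 0.0.0.255, action inspect), while the host 10.102.41.9, the ICMP identifiers and the PC-A packet sequence are constructed for the demonstration. It shows the property a zone-based firewall is deployed for: a flow that the class-map matches is inspected and its reply is let back in, while traffic arriving from OUT-ZONE without a matching session, such as an unsolicited ping from PC-A, hits the implicit drop.

```python
"""Toy model of the zone-based firewall (ZBF) behaviour exercised in the lab.

Added example, not part of the original lab and not Cisco code. It reproduces
only what the configuration above sets up: F0/0 in IN-ZONE, the serial link in
OUT-ZONE, and one zone-pair IN-ZONE -> OUT-ZONE whose class matches ACL 101
(source 10.102.40.0 0.0.0.255) with the 'inspect' action. Inspected flows get a
session entry that lets their return traffic back in; everything else crossing
a zone boundary is dropped. Host 10.102.41.9, the ICMP identifiers and the
packet sequence are constructed for the demo.
"""
from ipaddress import ip_address

# zone-member security bindings from the lab.
ZONE_OF_INTERFACE = {"F0/0": "IN-ZONE", "S0/1/0": "OUT-ZONE"}


def wildcard_match(addr, network, wildcard):
    """Cisco ACL wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(addr)) & care == int(ip_address(network)) & care


def acl_101(pkt):
    """access-list 101 permit ip 10.102.40.0 0.0.0.255 any"""
    return wildcard_match(pkt["src"], "10.102.40.0", "0.0.0.255")


# zone-pair -> class-map predicate; a matching class is inspected, class-default drops.
ZONE_PAIRS = {("IN-ZONE", "OUT-ZONE"): acl_101}


class ZoneFirewall:
    def __init__(self, zone_of_interface, zone_pairs):
        self.zone_of_interface = zone_of_interface
        self.zone_pairs = zone_pairs
        self.sessions = set()  # 5-tuples of flows the inspect action has seen

    @staticmethod
    def flow(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    def forward(self, pkt, in_if, out_if):
        """Return the ZBF verdict for a packet entering in_if and leaving out_if."""
        src_zone = self.zone_of_interface.get(in_if)
        dst_zone = self.zone_of_interface.get(out_if)
        if src_zone == dst_zone:
            return "PASS"  # same zone (or both unzoned): not policed
        if src_zone is None or dst_zone is None:
            return "DROP"  # zoned <-> unzoned interface is always dropped
        src, sport, dst, dport, proto = self.flow(pkt)
        if (dst, dport, src, sport, proto) in self.sessions:
            return "PASS"  # return traffic of an inspected session
        classify = self.zone_pairs.get((src_zone, dst_zone))
        if classify is not None and classify(pkt):
            self.sessions.add(self.flow(pkt))
            return "INSPECT"  # new session created, packet forwarded
        return "DROP"  # no zone-pair for this direction, or class-default


def icmp(src, dst, ident):
    """Constructed ICMP echo packet; the identifier plays the role of the port pair."""
    return dict(src=src, sport=ident, dst=dst, dport=ident, proto="icmp")


def run_lab():
    """Replay the lab's ping test plus two constructed packets that must be dropped."""
    fw = ZoneFirewall(ZONE_OF_INTERFACE, ZONE_PAIRS)
    pc_c, pc_a = "10.102.40.3", "10.102.10.3"
    outsider = "10.102.41.9"  # constructed: enters on F0/0 but is not in 10.102.40.0/24
    return [
        fw.forward(icmp(pc_c, pc_a, 1), "F0/0", "S0/1/0"),     # PC-C echo request  -> INSPECT
        fw.forward(icmp(pc_a, pc_c, 1), "S0/1/0", "F0/0"),     # PC-A echo reply    -> PASS
        fw.forward(icmp(pc_a, pc_c, 2), "S0/1/0", "F0/0"),     # PC-A unsolicited   -> DROP
        fw.forward(icmp(outsider, pc_a, 3), "F0/0", "S0/1/0"),  # not in ACL 101     -> DROP
    ]


if __name__ == "__main__":
    for verdict in run_lab():
        print(verdict)
```

The sequence returned by run_lab() is INSPECT, PASS, DROP, DROP: PC-C's ping is inspected on the way out and its reply is admitted, whereas a fresh echo request from PC-A has no OUT-ZONE to IN-ZONE zone-pair to match and is dropped, as is a host on F0/0 that ACL 101 does not cover.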
