Information security: detailed lab notes
1. Packet filtering

Packet filtering topology diagram

R1 offers the WWW service:
R5(config)#access-list 101 permit tcp any host 192.168.1.1 eq 80

R2 offers the FTP service (the notes use udp here; FTP control and data connections are TCP, so the entries are corrected):
R5(config)#access-list 101 permit tcp any host 192.168.1.2 eq 20
R5(config)#access-list 101 permit tcp any host 192.168.1.2 eq 21

R3 offers the SFTP service (the notes use port 25 here; 25 is SMTP, while SFTP runs over SSH on TCP 22):
R5(config)#access-list 101 permit tcp any host 192.168.1.3 eq 25

Apply the list to the interface:
R5(config)#int s1/3
R5(config-if)#ip access-group 101 out

Anything not explicitly permitted is dropped by the implicit deny at the end of access-list 101.

Reflexive ACL: allow inside hosts to reach the outside, and let only the outside's replies to that traffic back in.
R5(config)#ip access-list extended outbound
R5(config-ext-nacl)#permit icmp any any reflect icmp_traffic
R5(config-ext-nacl)#exit
R5(config)#ip access-list extended inbound
R5(config-ext-nacl)#evaluate icmp_traffic
R5(config-ext-nacl)#exit

Apply to the interface:
R5(config)#int s1/3
R5(config-if)#ip access-group inbound in
R5(config-if)#ip access-group outbound out

Note that the outbound list only permits ICMP, so every other outbound protocol hits the implicit deny; an interface takes one list per direction, so `ip access-group outbound out` replaces list 101 on s1/3.

2. VPN configuration

IP addressing

R1:
R1(config)#int s1/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config)#router rip
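A worked check of the packet filter and the reflexive lists from section 1. This is an added example, not part of the lab notes: it is a small Python model of the ACL semantics the lab relies on (ordered first-match evaluation with an implicit deny, `reflect` recording a flow, `evaluate` consulting the recorded flows). The server addresses are the lab's; the client 10.0.0.5, the outside hosts in 203.0.113.0/24, and the packets are constructed sample traffic.

```python
"""Toy evaluator for Cisco-style extended ACLs and reflexive ACLs.

Added example, not from the lab notes. Only the semantics the lab uses are
modelled; the packets and the hosts 10.0.0.5 / 203.0.113.x are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for icmp
    dport: int = 0


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: Optional[str] = None       # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None     # "eq <port>"
    reflect: Optional[str] = None   # "reflect <name>": record the flow
    evaluate: Optional[str] = None  # "evaluate <name>": pseudo entry


@dataclass
class Firewall:
    # reflexive list name -> set of return packets that are allowed back in
    reflexive: dict = field(default_factory=dict)

    def _matches(self, ace: Ace, pkt: Packet) -> bool:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            return False
        if ace.src is not None and ace.src != pkt.src:
            return False
        if ace.dst is not None and ace.dst != pkt.dst:
            return False
        if ace.dport is not None and ace.dport != pkt.dport:
            return False
        return True

    def apply(self, acl: list, pkt: Packet) -> bool:
        """First matching entry wins; running off the end is the implicit deny."""
        for ace in acl:
            if ace.evaluate is not None:
                if pkt in self.reflexive.get(ace.evaluate, set()):
                    return True
                continue  # no reflected entry matched, keep walking the list
            if self._matches(ace, pkt):
                if ace.action == "permit" and ace.reflect is not None:
                    # mirror the flow: swap addresses and ports
                    mirror = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
                    self.reflexive.setdefault(ace.reflect, set()).add(mirror)
                return ace.action == "permit"
        return False


# access-list 101 as written in the notes (udp for the FTP ports)
ACL_101_AS_WRITTEN = [
    Ace("permit", "tcp", dst="192.168.1.1", dport=80),
    Ace("permit", "udp", dst="192.168.1.2", dport=20),
    Ace("permit", "udp", dst="192.168.1.2", dport=21),
    Ace("permit", "tcp", dst="192.168.1.3", dport=25),
]
# the same list with FTP on tcp, which is what an FTP client actually sends
ACL_101_FIXED = [
    Ace("permit", "tcp", dst="192.168.1.1", dport=80),
    Ace("permit", "tcp", dst="192.168.1.2", dport=20),
    Ace("permit", "tcp", dst="192.168.1.2", dport=21),
    Ace("permit", "tcp", dst="192.168.1.3", dport=25),
]


def permitted(acl: list, pkt: Packet) -> bool:
    """Stateless check of one packet against an extended ACL."""
    return Firewall().apply(acl, pkt)


def reflexive_demo() -> dict:
    """The outbound/inbound pair from the lab, driven with constructed ICMP traffic."""
    fw = Firewall()
    outbound = [Ace("permit", "icmp", reflect="icmp_traffic")]
    inbound = [Ace("permit", "ip", evaluate="icmp_traffic")]
    echo = Packet("icmp", "192.168.1.10", "203.0.113.9")
    reply = Packet("icmp", "203.0.113.9", "192.168.1.10")
    unsolicited = Packet("icmp", "203.0.113.77", "192.168.1.10")
    return {
        "echo_out": fw.apply(outbound, echo),              # permitted, creates mirror entry
        "reply_in": fw.apply(inbound, reply),              # matches the mirror entry
        "unsolicited_in": fw.apply(inbound, unsolicited),  # nothing reflected it: denied
        "tcp_out": fw.apply(outbound, Packet("tcp", "192.168.1.10", "203.0.113.9", 40000, 80)),
    }


if __name__ == "__main__":
    ftp = Packet("tcp", "10.0.0.5", "192.168.1.2", 40000, 21)
    print("ftp, list as written:", permitted(ACL_101_AS_WRITTEN, ftp))
    print("ftp, list fixed:", permitted(ACL_101_FIXED, ftp))
    print(reflexive_demo())
```

The first two calls show why the udp entries matter: a real FTP control connection to 192.168.1.2 is dropped by the list as written and passes only with the tcp entries. The reflexive run shows the echo going out, its reply coming back in through the mirrored entry, and both an unsolicited ICMP packet and an outbound TCP connection falling through to the implicit deny.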
R1(config-router)# network 192.168.12.0

R2:
Router(config)#int s1/0
Router(config-if)#ip address 192.168.12.2 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
Router(config)#int s1/1
Router(config-if)#ip address 192.168.23.1 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown

R3:
R3(config)#int s1/0
R3(config-if)#ip address 192.168.23.2 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown
R3(config)#int s1/1
R3(config-if)#ip address 192.168.34.1 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown

R4:
Router(config)#int s1/0
Router(config-if)#ip address 192.168.34.2 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
R4(config)#router rip
R4(config-router)# network 192.168.34.0

Configure R2:
R2(config)#router rip
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R2(config)#logging alarm informational
R2(config)#access-list 101 permit ip host 192.168.12.1 host 192.168.34.2
(The notes give host 192.168.23.2 as the destination; that is R3's peer address, not the far end, and would not mirror R3's list 101 below. IPsec crypto ACLs on the two peers must be mirror images.)
R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config)#crypto isakmp key cisco address 192.168.23.2
R2(config)#crypto ipsec transform-set vpntest esp-3des esp-sha-hmac
(This line is missing from the notes for R2; without it the crypto map cannot reference vpntest.)
R2(config)#crypto map vpnmap 10 ipsec-isakmp
R2(config-crypto-map)# set peer 192.168.23.2
R2(config-crypto-map)# set transform-set vpntest
R2(config-crypto-map)# match address 101
R2(config)#interface Serial1/1
R2(config-if)# crypto map vpnmap

Configure R3:
R3(config)#router rip
R3(config-router)# network 192.168.23.0
R3(config-router)# network 192.168.34.0
R3(config)#logging alarm informational
R3(config)#access-list 101 permit ip host 192.168.34.2 host 192.168.12.1
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# encr 3des
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config)#crypto isakmp key cisco address 192.168.23.1
R3(config)#crypto ipsec transform-set vpntest esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#crypto map vpnmap 10 ipsec-isakmp
R3(config-crypto-map)# set peer 192.168.23.1
R3(config-crypto-map)# set transform-set vpntest
R3(config-crypto-map)# match address 101
R3(config)#interface Serial1/0
R3(config-if)# crypto map vpnmap

Verify with show crypto isakmp sa (the ISAKMP SA should be in state QM_IDLE) and show crypto ipsec sa after sending traffic from 192.168.12.1 to 192.168.34.2. 3DES, DH group 2 and the pre-shared key "cisco" are lab settings only; for anything real use AES, a DH group of 14 or higher, and a long random pre-shared key or certificates.

3. OSPF MD5 authentication (CCNA standard version)

Routers authenticate the routing updates they exchange with MD5. (The notes call this "MD5 encryption"; OSPF MD5 authentication proves the packet came from a neighbour holding the key, it does not hide the packet contents.)

IP addressing

R1:
R1(config)#int s1/1
R1(config-if)#ip address 192.168.1.2 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown

R2:
R2(config)#int s1/0
R2(config-if)#ip address 192.168.1.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R2(config)#int s1/1
R2(config-if)#ip address 193.168.1.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
(The notes show R2's 192.168.1.1 on s1/3; the MD5 key and the OSPF network statement below put that link on s1/0.)

R3:
R3(config)#int s1/0
R3(config-if)#ip address 193.168.1.2 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown

R2 (MD5 authentication):
R2(config)#int s1/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config)#int s1/1
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config)#router ospf 64
R2(config-router)# network 192.168.1.0 0.0.0.255 area 0
R2(config-router)# network 193.168.1.0 0.0.0.255 area 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#area 1 authentication message-digest

R1 configuration:
R1(config)#int s1/1
R1(config-if)#ip ospf message-digest-key 1 md5 cisco
R1(config-if)#exit
R1(config)#router ospf 64
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#area 0 authentication message-digest

R3 configuration:
R3(config)#int s1/0
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#exit
R3(config)#router ospf 64
R3(config-router)# network 193.168.1.0 0.0.0.255 area 1
R3(config-router)#area 1 authentication message-digest

Both ends of a link must use the same key ID and key string, or the adjacency never forms; show ip ospf interface reports "Message digest authentication enabled" and the youngest key ID, and show ip ospf neighbor should reach FULL.

[Topology figure: interface labels Fa0/0, S1/0, S1/1, S1/2]

4. Identity authentication configuration

Configure R1's IP:
R1(config)#int s1/1
R1(config-if)#ip address
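What the `ip ospf message-digest-key 1 md5 cisco` lines in section 3 actually make the routers do, as an added example that is not part of the lab notes. It implements the OSPF MD5 authentication scheme of RFC 2328 Appendix D in Python: the sender appends MD5(packet || key zero-padded to 16 bytes) after the packet, and the receiver recomputes it, compares it in constant time and checks the cryptographic sequence number against replay. The key "cisco" and key ID 1 match the lab; the router ID 192.168.1.1, area 0 and the Hello body are constructed sample values. MD5 here is deprecated practice; RFC 5709 HMAC-SHA authentication is preferable where the platform supports it.

```python
"""OSPF MD5 authentication (RFC 2328, Appendix D), worked example.

Added example, not from the lab notes. Key "cisco" / key ID 1 follow the lab;
router ID, area ID and the Hello body are constructed sample values.
"""
import hashlib
import hmac
import struct

AU_TYPE_MD5 = 2
DIGEST_LEN = 16
HDR_FMT = "!BBH4s4sHHxxBBI"   # 24-byte OSPFv2 header, authentication field expanded


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def build_ospf_packet(ptype: int, router_id: bytes, area_id: bytes,
                      key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header with AuType=2. With MD5 the checksum field stays zero and the
    8-byte authentication field carries key ID, digest length and the
    cryptographic sequence number instead of a cleartext password."""
    length = 24 + len(body)          # the trailing digest is NOT counted in length
    header = struct.pack(HDR_FMT, 2, ptype, length, router_id, area_id,
                         0, AU_TYPE_MD5, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: packet on the wire is packet || digest."""
    return packet + ospf_md5_digest(packet, key)


def verify(wire: bytes, keys: dict, last_seq: dict) -> tuple:
    """Receiver side. keys maps key ID -> key; last_seq maps router ID -> last
    accepted sequence number. Returns (accepted, reason)."""
    if len(wire) < 24 + DIGEST_LEN:
        return False, "truncated"
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    (version, _ptype, length, router_id, _area, _csum, au_type,
     key_id, auth_len, seq) = struct.unpack(HDR_FMT, packet[:24])
    if version != 2 or au_type != AU_TYPE_MD5 or auth_len != DIGEST_LEN:
        return False, "unsupported header"
    if length != len(packet):
        return False, "length mismatch"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    if not hmac.compare_digest(ospf_md5_digest(packet, key), digest):
        return False, "bad digest"
    if seq < last_seq.get(router_id, 0):      # RFC 2328 D.4.3: must be >= last seen
        return False, "replayed sequence number"
    last_seq[router_id] = seq
    return True, "ok"


def demo() -> dict:
    """Constructed exchange: R2 sends a Hello, R1 verifies it under several conditions."""
    key_cisco = b"cisco"
    keys_r1 = {1: key_cisco}             # ip ospf message-digest-key 1 md5 cisco
    last_seq = {}
    r2_id = bytes([192, 168, 1, 1])
    area0 = b"\x00\x00\x00\x00"
    # constructed Hello body: mask /24, hello 10s, options, priority 1, dead 40s, DR, BDR
    hello_body = (b"\xff\xff\xff\x00" + b"\x00\x0a" + b"\x02" + b"\x01"
                  + b"\x00\x00\x00\x28" + b"\x00" * 8)
    wire = sign(build_ospf_packet(1, r2_id, area0, 1, 1000, hello_body), key_cisco)
    results = {"good": verify(wire, keys_r1, last_seq)[1]}
    # flipping one bit of the hello interval breaks the digest
    tampered = bytearray(wire)
    tampered[24 + 4] ^= 0x01
    results["tampered"] = verify(bytes(tampered), keys_r1, last_seq)[1]
    # neighbour configured with a different key string: the adjacency never forms
    results["wrong_key"] = verify(wire, {1: b"cisc0"}, last_seq)[1]
    # replay of an older packet after a newer one was accepted
    newer = sign(build_ospf_packet(1, r2_id, area0, 1, 1001, hello_body), key_cisco)
    verify(newer, keys_r1, last_seq)
    results["replay"] = verify(wire, keys_r1, last_seq)[1]
    # authentication only: the key never goes on the wire, but the body is cleartext
    results["body_visible"] = hello_body in wire
    return results


if __name__ == "__main__":
    print(demo())
```

The last entry of `demo()` is the point behind the wording fix in section 3: the Hello is fully readable on the wire, only its origin and integrity are protected.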