cisco 28xx 安全配置示例

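!--- Enable the AAA (authentication, authorization, accounting) access-control model.
aaa new-model
!
!--- Put the Cisco Secure ACS (TACACS+) at 192.168.101.119 into an AAA server group
!--- named "SJ". The group is what the method lists below refer to.
aaa group server tacacs+ SJ
 server 192.168.101.119
!
!--- Login authentication: try the local user database first, then the SJ group.
!--- The trailing "none" method of the original example is deliberately NOT used:
!--- "none" means that when every earlier method fails or is unreachable the login
!--- succeeds with no credentials at all (fail-open). Without "none" a router whose
!--- TACACS+ server is down is reachable only through the local database, so define
!--- at least one local username/secret before applying this list to avoid lockout.
aaa authentication login default local group SJ
!--- EXEC authorization: ask the SJ group whether the user may get an EXEC shell and
!--- fall back to the local database. Again, no "none" — an unreachable server must
!--- not grant a shell unconditionally.
aaa authorization exec default group SJ local
!--- Per-user authentication-proxy policy is retrieved from the SJ group. This line
!--- works together with "ip auth-proxy name aprule http" further down: the auth-proxy
!--- rule triggers the login, this line tells AAA where the per-user ACL comes from.
aaa authorization auth-proxy default group SJ
!--- Use one session ID for every accounting record belonging to the same call, so
!--- the records can be correlated on the accounting server.
aaa session-id common
.
.
.
!--- Inspection (CBAC) rule set "myfw". Each protocol listed here is stateful-inspected
!--- and the return traffic is allowed back through the inbound ACL of the other
!--- interface. Idle timeouts are 3600 s for TCP-style sessions, 15 s for generic UDP
!--- and 30 s for TFTP; vdolive uses the default.
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http urlfilter timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive
!
!--- (Optional) Keep an authentication-proxy cache entry, and the dynamic per-user ACL
!--- attached to it, for 120 s of inactivity before it is torn down. A shorter value
!--- limits how long a borrowed/unattended host keeps another user's access.
ip auth-proxy inactivity-timer 120
!--- Authentication-proxy rule "aprule": an HTTP request from a not-yet-authenticated
!--- host triggers the login page served by the router's HTTP server (see "ip http"
!--- below), after which the per-user ACL from the SJ group is installed.
ip auth-proxy name aprule http
!
!--- Cisco IOS IPS:
!--- - load the Signature Definition File (SDF) from the TFTP server 192.168.1.3.
!---   TFTP offers neither authentication nor integrity protection, so the TFTP host
!---   should sit on a trusted segment and the SDF should be verified after download.
!--- - (optional) cap the event queue at 100 notifications.
!--- - disable signatures 1107 and 3301, which this scenario treats as noise.
!--- - name the IPS rule "ids-policy" so it can be bound to FastEthernet0/0 below.
ip ips sdf location tftp://192.168.1.3/attack-drop.sdf
ip ips po max-events 100
ip ips signature 1107 0 disable
ip ips signature 3301 0 disable
ip ips name ids-policy
!
!--- Websense URL filtering:
!--- - "cache 0": the destination-IP cache size is set to 0 here (presumably every
!---   request is then sent to the filtering server; confirm the exact meaning of 0 on
!---   the IOS release in use).
!--- - www.cisco.com is permitted without a lookup (exclusive domain).
!--- - the Websense URL-filtering server (UFS) is 192.168.1.116.
ip urlfilter cache 0
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.1.116
.
.
.
!--- FastEthernet0/0: the interface toward the branch-office PCs and the Websense UFS.
!--- ACL 116 filters packets leaving this interface, inspection rule "myfw" is applied
!--- to packets entering it, the authentication proxy rule "aprule" handles per-user
!--- login (see "aaa authorization auth-proxy default group SJ" and
!--- "ip auth-proxy name aprule http" above), and IPS rule "ids-policy" is applied to
!--- outbound traffic.
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 116 out
 ip inspect myfw in
 ip auth-proxy aprule
 ip ips ids-policy out
.
.
.
!--- FastEthernet0/1: the interface toward the Cisco Secure ACS. ACL 111 filters
!--- packets entering this interface.
interface FastEthernet0/1
 ip address 192.168.101.2 255.255.255.0
 ip access-group 111 in
.
.
.
ip classless
!--- Static route for the 192.168.102.0/24 network (the HTTP server at
!--- 192.168.102.119 in this example) via FastEthernet0/1.
ip route 192.168.102.0 255.255.255.0 FastEthernet0/1
!
!--- HTTP server used by the authentication proxy. Login credentials are validated by
!--- the AAA login method list ("ip http authentication aaa"). The original example
!--- explicitly disabled the HTTPS server, which means the auth-proxy login form and the
!--- user's password cross the LAN in clear text; enable the secure server so the login
!--- page can be served over HTTPS. The plain HTTP server is kept because "aprule"
!--- intercepts plain HTTP requests — whether it can be turned off on your release once
!--- HTTPS is enabled should be verified in the lab.
ip http server
ip http authentication aaa
ip http secure-server
!
!--- ACL 111 (inbound on FastEthernet0/1, toward the ACS): only TACACS+ from the ACS to
!--- this router's own address, plus ICMP. Note that ICMP is permitted from ANY source
!--- — narrow it to the ACS host if nothing else on that segment needs to reach the
!--- router. Everything else is dropped by the explicit final deny.
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit udp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
!--- ACL 116 (outbound on FastEthernet0/0, toward the branch PCs and the UFS): host
!--- 192.168.1.118 may only talk HTTP to the router itself and is otherwise blocked;
!--- the rest of 192.168.1.0/24 may send TCP, UDP and ICMP anywhere. Order matters —
!--- the host-specific denies must stay above the subnet-wide permits. Anything not
!--- matched is dropped by the implicit deny.
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 deny udp host 192.168.1.118 any
access-list 116 deny icmp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
access-list 116 permit udp 192.168.1.0 0.0.0.255 any
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any
!
!
!--- TACACS+ server definition (the Cisco Secure ACS). The shared key must match the
!--- key configured on the TACACS+ daemon; it is the only thing protecting the TACACS+
!--- exchange on the wire. "cisco" is an example/placeholder value that is trivially
!--- guessed — replace it with a long random secret before deployment, and keep it out
!--- of shared config dumps (e.g. enable "service password-encryption", which at least
!--- obscures it in "show running-config").
tacacs-server host 192.168.101.119
tacacs-server directed-request
tacacs-server key cisco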