Typical Firewall Settings for a Router

Source: Cisco.com  Author:  2007-10-24  From: pcdog.com


 show running-config                               

version 11.2                                                     
service timestamps debug datetime msec
service timestamps log datetime msec     
service password-encryption                       
no service udp-small-servers                     
no service tcp-small-servers                     
!                                                                           
hostname fw-rtr                                               
!                                                                           
enable password cisco                                   
!                                                                           
username admin password cisco                   
username chw10.Sydney password cisco     
no ip source-route                                         
ip nat pool inside-pool 203.1.1.2 203.1.1.254 netmask 255.255.255.0
ip nat inside source list 99 pool inside-pool
ip domain-list domain.com                           
ip domain-name domain.com                           
ip name-server 192.168.1.1                         
ip inspect name internet smtp                   
ip inspect name internet http java-list 42 timeout 60
ip inspect name internet ftp                     
ip inspect name internet tcp                     
ip inspect name internet udp                     
ip inspect name internet realaudio         
ip inspect name internet h323                   
ip inspect name internet cuseeme             
isdn switch-type basic-net3                       
clock timezone AEST 10                                 
!                                                                           
interface Loopback0                                       
ip address 203.1.1.1 255.255.255.0         
!                                                                           
interface Ethernet0                                       
ip address 192.168.1.253 255.255.255.0
ip nat inside                                                   
ip route-cache same-interface                   
!                                                                           
interface BRI0                                                 
no ip address                                                   
encapsulation ppp                                           
dialer pool-member 1                                     
no fair-queue                                                   
ppp authentication chap callin                 
ppp multilink                                                   
!                                                                           
interface Dialer0                                           
description BigPond Dialup Link               
ip address 139.130.98.32 255.255.254.0
ip access-group 169 in                                 
ip access-group 158 out                               
no ip unreachables                                         
no ip directed-broadcast                             
no ip proxy-arp                                               
ip nat outside                                                 
ip inspect internet out                               
encapsulation ppp                                           
dialer remote-name chw10.Sydney               
dialer idle-timeout 999999                         
dialer string 84486000                                 
dialer load-threshold 1 either                 
dialer pool 1                                                   
dialer-group 1                                                 
no fair-queue                                                   
no cdp enable                                                   
ppp chap hostname anixte0                           
ppp multilink                                                   
!                                                                           
ip classless                                                     
ip route 0.0.0.0 0.0.0.0 139.130.98.1   
ip route 192.168.0.0 255.255.0.0 192.168.1.254
ip http server                                                 
ip http access-class 1                                 
logging buffered 16000 debugging             
logging 192.168.1.1                                       
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 42 permit any
access-list 99 permit 192.168.0.0 0.0.255.255
access-list 101 deny udp any any eq rip
access-list 101 permit icmp any any
access-list 101 permit ip any any
access-list 158 permit icmp any any
access-list 158 permit udp any any
access-list 158 permit tcp any any
access-list 158 deny ip any any log-input
access-list 159 permit icmp any any
access-list 159 permit ip any any
access-list 159 permit tcp any any eq smtp
access-list 159 permit tcp any any eq www
access-list 159 permit tcp any any eq telnet
access-list 159 permit tcp any any eq ftp
access-list 159 permit tcp any any eq ftp-data
access-list 159 permit tcp any any eq domain
access-list 159 permit udp any any eq domain
access-list 159 permit tcp any any eq 554
access-list 159 permit tcp any any eq 7070
access-list 159 deny ip any any log-input
access-list 169 permit icmp any any
access-list 169 permit tcp any any eq smtp
access-list 169 permit tcp any any eq www
access-list 169 permit tcp any any eq ftp
access-list 169 permit tcp any any eq domain
access-list 169 permit udp any any eq domain
access-list 169 deny ip any any log-input
access-list 181 permit tcp any any eq www
access-list 181 permit tcp any eq www any
access-list 182 permit tcp any any eq ftp-data
access-list 182 permit tcp any eq ftp-data any
snmp-server community public RO 1           
snmp-server community private RW 1         
snmp-server trap-source Ethernet0           
snmp-server contact Keith Sinclair         
snmp-server host 192.168.1.1 public       
dialer-list 1 protocol ip permit             
dialer-list 2 protocol ip list 101         
banner motd #                                                   
*********************************************************************
*                                                                   *
* Firewall Router. RESTRICTED ACCESS                                *
*                                                                   *
* No Unauthorised Access.                                           *
*                                                                   *
* No Hackers, Phreaks, Crackers or so called security               *
* experts allowed!                                                  *
*                                                                   *
* Contact(s): http://www.net130.com                                 *
*                                                                   *
*********************************************************************
#                                                                           
!                                                                           
line con 0                                                         
login local                                                       
line vty 0 4                                                     
access-class 1 in                                           
access-class 2 out                                         
exec-timeout 15 0                                           
login local                                                       
!                                                                           
end                                                                       


show version                                                     


Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-OY-L), Version 11.2(17)P, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 12-Jan-99 14:25 by pwade
Image text-base: 0x0801FC84, data-base: 0x02005000

ROM: System Bootstrap, Version 11.1(10)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-BOOT-R), Version 11.1(10)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

fw-rtr uptime is 4 weeks, 5 hours, 47 minutes
System restarted by reload
System image file is "flash:c1600-oy-l_112-17_P.bin", booted via flash

cisco 1603 (68360) processor (revision C) with 3584K/512K bytes of memory.
Processor board ID 07064947, with hardware revision 00000000
Bridging software.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Basic Rate ISDN software, Version 1.0.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
System/IO memory with parity disabled
2048K bytes of DRAM onboard 2048K bytes of DRAM on SIMM
System running from FLASH
8K bytes of non-volatile configuration memory.
4096K bytes of processor board PCMCIA flash (Read ONLY)

Configuration register is 0x2102     

