基于IOS防火墙的状态化包过滤

基于IOS的防火墙的配置实验如下： 1. 实验拓扑：

2. 实验配置：

先实现的R1到R3的连通性，以及R1可以Telnet到R3上。

R1 hostname R1 ! interface FastEthernet0/0 ip address 10.1.1.1 255.255.255.0 no ip route-cache duplex auto speed auto ! ip default-gateway 10.1.1.2 R2 hostname R2 ! interface FastEthernet0/0 ip address 10.1.1.2 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface FastEthernet0/1 ip address 20.1.1.2 255.255.255.0 ip nat outside ip virtual-reassembly in duplex auto speed auto ! ip nat inside source list 1 interface FastEthernet0/1 overload ip route 0.0.0.0 0.0.0.0 20.1.1.3 ! access-list 1 permit 10.1.1.0 0.0.0.255 R3 hostname R3 ! interface Loopback0 ip address 3.3.3.3 255.255.255.255 ! interface FastEthernet0/0 ip address 20.1.1.3 255.255.255.0 duplex auto speed auto 测试连通性和Telnet： R1#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/104/120 ms R1#3.3.3.3

Trying 3.3.3.3 ... Open R3>

在F0/1接口将Internet的回包deny： access-list 100 deny ip any any interface FastEthernet0/1

ip address 20.1.1.2 255.255.255.0 ip access-group 100 in

再次测试： R1#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: .....

Success rate is 0 percent (0/5) R1#3.3.3.3

Trying 3.3.3.3 ...

% Connection timed out; remote host not responding 可以看到都是失败的，接下来完成状态化包过滤： ip inspect name cisco icmp ip inspect name cisco tcp R2(config)#int f0/0

R2(config-if)#ip inspect cisco in

再次测试： R1#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 56//76 ms R1#3.3.3.3

Trying 3.3.3.3 ... Open R3>

发现OK了，这里的下面两条命令：

ip inspect name cisco icmp //检测ICMP，也就是实现能够ping通

ip inspect name cisco tcp //检测TCP，因为Telnet是在TCP23端口，故可以实现Telnet