|
对于以前提到的被动FTP访问问题,也可以采用才方法安全解决
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 155 permit tcp any any eq ftp
Router1(config)#access-list 155 deny ip any any
Router1(config)#ip inspect name TEST ftp
Router1(config)#interface Serial0/0
Router1(config-subif)#ip access-group 155 in
Router1(config-subif)#ip inspect TEST in
Router1(config-subif)#exit
Router1(config)#end
Router1#
Router1#show ip access-list 155
Extended IP access list 155
permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155 (1415 matches)
permit tcp any any eq ftp (151 matches)
deny ip any any (3829 matches)
Router1#
同时也提供了对不同的会话的定时器配置
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect tcp idle-time 1800
Router1(config)#ip inspect udp idle-time 20
Router1(config)#ip inspect tcp finwait-time 1
Router1(config)#ip inspect tcp synwait-time 15
Router1(config)#end
Router1#
通过show ip inspect config命令来显示当前CBAC的配置
上一篇:Cisco IOS Cookbook 中文精简版第二十四章移动IP
下一篇:Cisco PIX防火墙配置命令大全
|
精品推荐