对内网地址192.168.1.0/25访问外网不作限制
对于内网地址192.168.1.128/25只允许收发邮件,不允许访问外网
#
sysnameRouterA
#
firewallenable/使能防火墙功能/
firewalldefaultdeny/配置防火墙缺省操作为deny/
#
radiusschemesystem
#
domainsystem
#
aclnumber2000/定义用于NAT转换的ACL/
rule0permitsource192.168.1.00.0.0.255
rule1deny
#
aclnumber3001/定义用于包过滤的ACL/
rule0permitipsource192.168.1.00.0.0.127
/内网地址192.168.1.0/25访问外网不作限制/
rule1permittcpsource192.168.1.1280.0.0.127destination-porteqpop3
rule2permittcpsource192.168.1.1280.0.0.127destination-porteqsmtp
/内网地址192.168.1.128/25只能收发邮件/
#
interfaceEthernet1/0/0
ipaddress192.168.1.1255.255.255.0
firewallpacket-filter3001inbound/对inbound流量使用包过滤/
#
interfaceSerial2/0/0
link-protocolppp
ipaddress202.101.1.2255.255.255.252
natoutbound2000
#
interfaceNULL0
#
iproute-static0.0.0.00.0.0.0202.101.1.1preference60
#
user-interfacecon0
user-interfacevty04
#
return
通过查看dispfirewall-statisticsall、dispacl3001确认防火墙确实生效
dispfirewall-statisticsall
Firewallisenable,defaultfilteringmethodis'deny'.
Interface:Ethernet1/0/0
In-boundPolicy:acl3001
Fragmentsmatchednormally
From2006-05-315:05:50to2006-05-316:32:49
198packets,24129bytes,4%permitted,
0packets,0bytes,0%denied,
0packets,0bytes,0%permitteddefault,
5919packets,1021492bytes,96%denieddefault,
Totally198packets,24129bytes,4%permitted,
Totally5919packets,1021492bytes,96%denied.
dispacl3001
AdvancedACL3001,3rules
Acl'sstepis1
rule0permitipsource192.168.1.00.0.0.127(194timesmatched)
rule1permittcpsource192.168.1.1280.0.0.127destination-porteqpop3(9timesmatched)
rule2permittcpsource192.168.1.1280.0.0.127destination-porteqsmtp(0timesmatched)
【提示】
1、系统缺省情况下为禁止防火墙(firewalldisable),需要使用命令“firewallenable”来使能防火墙功能
2、防火墙缺省过滤方式为允许通过(permit),可以通过“firewalldefaultdeny”修改为禁止通过
3、在内网使用包过滤,并同时使用DHCPserver分配地址时,需要在acl3001中添加一条“rule0permitipsource0.0.0.00”否则会出现DHCPServer无法分配地址的问题。
【AR系列路由器包过滤控制访问列表的配置方法】相关文章: