Question:
I have a Cisco 3560V2 router connected to the internet. I want to apply CBAC. I need to give incoming access to IP xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030. I don't need any other access from outside.

I have the following interfaces:

FA0/0 - Connected to Inside (incoming IP traffic to xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030, and outgoing all TCP and UDP packets; the incoming traffic goes to the WAN device)
FA0/1 - Connected to outside ISP 1 (incoming IP traffic to xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030); this traffic comes from this ISP link
Fa0/2 - Connected to outside ISP 1 (backup link) (incoming IP traffic to xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030); this traffic comes from this ISP link in the failure of the main link
Fa0/3 - Connected to outside ISP 3 - no incoming, only outgoing traffic of all TCP and UDP
Fa0/4 - Connected to outside ISP 4 - no incoming, only outgoing traffic of all TCP and UDP

How can I fulfill this requirement?
Answer:
Have you thought of ZBFW instead of CBAC?

Anyway, below is a basic CBAC setup applied to your WAN interfaces.

Note: if you have any routing protocol between this router, you will need to allow this through (e.g. for RIP: permit udp any any eq 520). This also applies to ICMP from the outside.
! Stateful inspection rule: return traffic of outbound sessions is allowed back in
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! Only the two published services are allowed in unsolicited
ip access-list extended IncomingWan
 permit tcp any host x.x.x.2 eq 1020
 permit udp any host x.x.x.2 eq 1020
 permit tcp any host x.x.x.3 eq 1030
 permit udp any host x.x.x.3 eq 1030
!
! Apply on each outside WAN interface
interface x/x
 ip access-group IncomingWan in
 ip inspect CBAC out
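The ZBFW alternative the answer mentions, written out for the same requirement. This is an added example and not the original answer's configuration; the interface names follow the question, x.x.x.2 / x.x.x.3 are the same placeholders as above, and the zone, ACL, class-map and policy-map names are assumed. It goes one step further than the CBAC setup by putting ISP 3 and ISP 4 in their own zone with no inbound zone-pair, so nothing from those links can initiate a session inward.

```cisco
! Added example: zone-based firewall for the question's five interfaces
zone security INSIDE
zone security ISP-MAIN
zone security ISP-OUTBOUND-ONLY
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security ISP-MAIN
interface FastEthernet0/2
 zone-member security ISP-MAIN
interface FastEthernet0/3
 zone-member security ISP-OUTBOUND-ONLY
interface FastEthernet0/4
 zone-member security ISP-OUTBOUND-ONLY
!
! The only services reachable from outside (placeholder addresses from the question)
ip access-list extended PUBLISHED-SERVICES
 permit tcp any host x.x.x.2 eq 1020
 permit udp any host x.x.x.2 eq 1020
 permit tcp any host x.x.x.3 eq 1030
 permit udp any host x.x.x.3 eq 1030
!
class-map type inspect match-all CM-PUBLISHED
 match access-group name PUBLISHED-SERVICES
class-map type inspect match-any CM-OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Inside -> ISP: inspect so replies are admitted statefully; drop and log the rest
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-OUTBOUND
  inspect
 class class-default
  drop log
! ISP -> inside: only the two published services; everything else dropped and logged
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-PUBLISHED
  inspect
 class class-default
  drop log
!
zone-pair security IN-MAIN source INSIDE destination ISP-MAIN
 service-policy type inspect PM-IN-TO-OUT
zone-pair security MAIN-IN source ISP-MAIN destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security IN-BACKUP source INSIDE destination ISP-OUTBOUND-ONLY
 service-policy type inspect PM-IN-TO-OUT
! No ISP-OUTBOUND-ONLY -> INSIDE zone-pair: ZBFW denies that direction by default
```

Traffic to and from the router's own addresses belongs to the self zone, which ZBFW permits by default unless a self zone-pair is configured, so the routing-protocol caveat in the answer does not arise in this form.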