Secure: Day 3 Homework

Lab requirements:

1. Using the topology shown above, complete the following requirements:

1) Configure the IP address of each device

2) Configure ZBFW: Inside-1 and Inside-2 belong to the inside zone, Outside-1 belongs to the outside zone

zone security inside
zone security outside
!
! Zone-pairs are directional. They are created here without a service-policy
! (a zone-pair with no policy drops everything); the policies are attached in
! sections 3 to 6. Traffic between the two inside interfaces needs no
! zone-pair: same-zone traffic is passed by default.
zone-pair security in-2-out source inside destination outside
zone-pair security out-2-in source outside destination inside
!
interface FastEthernet0/0
 ip address 10.1.1.10 255.255.255.0
 zone-member security inside
!
interface FastEthernet1/0
 ip address 202.100.1.10 255.255.255.0
 zone-member security outside
!
interface FastEthernet2/0
 ip address 192.168.1.10 255.255.255.0
 zone-member security inside

Test:

3) Inspect outbound TCP/UDP/ICMP/DNS

! match-any: a packet that matches any one line belongs to the class. Only
! protocols listed here are inspected; everything else from inside to outside
! hits class-default and is dropped, so icmp must be listed or outbound pings
! fail. ftp is kept next to tcp so the FTP application inspection (needed to
! open the data channel) still applies.
class-map type inspect match-any in-out-any
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
 match protocol dns
!
policy-map type inspect outbound
 class type inspect in-out-any
  inspect
 class class-default
  drop
!
zone-pair security in-2-out source inside destination outside
 service-policy type inspect outbound

Test:

4) Police inbound ICMP traffic to 9000 bps with a burst of 1 MB

class-map type inspect match-all inbound
 match protocol icmp
!
! 'police' must sit in the same class as the inspect (or pass) action. The
! rate is in bits per second (8000-2000000000) and the burst is in bytes
! (1000-512000000), so a 1 MB burst is 1000000, not 1000. Non-conforming
! packets are dropped.
policy-map type inspect inbound
 class type inspect inbound
  inspect
  police rate 9000 burst 1000000
 class class-default
  drop
!
zone-pair security out-2-in source outside destination inside
 service-policy type inspect inbound
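To see what `police rate 9000 burst <bytes>` actually admits, here is an added token-bucket model written for this page (example code, not Cisco's implementation and not part of the original write-up). It assumes the documented ZBFW semantics: rate in bits per second, burst in bytes, a packet conforms only when the bucket holds at least its size, and non-conforming packets are dropped. The ICMP echo stream (100-byte echoes at 100 per second for 5 s) is constructed for the example.

```python
class InspectPolicer:
    """Single token bucket modelling 'police rate <bps> burst <bytes>'.

    Simplified model (assumption): the bucket starts full, refills at
    rate_bps, is capped at burst_bytes, and a packet conforms only if the
    bucket holds at least its size; non-conforming packets are dropped.
    Tokens are kept in millibits so refill arithmetic stays integer-exact:
    1 bit/s of rate is exactly 1 millibit per millisecond.
    """

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps                 # IOS: bits per second
        self.capacity = burst_bytes * 8 * 1000   # IOS: burst is in bytes
        self.tokens = self.capacity
        self.last_ms = 0

    def offer(self, t_ms: int, size_bytes: int) -> bool:
        """Offer one packet arriving at t_ms; True if it conforms."""
        self.tokens = min(self.capacity,
                          self.tokens + self.rate_bps * (t_ms - self.last_ms))
        self.last_ms = t_ms
        cost = size_bytes * 8 * 1000
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def sustained_pps(rate_bps: int, size_bytes: int) -> float:
    """Steady-state packets per second once the burst is spent."""
    return rate_bps / 8 / size_bytes


def icmp_flood(rate_bps: int, burst_bytes: int, pps: int = 100,
               seconds: int = 5, size_bytes: int = 100) -> tuple:
    """Constructed traffic: `pps` echoes of `size_bytes` per second for
    `seconds` seconds. Returns (passed, dropped)."""
    policer = InspectPolicer(rate_bps, burst_bytes)
    interval_ms = 1000 // pps
    total = pps * seconds
    passed = sum(policer.offer(i * interval_ms, size_bytes) for i in range(total))
    return passed, total - passed


def oversized_never_conforms(rate_bps: int, burst_bytes: int,
                             size_bytes: int) -> bool:
    """In this model a packet larger than the bucket can never conform,
    however long the bucket refills (checked once a second for a minute)."""
    policer = InspectPolicer(rate_bps, burst_bytes)
    return not any(policer.offer(t, size_bytes) for t in range(0, 60_000, 1000))


if __name__ == "__main__":
    print("9000 bps, burst 1000 bytes    :", icmp_flood(9000, 1000))
    print("9000 bps, burst 1000000 bytes :", icmp_flood(9000, 1_000_000))
    print("sustained pps, 100-byte echo  :", sustained_pps(9000, 100))
    print("1500-byte ping vs burst 1000  : dropped forever =",
          oversized_never_conforms(9000, 1000, 1500))
```

With `burst 1000` the first 11 echoes pass immediately and then only about 11 per second (9000 bps / 8 / 100 bytes), so 66 of the 500 echoes get through; with `burst 1000000` the whole 5-second flood (50,000 bytes) fits in the bucket and nothing is dropped. The last check is the gotcha of a small burst: a bucket smaller than one packet admits that packet never, so a 1500-byte ping against `burst 1000` is dropped every time.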

Test:

5) Inspect Telnet/SSH flows within the inside zone

class-map type inspect match-any in-in
 match protocol telnet
 match protocol ssh
!
policy-map type inspect in-in
 class type inspect in-in
  inspect
 class class-default
  drop
!
! Traffic between two interfaces of the same zone is passed by default. Once
! this intra-zone zone-pair carries a policy, anything between the two inside
! interfaces that is not Telnet/SSH hits class-default and is dropped
! (including ICMP), so test that deliberately, not just the Telnet/SSH case.
zone-pair security in-in source inside destination inside
 service-policy type inspect in-in

Test:

6) Inspect inbound Telnet flows to self (the router itself)

! The ACL matches Telnet to either router address. The zone-pair below only
! covers flows that enter from the inside zone, so the 202.100.1.10 entry
! matters only when an inside host telnets to the outside interface address.
ip access-list extended in-self
 permit tcp any host 202.100.1.10 eq telnet
 permit tcp any host 10.1.1.10 eq telnet
!
class-map type inspect match-any telnet
 match access-group name in-self
!
policy-map type inspect telnet
 class type inspect telnet
  inspect
 class class-default
  drop
!
! Traffic to and from the self zone is permitted by default. This pair changes
! only the inside -> self direction: anything other than Telnet from inside to
! the router (ping, SSH, routing-protocol adjacencies on the inside interfaces)
! now hits class-default and is dropped, while outside -> self is untouched
! because no zone-pair is defined for it.
zone-pair security in-self source inside destination self
 service-policy type inspect telnet

Test:
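The "Test:" steps in sections 2 to 6 can be predicted before touching the lab. The following is an added example (written for this page, not Cisco code and not part of the original write-up): a small Python model of the ZBFW forwarding decision, loaded with the zones, zone-pairs and policies configured above. It encodes the documented ZBFW defaults (inter-zone traffic needs a zone-pair with a permitting policy, same-zone and self-zone traffic pass by default, a zone member never talks to an interface outside any zone, an attached policy ends in an implicit class-default drop, and an inspected session admits its return traffic). Interface names Fa0/0, Fa1/0 and Fa2/0 are those from section 2; the sample flows are constructed; IP addresses are not modelled, so the section 6 ACL is represented as "TCP/23 to self", and the police action of section 4 is noted but not simulated.

```python
from dataclasses import dataclass

SELF = "self"   # the router's own control plane, ZBFW's built-in zone


@dataclass(frozen=True)
class Flow:
    src_if: str    # ingress interface, or SELF for router-originated traffic
    dst_if: str    # egress interface, or SELF for traffic to the router
    proto: str     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Flow":
        """The reply direction of this flow (interfaces and ports swapped)."""
        return Flow(self.dst_if, self.src_if, self.proto, self.dport, self.sport)


class Zbfw:
    """Decision model of ZBFW defaults (assumption: simplified, no addresses)."""

    def __init__(self, zone_of: dict) -> None:
        self.zone_of = zone_of      # interface -> zone name
        self.pairs = {}             # (src_zone, dst_zone) -> [(class, match, action)]
        self.sessions = set()       # forward flows that were inspected

    def zone_pair(self, src: str, dst: str, policy: list) -> None:
        self.pairs[(src, dst)] = policy

    def decide(self, f: Flow) -> str:
        if f.reverse() in self.sessions:
            return "pass: return traffic of inspected session"
        src = SELF if f.src_if == SELF else self.zone_of.get(f.src_if)
        dst = SELF if f.dst_if == SELF else self.zone_of.get(f.dst_if)
        if (src is None) != (dst is None):
            return "drop: zone member to non-member interface"
        if src is None and dst is None:
            return "pass: no zone involved"
        policy = self.pairs.get((src, dst))
        if policy is None:
            if src == dst or SELF in (src, dst):
                return "pass: default for same zone / self zone"
            return "drop: no zone-pair"
        for name, match, action in policy:        # first matching class wins
            if match(f):
                if action == "inspect":
                    self.sessions.add(f)
                return f"{action}: class {name}"
        return "drop: class-default"


def assignment_firewall() -> Zbfw:
    """Zones, zone-pairs and policies from sections 2 to 6 of this write-up."""
    fw = Zbfw({"Fa0/0": "inside", "Fa1/0": "outside", "Fa2/0": "inside"})
    tcp_to = lambda *ports: (lambda f: f.proto == "tcp" and f.dport in ports)
    fw.zone_pair("inside", "outside", [
        ("in-out-any", lambda f: f.proto in ("tcp", "udp", "icmp"), "inspect")])
    fw.zone_pair("outside", "inside", [
        ("inbound", lambda f: f.proto == "icmp", "inspect")])   # plus police rate 9000
    fw.zone_pair("inside", "inside", [("in-in", tcp_to(23, 22), "inspect")])
    fw.zone_pair("inside", SELF, [("telnet", tcp_to(23), "inspect")])  # ACL in-self
    return fw


def run_checks() -> dict:
    """Constructed sample flows, one per 'Test:' step; returns the verdicts.
    Order matters: the HTTP reply is admitted only because its request was
    inspected first."""
    fw = assignment_firewall()
    cases = {
        "inside->outside http": Flow("Fa0/0", "Fa1/0", "tcp", 40000, 80),
        "outside->inside http reply": Flow("Fa1/0", "Fa0/0", "tcp", 80, 40000),
        "outside->inside telnet (new)": Flow("Fa1/0", "Fa0/0", "tcp", 50000, 23),
        "outside->inside ping": Flow("Fa1/0", "Fa2/0", "icmp"),
        "inside->inside ssh": Flow("Fa0/0", "Fa2/0", "tcp", 40001, 22),
        "inside->inside ping": Flow("Fa0/0", "Fa2/0", "icmp"),
        "inside->self telnet": Flow("Fa0/0", SELF, "tcp", 40002, 23),
        "inside->self ping": Flow("Fa0/0", SELF, "icmp"),
        "outside->self telnet": Flow("Fa1/0", SELF, "tcp", 50001, 23),
        "self->outside dns (router-originated)": Flow(SELF, "Fa1/0", "udp", 49152, 53),
    }
    return {name: fw.decide(flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:40s} {verdict}")
```

The two verdicts worth noticing are the ones the requirements do not spell out: after section 5 an inside-to-inside ping is dropped, and after section 6 an inside host can still telnet to the router but can no longer ping it, whereas Telnet from the outside zone to the router is still passed because no outside-to-self zone-pair exists.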