一个用Cat6504作为安全域划分的案例，路由模式

network

一个用Cat6504作为安全域划分的案例，路由模式


目前的用户只分为两个安全域，目前只是用了两个端口，分别模拟两种业务，利用Cat6504防火墙的IOS FEATURE配置，用ospf把两个区域的路由导通，然后配置策略控制两个区域的访问控制策略。

sh run
Building configuration...

Current configuration : 3685 bytes
!
upgrade fpd auto
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service counters max age 10
!
hostname Gate_Office_Family
!
boot system sup-bootdisk:s3223-adventerprisek9_wan-mz.122-18.SXF9.bin
no logging console
enable secret 5 $1$Jlb0$7rZW3RwcZV6xQm0KmmtSC.
!
no aaa new-model
ip subnet-zero
ip inspect one-minute high 3000
ip inspect one-minute low 2000
ip inspect name HHGW_VPN_Gate cuseeme
ip inspect name HHGW_VPN_Gate fragment maximum 256 timeout 1
ip inspect name HHGW_VPN_Gate ftp
ip inspect name HHGW_VPN_Gate netshow
ip inspect name HHGW_VPN_Gate rcmd
ip inspect name HHGW_VPN_Gate realaudio
ip inspect name HHGW_VPN_Gate rtsp
ip inspect name HHGW_VPN_Gate sqlnet
ip inspect name HHGW_VPN_Gate streamworks
ip inspect name HHGW_VPN_Gate tcp
ip inspect name HHGW_VPN_Gate tftp
ip inspect name HHGW_VPN_Gate udp
ip inspect name HHGW_VPN_Gate vdolive
ip inspect name HHGW_VPN_Gate h323
ip inspect name HHGW_VPN_Gate http
!
!
!
ipv6 mfib hardware-switching replication-mode ingress
mls ip inspect JSQ-to-BanGong
--More--         mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
!
!
!
!
!
!
!
!
redundancy
mode sso
main-cpu
  auto-sync running-config
spanning-tree mode pvst
spanning-tree extend system-id
system flowcontrol bus auto
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
!
!
interface GigabitEthernet1/1
description Gateway_outside
ip address 10.60.188.13 255.255.255.252
ip access-group JSQ-to-BanGong in
ip inspect HHGW_VPN_Gate in
ip inspect HHGW_VPN_Gate out
ip flow ingress
ip ospf network point-to-point
ip ospf dead-interval minimal hello-multiplier 3
!
interface GigabitEthernet1/2
description Gateway_inside
ip address 10.60.254.17 255.255.255.252
ip inspect HHGW_VPN_Gate in
ip inspect HHGW_VPN_Gate out
--More--          ip flow ingress
ip ospf network point-to-point
ip ospf dead-interval minimal hello-multiplier 3
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface GigabitEthernet1/9
ip address 10.60.2.221 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router ospf 100
router-id 10.60.254.18
log-adjacency-changes
network 10.60.188.12 0.0.0.3 area 60
network 10.60.254.16 0.0.0.3 area 60
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.60.2.254
!
--More--         no ip http server
!
ip access-list extended JSQ-to-BanGong
permit ospf any any
permit icmp any any
permit ip host 10.60.181.6 any
permit ip host 10.60.181.4 any
permit ip host 10.60.181.5 any
permit ip host 10.60.181.8 any
permit ip host 10.60.181.7 any
permit ip host 10.60.181.9 any
permit ip any 10.60.1.0 0.0.0.255
permit tcp any 192.168.109.0 0.0.0.255 eq www
permit tcp any host 192.168.1.31 eq www
permit tcp any host 10.128.128.8 eq www
permit ip 10.60.182.0 0.0.0.255 host 10.188.64.41
permit ip 10.60.182.0 0.0.0.255 host 10.188.66.8
permit ip 10.60.182.0 0.0.0.255 host 10.188.66.9
permit ip host 10.60.183.96 any
permit ip host 10.60.183.97 any
permit ip host 10.60.183.126 any
!
!
!
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
password 7 020E0C5C1F1E15
login
!
no cns aaa enable
end