4第四课 配置访问控制列表

Content,单击此处编辑母版文本样式,第二级,第三级,第四级,第五级,北京八维网络工程学院,2005 Cisco Systems,Inc.All rights reserved.,SNPA v4.05-,1,第四课 配置访问控制列表,学习目标,在前面所掌握的,ACL,原理和配置基础上，这节课我们来拓展一下知识点，来学习关于时间的访问列表，扩展学生知识。,课程内容,1,、通过所掌握的协议和端口号来实施流量控制,2,、理解接口优先级别与访问列表配置规则,3,、配置基于时间的访问列表,4,、,ActiveX,过滤,5,、,URL,过滤,基于时间的访问列表,Define a time when certain resources can be accessed.,Apply defined time range to the ACL.,192.168.0.0,10.0.0.0,Web,Server,172.16.0.6,Internet,DMZ,Inside,.2,.1,.9,Enable Access,8,a.m,to 5 p.m.,1 Aug to 30 Aug,Temp,Worker,192.168.10.2,fw1(config)#,time-range temp-worker,fw1(config-time-range)#,firewall(config,)#,time-range,name,Time-Range,子命令,定义一个认证时间当资源可以访问时,:,定义一个绝对开始时间和日期,定义一个周期时间,fw1(config)#time-range,temp-worker,fw1(config-time-range)#absolute start 00:00 1 August 2004 end 00:00 30 August 2004,fw1(config-time-range)#periodic weekdays 8:00 to 17:00,firewall(config,)#,192.168.0.0,10.0.0.0,Web,Server,172.16.0.6,Internet,DMZ,Inside,.2,.1,.9,Temp,Worker,192.168.10.2,Enable Access,8,a.m,to 5 p.m.,1 Aug to 30 Aug,Time-based ACL,应用时间范围到一个列表上,fw1(config)#static(,dmz,outside,)192.168.0.6 172.16.0.6,fw1(config)#access-list aclin permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range,temp-worker,192.168.0.0,10.0.0.0,Web,Server,172.16.0.6,Internet,DMZ,Inside,.2,.1,.9,Temp,Worker,192.168.10.2,firewall(config,)#,Enable Access,8,a.m,to 5 p.m.,1 Aug to 30 Aug,Time-based ACL,例子,fw1(config)#static(,dmz,outside,)192.168.0.6 172.16.0.6,fw1(config)#access-list aclin permit tcp host 192.168.10.2 host 192.168.0.6 eq www time-range,temp-worker,fw1#show run time-range,time-range,temp-worker,absolute,start 00:00 1 August 2004,end 00:00 30 August 2004,periodic weekdays 8:00 to 17:00,fw1(config)#show clock,13:48:33.226 UTC Fri,Jul 30 2004,fw1(config)#show access-list,access-list cached ACL log flows:total 0,denied 0(deny-flow-max 4096),alert-interval 300,access-list,aclin,;1 elements,access-list,aclin,line 1 extended permit tcp any,any,eq,www time-range,temp-worker,(,hitcnt,=0)(,inactive,),192.168.0.0,10.0.0.0,Web,Server,172.16.0.6,Internet,DMZ,Inside,.2,.1,.9,Temp,Worker,192.168.10.2,Enable Access,8,a.m,to 5 p.m.,1 Aug to 30 Aug,ActiveX,过滤,fw1(config)#filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0,Specifies that the ActiveX blocking applies to web traffic on port 80 from any local host and to any foreign host,Engineering,10.0.11.0,10.0.12.0,10.0.14.0,Executive,Marketing,DMZ,Internet,Block,ActiveX,HTTP URL Filtering,URL-filtering Server,Request Access to ,Deny,Access,Web Server,Internet,X,firewall(config,)#,定义一个,URL,服务器,fw1(config)#url-server(dmz)vendor n2h2 host 172.16.0.3 protocol TCP,firewall(config,)#,url,-server(,if_name,)vendor n2h2 host,local_ip,port,number,timeout,seconds,protocol TCP|UDP connections,num_conns,Designates a server that runs an N2H2 URL-filtering application,URL-filtering Server,172.16.0.3,TCP,X,X,开启,HTTP URL,过滤,firewall(config,)#,fw1(config)#filter url http 0 0 0 0 allow,filter,url,port,-,port,|except,local_ip,local_mask,foreign_ip,foreign_mask,allow,cgi,-truncate,longurl,-truncate|,longurl,-deny proxy-block,URL-filtering Server,Filter HTTP:,All Hosts,URL-filtering,配置举例,Designate URL server,Enable filtering,fw1(config)#url-server(dmz)vendor websense host 172.16.0.3 timeout 10 protocol TCP version 4,fw1(config)#filter url http 0 0 0 0 allow,URL-filtering Server,Request Access to ,Deny,Access,web server,172.16.0.3,Internet,X,