Requirements:
Outbound traffic:
1. Inspect the HTTP/SMTP/Telnet/ICMP protocols
2. Require the TCP three-way handshake to complete within 15 seconds
3. Limit half-open connections (high: 1000 / low: 800)
Inbound traffic:
1. Permit HTTP traffic to the internal server
2. Limit half-open connections (high: 100 / low: 80)
Basic configuration:
****************************************************************************** Configure the parameter maps used by the inspect action of the policy-maps
parameter-map type inspect inbound
max-incomplete low 80
max-incomplete high 100
parameter-map type inspect outbound
max-incomplete low 800
max-incomplete high 1000
tcp synwait-time 15
****************************************************************************** Configure the class-maps that match the traffic of interest
class-map type inspect match-any outbound
match protocol http
match protocol smtp
match protocol telnet
match protocol icmp
class-map type inspect match-all inbound
match protocol http
match access-group name inbound
(Note: when doing deep packet inspection (DPI), traffic must be matched by combining match protocol with an access list, with the deep matching done in the protocol match; matching tcp eq 23 directly in the ACL would be equivalent here, but the official configuration guidance recommends the former.)
****************************************************************************** Configure the policy-maps that apply the policy
policy-map type inspect outbound
class type inspect outbound
inspect outbound
class class-default
policy-map type inspect inbound
class type inspect inbound
inspect inbound
class class-default
****************************************************************************** Define the two zones
zone security inside
zone security outside
****************************************************************************** Configure the zone-pairs and enable the corresponding policies
zone-pair security in-out source inside destination outside
service-policy type inspect outbound
zone-pair security out-in source outside destination inside
service-policy type inspect inbound
****************************************************************************** Configure the ACLs used to match source and destination addresses
ip access-list extended inbound
permit ip any host 10.1.1.1
ip access-list extended outbound
permit ip 10.1.1.0 0.0.0.255 any
****************************************************************************** Assign the interfaces to the zones
interface ethernet0/0
ip address 10.1.1.10 255.255.255.0
zone-member security inside
serial restart-delay 0
interface ethernet0/1
ip address 202.100.1.10 255.255.255.0
zone-member security outside
serial restart-delay 0
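As an added check that is not part of the original configuration notes: a small Python audit that parses the parameter-maps and zone-pairs from this page's ZBF configuration (constructed inline in IOS's indented form, with the zone-pair lines spelled `destination outside` / `destination inside`) and verifies that each max-incomplete high is above its low and that every zone-pair is bound to a defined inspect policy-map. The function name and result layout are this example's own.

```python
import re

# Constructed sample (not a device capture): the relevant parts of the
# ZBF configuration from this page, indented the way IOS stores them.
ZBF_CONFIG = """\
parameter-map type inspect inbound
 max-incomplete low 80
 max-incomplete high 100
parameter-map type inspect outbound
 max-incomplete low 800
 max-incomplete high 1000
 tcp synwait-time 15
policy-map type inspect outbound
 class type inspect outbound
  inspect outbound
policy-map type inspect inbound
 class type inspect inbound
  inspect inbound
zone-pair security in-out source inside destination outside
 service-policy type inspect outbound
zone-pair security out-in source outside destination inside
 service-policy type inspect inbound
"""

def audit_zbf(config):
    """Return {"params", "pairs", "issues"}; an empty issues list means the checks pass."""
    params, policies, pairs, issues, current = {}, set(), {}, [], {}
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"parameter-map type inspect (\S+)$", text):
            current = params.setdefault(m.group(1), {})       # thresholds go here
        elif m := re.match(r"max-incomplete (low|high) (\d+)$", text):
            current[m.group(1)] = int(m.group(2))
        elif m := re.match(r"tcp synwait-time (\d+)$", text):
            current["synwait"] = int(m.group(1))
        elif m := re.match(r"policy-map type inspect (\S+)$", text):
            policies.add(m.group(1))
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", text):
            current = pairs.setdefault(m.group(1), {"src": m.group(2), "dst": m.group(3)})
        elif text.startswith("zone-pair security"):           # e.g. "destinationoutside"
            issues.append(f"malformed zone-pair line: {text}")
            current = {}                                       # discard what follows it
        elif m := re.match(r"service-policy type inspect (\S+)$", text):
            current["policy"] = m.group(1)
    for name, p in params.items():
        if not p.get("low", 0) < p.get("high", 0):
            issues.append(f"parameter-map {name}: max-incomplete high must be above low")
    for name, pair in pairs.items():
        if pair.get("policy") not in policies:
            issues.append(f"zone-pair {name}: no defined inspect policy-map bound")
    return {"params": params, "pairs": pairs, "issues": issues}
```

Run it against the actual running-config text (`show running-config | section parameter-map|policy-map|zone-pair`) to catch a mistyped zone-pair or swapped thresholds before the policy goes live.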