! ACLs 160/161: drop routing-protocol packets, pass all other IP.
! In the branch-router listing further down, 160 is bound inbound and 161
! outbound on the two interfaces that carry the crypto maps.
! The "//" notes of the original were moved onto "!" lines so the listing can be pasted into IOS.
! ACL 160: deny OSPF (IP protocol 89).
access-list 160 deny ospf any any
! Permit all remaining IP traffic.
! NOTE(review): with this line the list filters nothing except OSPF; it does not
! limit who can reach the router or the hosts behind it.
access-list 160 permit ip any any
! ACL 161: deny EIGRP (IP protocol 88).
! NOTE(review): an outbound interface ACL on IOS does not filter packets the
! router itself originates, so this entry only affects transit EIGRP packets.
access-list 161 deny eigrp any any
! Permit all remaining IP traffic.
access-list 161 permit ip any any
! ACLs 105/101: each matches GRE between one pair of tunnel endpoints.
! Presumably these are crypto-map "match address" lists; the crypto maps that
! reference them are not part of this fragment - confirm.
access-list 105 permit gre host 172.16.4.1 host 172.16.40.1
! This entry is the mirror image of ACL 101 in the branch-router listing
! (172.16.10.1 -> 172.16.1.1); crypto ACLs on two IPsec peers must mirror each other.
access-list 101 permit gre host 172.16.1.1 host 172.16.10.1
! ACL 111: per-service filter; the source addresses suggest subnet 10.0.1.0/24
! (the interface binding is not shown in this fragment - confirm).
! Deny access to the FTP service (TCP/21).
access-list 111 deny tcp any any eq ftp
! Permit access to the e-mail service: SMTP from 10.0.1.0/24 to 10.0.35.2.
! NOTE(review): no "deny tcp any any eq smtp" follows, so the closing
! "permit ip any any" also passes SMTP to every other host. If the intent is
! "this server only", an explicit deny is needed after this line.
access-list 111 permit tcp 10.0.1.0 0.0.0.255 host 10.0.35.2 eq smtp
! Deny access to DNS (UDP/53).
! NOTE(review): DNS over TCP/53 is not matched here and passes via the closing permit.
access-list 111 deny udp any any eq domain
! Permit access to HTTP: TCP/80 from 10.0.1.0/24 to 10.0.33.2.
! NOTE(review): same as SMTP above - without a following deny for "eq www"
! this entry does not restrict HTTP to that one server.
access-list 111 permit tcp 10.0.1.0 0.0.0.255 host 10.0.33.2 eq www
! Permit all remaining IP traffic (overrides the implicit deny at the end of the list).
access-list 111 permit ip any any
! ACL 112: per-service filter; the source addresses suggest subnet 10.0.2.0/24
! (the interface binding is not shown in this fragment - confirm).
! Deny access to the FTP service (TCP/21).
access-list 112 deny tcp any any eq ftp
! Permit access to the e-mail service: SMTP from 10.0.2.0/24 to 10.0.35.2.
! NOTE(review): there is no deny for SMTP, so the closing "permit ip any any"
! allows SMTP to any host; this entry alone does not restrict it.
access-list 112 permit tcp 10.0.2.0 0.0.0.255 host 10.0.35.2 eq smtp
! Permit access to DNS: UDP/53 from 10.0.2.0/24 to 10.0.33.2.
! NOTE(review): likewise no deny for DNS follows, so DNS to any resolver is allowed.
access-list 112 permit udp 10.0.2.0 0.0.0.255 host 10.0.33.2 eq domain
! Deny access to HTTP (TCP/80 only; other ports such as 443 are not matched).
access-list 112 deny tcp any any eq www
! Permit all remaining IP traffic.
access-list 112 permit ip any any
! ACL 113: deny FTP, SMTP, DNS and HTTP from any source, permit everything else.
! The interface binding is not shown in this fragment.
access-list 113 deny tcp any any eq ftp
access-list 113 deny tcp any any eq smtp
! Only UDP/53 is matched; DNS over TCP/53 passes via the closing permit.
access-list 113 deny udp any any eq domain
access-list 113 deny tcp any any eq www
! Permit all remaining IP traffic.
access-list 113 permit ip any any
! ACL 114: per-service filter; the source addresses suggest subnet 10.0.4.0/24
! (the interface binding is not shown in this fragment - confirm).
! Deny FTP (TCP/21).
access-list 114 deny tcp any any eq ftp
! Permit SMTP from 10.0.4.0/24 to 10.0.35.2 and DNS (UDP/53) to 10.0.33.2.
! NOTE(review): neither permit is followed by a matching deny, so the closing
! "permit ip any any" allows SMTP and DNS to any destination. Add explicit
! denies if access is meant to be limited to these two servers.
access-list 114 permit tcp 10.0.4.0 0.0.0.255 host 10.0.35.2 eq smtp
access-list 114 permit udp 10.0.4.0 0.0.0.255 host 10.0.33.2 eq domain
! Deny HTTP (TCP/80).
access-list 114 deny tcp any any eq www
! Permit all remaining IP traffic.
access-list 114 permit ip any any
! ACL 115: deny FTP, SMTP and DNS (UDP/53); permit HTTP; permit everything else.
! The interface binding is not shown in this fragment.
access-list 115 deny tcp any any eq ftp
access-list 115 deny tcp any any eq smtp
access-list 115 deny udp any any eq domain
! NOTE(review): the source subnet is 10.0.1.0/24, the same one ACL 111 uses,
! while ACLs 112 and 114 use 10.0.2.0 and 10.0.4.0. Verify this is not a
! copy-paste slip. It has no effect on the result either way, because no deny
! for "eq www" follows and the closing permit passes HTTP from any source.
access-list 115 permit tcp 10.0.1.0 0.0.0.255 host 10.0.33.2 eq www
! Permit all remaining IP traffic.
access-list 115 permit ip any any
ПРИЛОЖЕНИЕ Б
НАСТРОЙКИ МАРШРУТИЗАТОРА ПЕРВОГО ФИЛИАЛА
! IKE phase 1 policy: AES encryption, pre-shared-key authentication, DH group 2.
! No hash or lifetime is set, so the platform defaults apply.
crypto isakmp policy 1
! No key length given; IOS then uses 128-bit AES.
encr aes
authentication pre-share
! NOTE(review): group 2 is 1024-bit MODP Diffie-Hellman, which is below current
! recommendations. Where the image supports it, use "group 14" or higher and set
! the hash explicitly (e.g. "hash sha256"). Both peers must be changed together,
! or phase 1 negotiation will fail.
group 2
!
! Pre-shared IKE keys for the two peers, 172.16.1.1 and 172.16.21.1.
! NOTE(review): as printed, no key string follows the "0". Either the secret was
! dropped from the listing or the key is literally "0" - confirm against the
! device. In both cases both peers share the same value here. Use a long random
! key unique to each peer, and store it encrypted (type 6: "key config-key
! password-encrypt" together with "password encryption aes") rather than in clear text.
crypto isakmp key 0 address 172.16.1.1
crypto isakmp key 0 address 172.16.21.1
!
! IPsec (phase 2) transform sets, one per tunnel; both are identical:
! ESP with AES encryption and HMAC-SHA-1 integrity. No "mode" line is given,
! so the default (tunnel mode) applies.
! NOTE(review): where both ends support it, prefer a SHA-2 integrity transform
! (e.g. "esp-sha256-hmac"); the change has to be made on both peers.
crypto ipsec transform-set 101 esp-aes esp-sha-hmac
crypto ipsec transform-set 102 esp-aes esp-sha-hmac
!
! Crypto map for the second tunnel: traffic matching ACL 102 is protected with
! transform-set 102 towards peer 172.16.21.1. Bound to Ethernet1/0 below.
crypto map tun_2 100 ipsec-isakmp
set peer 172.16.21.1
! PFS: a fresh DH exchange for every phase 2 rekey.
! NOTE(review): group2 is 1024-bit MODP; raise it together with the IKE policy group.
set pfs group2
set transform-set 102
match address 102
!
! Crypto map for the first tunnel: traffic matching ACL 101 is protected with
! transform-set 101 towards peer 172.16.1.1. Bound to FastEthernet0/1 below.
crypto map tun_1 100 ipsec-isakmp
set peer 172.16.1.1
! NOTE(review): same 1024-bit PFS group as in tun_2.
set pfs group2
set transform-set 101
match address 101
!
! Tunnel to 172.16.1.1. No "tunnel mode" is set, so this is the default GRE
! encapsulation. The GRE packets leave via FastEthernet0/1, where they match
! crypto ACL 101 (172.16.10.1 -> 172.16.1.1) and are encrypted by crypto map tun_1.
interface Tunnel1
ip address 10.70.1.1 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 172.16.1.1
!
! Tunnel to 172.16.21.1, sourced from Ethernet1/0; its GRE packets match
! crypto ACL 102 and are encrypted by crypto map tun_2.
! NOTE(review): "network 10.0.0.0" under router eigrp 1 covers both tunnel
! addresses, so EIGRP runs over these tunnels without neighbor authentication.
interface Tunnel2
ip address 10.70.2.2 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 172.16.21.1
!
! LAN-side physical port carrying an 802.1Q trunk with two subinterfaces.
! NOTE(review): the physical interface has its own address (10.0.72.2) and
! subinterface .1 is also declared native (untagged). Confirm which of the two
! is meant to receive untagged frames.
interface FastEthernet0/0
ip address 10.0.72.2 255.255.255.0
duplex auto
speed auto
!
! VLAN 1 (native/untagged), subnet 10.0.11.0/24, filtered inbound by ACL 121.
! NOTE(review): carrying user traffic on native VLAN 1 is usually avoided;
! consider a dedicated, otherwise unused native VLAN.
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.0.11.1 255.255.255.0
ip access-group 121 in
!
! VLAN 2, subnet 10.0.12.0/24, filtered inbound by ACL 122.
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.0.12.1 255.255.255.0
ip access-group 122 in
!
! Uplink used as the source of Tunnel1; crypto map tun_1 encrypts the GRE
! traffic leaving here. ACL 160 filters inbound and ACL 161 outbound.
! NOTE(review): in this appendix ACL 160 is listed with a single "deny ospf"
! entry and ACL 161 is not listed at all - the listing looks truncated.
! As written, the implicit deny of ACL 160 would drop all inbound traffic,
! IKE and ESP included, and an access-group pointing at an ACL with no
! entries passes everything. Check the running configuration.
! Hardening option: only IPsec from the peer is expected on this interface, so
! the inbound ACL could permit just UDP/500 and ESP from 172.16.1.1 instead of
! "permit ip any any". Depending on the IOS release, decrypted GRE may need a
! permit as well.
interface FastEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip access-group 160 in
ip access-group 161 out
duplex auto
speed auto
crypto map tun_1
!
! Uplink used as the source of Tunnel2; crypto map tun_2 encrypts the GRE
! traffic towards 172.16.21.1. Same ACL bindings, and the same review points,
! as FastEthernet0/1.
interface Ethernet1/0
ip address 172.16.12.1 255.255.255.0
ip access-group 160 in
ip access-group 161 out
duplex auto
speed auto
crypto map tun_2
!
! Ethernet1/1 - Ethernet1/3: no address assigned and administratively shut
! down, i.e. unused ports are kept disabled.
interface Ethernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Ethernet1/2
no ip address
duplex auto
speed auto
shutdown
!
interface Ethernet1/3
no ip address
duplex auto
speed auto
shutdown
!
! EIGRP autonomous system 1 on every interface whose address falls in
! 10.0.0.0/8: FastEthernet0/0, its two subinterfaces, Tunnel1 and Tunnel2.
! The 172.16.x.x uplinks are not covered.
! NOTE(review): there is no "passive-interface" and no EIGRP authentication.
! Hellos are therefore sent on the user VLANs, and ACL 121 (which ends in
! "permit ip any any") lets a host on VLAN 1 form an adjacency and inject routes.
! Make the user-facing subinterfaces passive, and authenticate the tunnel
! neighbors ("ip authentication mode eigrp 1 md5" plus a key chain on the
! tunnel interfaces).
router eigrp 1
network 10.0.0.0
! Advertise subnets as configured instead of summarising at classful boundaries.
no auto-summary
!
! Static routing.
ip classless
! Reach the two IPsec peers' networks through the next hop on each uplink.
ip route 172.16.1.0 255.255.255.0 172.16.10.2
ip route 172.16.21.0 255.255.255.0 172.16.12.2
! 192.168.5.0/24 is reached via 10.70.1.2, an address in Tunnel1's subnet,
! so this traffic goes through the GRE tunnel protected by crypto map tun_1.
ip route 192.168.5.0 255.255.255.0 10.70.1.2
!
! Crypto ACLs referenced by "match address" in crypto maps tun_1 (101) and
! tun_2 (102): only GRE between the local uplink address and the peer is
! selected for encryption. All other traffic on those interfaces leaves unencrypted.
! Each entry must be mirrored on the remote peer.
access-list 101 permit gre host 172.16.10.1 host 172.16.1.1
access-list 102 permit gre host 172.16.12.1 host 172.16.21.1
! ACL 121: applied inbound on FastEthernet0/0.1 (subnet 10.0.11.0/24).
! Permit FTP (TCP/21) from the subnet to 10.0.35.2.
! NOTE(review): no "deny tcp any any eq ftp" follows, so the closing permit
! also allows FTP to any other host; this entry by itself restricts nothing.
access-list 121 permit tcp 10.0.11.0 0.0.0.255 host 10.0.35.2 eq ftp
! Deny SMTP, DNS over UDP/53, and HTTP (TCP/80) to any destination.
! DNS over TCP/53 and HTTPS are not matched and pass via the closing permit.
access-list 121 deny tcp any any eq smtp
access-list 121 deny udp any any eq domain
access-list 121 deny tcp any any eq www
! Permit all remaining IP traffic, including EIGRP packets from hosts on this VLAN.
access-list 121 permit ip any any
! ACL 122: applied inbound on FastEthernet0/0.2 (subnet 10.0.12.0/24).
! Its only entry permits HTTP to 10.0.33.2. Everything else from this VLAN -
! DNS, ICMP, DHCP, any other server - is dropped by the implicit deny at the
! end of the list.
! NOTE(review): confirm this is intended and not a truncated listing.
access-list 122 permit tcp 10.0.12.0 0.0.0.255 host 10.0.33.2 eq www
! ACL 160: applied inbound on FastEthernet0/1 and Ethernet1/0.
! NOTE(review): the listing ends here. A "permit ip any any" for ACL 160 and
! the whole of ACL 161 (referenced outbound on the same interfaces) are not
! shown. Without a permit entry this list would block all inbound traffic on
! both uplinks.
access-list 160 deny ospf any any