Π§ΠΈΡΠ°ΡΡ ΠΎΠ½Π»Π°ΠΉΠ½ Β«ΠΠΎΠ»ΠΈΡΠΈΠΊΠΈ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ ΠΊΠΎΠΌΠΏΠ°Π½ΠΈΠΈ ΠΏΡΠΈ ΡΠ°Π±ΠΎΡΠ΅ Π² ΠΠ½ΡΠ΅ΡΠ½Π΅ΡΒ». Π‘ΡΡΠ°Π½ΠΈΡΠ° 39
ΠΠ²ΡΠΎΡ Π‘Π΅ΡΠ³Π΅ΠΉ ΠΠ΅ΡΡΠ΅Π½ΠΊΠΎ
ΠΠΌΠ΅Π½Π° ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠΎΠ² ΠΈ ΡΡΠΎΠ²Π½ΠΈ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ. ΠΠ°ΠΆΠ΄ΡΠΉ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ Π΄ΠΎΠ»ΠΆΠ΅Π½ ΠΈΠΌΠ΅ΡΡ ΠΈΠΌΡ ΠΈ ΡΡΠΎΠ²Π΅Π½Ρ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ. Π£ΡΠΎΠ²Π½ΠΈ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ ΠΎΠΏΡΠ΅Π΄Π΅Π»ΡΡΡ Π΄ΠΎΡΡΡΠΏ ΠΌΠ΅ΠΆΠ΄Ρ ΡΠΈΡΡΠ΅ΠΌΠ°ΠΌΠΈ, ΡΠ°ΡΠΏΠΎΠ»ΠΎΠΆΠ΅Π½Π½ΡΠΌΠΈ Π·Π° ΡΠ°Π·Π»ΠΈΡΠ½ΡΠΌΠΈ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ°ΠΌΠΈ. Π ΠΊΠΎΠΌΠΏΠ°Π½ΠΈΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΡΠ»Π΅Π΄ΡΡΡΠ°Ρ ΡΡ Π΅ΠΌΠ° Π½Π°ΠΈΠΌΠ΅Π½ΠΎΠ²Π°Π½ΠΈΡ ΠΈ ΡΠ°ΡΠΏΡΠ΅Π΄Π΅Π»Π΅Π½ΠΈΡ ΡΡΠΎΠ²Π½Π΅ΠΉ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ (ΡΠΌ. ΡΠ°Π±Π». 4.5). Π’Π°Π±Π»ΠΈΡΠ° 4.5. ΠΠ°ΠΈΠΌΠ΅Π½ΠΎΠ²Π°Π½ΠΈΠ΅ ΠΈ ΡΠ°ΡΠΏΡΠ΅Π΄Π΅Π»Π΅Π½ΠΈΠ΅ ΡΡΠΎΠ²Π½Π΅ΠΉ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΡΡΠΎΠ²Π½Π΅ΠΉ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ ΠΈ ΠΈΠΌΠ΅Π½ Π½Π° ΠΊΠ°ΠΆΠ΄ΠΎΠΌ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ΅:
...nameif ethernet0 AdminDmz security0
nameif ethernetl WebDMZ securityl0
nameif ethernet2 ServiceDMZ security20
nameif ethernet3 SecureData security60
nameif ethernet4 Management security80
nameif ethernet5 Internal security 100
nameif ethernet6 State security40
ΠΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ State ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΡΠΎΠ»ΡΠΊΠΎ Π΄Π»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ ΡΠ΅ΠΆΠΈΠΌΠ° failover. ΠΠΎΠΌΠ°Π½Π΄Ρ Π½Π°ΡΡΡΠΎΠΉΠΊΠΈ ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ Π·Π΄Π΅ΡΡ Π½Π΅ ΠΏΠΎΠΊΠ°Π·Π°Π½Ρ. ΠΠ°ΡΠΎΠ»ΠΈ:
...enable password GHjiiuUIIH67JH encrypted
passwd Huhu&*8h9h encrypted
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ NAT. ΠΠ½ΡΡΡΠ΅Π½Π½ΠΈΠ΅ ΠΌΠ΅ΠΆΡΠ΅ΡΠ΅Π²ΡΠ΅ ΡΠΊΡΠ°Π½Ρ Π½Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡ ΡΡΠ°Π½ΡΠ»ΡΡΠΈΡ Π°Π΄ΡΠ΅ΡΠΎΠ², Π½ΠΎ ΡΠ°Π±Π»ΠΈΡΠ° ΡΡΠ°Π½ΡΠ»ΡΡΠΈΠΈ Π°Π΄ΡΠ΅ΡΠΎΠ² NAT Π²ΡΠ΅ ΠΆΠ΅ ΡΡΠ΅Π±ΡΠ΅ΡΡΡ Π΄Π»Ρ ΠΎΡΠ³Π°Π½ΠΈΠ·Π°ΡΠΈΠΈ Π΄ΠΎΡΡΡΠΏΠ° Π² ΠΏΠΎΠ΄ΡΠ΅ΡΠΈ Ρ ΡΠ°Π·Π½ΡΠΌΠΈ ΡΡΠΎΠ²Π½ΡΠΌΠΈ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ. ΠΠΎΠΌΠ°Π½Π΄Π° global Π½Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ, ΡΠ°ΠΊ ΠΊΠ°ΠΊ ΡΠ΅Π°Π»ΡΠ½ΠΎΠΉ ΡΡΠ°Π½ΡΠ»ΡΡΠΈΠΈ Π½Π΅ ΠΏΡΠΎΠΈΡΡ ΠΎΠ΄ΠΈΡ. ΠΠ»Ρ ΡΠ°Π·ΡΠ΅ΡΠ΅Π½ΠΈΡ Π΄ΠΎΡΡΡΠΏΠ° ΡΠ΅ΡΠ΅Π· ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ Ρ Π½ΠΈΠ·ΠΊΠΈΠΌ ΡΡΠΎΠ²Π½Π΅ΠΌ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ ΡΠΎ ΡΡΠΎΡΠΎΠ½Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠΎΠ² Ρ Π±ΠΎΠ»Π΅Π΅ Π²ΡΡΠΎΠΊΠΈΠΌ ΡΡΠΎΠ²Π½Π΅ΠΌ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΠΊΠΎΠΌΠ°Π½Π΄Π° nat. ΠΡΠ° ΠΊΠΎΠΌΠ°Π½Π΄Π° ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΡΡΡ ΡΠΎΠ»ΡΠΊΠΎ Π½Π° ΡΠ΅Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ°Ρ , ΠΊΠΎΠΌΠΏΡΡΡΠ΅ΡΠ°ΠΌ ΠΊΠΎΡΠΎΡΡΡ ΡΡΠ΅Π±ΡΠ΅ΡΡΡ Π΄ΠΎΡΡΡΠΏ ΠΊ ΠΊΠΎΠΌΠΏΡΡΡΠ΅ΡΠ°ΠΌ, Π½Π°Ρ ΠΎΠ΄ΡΡΠΈΠΌΡΡ Π·Π° ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ°ΠΌΠΈ Ρ ΠΌΠ΅Π½ΡΡΠΈΠΌ ΡΡΠΎΠ²Π½Π΅ΠΌ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ:
...nat (internal) 0 172.16.16.0. 255.255.248.0
nat (internal) 0 172.16.32.0. 255.255.224.0
nat (Management) 0 172.16.6.0. 255.255.255.0
nat (SecureData) 0 172.16.5.0. 255.255.255.0
ΠΠ»Ρ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ Π΄ΠΎΡΡΡΠΏΠ° ΠΈΠ· ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠΎΠ² Ρ Π±ΠΎΠ»Π΅Π΅ Π²ΡΡΠΎΠΊΠΈΠΌ ΡΡΠΎΠ²Π½Π΅ΠΌ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΠΊΠΎΠΌΠ°Π½Π΄Π° static:
...static (Management, AdminDMZ) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (Management, WebDMZ) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (Management, ServiceDMZ) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (Management, SecureData) 172.16.6.0 172.16.6.0 netmask 255.255.255.0
static (SecureData, WebDMZ) 172.16.5.0 172.16.5.0 netmask 255.255.255.0
static (Internal, Management) 172.16.16.0 172.16.16.0 netmask 255.255.248.0
static (Internal, ServiceDMZ) 172.16.16.0 172.16.16.0 netmask 255.255.248.0
ΠΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΡ ΡΠΏΠΈΡΠΊΠΎΠ² ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ°. ΠΠ»Ρ ΠΏΡΠΎΡ ΠΎΠΆΠ΄Π΅Π½ΠΈΡ ΡΡΠ°ΡΠΈΠΊΠ° Π½Π΅ΠΎΠ±Ρ ΠΎΠ΄ΠΈΠΌΠΎ ΡΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠΈΡΠΎΠ²Π°ΡΡ ΡΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ°.
ΠΠ΅ΠΆΡΠ΅ΡΠ΅Π²ΡΠ΅ ΡΠΊΡΠ°Π½Ρ PIX ΠΎΡΠ»ΠΈΡΠ°ΡΡΡΡ ΠΎΡ Check Point ΡΠ΅ΠΌ, ΡΡΠΎ ΡΡΠ΅Π±ΡΡΡ ΡΠΎΠ·Π΄Π°Π½ΠΈΡ ΡΠΏΠΈΡΠΊΠΎΠ² ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠ³ΠΎ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ°. ΠΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ ΡΠ°Π±Π». 4.6.
Π’Π°Π±Π»ΠΈΡΠ° 4.6. Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ°
ΠΡΠΎΠ΄ΠΎΠ»ΠΆΠ΅Π½ΠΈΠ΅ ΡΠ°Π±Π». 4.6
ΠΡΠΎΠ΄ΠΎΠ»ΠΆΠ΅Π½ΠΈΠ΅ ΡΠ°Π±Π». 4.6
ΠΠΊΠΎΠ½ΡΠ°Π½ΠΈΠ΅ ΡΠ°Π±Π». 4.6
Turbo ACL. ΠΠ»Ρ ΡΡΠΊΠΎΡΠ΅Π½ΠΈΡ ΠΎΠ±ΡΠ°Π±ΠΎΡΠΊΠΈ ΡΠΏΠΈΡΠΊΠΎΠ² ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ PIX ΠΏΠΎ ΠΊΠΎΠΌΠΏΠΈΠ»ΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΡΠΏΠΈΡΠΊΠΎΠ² ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ°. ΠΠΊΠ»ΡΡΠ°Π΅ΡΡΡ ΡΡΠ° Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ ΡΠ»Π΅Π΄ΡΡΡΠ΅ΠΉ ΠΊΠΎΠΌΠ°Π½Π΄ΠΎΠΉ:
access-list compiled
ΠΡΡΠΏΠΏΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΠΎΠ±ΡΠ΅ΠΊΡΠΎΠ². ΠΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ Π³ΡΡΠΏΠΏΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΠΎΠ±ΡΠ΅ΠΊΡΠΎΠ² PIX ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΡΠ»ΡΡΡΠΈΡΡ ΡΠΈΡΠ°Π±Π΅Π»ΡΠ½ΠΎΡΡΡ ΡΠΏΠΈΡΠΊΠΎΠ² ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ°, ΡΡΠΊΠΎΡΠΈΡΡ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ ΠΏΠΎΡ ΠΎΠΆΠΈΡ Π·Π°ΠΏΠΈΡΠ΅ΠΉ Π² ΡΠΏΠΈΡΠΊΠ°Ρ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ°:...object-group network WebDMZServers
network-object 172.16.3.16 255.255.255.248
network-object 172.16.3.24 255.255.255.248
network-object 172.16.3.64 255.255.255.248
object-group network AdminDMZNet
network-object 70.70.70.16 255.255.255.252
network-object 172.16.1.8 255.255.255.248
object-group network AdminDMZAll
network-object 172.16.1.4 255.255.255.252
group-object AdminDMZNetobject-group network WindowsTS
group-object WebDMZServers
network-object 172.16.4.112 255.255.255.252
network-object 172.16.5.0 255.255.255.0
network-object 172.16.16.16 255.255.248.0object-group service FW1-In tcp
port-object eq 256
port-object eq 258
port-object eq 18191
port-object eq 18192
port-object eq 18211object-group service FW1-Out tcp
port-object eq 256
port-object eq 257
port-object eq 18210Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° AdminDMZ:
...access-list AdminDMZ-ACL permit udp object-group AdminDMZNet host 172.16.6.25 eq514
access-list AdminDMZ-ACL permit top 172.16.1.4 255.255.255.252 host 172.16.6.13 object-group FWl-Out
access-list AdminDMZ-ACL permit udp 172.16.1.4 255.255.255.252 host 172.16.6.13 eq 259
access-list AdminDMZ-ACL permit udp object-group AdminDMZAll host 172.16.6.33 eql62
access-list AdminDMZ-ACL permit udp object-group AdminDMZAll host 172.16.6.41 eql23
access-list AdminDMZ-ACL permit top 70.70.70.16 255.255.255.252 host 172.16.6.21 eq 49
access-list AdminDMZ-ACL deny ip any any
Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° WebDMZ:
...access-list WebDMZ-ACL permit top 172.16.3.64 255.255.255.248 host 172.16.5.30 eq 2002
access-list WebDMZ-ACL permit top 172.16.3.64 255.255.255.248172.16.5.32 255.255.255.252 eq 445
access-list WebDMZ-ACL permit udp object-group WebDMZServers 172.16.5.52 255.255.255.252 eq 53
access-list WebDMZ-ACL permit tcp object-group WebDMZServers 172.16.5.52 255.255.255.252 eq 53
access-list WebDMZ-ACL permit udp object-group WebDMZServers 172.16.5.48 255.255.255.252 eq 500
access-list WebDMZ-ACL permit ah object-group WebDMZServers 172.16.5.48 255.255.255.252
access-list WebDMZ-ACL permit udp object-group WebDMZServers host 172.16.6.33 eql62
access-list WebDMZ-ACL permit top 172.16.3.16 255.255.255.240 host 172.16.6.9 eq443
access-list WebDMZ-ACL permit icmp object-group WebDMZServers 172.16.5.0 255.255.255.0 source-quench
access-list WebDMZ-ACL deny ip any any
Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° ServiceDMZ:
...access-list ServiceDMZ-ACL permit tcp 172.16.4.108 255.255.255.252 host 172.16.17.46 eq 25
access-list ServiceDMZ-ACL permit udp 172.16.4.104 255.255.255.252 host 172.16.6.25 eq 514
access-list ServiceDMZ-ACL permit udp host 172.16.4.117 host 172.16.6.25 eq 514
access-list ServiceDMZ-ACL permit tcp 172.16.61.0 255.255.255.0 host 172.16.17.54 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 host 172.16.17.54 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.61.0 255.255.255.0 172.16.17.32 255.255.255.248 eq 80
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 172.16.17.32 255.255.255.248 eq 80
access-list ServiceDMZ-ACL permit tcp 172.16.61.0 255.255.255.0 172.16.17.32 255.255.255.248 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 172.16.17.32 255.255.255.248 eq 443
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 host 172.16.6.45 eq 22
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 host 172.16.6.13 eq 18190
access-list ServiceDMZ-ACL permit tcp 172.16.62.0 255.255.255.248 172.16.6.0 255.255.255.0 eq 3389
access-list ServiceDMZ-ACL permit tcp host 172.16.4.117 host 172.16.6.17 eq 389
access-list ServiceDMZ-ACL permit udp host 172.16.4.117 host 172.16.6.21 range 1645 1646
access-list ServiceDMZ-ACL permit tcp host 172.16.4.117 host 172.16.6.29 eq 5054
access-list ServiceDMZ-ACL permit udp 172.16.4.0 255.255.255.0 host 172.16.6.33 eq 162
access-list ServiceDMZ-ACL permit udp 172.16.4.0 255.255.255.0 host 172.16.6.41 eq 123
access-list ServiceDMZ-ACL deny ip any any
Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° SecureData:
...access-list SecureData-ACL permit udp 172.16.5.48 255.255.255.252 object-group WebDMZServers eq 500
access-list Secure Data-ACL permit ah 172.16.5.48 255.255.255.252 object-group WebDMZServers
access-list Secure Data-ACL permit udp 172.16.5.48 255.255.255.252 host 172.16.6.41 eq 123
access-list SecureData-ACL permit udp 172.16.5.52 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list SecureData-ACL permit tcp 172.16.5.52 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list SecureData-ACL permit udp 172.16.5.0 255.255.255.0 host 172.16.6.33 eq 162
access-list WebDMZ-ACL permit icmp 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 source-quench
access-list SecureData-ACL deny ip any any
Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° Management:
...access-list Management-ACL permit udp host 172.16.6.33 172.16.0.0 255.255.0.0 eq 161
access-list Management-ACL permit udp host 172.16.6.33 70.70.70.16 255.255.255.252 eq 161
access-list Management-ACL permit tcp 172.16.6.0 255.255.255.0 172.16.1.8 255.255.255.248 eq 22
access-list Management-ACL permit tcp 172.16.6.0 255.255.255.0 172.16.4.96 255.255.255.224 eq 22
access-list Management-ACL permit tcp 172.16.6.0 255.255.255.0 object-group WindowsTS eq 3389
access-list Management-ACL permit tcp host 172.16.6.13 172.16.1.4 255.255.255.252 object-group FWl-In
access-list Management-ACL permit udp host 172.16.6.13 172.16.1.4 255.255.255.252 eq 259
access-list Management-ACL deny ip any any
Π‘ΠΏΠΈΡΠΊΠΈ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ° Π΄Π»Ρ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° Internal:
...access-list Internal-ACL permit tcp 172.16.32.0 255.255.224.0 172.16.4.104 255.255.255.252 eq 8080
access-list Internal-ACL permit tcp host 172.16.17.46 172.16.4.108 255.255.255.252 eq 25
access-list Internal-ACL permit udp 172.16.17.20 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list Internal-ACL permit tcp 172.16.17.20 255.255.255.252 172.16.4.112 255.255.255.252 eq 53
access-list Internal-ACL permit tcp 172.16.35.0 255.255.255.248 host 172.16.5.30 eq 2002
access-list Internal-ACL permit tcp 172.16.36.0 255.255.255.248 172.16.5.32 255.255.255.252 eq 445
access-list Internal-ACL permit udp 172.16.16.16 255.255.248.0 host 172.16.6.33 eq 162
access-list Internal-ACL permit udp 172.16.17.16 255.255.255.252 host 172.16.6.41 eq 123
access-list Internal-ACL deny ip any any
ΠΠΊΠ»ΡΡΠ΅Π½ΠΈΠ΅ ΡΠΏΠΈΡΠΊΠΎΠ² ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π΄ΠΎΡΡΡΠΏΠ°:
...access-group AdminDMZ-ACL in interface AdminDMZ
access-group WebDMZ-ACL in interface WebDMZ
access-group ServiceDMZ-ACL in interface ServiceDMZ
access-group SecureData-ACL in interface SecureData
access-group Management-ACL in interface Management
access-group Internal-ACL in interface Internal
ΠΠ°ΡΡΡΠΎΠΉΠΊΠ° TACACS+. TACACS+ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π΄Π»Ρ ΡΠ΅Π½ΡΡΠ°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π½ΠΎΠ³ΠΎ ΡΠΏΡΠ°Π²Π»Π΅Π½ΠΈΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠ΅ΠΉ ΠΈ Π°Π²ΡΠΎΡΠΈΠ·Π°ΡΠΈΠ΅ΠΉ Π΄ΠΎΡΡΡΠΏΠ° ΠΊ ΠΌΠ΅ΠΆΡΠ΅ΡΠ΅Π²ΡΠΌ ΡΠΊΡΠ°Π½Π°ΠΌ. ΠΠΏΡΠ΅Π΄Π΅Π»ΡΠ΅ΠΌ IP-Π°Π΄ΡΠ΅Ρ ΡΠ΅ΡΠ²Π΅ΡΠ° TACACS+ ΠΈ ΠΏΠ°ΡΠΎΠ»Ρ Π΄Π»Ρ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ:
...aaa-server TACACS+ (Management) host 172.16.6.21 F$!19Ty timeout 5