Hosts in the internal subnet 192.168.1.0/25 may access the external network without restriction.
Hosts in the internal subnet 192.168.1.128/25 may only send and receive mail; they may not access the external network otherwise.
#
 sysname RouterA
#
 firewall enable                        / enable the firewall feature /
 firewall default deny                  / set the firewall default action to deny /
#
radius scheme system
#
domain system
#
acl number 2000                         / ACL used for NAT translation /
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 1 deny
#
acl number 3001                         / ACL used for packet filtering /
 rule 0 permit ip source 192.168.1.0 0.0.0.127
                                        / internal subnet 192.168.1.0/25: unrestricted access to the external network /
 rule 1 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq pop3
 rule 2 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq smtp
                                        / internal subnet 192.168.1.128/25: mail only /
#
interface Ethernet1/0/0
 ip address 192.168.1.1 255.255.255.0
 firewall packet-filter 3001 inbound    / apply packet filtering to inbound traffic /
#
interface Serial2/0/0
 link-protocol ppp
 ip address 202.101.1.2 255.255.255.252
 nat outbound 2000
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
Check the output of disp firewall-statistics all and disp acl 3001 to confirm that the firewall is actually taking effect:
disp firewall-statistics all
Firewall is enable, default filtering method is 'deny'.
Interface: Ethernet1/0/0
In-bound Policy: acl 3001
Fragments matched normally
From 2006-05-31 5:05:50 to 2006-05-31 6:32:49
198 packets, 24129 bytes, 4% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
5919 packets, 1021492 bytes, 96% denied default,
Totally 198 packets, 24129 bytes, 4% permitted,
Totally 5919 packets, 1021492 bytes, 96% denied.
disp acl 3001
Advanced ACL 3001, 3 rules
Acl's step is 1
rule 0 permit ip source 192.168.1.0 0.0.0.127 (194 times matched)
rule 1 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq pop3 (9 times matched)
rule 2 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq smtp (0 times matched)
[Tips]
1. By default the firewall is disabled (firewall disable); the command "firewall enable" must be used to enable the firewall feature.
2. The firewall's default filtering action is permit; it can be changed to deny with "firewall default deny".
3. When packet filtering is used on the internal network and a DHCP server is assigning addresses at the same time, a rule "rule 0 permit ip source 0.0.0.0 0" must be added to acl 3001; otherwise the DHCP server will be unable to assign addresses.
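The following is an added example, not part of the original configuration page: a small Python model of the packet filter above, evaluating acl 3001 with first-match semantics and the default-deny fallback against a few constructed packets. It also reproduces the DHCP problem from tip 3, since a DHCP DISCOVER arrives with source 0.0.0.0, which no rule in acl 3001 matches. The rule table, packets and port numbers are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Comware-style wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# Constructed model of acl 3001: (action, protocol, source base, source wildcard, dest port)
ACL_3001 = [
    ("permit", "ip",  "192.168.1.0",   "0.0.0.127", None),  # rule 0: 192.168.1.0/25, unrestricted
    ("permit", "tcp", "192.168.1.128", "0.0.0.127", 110),   # rule 1: 192.168.1.128/25, pop3
    ("permit", "tcp", "192.168.1.128", "0.0.0.127", 25),    # rule 2: 192.168.1.128/25, smtp
]

# The variant tip 3 asks for: an extra rule matching exactly host 0.0.0.0 (wildcard 0)
ACL_3001_WITH_DHCP = [("permit", "ip", "0.0.0.0", "0.0.0.0", None)] + ACL_3001

def filter_packet(acl, proto, src, dport=None, default="deny"):
    """Return (action, matched rule index) for the first matching rule, else (default, None)."""
    for idx, (action, rproto, base, wc, rport) in enumerate(acl):
        if rproto != "ip" and rproto != proto:      # 'ip' rules match any protocol
            continue
        if not wildcard_match(src, base, wc):
            continue
        if rport is not None and rport != dport:    # port check only for rules that carry one
            continue
        return action, idx
    return default, None                            # firewall default deny

def summarize(acl, packets):
    """Count permitted / denied packets like disp firewall-statistics would."""
    counts = {"permit": 0, "deny": 0}
    for proto, src, dport in packets:
        counts[filter_packet(acl, proto, src, dport)[0]] += 1
    return counts

# Constructed sample traffic: (protocol, source address, destination port)
SAMPLE = [
    ("tcp", "192.168.1.10",  80),   # 192.168.1.0/25 browsing: permitted by rule 0
    ("tcp", "192.168.1.200", 110),  # 192.168.1.128/25 fetching mail: permitted by rule 1
    ("tcp", "192.168.1.200", 25),   # 192.168.1.128/25 sending mail: permitted by rule 2
    ("tcp", "192.168.1.200", 80),   # 192.168.1.128/25 browsing: hits the default deny
    ("udp", "0.0.0.0",       67),   # DHCP DISCOVER: denied unless the tip 3 rule is present
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", filter_packet(ACL_3001, *pkt))
    print("without DHCP rule:", summarize(ACL_3001, SAMPLE))
    print("with DHCP rule:   ", summarize(ACL_3001_WITH_DHCP, SAMPLE))
```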