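R01 is inside; lo0 acts as the PC client: 11.11.11.1/24

R03 is outside; lo0 acts as the Internet server: 22.22.22.1/24

R07 is the DMZ; lo0 acts as the DMZ server: 33.33.33.1/24

R02 simulates the firewall:

e0/0 is the inside interface: 1.1.1.1/30

e0/1 is the outside interface: 2.2.2.1/30

s2/0 is the DMZ interface: 3.3.3.1/30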

Lab objectives:

1. R01 can telnet to 22.22.22.1 in the DMZ zone;

2. R03 cannot telnet to R07;

3. R07 cannot initiate connections to R01 or R03;

4. ICMP is enabled for R07.

R2-FW#    show run

Building configuration...

Current configuration : 2012 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2-FW

!

boot-start-marker

boot-end-marker

!

security passwords min-length 1

!

no aaa new-model

clock timezone CST 8

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip source-route

!

!        

!

!

ip cef

no ip domain lookup

no ipv6 traffic interface-statistics

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

redundancy

!

!

!

!

!        

!

!

!

!

interface Ethernet0/0

 ip address 1.1.1.1 255.255.255.0

!

interface Ethernet0/1

 ip address 3.3.3.1 255.255.255.248

!

interface Ethernet0/2

 no ip address

 shutdown

!

interface Ethernet0/3

 no ip address

 shutdown

!

interface Ethernet1/0

 no ip address

 shutdown

!

interface Ethernet1/1

 no ip address

 shutdown

!

interface Ethernet1/2

 no ip address

 shutdown

!

interface Ethernet1/3

 no ip address

 shutdown

!

interface Serial2/0

 ip address 2.2.2.1 255.255.255.0

 ip access-group test out

 serial restart-delay 0

!

interface Serial2/1

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial2/2

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial2/3

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial3/0

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial3/1

 no ip address

 shutdown

 serial restart-delay 0

!

interface Serial3/2

 no ip address

 shutdown

 serial restart-delay 0

!        

interface Serial3/3

 no ip address

 shutdown

 serial restart-delay 0

!

ip forward-protocol nd

!

!

no ip http server

no ip http secure-server

ip route 11.11.11.0 255.255.255.0 1.1.1.2

ip route 22.22.22.0 255.255.255.0 2.2.2.2

ip route 33.33.33.0 255.255.255.0 3.3.3.2

!

**************************************************************************

ip access-list extended test

 permit tcp host 1.1.1.2 host 22.22.22.1 eq telnet 

 permit icmp any host 22.22.22.1

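// Here 1.1.1.2 is R01's interface address; in practice it can be replaced with the client's IP address, or with the translated public address provided by the peer.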

**************************************************************************

!

!

!

!

!

!

!        

control-plane

!

!

line con 0

 exec-timeout 0 0

 password 222

 logging synchronous

 login

line aux 0

line vty 0

 password 111

 login

line vty 1 4

 login

!

exception data-corruption buffer truncate

end

R2-FW#
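
As an added example (not part of the original lab notes), the Python code below applies the first-match rule and the implicit deny to the two entries of access list test, as applied outbound on Serial2/0. The simplified parser (only `host`, `any` and `eq`), the flow names and the reply port 40000 are constructed for illustration.

```python
# Added example: first-match evaluation of ACL "test" (outbound on Serial2/0).
# Handles only the page's forms: "host X", "any", optional destination "eq <port>".
PORTS = {"telnet": 23}
ACL_TEST = """
permit tcp host 1.1.1.2 host 22.22.22.1 eq telnet
permit icmp any host 22.22.22.1
"""

def _addr(tokens):
    # Consume "any" (returns None) or "host X" (returns X).
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {word}")

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = None
        if tokens:
            if tokens.pop(0) != "eq":
                raise ValueError(f"unsupported qualifier: {line}")
            name = tokens.pop(0)
            dport = PORTS[name] if name in PORTS else int(name)
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    # The first matching entry decides; no match falls to the implicit deny.
    for action, e_proto, e_src, e_dst, e_dport in entries:
        if (e_proto in ("ip", proto) and e_src in (None, src)
                and e_dst in (None, dst) and e_dport in (None, dport)):
            return action
    return "deny"

# Constructed flows being forwarded out Serial2/0 toward R03.
FLOWS = {
    "R01 e-intf telnet": ("tcp", "1.1.1.2", "22.22.22.1", 23),
    "R01 lo0 telnet": ("tcp", "11.11.11.1", "22.22.22.1", 23),
    "R07 telnet": ("tcp", "33.33.33.1", "22.22.22.1", 23),
    "R07 reply to R03 telnet": ("tcp", "33.33.33.1", "22.22.22.1", 40000),
    "R07 ping": ("icmp", "33.33.33.1", "22.22.22.1", None),
}
RESULTS = {name: evaluate(parse_acl(ACL_TEST), *f) for name, f in FLOWS.items()}
```

R01's telnet is permitted only when sourced from 1.1.1.2; the same session sourced from lo0 (11.11.11.1) falls to the implicit deny, which is the case the comment in the access list addresses. R07's TCP replies to a session opened by R03 also hit the implicit deny on the way out of Serial2/0, while its ICMP toward 22.22.22.1 is permitted.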