Question about ACL configuration on a 3560
The network layout is as follows: the Internet link comes in and connects to a hardware firewall (no configuration has been done on the firewall), and from the firewall it connects to the 3560. The first Ethernet port on the 3560 is configured as a routed port and connects to the firewall. The ACL is applied in the OUT direction on that port.
But once the list is applied the network stops working. Could everyone please take a look and see whether anything is wrong? The configuration is as follows:
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq 80
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 1863
access-list 100 permit tcp any any range 6891 6901
access-list 100 permit tcp any any range 8001 8004
access-list 100 permit tcp any any eq 10041
access-list 100 permit tcp any any eq 10037
access-list 100 permit tcp any any range 7001 7002
access-list 100 permit tcp any any range 7708 7709
access-list 100 permit tcp any any eq 9907
access-list 100 permit tcp any any eq 8601
access-list 100 permit tcp any any eq 8008
access-list 100 permit tcp any any eq 9008
access-list 100 permit tcp any any eq 9108
access-list 100 permit tcp any any eq 9000
access-list 100 permit tcp any any eq 39000
access-list 100 permit tcp any any eq 22223
access-list 100 permit udp any any range 1701 1704
access-list 100 permit tcp any any range 2048 2053
access-list 100 permit udp any any range 2048 2053
access-list 100 permit tcp any any eq 19876
access-list 100 permit tcp any any eq 188
access-list 100 permit tcp any any eq 8222
access-list 100 permit tcp any any eq 89
access-list 100 permit tcp any any range 4435 4439
access-list 100 permit tcp any any eq 9525
access-list 100 permit tcp any any eq 9510
access-list 100 permit tcp any any eq 8085
access-list 100 deny ip any any

First make sure it is reachable without the ACL.
Then, an extended ACL is recommended to be placed on the source side (the interface facing the internal network) in the IN direction.
But the way you have done it should also work.

Without the ACL it definitely works; as soon as the ACL is applied it stops working.
I placed it in the OUT direction. With IN, even telnet to the 3560 no longer works.

I see. Telnet doesn't work because TCP port 23 isn't opened.
Also DNS isn't opened, TCP and UDP port 53.

Thanks, I'll try it.

Could you leave a QQ number so we can be friends?
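The direction question in the replies above is easier to see by running the list against a few sample packets. The following is an added example written for this thread, not code from the original posts: a small Python evaluator for the subset of IOS extended-ACL syntax the posted list uses (`permit|deny <proto> any any [eq <port> | range <lo> <hi>]`, first match wins, implicit deny at the end). The ACL embedded in it is a constructed subset of the thread's list 100, and the sample flows (ephemeral source ports, a telnet session to the switch) are constructed too. It shows that the list only ever inspects the destination port, so in the OUT direction on the firewall-facing port it sees client requests (destination 80, 53, ...) and permits them, while the same list in the IN direction sees replies (destination = the client's ephemeral port) and management traffic to the switch (destination 23) and denies both, which is consistent with the reply that telnet fails because port 23 is not permitted.

```python
# Added example (not from the thread): a tiny evaluator for the kind of
# extended ACL posted above, used to show why the same list behaves
# differently in the OUT and IN directions of the firewall-facing port.
# Only the subset of IOS syntax the thread uses is handled:
#   access-list <n> permit|deny <proto> any any [eq <port> | range <lo> <hi>]
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the thread's list (plus telnet, which the
# replies mention); numeric ports are used as-is.
PORT_NAMES = {"www": 80, "domain": 53, "ftp-data": 20, "ftp": 21,
              "smtp": 25, "pop3": 110, "telnet": 23}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    dport_lo: Optional[int]     # None = any destination port
    dport_hi: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int = 0
    dport: int = 0


def port_num(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        if p[:1] != ["access-list"]:
            continue
        action, proto = p[2], p[3]
        lo = hi = None
        # "any any" occupies p[4], p[5]; an optional port match follows.
        if len(p) > 6 and p[6] == "eq":
            lo = hi = port_num(p[7])
        elif len(p) > 6 and p[6] == "range":
            lo, hi = port_num(p[7]), port_num(p[8])
        rules.append(Rule(action, proto, lo, hi))
    return rules


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First-match semantics; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport_lo is not None and not (r.dport_lo <= pkt.dport <= r.dport_hi):
            continue
        return r.action
    return "deny"


# Constructed subset of the list from the thread (same syntax, fewer lines).
ACL_100 = """
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any
"""


def direction_demo() -> dict[str, str]:
    """Evaluate representative flows as seen on the port facing the firewall.

    OUT direction sees LAN -> Internet packets (destination = server port).
    IN direction sees Internet -> LAN packets (destination = the client's
    ephemeral port) plus traffic addressed to the switch itself.
    """
    rules = parse_acl(ACL_100)
    return {
        # OUT: client requests match on their destination port.
        "out_http_request":  evaluate(rules, Packet("tcp", sport=51000, dport=80)),
        "out_dns_query":     evaluate(rules, Packet("udp", sport=51001, dport=53)),
        "out_telnet_to_net": evaluate(rules, Packet("tcp", sport=51002, dport=23)),
        # IN: replies carry the server port as *source*; the list never looks at it.
        "in_http_reply":     evaluate(rules, Packet("tcp", sport=80, dport=51000)),
        "in_dns_reply":      evaluate(rules, Packet("udp", sport=53, dport=51001)),
        "in_telnet_to_3560": evaluate(rules, Packet("tcp", sport=51003, dport=23)),
        "in_ping":           evaluate(rules, Packet("icmp")),
    }


if __name__ == "__main__":
    for flow, verdict in direction_demo().items():
        print(f"{flow:20s} {verdict}")
```

The "out_" verdicts are also what the list would produce if it were applied IN on the interface facing the internal network, as the first reply recommends, because that placement sees the same LAN-to-Internet direction. Applying an unmodified destination-port list IN on the firewall-facing port denies every reply and every management session to the switch; a list for that direction has to be written for return traffic, which is a different list, not a different direction for the same one.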
