ZheltovAnton
Зарегистрирован: 20.03.2006
Сообщения: 2
|
 Добавлено: Пн Мар 20 2006 11:20 Заголовок сообщения: Cisco PIX 515E - ограничение скорости |
 |
|
Вопрос возможно слегка не по теме, но тем не менее.
Задача: ограничить на cisco pix скорости интернет траффика по группам. Нужно 3 группы, сейчас пытаюсь сделать хотя бы одну, один раз policy заработало, сейчас никак... Кто шарит в пиксах подскажите плиз.
Конфиг
PIX Version 7.0(4)
hostname pix-2
domain-name my.ru
enable password JarKsrZ75vFAdnpz encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address XXX.135.136.205 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address YYY.18.48.22 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 0
ip address YYY.18.9.1 255.255.255.0
ftp mode passive
clock timezone msk 3
access-list acl_outside extended permit tcp any host XXX.135.136.202 eq www
access-list acl_outside extended permit tcp any host XXX.135.136.204
access-list acl_outside extended permit icmp any host XXX.135.136.204
access-list acl_outside extended permit esp any interface outside
access-list NatInsidetoDmz extended permit ip YYY.18.48.0 255.255.255.0 YYY.18.48.0 255.255.255.0
access-list NatInsidetoDmz extended permit ip YYY.18.48.0 255.255.255.0 YYY.18.9.0 255.255.255.0
access-list NatInsidetoDmz extended permit ip YYY.18.9.0 255.255.255.0 YYY.18.48.0 255.255.255.0
access-list NatInsidetoDmz extended permit ip YYY.16.0.0 255.248.0.0 YYY.16.0.0 255.248.0.0
access-list vpn extended permit ip YYY.18.48.0 255.255.255.0 YYY.18.48.0 255.255.255.0
access-list vpn extended permit icmp YYY.18.48.0 255.255.255.0 YYY.18.48.0 255.255.255.0
access-list splitACL extended permit ip YYY.18.48.0 255.255.255.0 YYY.18.48.0 255.255.255.0
access-list splitACL extended permit icmp YYY.18.48.0 255.255.255.0 YYY.18.48.0 255.255.255.0
access-list splitACL extended permit ip YYY.16.0.0 255.248.0.0 YYY.16.0.0 255.248.0.0
access-list acl_dmz extended permit tcp any any
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit udp any any
access-list split2 standard permit YYY.18.48.0 255.255.255.0
access-list split3 extended permit ip YYY.16.0.0 255.248.0.0 YYY.16.0.0 255.248.0.0
access-list 1 extended deny ip any any
access-list inside_mpc_in extended deny ip any host 217.106.225.41
access-list inside_mpc_in extended permit icmp any any
access-list inside_mpc_in extended permit udp any any eq syslog
access-list inside_mpc_in extended permit ip host YYY.18.48.183 any
access-list inside_mpc_in extended permit tcp host YYY.18.48.165 any
access-list inside_mpc_in extended permit tcp host YYY.18.48.142 any
pager lines 24
logging enable
logging timestamp
logging standby
logging list ip level notifications
logging list ip level informational class ip
logging console debugging
logging monitor errors
logging buffered warnings
logging trap informational
logging facility 16
logging host inside YYY.18.48.183
logging permit-hostdown
logging class ip trap informational
logging rate-limit 50 10 level 6
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool test YYY.18.48.181-YYY.18.48.182
ERROR: Command requires failover license
ERROR: Command requires failover license
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit host YYY.18.48.181 inside
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any unreachable inside
icmp permit any echo-reply dmz
icmp permit any echo dmz
icmp permit any unreachable dmz
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NatInsidetoDmz
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) XXX.135.136.202 YYY.18.9.202 netmask 255.255.255.255
static (dmz,outside) XXX.135.136.204 YYY.18.9.204 netmask 255.255.255.255
static (inside,dmz) YYY.18.48.0 YYY.18.48.0 netmask 255.255.255.0
access-group acl_outside in interface outside
access-group inside_mpc_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 XXX.135.136.201 1
route inside YYY.22.0.0 255.255.0.0 YYY.18.48.22 1
route inside YYY.21.0.0 255.255.0.0 YYY.18.48.22 1
route inside YYY.20.0.0 255.255.0.0 YYY.18.48.22 1
route inside YYY.19.49.0 255.255.255.0 YYY.18.48.22 1
route inside YYY.23.0.0 255.255.0.0 YYY.18.48.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnoutside internal
group-policy vpnoutside attributes
dns-server value YYY.18.48.23
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split3
default-domain value uafi-t.ru
username XXXXXXX password XXXXXXXXXXXXXX encrypted privilege 15
username XXXX password XXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXX password XXXXXXXXXXXXXXXXXXX encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http YYY.16.0.0 255.248.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set UAFI-T esp-3des esp-md5-hmac
crypto dynamic-map clientvpn 10 set transform-set UAFI-T
crypto map map1 10 ipsec-isakmp dynamic clientvpn
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpnoutside type ipsec-ra
tunnel-group vpnoutside general-attributes
address-pool test
default-group-policy vpnoutside
tunnel-group vpnoutside ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh YYY.18.48.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
!
class-map inspection_default2
match access-list inside_mpc_in
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect icmp
class inspection_default2
police 56000 10500 conform-action drop
!
service-policy global_policy global
ntp server YYY.18.48.167
smtp-server YYY.18.48.1
pix-2# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns maximum-length 512, packet 9335, drop 0, reset-drop 0
Inspect: ftp, packet 3497, drop 0, reset-drop 0
Inspect: icmp, packet 155, drop 0, reset-drop 0
Class-map: inspection_default2
police Interface outside:
cir 56000 bps, bc 10500 bytes
conformed 15768 packets, 946174 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 136 bps, exceed 0 bps
police Interface inside:
cir 56000 bps, bc 10500 bytes
conformed 192399 packets, 35277941 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 8008 bps, exceed 0 bps
police Interface dmz:
cir 56000 bps, bc 10500 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps |
|
FAQ 
Поиск 
Пользователи 
Группы
Регистрация
Профиль 
Войти и проверить личные сообщения 
Вход 
