...
```
esr(config)# object-group network LOCAL_NET
esr(config-object-group-network)# ip address-range 10.1.2.2-10.1.2.254
esr(config-object-group-network)# exit
esr(config)# object-group network PUBLIC_POOL
esr(config-object-group-network)# ip address-range 100.0.0.100-100.0.0.249
esr(config-object-group-network)# exit
```
To pass traffic from the 'TRUST' zone into the 'UNTRUST' zone, create a zone pair and add rules permitting traffic in this direction. The rules additionally check that the source address of the traffic belongs to the 'LOCAL_NET' address range, so that access to the public network is limited to that range. Rules take effect once they are activated with the enable command.
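A defender-side check for the requirement just described, added here as an example and not part of the ESR documentation: a small Python audit that parses the flat "enter context ... exit" CLI form used in these snippets and flags any enabled permit rule in the trust-to-untrust zone pair whose source is not pinned to a defined network object-group. The sample configuration is constructed, and `match source-address <group>` is assumed ESR syntax rather than taken from the page.

```python
# Constructed sample in the page's "enter context ... exit" CLI form; "match source-address <group>" is assumed ESR syntax.
SAMPLE_CONFIG = """\
object-group network LOCAL_NET
ip address-range 10.1.2.2-10.1.2.254
exit
security zone-pair trust untrust
rule 10
action permit
match source-address LOCAL_NET
enable
exit
exit
"""

def parse_esr(text):
    """Return (object-groups as name -> [(lo, hi)], zone-pair rules) from flat CLI text."""
    groups, rules, stack = {}, [], []        # stack = currently open CLI contexts
    for w in filter(None, map(str.split, text.splitlines())):   # tokenised non-empty lines
        if w == ["exit"]:
            if stack: stack.pop()            # unhandled top-level contexts push nothing, so their exit is a no-op
        elif w[:2] == ["object-group", "network"]:
            stack.append(("group", groups.setdefault(w[2], [])))
        elif w[:2] == ["security", "zone-pair"]:
            stack.append(("pair", w[2], w[3]))
        elif w[0] == "rule" and stack and stack[-1][0] == "pair":
            rules.append({"pair": stack[-1][1:], "id": w[1], "action": None, "match": {}, "enabled": False})
            stack.append(("rule", rules[-1]))
        elif stack and stack[-1][0] == "group" and w[:2] == ["ip", "address-range"]:
            stack[-1][1].append(tuple(w[2].split("-")))   # (first, last) address of the range
        elif stack and stack[-1][0] == "rule":
            r = stack[-1][1]
            if w[0] == "action": r["action"] = w[1]
            elif w[0] == "match": r["match"][w[1]] = w[2]
            elif w[0] == "enable": r["enabled"] = True
    return groups, rules

def audit(text, trusted="trust", untrusted="untrust"):
    # Flag enabled permit rules from trusted to untrusted whose source is not pinned to a defined group.
    groups, rules = parse_esr(text)
    findings = []
    for r in rules:
        if r["pair"] != (trusted, untrusted) or r["action"] != "permit" or not r["enabled"]:
            continue
        src = r["match"].get("source-address")
        if src not in groups:     # covers both "no source match" and a group that is never defined
            findings.append(f"rule {r['id']}: source {src or 'any'} is not a defined network object-group")
    return findings
```

Blocks the audit does not model (interfaces, service object-groups, plain security zones) are tolerated because their `exit` lines pop nothing at the top level.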
...
NTP server IP address – 192.168.52.41.
Solution:
Note. First, do the following:

- specify the security zone for the gi1/0/1 interface;
- configure the IP address for the gi1/0/1 interface to provide IP connectivity to the NTP server.
Example:

```
security zone untrust
exit
object-group service NTP
port-range 123
exit
interface gigabitethernet 1/0/1
security-zone untrust
ip address 192.168.52.8/24
exit
security zone-pair untrust self
rule 10
action permit
match protocol udp
match destination-port NTP
enable
exit
exit
```
...