2010-03-09 22:28:03
Network Systems Integration Project (comprehensive project)

Project name: comprehensive project

Project requirements:
- Network layout: one office, 8 classrooms, one server room, one finance office.
- ISP-assigned address block: 218.247.142.160/27.
- The Beijing Xicheng center and the Shijingshan center are interconnected; traffic between them is allowed.
- Set up a DHCP service.
- The office may use the internet 24 hours a day; the classrooms may carry any internet traffic only during the lunch break.
- The server room holds 3 web servers, 3 BBS servers, 8 FTP servers, one OA system (B/S architecture), one CRM system (B/S architecture) and one financial system (B/S architecture). Every server except the financial system must be reachable from the external network; remote login on 3389 from the external network is not allowed; one network-administrator host in the office is allowed to manage the servers remotely.
- In the classrooms, nobody except the teacher in charge may access any server in the server room other than the 8 FTP servers.
- Office staff may not use QQ or MSN during working hours.
- Security protection: in every zone, deny access to the following ports: TCP 135/136/137/138/139/445/11023/1024/1025/2475/3127/6129/593/2745/3127/6129 and UDP 135/137/138/445.
- The company's CEO/CTO/CIO/CFO/COO may carry out any communication within the network as long as it is secure.
- Set up the company finance office; the financial system in the server room may be accessed only by finance staff.

Project acceptance criteria: the communication requirements above are met.

Project description and implementation plan:

Approach for blocking QQ completely:
- QQ server ports: TCP and UDP 8000/8001
- QQ client ports: TCP and UDP 4000/4001
- Tencent server addresses: 61.144.238.145 / 61.144.238.146 / 202.104.129.251 / 202.104.129.252 / 202.104.129.253 / 202.104.129.254 / 218.18.95.236

Approach for blocking MSN completely:
1. Related ports: TCP 1503, 1863, 6891, 1863, 569; UDP 569
2. Related address ranges: 64.4.13.0 (matching the first three octets is enough), 207.46.104.20 (exact match), 207.46.96.0 (matching the first three octets is enough)

Equipment used:
- 2610: two units, each with one FastEthernet port and one serial port
- 2950: one unit, 24 ports

Switch configuration:

interface f0/1
 switchport mode trunk
interface f0/2
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
interface f0/3
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
interface f0/4
 switchport mode access
 switchport access vlan 120
 spanning-tree portfast
interface f0/5
 switchport mode access
 switchport access vlan 130
 spanning-tree portfast
interface f0/6
 switchport mode access
 switchport access vlan 140
 spanning-tree portfast
interface f0/7
 switchport mode access
 switchport access vlan 150
 spanning-tree portfast
interface f0/8
 switchport mode access
 switchport access vlan 160
 spanning-tree portfast
interface f0/9
 switchport mode access
 switchport access vlan 170
 spanning-tree portfast
interface f0/10
 switchport mode access
 switchport access vlan 180
 spanning-tree portfast
interface f0/11
 switchport mode access
 switchport access vlan 190
 spanning-tree portfast
interface f0/12
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
interface f0/24
 switchport mode access
 switchport access vlan 1001
 spanning-tree portfast

Router configuration:

hostname xicheng001
enable secret vfast2009
line vty 0 15
 password vfast
interface fastethernet 0/0
 no shutdown

NAT configuration:

ip nat pool vfast-pool 218.247.142.163 218.247.142.170 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
! original read "pool-vfast pool"; the IOS syntax is "pool <name>"
ip nat inside source list 1 pool vfast-pool overload
ip nat inside source static tcp 192.168.12.100 80 218.247.142.171 80
ip nat inside source static tcp 192.168.12.101 80 218.247.142.172 80
ip nat inside source static tcp 192.168.12.102 80 218.247.142.173 80
ip nat inside source static tcp 192.168.12.103 80 218.247.142.174 80
ip nat inside source static tcp 192.168.12.104 80 218.247.142.175 80
ip nat inside source static tcp 192.168.12.105 80 218.247.142.176 80
ip nat inside source static tcp 192.168.12.106 21 218.247.142.177 21
ip nat inside source static tcp 192.168.12.107 21 218.247.142.178 21
ip nat inside source static tcp 192.168.12.108 21 218.247.142.179 21
ip nat inside source static tcp 192.168.12.109 21 218.247.142.180 21
ip nat inside source static tcp 192.168.12.110 21 218.247.142.181 21
ip nat inside source static tcp 192.168.12.111 21 218.247.142.182 21
ip nat inside source static tcp 192.168.12.112 21 218.247.142.183 21
ip nat inside source static tcp 192.168.12.113 21 218.247.142.184 21
ip nat inside source static tcp 192.168.12.114 80 218.247.142.185 80
ip nat inside source static tcp 192.168.12.115 80 218.247.142.186 80

Time-range and ACL configuration:

time-range office
 periodic daily 9:30 to 12:00
 periodic daily 13:30 to 18:00
!
! "killer" implements the port blacklist from the requirements; note that it is
! defined here but not applied to any interface below, so it filters nothing until
! it is bound with "ip access-group killer in" on the relevant subinterfaces.
ip access-list extended killer
 deny tcp any any range 135 139
 deny tcp any any eq 445
 deny tcp any any eq 11023
 deny tcp any any range 1024 1025
 deny tcp any any eq 2475
 deny tcp any any eq 3127
 deny tcp any any eq 6129
 deny tcp any any eq 593
 deny tcp any any eq 2745
 deny tcp any any eq 3127
 deny tcp any any eq 6129
 deny udp any any eq 135
 deny udp any any range 137 138
 deny udp any any eq 445
 permit ip any any
!
ip access-list extended office
 remark privileges for the five executives (CEO/CTO/CIO/CFO/COO): matched first, so they bypass every deny below
 permit ip host 192.168.10.8 any
 permit ip host 192.168.10.18 any
 permit ip host 192.168.10.118 any
 permit ip host 192.168.10.58 any
 permit ip host 192.168.10.88 any
 deny tcp any any range 8000 8001 time-range office
 deny tcp any any range 4000 4001 time-range office
 deny udp any any range 8000 8001 time-range office
 deny udp any any range 4000 4001 time-range office
 deny ip any host 61.144.238.145 time-range office
 deny ip any host 61.144.238.146 time-range office
 deny ip any host 202.104.129.251 time-range office
 deny ip any host 202.104.129.252 time-range office
 deny ip any host 202.104.129.253 time-range office
 deny ip any host 202.104.129.254 time-range office
 deny ip any host 218.18.95.236 time-range office
 deny tcp any any eq 1503 time-range office
 deny tcp any any eq 1863 time-range office
 deny tcp any any eq 6891 time-range office
 deny tcp any any eq 569 time-range office
 deny udp any any eq 569 time-range office
 deny ip any 64.4.13.0 0.0.0.255 time-range office
 deny ip any host 207.46.104.20 time-range office
 deny ip any 207.46.96.0 0.0.0.255 time-range office
 permit ip any any
!
ip access-list extended class
 permit ip any 192.168.0.0 0.0.255.255
 permit ip host 192.168.44.44 any
 deny tcp any any time-range office
 deny udp any any time-range office
 permit tcp any any
 permit udp any any
 permit ip any any
!
ip access-list extended server
 permit tcp 192.168.11.0 0.0.0.255 host 192.168.12.78 eq 80
 deny tcp any host 192.168.12.78 eq 80
 permit tcp any host 192.168.12.81 eq 21
 permit tcp any host 192.168.12.82 eq 21
 permit tcp any host 192.168.12.83 eq 21
 permit tcp any host 192.168.12.84 eq 21
 permit tcp any host 192.168.12.85 eq 21
 permit tcp any host 192.168.12.86 eq 21
 permit tcp any host 192.168.12.87 eq 21
 permit tcp any host 192.168.12.88 eq 21
 permit tcp host 192.168.10.89 any eq 3389
 permit tcp host 192.168.0.100 any eq 80
 permit tcp host 192.168.0.100 any eq 21
 permit tcp host 192.168.1.100 any eq 80
 permit tcp host 192.168.1.100 any eq 21
 permit tcp host 192.168.2.100 any eq 80
 permit tcp host 192.168.2.100 any eq 21
 permit tcp host 192.168.3.100 any eq 80
 permit tcp host 192.168.3.100 any eq 21
 permit tcp host 192.168.4.100 any eq 80
 permit tcp host 192.168.4.100 any eq 21
 permit tcp host 192.168.5.100 any eq 80
 permit tcp host 192.168.5.100 any eq 21
 permit tcp host 192.168.6.100 any eq 80
 permit tcp host 192.168.6.100 any eq 21
 permit tcp host 192.168.7.100 any eq 80
 permit tcp host 192.168.7.100 any eq 21
 deny tcp 192.168.0.0 0.0.0.255 any eq 80
 deny tcp 192.168.1.0 0.0.0.255 any eq 21
 deny tcp 192.168.2.0 0.0.0.255 any eq 80
 deny tcp 192.168.3.0 0.0.0.255 any eq 80
 deny tcp 192.168.4.0 0.0.0.255 any eq 80
 deny tcp 192.168.5.0 0.0.0.255 any eq 80
 deny tcp 192.168.6.0 0.0.0.255 any eq 80
 deny tcp 192.168.7.0 0.0.0.255 any eq 80
 permit tcp any any eq 80
 permit tcp any any eq 21
 deny ip any any

DHCP configuration:

ip dhcp pool caiwu
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
 dns-server 202.160.196.115 202.106.196.152
ip dhcp pool office
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 202.160.196.115 202.106.196.152
ip dhcp pool class1
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 202.160.196.115 202.106.196.152
ip dhcp pool class2
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool class3
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool class4
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool class5
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool class6
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool class7
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool class8
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.1
 dns-server 202.106.196.115 202.106.196.152
ip dhcp pool server
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
 dns-server 202.106.196.115 202.106.196.152
! the original repeats the caiwu pool here with different DNS servers; in IOS the
! later definition overrides the earlier one
ip dhcp pool caiwu
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
 dns-server 202.106.196.115 202.106.196.152

Subinterfaces and routing:

! The 2610 has a single FastEthernet port and the trunk to the switch is on its f0/1,
! so every dot1q subinterface hangs off fastethernet 0/0 (the original numbered
! them 0/1 to 0/24, which do not exist on this router). The original also bound the
! ACLs class1 to class8, which are never defined; only "class" exists, and an
! undefined ACL name filters nothing, so "class" is applied instead.
interface fastethernet 0/0.100
 encapsulation dot1q 100
 ip address 192.168.10.1 255.255.255.0
 ip access-group office in
 ip nat inside
interface fastethernet 0/0.110
 encapsulation dot1q 110
 ip address 192.168.11.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.120
 encapsulation dot1q 120
 ! the ip address line for this subinterface is missing in the original
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.130
 encapsulation dot1q 130
 ip address 192.168.12.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.140
 encapsulation dot1q 140
 ip address 192.168.13.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.150
 encapsulation dot1q 150
 ip address 192.168.14.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.160
 encapsulation dot1q 160
 ip address 192.168.15.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.170
 encapsulation dot1q 170
 ip address 192.168.16.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.180
 encapsulation dot1q 180
 ip address 192.168.17.1 255.255.255.0
 ip access-group class in
 ip nat inside
interface fastethernet 0/0.190
 encapsulation dot1q 190
 ip address 192.168.19.1 255.255.255.0
 ip access-group server in
 ip nat inside
! switch port f0/24 above sits in VLAN 1001, so the tag here must match it before
! the uplink will carry traffic
interface fastethernet 0/0.800
 encapsulation dot1q 800
 ip address 218.247.142.162 255.255.255.224
 ip nat outside
ip route 0.0.0.0 0.0.0.0 218.247.142.161
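As an added example (not code from the original post), a small Python first-match evaluator for the extended-ACL syntax used above; it lets each rule set be checked against the requirement it is meant to implement, for instance that the QQ block in the office ACL applies only during the office time-range and that the listed executive hosts bypass it. It assumes the time-range named office from the configuration above and handles only the ACE forms that appear on this page.

```python
# Added example (not from the original post): first-match evaluator for the IOS
# extended-ACL syntax above. Handles permit/deny, ip/tcp/udp, any|host|wildcard,
# eq/range on the destination port and time-range; source-port operators are not handled.
import ipaddress

# Constructed from "time-range office" above; times are zero-padded "HH:MM" strings.
TIME_RANGES = {"office": [("09:30", "12:00"), ("13:30", "18:00")]}

def _addr(tokens):  # any | host A | A WILDCARD  ->  (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()  # contiguous wildcard only
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one access-control entry; remark lines yield None."""
    t = line.split()
    if t[0] == "remark":
        return None
    action, proto = t[:2]
    src, t = _addr(t[2:])
    dst, t = _addr(t)
    ports = (0, 65535)  # no port qualifier matches every port
    if t[:1] == ["eq"]:
        ports, t = (int(t[1]), int(t[1])), t[2:]
    elif t[:1] == ["range"]:
        ports, t = (int(t[1]), int(t[2])), t[3:]
    trange = t[1] if t[:1] == ["time-range"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports, "trange": trange}

def _active(trange, when):
    return trange is None or any(a <= when <= b for a, b in TIME_RANGES[trange])

def evaluate(acl, proto, src, dst, dport, when):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in filter(None, map(parse_ace, acl)):
        if (ace["proto"] in ("ip", proto) and _active(ace["trange"], when) and s in ace["src"]
                and d in ace["dst"] and ace["ports"][0] <= dport <= ace["ports"][1]):
            return ace["action"]
    return "deny"

# Constructed sample: the executive exemption, two QQ rules and the catch-all from "office".
OFFICE_ACL = ["remark executives bypass the time-based blocks",
              "permit ip host 192.168.10.8 any",
              "deny tcp any any range 8000 8001 time-range office",
              "deny ip any host 61.144.238.145 time-range office",
              "permit ip any any"]
```

Running evaluate over the full office, class and server lists from the page with a few sample hosts and times is a quick way to confirm each requirement before the ACLs are bound to interfaces.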