Packet Tracer - 综合技能练习(配置各种 IOS 功能)(五)


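!----------------------------------
! S1 - port security on the user-facing access port
! Only F0/6 stays up; every other port is administratively shut down so an
! unused port cannot be used to join the network.
!----------------------------------
!S1
conf t
interface FastEthernet 0/6
 switchport mode access
 ! PortFast plus BPDU guard: if a BPDU arrives on this edge port the port is
 ! err-disabled instead of taking part in spanning tree.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! The port is shut before port security is enabled and re-enabled afterwards
 ! (presumably so the sticky learner starts from a clean state - lab procedure).
 ! No "maximum" or "violation" is set, so IOS defaults apply (1 secure MAC,
 ! violation mode shutdown).
 shutdown
 switchport port-security
 switchport port-security mac-address sticky
 no shutdown
! Unused ports.  The original listing used an en dash ("–") in these ranges,
! which IOS rejects; a plain "-" is required.
interface range f0/2 - 5 , f0/7 - 24 , g0/1 - 2
 shutdown
end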
!----------------------------------
!----------------------------------
! AAA local authentication (R1)
!----------------------------------
!R1
conf t
! "secret" stores the password as a hash in the config (unlike "password").
! Admin01 / Admin01pa55 are the lab's values.
username Admin01 privilege 15 secret Admin01pa55
aaa new-model
! Default login method list: local user database first, then "enable" as a
! fallback method.  With aaa new-model on, lines that have no named list
! applied use this default list.
! NOTE(review): the source ran the commands together; read here as one line
! "... default local enable".  If the lab intended "local" only, drop "enable".
aaa authentication login default local enable
end
!-------------------------
!-------------------------
! SSH access to R1
!-------------------------
!R1
conf t
! A domain name is required before RSA keys can be generated.
ip domain-name ccnasecurity.com
! Generates the host key pair; "1024" answers the modulus prompt (lab value).
crypto key generate rsa
1024
! Restrict to SSH version 2 only.
ip ssh version 2
line vty 0 4
 ! Telnet is not accepted on the vty lines, only SSH.  Authentication on these
 ! lines is assumed to come from the AAA default login list configured in the
 ! AAA section - verify that section is applied first.
 transport input ssh
end
!----------------------------
!----------------------------
! Login attack mitigation (login block / quiet mode) on R1
!----------------------------
!R1
conf t
! After 2 failed logins within 30 s the router enters quiet mode for 60 s and
! refuses further login attempts for that period (unless a quiet-mode
! exception ACL is configured, which this lab does not do).
login block-for 60 attempts 2 within 30
! Log every failed login so brute-force activity is visible in syslog.
login on-failure log
end
!---------------------------------
!---------------------------------
! Site-to-site IPsec VPN (R1 side)
!---------------------------------
!R1
conf t
! Interesting traffic: R1 LAN (172.20.1.0/24) <-> R3 LAN (172.30.3.0/24).
access-list 101 permit ip 172.20.1.0 0.0.0.255 172.30.3.0 0.0.0.255
! IKE phase 1 (ISAKMP) policy.  "hash sha" (SHA-1) and "group 5" are the lab's
! values; current guidance prefers a SHA-2 hash and a larger DH group.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha
 group 5
 lifetime 3600
 exit
! Pre-shared key for the R3 peer.  By default it is shown in clear text in the
! running config.
crypto isakmp key ciscovpnpa55 address 10.20.20.1
! IKE phase 2 (IPsec) proposal: ESP with AES-256 and SHA-1 HMAC.
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.20.20.1
 ! PFS: a fresh DH exchange for each IPsec SA.  R3's crypto map (configured
 ! separately) should carry the same setting.
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
interface S0/0/0
 crypto map CMAP
end
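!R3
conf t
! Mirror image of R1's ACL: R3 LAN (172.30.3.0/24) <-> R1 LAN (172.20.1.0/24).
access-list 101 permit ip 172.30.3.0 0.0.0.255 172.20.1.0 0.0.0.255
! IKE phase 1 policy - must match R1's (AES-256, PSK, SHA-1, DH group 5).
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha
 group 5
 lifetime 3600
 exit
! Pre-shared key for the R1 peer (same key as on R1).
crypto isakmp key ciscovpnpa55 address 10.10.10.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.10.10.1
 ! Added: R1's crypto map has "set pfs group5" but the original R3 listing did
 ! not.  With PFS on one side only, phase 2 negotiation can fail depending on
 ! which side initiates, so both peers are configured the same way here.
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
interface S0/0/1
 crypto map CMAP
end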
!-----------------------------------
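!-----------------------------------
! Zone-based policy firewall and IPS on R3
! (a stray copy of the page title that had been fused onto the "!R3" line was
! removed)
!-----------------------------------
!R3
conf t
! Firewall config
! Two zones: the LAN side (g0/1) is IN-ZONE, the serial WAN link (s0/0/1) is
! OUT-ZONE.
zone security IN-ZONE
zone security OUT-ZONE
! Only traffic sourced from the R3 LAN is inspected inside->outside.  The
! trailing deny matches the implicit default and is kept for readability.
access-list 110 permit ip 172.30.3.0 0.0.0.255 any
access-list 110 deny ip any any
class-map type inspect match-all INTERNAL-CLASS-MAP
 match access-group 110
 exit
! "inspect" keeps state for LAN-initiated sessions so their return traffic is
! allowed back in.
policy-map type inspect IN-2-OUT-PMAP
 class type inspect INTERNAL-CLASS-MAP
  inspect
! Only an inside->outside zone-pair is defined; traffic between zones with no
! zone-pair is dropped by default, so sessions initiated from the WAN toward
! the LAN are not admitted by this policy.
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
 exit
interface g0/1
 zone-member security IN-ZONE
 exit
interface s0/0/1
 zone-member security OUT-ZONE
end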
! IPS configuration (R3)
! Create the flash directory that holds the IPS signature files (exec mode,
! before entering configuration mode).
mkdir ipsdir
conf t
ip ips config location flash:ipsdir
ip ips name IPS-RULE
! Retire every signature category first, then un-retire only the basic IOS
! IPS set (the usual reason is to keep router memory and CPU use manageable).
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
! Apply the rule to traffic arriving on the WAN interface.
! NOTE(review): the original listing does not end this section with "end";
! the session is left in interface configuration mode.
interface s0/0/1
 ip ips IPS-RULE in
!--------------------------------------------------
!--------------------------------------------------
! ASA basic security and firewall settings
!--------------------------------------------------
!CCNAS-ASA
enable
conf t
! Inside interface (VLAN 1): highest trust level.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
! Outside interface (VLAN 2): lowest trust level; the DHCP-assigned address is
! replaced by a static one.
interface vlan 2
 nameif outside
 security-level 0
 no ip address dhcp
 ip address 209.165.200.234 255.255.255.248
 exit
hostname CCNAS-ASA
domain-name ccnasecurity.com
! Lab credentials (ciscoenapa55 / admin:adminpa55).  The ASA is expected to
! store these hashed in its config - confirm with "show running-config".
enable password ciscoenapa55
username admin password adminpa55
! SSH logins are authenticated against the local user database.
aaa authentication ssh console LOCAL
! SSH is reachable only from the inside subnet and from the single host
! 172.30.3.3 on the outside; idle sessions time out after 10 minutes.
ssh 192.168.10.0 255.255.255.0 inside
ssh 172.30.3.3 255.255.255.255 outside
ssh timeout 10
! DHCP pool for inside clients.
dhcpd address 192.168.10.5-192.168.10.30 inside
dhcpd enable inside
! Default route toward the upstream router.
route outside 0.0.0.0 0.0.0.0 209.165.200.233
! Dynamic PAT: inside hosts are translated to the outside interface address.
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
 exit
conf t
! Add ICMP inspection to the default global policy (presumably so replies to
! pings from inside are allowed back in - verify in the lab).
class-map inspection_default
 match default-inspection-traffic
 exit
policy-map global_policy
 class inspection_default
  inspect icmp
  exit
service-policy global_policy global