color vpd ima dac fig net shadow out pro

一、實驗拓撲:
技術分享圖片
二、實驗要求:
1、ACL抓取Telnet、ICMP流量並放行,在全局下應用:
2、做完以後,R1去telnetR2、R3看是否可行?
3、ACL抓取Telnet流量並拒絕;在接口Outside應用;
4、查看接口ACL和全局ACL哪個優先,R1是否還可以Telnet R2?
三、命令部署:
1、Global調用ACL命令:
ASA(config)# access-list glo extended permit icmp any any
ASA(config)# access-list glo extended permit tcp any any eq telnet
ASA(config)# access-group glo global

2、接口下調用ACL命令:
ASA(config)# access-list jiekou extended deny tcp any any eq 23
ASA(config)# access-group jiekou in interface outside

四、驗證:
1、部署完global命令後:
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Username: bb
Password:
R2>
2、接口下調用ACL命令:
R1#telnet 10.1.1.2
Trying 10.1.1.2 ...
% Connection timed out; remote host not responding
結論:接口ACL優先級高於Global

7-思科防火墻:ASA配置:Global ACL(CLI)