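  • (Repost) Practical use of the object-group command on a firewall. (2010-11-11 10:03:53)

    RLooo's blog: http://blog.sina.com.cn/s/blog_59879e3a0100o5w1.html

    Using object-group greatly reduces the amount of configuration work; it is very practical.

    Configuration on the firewall: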

    object-group service gjlyd tcp
      description used for hai nai guo ji lv you dao server
      port-object eq 445
      port-object eq ftp
      port-object eq 3389
      port-object eq www
      port-object eq 8080
      port-object eq 1433
    object-group network gjlydser
      network-object host 10.9.2.66
      network-object host 10.9.2.67
      network-object host 10.9.2.68

    access-list inside permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
    access-list inside permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd

    Output: (very satisfying to look at)

    access-list inside line 494 permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 445 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq ftp (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 3389 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq www (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 8080 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 1433 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 445 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq ftp (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 3389 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq www (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 8080 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 1433 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 445 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq ftp (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 3389 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq www (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 8080 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 1433 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 445 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq ftp (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 3389 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq www (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 8080 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 1433 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 445 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq ftp (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 3389 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq www (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 8080 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 1433 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 445 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq ftp (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 3389 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq www (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 8080 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 1433 (hitcnt=0)
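
Added example (not part of the original post): a Python script that reproduces the expansion shown in the listing above, so the effective entries behind each grouped access-list line can be listed and counted when reviewing a rule set. It handles only the rule form used on this page (`permit tcp host SRC object-group NET object-group SVC`); the function names `parse_groups` and `expand_acl` are made up for this example.

```python
import itertools
import re

# Constructed input: the object-group and access-list lines from this page.
CONFIG = """\
object-group service gjlyd tcp
  description used for hai nai guo ji lv you dao server
  port-object eq 445
  port-object eq ftp
  port-object eq 3389
  port-object eq www
  port-object eq 8080
  port-object eq 1433
object-group network gjlydser
  network-object host 10.9.2.66
  network-object host 10.9.2.67
  network-object host 10.9.2.68
access-list inside permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
access-list inside permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd
"""

RULE = re.compile(r"^[ \t]*(access-list \S+ permit tcp host \S+) "
                  r"object-group (\S+) object-group (\S+)[ \t]*$", re.M)

def parse_groups(config):
    """Map each object-group name to its members, e.g. 'host 10.9.2.66' or 'eq 445'."""
    groups, members = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["object-group"]:
            members = groups.setdefault(words[2], [])
        elif words[:1] in (["network-object"], ["port-object"]) and members is not None:
            members.append(" ".join(words[1:]))
        elif words[:1] != ["description"]:
            members = None  # any other line ends the current group
    return groups

def expand_acl(config):
    """One ACE per (destination, port) pair; handles only this page's rule shape."""
    groups, aces = parse_groups(config), []
    for prefix, net, svc in RULE.findall(config):
        for name in (net, svc):
            if name not in groups:  # a rule naming an undefined group is an error
                raise ValueError(f"undefined object-group: {name}")
        for dst, port in itertools.product(groups[net], groups[svc]):
            aces.append(f"{prefix} {dst} {port}")
    return aces

if __name__ == "__main__":
    print("\n".join(expand_acl(CONFIG)))
```

For the configuration above it returns 36 entries (2 sources × 3 hosts × 6 ports), in the same order as the firewall's expanded listing.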

  • Original URL: https://www.cnblogs.com/paddingtoneyes/p/11610557.html