ARP binding on the ASA firewall


Currently, my company uses all static IP addresses. The company has an ASA 5505 firewall, and on this firewall some users must be restricted from using certain applications, such as QQ farms. To implement this, we bind ARP on the ASA 5505 firewall and then use access control lists to restrict these IP addresses and MAC addresses. The configuration is very simple. Let's take a look at how to configure ARP binding on the ASA 5500 firewall.

ciscoasa# conf t
! Give this IP address a name
ciscoasa(config)# name 192.168.0.78 liuty-s
! Create a network object group
ciscoasa(config)# object-group network inside
! Add my IP address to the object group
ciscoasa(config-network)# network-object host 192.168.0.78
ciscoasa(config-network)# exit
! Access control list: allow the IP addresses in object-group inside to reach any address
ciscoasa(config)# access-list inside line 1 permit ip object-group inside any
! Apply access control list "inside" to the inbound direction of the inside interface
ciscoasa(config)# access-group inside in interface inside
! Bind the IP address to the MAC address
ciscoasa(config)# arp inside 192.168.0.78 0023.14e7.bd10
With just these few commands, the PC's IP address is bound to its MAC address. Let's test it. (The IP address and MAC address above are those of my laptop's wireless network card.)

Let's ping 192.168.0.199, the firewall's intranet interface address, to see if communication works.

We can see that the wireless network card communicates with the firewall's internal interface normally. Next, I move the IP address from the wireless network card to the wired network card and try again. The MAC address of the wired network card now does not match the MAC address set on the firewall.

Now let's see whether we can still communicate.

We can see that it cannot communicate with the firewall; once the IP address and MAC address match again, it passes through the firewall normally.

However, one thing is easy to overlook: we bound only the IP addresses that are in use to MAC addresses and did nothing for the others, so a user can still access the Internet by switching to an IP address that has no MAC binding. Let's try it. I change my IP address to 192.168.0.2. This address is not used in my current network and is not bound to a MAC address on the firewall.

Now ping the firewall's intranet interface address again to see whether communication works.

The ping succeeds: the unbound address communicates normally. Therefore, when configuring this, note that you must either configure a MAC address binding for the IP addresses that are not in use as well, or write the access control list so that only the IP addresses in use are allowed out through the firewall and the unused ones are rejected.
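The closing advice above, as an added example that is not part of the original article: a Python generator that emits ASA commands permitting only assigned addresses in the access list and pinning every unassigned address in the subnet to a placeholder MAC. The /24 mask, the placeholder MAC 0200.0000.0001 and the function names are assumptions; 192.168.0.78, its MAC address and 192.168.0.199 come from the article.

```python
import ipaddress

# Values from the article: one bound host and the ASA inside interface address.
ASSIGNED = {"192.168.0.78": "00:23:14:E7:BD:10"}
FIREWALL_IP = "192.168.0.199"
# Assumptions (not from the article): the subnet mask and a locally
# administered placeholder MAC that no real NIC on the LAN uses.
SUBNET = "192.168.0.0/24"
PLACEHOLDER_MAC = "0200.0000.0001"


def to_cisco_mac(mac):
    """Normalise aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to Cisco aabb.ccdd.eeff."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def build_config(subnet, assigned, firewall_ip, interface="inside", acl="inside"):
    """Return ASA commands: ACL for assigned hosts, ARP entry for every host."""
    net = ipaddress.ip_network(subnet)
    fw = ipaddress.ip_address(firewall_ip)
    bound = {ipaddress.ip_address(ip): to_cisco_mac(m) for ip, m in assigned.items()}
    stray = [str(ip) for ip in bound if ip not in net]
    if stray:
        raise ValueError(f"assigned addresses outside {net}: {stray}")
    lines = [f"object-group network {acl}"]
    lines += [f" network-object host {ip}" for ip in sorted(bound)]
    lines += [
        " exit",
        # Only addresses in the group may leave; the rest hit the implicit deny.
        f"access-list {acl} line 1 permit ip object-group {acl} any",
        f"access-group {acl} in interface {interface}",
    ]
    for host in net.hosts():
        if host == fw:
            continue  # never pin the firewall's own address
        # Real MAC for assigned hosts, placeholder for every unused address,
        # so an unused IP fails the same way the article's mismatched NIC did.
        lines.append(f"arp {interface} {host} {bound.get(host, PLACEHOLDER_MAC)}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(SUBNET, ASSIGNED, FIREWALL_IP)))
```

Review the generated commands against the real address plan before pasting them into the firewall, since any in-use host missing from the inventory would be pinned to the placeholder MAC.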

This article is from the "Web Hosting blog", please be sure to keep this source http://ltyluck.blog.51cto.com/170459/348509
