
Lab procedure

Step 1: Pre-configure R1, R2 and R3.

R1(config)#int e1/0
R1(config-if)#ip add 172.16.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#exit

R2(config)#int e1/0
R2(config-if)#ip add 172.16.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int e2/0
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#exit

R3(config)#int e2/0
R3(config-if)#ip add 10.0.0.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.0
R3(config-if)#exit
Step 2: Configure R1 and R2 to run EIGRP 100.

R1(config)#router eigrp 100
R1(config-router)#no auto
R1(config-router)#net 1.1.1.1
R1(config-router)#net 172.16.0.0
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#no auto
R2(config-router)#net 2.2.2.2
R2(config-router)#net 172.16.0.0
R2(config-router)#passive-interface loopback 0
R2(config-router)#exit
Step 3: On R2 (acting as the FW), add a route towards R3 (acting as the ISP) for Internet access.

R2(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.3 // add a default route whose next hop is R3 (the ISP router)
R2(config)#router eigrp 100
R2(config-router)#redistribute static // redistribute the static route into EIGRP
R2(config-router)#exit
Step 4: On R3 (acting as the ISP), add routes to the enterprise network (R2 acts as the FW, R1 as the enterprise internal router).

R3(config)#ip route 172.16.0.0 255.255.255.0 10.0.0.2 // route from R3 (the ISP) to the enterprise network
R3(config)#ip route 2.2.2.0 255.255.255.0 10.0.0.2 // route from R3 (the ISP) to the enterprise DMZ (R2's loopback0)
R3(config)#end
Step 5: From R3, ping the enterprise DMZ (R2's loopback0) to test connectivity.

R3#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/34/68 ms
R3#
Step 6: Configure the FW (R2) so that SDM can manage it.

R2(config)#int e1/1
R2(config-if)#ip add 192.168.1.200 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#ip http server
R2(config)#ip http authentication enable
R2(config)#lin vty 0 4
R2(config-line)#transport input ssh telnet
R2(config-line)#end
Step 7: Connect to the firewall (R2, acting as the FW) with SDM.

Step 8: In SDM go to Configure → Firewall and ACL → Advanced Firewall → Launch the selected task.

Step 9: On the Advanced Firewall Configuration Wizard screen that appears, click Next.

Step 10: In the firewall interface configuration, select E1/0 as the outside (untrusted, ISP-facing) interface, E1/1 as inside (enterprise LAN) and loopback0 as the DMZ, then click Next.

Step 11: In the Firewall DMZ Service Configuration screen that appears, click Add.

Step 12: In the DMZ service configuration, enter the start and end IP addresses, and under Service select TCP and the HTTP service.

Step 13: Confirm that the entry now appears in the DMZ service configuration, then click Next.

Step 14: Configure the URL filtering server.

Step 15: Confirm the security policy you defined, then click Next.

Step 16: In the firewall DNS server configuration, specify the DNS server address.

Step 17: Confirm the configuration is correct, then click Finish.

Step 18: View the commands SDM generated.

R2#show run
Building configuration...

Current configuration : 9524 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 221.11.1.67
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]
parameter-map type urlfilter SDM_URLFILTER_MAP
 server vendor n2h2 192.168.1.1 timeout 5
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
class-map type inspect smtp match-any sdm-app-smtp
 match data-length gt 5000000
class-map type inspect http match-any sdm-app-nonascii
 match req-resp header regex sdm-regex-nonascii
class-map type inspect imap match-any sdm-app-imap
 match invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect pop3 match-any sdm-app-pop3
 match invalid-command
class-map type inspect match-all sdm-protocol-p2p
 match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
class-map type inspect match-any sdm-dmz-protocols
 match protocol http
class-map type inspect match-all sdm-dmz-traffic
 match access-group name dmz-traffic
 match class-map sdm-dmz-protocols
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect http match-any sdm-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method post
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-protocol-smtp
 match protocol smtp
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-app-nonascii
  log
  reset
 class class-default
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  reset
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
  reset
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
  urlfilter SDM_URLFILTER_MAP
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  drop log
 class type inspect sdm-protocol-im
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-dmz-traffic
  inspect
 class class-default
!
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
interface Loopback0
 description $FW_DMZ$
 ip address 2.2.2.2 255.255.255.0
 zone-member security dmz-zone
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 description $FW_OUTSIDE$
 ip address 172.16.0.2 255.255.255.0
 zone-member security out-zone
 duplex half
!
interface Ethernet1/1
 description $FW_INSIDE$
 ip address 192.168.1.200 255.255.255.0
 zone-member security in-zone
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
interface Ethernet2/0
 ip address 10.0.0.2 255.255.255.0
 duplex half
!
interface Ethernet2/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet2/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet2/3
 no ip address
 shutdown
 duplex half
!
router eigrp 100
 redistribute static
 passive-interface Loopback0
 network 2.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip http server
no ip http secure-server
!
!
!
ip access-list extended SDM_EIGRP
 remark SDM_ACL Category=1
 permit eigrp any any
ip access-list extended dmz-traffic
 remark SDM_ACL Category=1
 permit ip any host 2.2.2.100
 permit ip any host 2.2.2.101
 permit ip any host 2.2.2.102
 permit ip any host 2.2.2.103
 permit ip any host 2.2.2.104
 permit ip any host 2.2.2.105
 permit ip any host 2.2.2.106
 permit ip any host 2.2.2.107
 permit ip any host 2.2.2.108
 permit ip any host 2.2.2.109
 permit ip any host 2.2.2.110
!
logging alarm informational
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 2.2.2.0 0.0.0.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
 transport input telnet ssh
!
!
end

R2#
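The generated configuration above is the part a reviewer actually has to read: the zone-pairs decide which directions of traffic get a policy at all (a direction with no zone-pair, or a zone-pair with no service-policy, is dropped by the zone-based firewall), an interface that carries an address but belongs to no zone cannot exchange traffic with any zone member, and the management plane (`ip http server` without `ip http secure-server`, telnet on the vty lines) is visible in the same output. The script below is an added example, not part of the lab write-up or of SDM: it parses a constructed running-config excerpt modelled on the output shown (same zone, zone-pair and interface names) and reports those four checks. The audit rules and the `parse_zbf`/`audit` function names are this example's own assumptions.

```python
"""Audit the zone-based firewall (ZBF) part of a Cisco IOS running-config."""
import re
from itertools import permutations

# Constructed excerpt modelled on the lab's show run output (not the full config).
CONFIG = """\
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 zone-member security dmz-zone
!
interface Ethernet1/0
 ip address 172.16.0.2 255.255.255.0
 zone-member security out-zone
!
interface Ethernet1/1
 ip address 192.168.1.200 255.255.255.0
 zone-member security in-zone
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet2/0
 ip address 10.0.0.2 255.255.255.0
!
ip http server
no ip http secure-server
!
line vty 0 4
 login
 transport input telnet ssh
!
end
"""


def parse_zbf(config):
    """Return (zones, zone-pairs, interfaces, management lines) from IOS config text."""
    zones, pairs, interfaces, mgmt = set(), {}, {}, []
    block = None  # the interface / zone-pair / vty block we are currently inside
    for raw in config.splitlines():
        indented, line = raw.startswith(" "), raw.strip()
        if not line or line == "!":
            block = None
            continue
        if not indented:  # a top-level command starts a new block (or none)
            block = None
            if m := re.match(r"zone security (\S+)$", line):
                zones.add(m.group(1))
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                block = ("pair", (m.group(2), m.group(3)))
                pairs[block[1]] = {"name": m.group(1), "policy": None}
            elif m := re.match(r"interface (\S+)$", line):
                block = ("intf", m.group(1))
                interfaces[m.group(1)] = {"ip": None, "zone": None, "shutdown": False}
            elif line.startswith(("ip http", "no ip http")):
                mgmt.append(line)
            elif line.startswith("line vty"):
                block = ("vty", line)
            continue
        if block is None:
            continue
        kind, key = block
        if kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            pairs[key]["policy"] = m.group(1)
        elif kind == "intf":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[key]["ip"] = m.group(1)
            elif m := re.match(r"zone-member security (\S+)$", line):
                interfaces[key]["zone"] = m.group(1)
            elif line == "shutdown":
                interfaces[key]["shutdown"] = True
        elif kind == "vty" and line.startswith("transport input"):
            mgmt.append(f"{key}: {line}")
    return zones, pairs, interfaces, mgmt


def audit(config):
    """Report zone-pair gaps, unzoned interfaces and plaintext management access."""
    zones, pairs, interfaces, mgmt = parse_zbf(config)
    findings = {"unpaired": [], "no_policy": [], "unzoned": [], "mgmt": []}
    # 1. A direction between two zones with no zone-pair is an implicit drop;
    #    list each so the reviewer confirms the gap is intentional.
    findings["unpaired"] = [p for p in permutations(sorted(zones), 2) if p not in pairs]
    # 2. A zone-pair without a service-policy also drops everything.
    findings["no_policy"] = [i["name"] for i in pairs.values() if i["policy"] is None]
    # 3. An addressed, non-shutdown interface outside every zone cannot talk to
    #    any zone member, which is almost always a configuration mistake.
    findings["unzoned"] = [n for n, i in interfaces.items()
                           if i["ip"] and not i["shutdown"] and i["zone"] is None]
    # 4. Management plane: HTTP enabled without HTTPS, or telnet allowed on vty lines.
    if "ip http server" in mgmt and "ip http secure-server" not in mgmt:
        findings["mgmt"].append("http server enabled without secure-server")
    findings["mgmt"] += [f"telnet permitted on {e.split(':')[0]}"
                         for e in mgmt if e.startswith("line vty") and "telnet" in e]
    return findings


if __name__ == "__main__":
    for check, items in audit(CONFIG).items():
        print(f"{check}: {items}")
```

Run against the constructed excerpt it reports three unpaired directions (dmz-zone to in-zone, dmz-zone to out-zone, out-zone to in-zone), the unzoned Ethernet2/0, and the two management-plane findings; the lab's own show run output contains the same zone-pairs and interface assignments, so the same reading applies to it.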
Step 19: Return to the Firewall and ACL main screen.
