Tweet
Mục đích
Cấu hình router sử dụng ACL tạo ra các ACL entries để trả về traffic một cách tự động.
Mô hình
Hướng dẫn
Cấu hình tham khảo
Bước 1: Cấu hình cơ bản: địa chỉ IP, định tuyến OSPF, NAT PAT
Router R4
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Bước 2: Cấu hình access-list INBOUND và OUTBOUND trên router R4
ip access-list extended INBOUND
evaluate MIRROR
permit ospf any any
deny ip any any log
!
ip access-list extended OUTBOUND
permit tcp any any eq telnet reflect MIRROR
permit tcp any any eq www reflect MIRROR
permit icmp any any echo reflect MIRROR
Apply access-list OUTBOUND (hướng out) và INBOUND (hướng in) trên interface Fa0/0 của R4.
interface FastEthernet0/0
ip access-group INBOUND in
ip access-group OUTBOUND out
Bước 3: Kiểm tra
R1#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5>
R4#show ip access MIRROR
Reflexive IP access list MIRROR
permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 43992 (33 matches)
(time left 295)
R1#ping 150.1.5.5 size 1500 repeat 10
Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.!!!
R4#show ip acce MIRROR
Reflexive IP access list MIRROR
permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299)
permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 43992 (33 matches)
(time left 252)
R4#telnet 150.1.5.5
Trying 150.1.5.5 ...
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 150.1.5.5(23) ->
155.1.45.4(21042), 1 packet
% Connection timed out; remote host not responding
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
%SEC-6-IPACCESSLOGP: list INBOUND denied icmp host 150.1.5.5-> host
155.1.45.4(21042), 1 packet
Chú ý:
Ban dầu khi chưa có reflexive access-list permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299) thì dù ta có dùng extended ping (dùng source là 150.1.4.4) để ping 150.1.5.5 cũng không được.
Sau khi đã có reflexive access-list permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299) thì mới ping được.
R4#ping
Protocol [ip]:
Target IP address: 150.1.5.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 150.1.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#sh ip acce
R4#sh ip access-lists MIRROR
Reflexive IP access list MIRROR
permit icmp host 150.1.5.5 host 150.1.4.4 (49 matches) (time left 280)
Cấu hình router sử dụng ACL tạo ra các ACL entries để trả về traffic một cách tự động.
Mô hình
Hướng dẫn- Nhiệm vụ là cho phép các host bên trong có thể truy cập các nguồn tài nguyên bên ngoài thông qua TELNET và HTTP. Thêm vào đó, PING cũng được chó phép.
- Cấu hình router R4 sử dụng ‘Standard NAT with Overloading (PAT)’.
- Tạo access-list OUTBOUND và cho phép các kết nối TCP hướng ra đến các port 80 và 23. Các kết nối này sẽ được ‘phản xạ’ (hướng trả về) trong access-list MIRROR.
- Ngoài ra, cho phép ICMP echo hướng ra và ‘phản xạ’ nó trong access-list MIRROR.
- Tạo access-list INBOUND. Ước lượng (Evaluate) access-list MIRROR và cho phép thêm OSPF traffic. Từ chối và log tất cả các traffic khác.
- Apply access-list OUTBOUND (hướng out) và INBOUND (hướng in) trên interface Fa0/0 của R4.
- Chú ý rằng, các traffic của router (bắt nguồn từ router) thì mặc định không bị kiểm tra bởi reflexive access-list.
Cấu hình tham khảo
Bước 1: Cấu hình cơ bản: địa chỉ IP, định tuyến OSPF, NAT PAT
Router R4
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Bước 2: Cấu hình access-list INBOUND và OUTBOUND trên router R4
ip access-list extended INBOUND
evaluate MIRROR
permit ospf any any
deny ip any any log
!
ip access-list extended OUTBOUND
permit tcp any any eq telnet reflect MIRROR
permit tcp any any eq www reflect MIRROR
permit icmp any any echo reflect MIRROR
Apply access-list OUTBOUND (hướng out) và INBOUND (hướng in) trên interface Fa0/0 của R4.
interface FastEthernet0/0
ip access-group INBOUND in
ip access-group OUTBOUND out
Bước 3: Kiểm tra
R1#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5>
R4#show ip access MIRROR
Reflexive IP access list MIRROR
permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 43992 (33 matches)
(time left 295)
R1#ping 150.1.5.5 size 1500 repeat 10
Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.!!!
R4#show ip acce MIRROR
Reflexive IP access list MIRROR
permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299)
permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 43992 (33 matches)
(time left 252)
R4#telnet 150.1.5.5
Trying 150.1.5.5 ...
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 150.1.5.5(23) ->
155.1.45.4(21042), 1 packet
% Connection timed out; remote host not responding
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
%SEC-6-IPACCESSLOGP: list INBOUND denied icmp host 150.1.5.5-> host
155.1.45.4(21042), 1 packet
Chú ý:
Ban dầu khi chưa có reflexive access-list permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299) thì dù ta có dùng extended ping (dùng source là 150.1.4.4) để ping 150.1.5.5 cũng không được.
Sau khi đã có reflexive access-list permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299) thì mới ping được.
R4#ping
Protocol [ip]:
Target IP address: 150.1.5.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 150.1.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#sh ip acce
R4#sh ip access-lists MIRROR
Reflexive IP access list MIRROR
permit icmp host 150.1.5.5 host 150.1.4.4 (49 matches) (time left 280)