【实验说明】
配置路由器预防IP地址欺骗
【实验拓扑】
IOS:c2691-advsecurityk9-mz.124-11.T2.bin
【实验配置步骤】
- 在网关的outside过滤RFC1918、RFC3300 网络
- 在网关的入方向过滤RFC2627网络
- 也就是说,在内部只能是出现我们的网络,在外部不能出现源地址为我们的网络
- 过滤icmp重定向信息,禁用 IP source routing
- 不要在内网口上阻止source address 0.0.0.0 ,因为 DHCP 经常使用它来发送请求
- 配置网络为 “Standard NAT Configuration”.
- 创建 extended access-list OUTSIDE_IN
o Filter out ICMP redirects and packets sourced from host 0.0.0.0
o Filter out RFC 1918 networks
o Filter out RFC 3330 networks
o As per RFC 2627 deny packets sourced from “our” network 150.1.4.0/24
- 创建 extended access-list INSIDE_IN
o Filter out ICMP redirects
o Permit UDP packets from 0.0.0.0/32 to 10.0.0.4 (R4’s address) port BOOTPs.
o Permit network 10.0.0.0/24 as per RFC2627
o Block and log everything else.
- 应用access-list INSIDE_IN 到网关的内网口的入方向
- 应用access-list OUTSIDE_IN到网关的外网口的入方向
【实验配置】
R4:
no ip source-route
!
ip access-list extended OUTSIDE_IN
!
remark == Redirects may be used for spoofing
deny icmp any any redirect
!
remark == RFC 1918
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
!
remark == RFC 3330
deny ip host 0.0.0.0 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
!
remark == RFC 2627
deny ip 150.1.4.0 0.0.0.255 any
!
permit ip any any
!
ip access-list extended INSIDE_IN
deny icmp any any redirect
permit ip 10.0.0.0 0.0.0.255 any
permit udp host 0.0.0.0 host 10.0.0.4 eq bootps
deny ip any any log
interface Fastethernet 0/0
ip access-group INSIDE_IN in
!
interface Serial 0/1
ip access-group OUTSIDE_IN in
!
interface Serial 0/0.1
ip access-group OUTSIDE_IN in
【
Configuring Static NAT配置
】
|
R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
!
interface Serial0/0
en fram
no sh
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0
ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6
|
R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial0/0
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate
|
【实验验证】
R4#sho ip access-lists
Standard IP access list INSIDE_NETWORK
10 permit 10.0.0.0, wildcard bits 0.0.0.255
Extended IP access list INSIDE_IN
10 deny icmp any any redirect
20 permit ip 10.0.0.0 0.0.0.255 any
30 permit udp host 0.0.0.0 host 10.0.0.4 eq bootps
40 deny ip any any log
Extended IP access list OUTSIDE_IN
10 deny icmp any any redirect
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 192.168.0.0 0.0.255.255 any
50 deny ip host 0.0.0.0 any
60 deny ip 224.0.0.0 31.255.255.255 any
70 deny ip 127.0.0.0 0.255.255.255 any
80 deny ip 169.254.0.0 0.0.255.255 any
90 deny ip 192.0.2.0 0.0.0.255 any
100 deny ip 150.1.4.0 0.0.0.255 any
110 permit ip any any (26 matches)
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/991678
