【实验说明】
配置路由器出站流量检查,动态打开ACL条目
IOS:c7200-adventerprisek9-mz.124-24.T3.bin
【实验拓扑】
【实验配置向导】
- 将上面网络配置为 IP service 实验中的“Standard NAT with Overloading(PAT)”
- 创建检查规则命名为 INSPECT,允许TCP协议
- 创建检查规则命名为 INSPECT ,允许FTP流量通过路由器
- 配置规则允许ICMP 并检查路由器自身产生的TCP与ICMP流量
- 创建 INBOUND 访问控制列表,允许OSPF,并阻止其他流量
- 在路由器的串口的入方向应用访问控制列表 INBOUND
- 应用检查规则到路由器串口的出方向
【实验配置】
--------------------------------实验PAT配置---------------------------------------------------------
--------- ---------------------------------------CBAC 配置----------------------------------------------------------
|
R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
no sh
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
no sh
!
interface serial1/0
en fram
no sh
!
interface Serial1/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
no sh
!
interface Serial1/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
no sh
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0
!
ip access-list standard INSIDE_NETWORK
permit 10.0.0.0 0.0.0.255
!
ip nat inside source list INSIDE_NETWORK interface Loop0 overload
|
R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
no sh
!
interface Serial1/0
encapsulation frame-relay
no sh
!
interface Serial1/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
no sh
!
interface Serial1/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
no sh
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate
|
--------- ---------------------------------------CBAC 配置----------------------------------------------------------
【实验配置】
R4:
ip inspect name INSPECT ftp
ip inspect name INSPECT icmp router-traffic
ip inspect name INSPECT tcp router-traffic
!
ip access-list ext INBOUND
permit ospf any any
deny ip any any log
!
interface Serial 0/1
ip access-group INBOUND in
ip inspect INSPECT out
!
interface Serial 0/0.1
ip access-group INBOUND in
ip inspect INSPECT out
【实验验证】
R4#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name INSPECT
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
telnet alert is on audit-trail is off timeout 3600
router alert is on audit-trail is off timeout 30
R6#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5>
R4#show ip inspect sessions
Established Sessions
Session 650FF88C (10.0.0.6:54327)=>(150.1.5.5:23) tcp SIS_OPEN
Session 650FFB04 (150.1.4.4:40087)=>(150.1.5.5:179) tcp SIS_OPEN
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms
R4#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/992183
