Traffic Filtering with Access Lists

Introduction:

【Lab Description】

Configure an access control list that permits FTP and WWW sessions to the specified servers without blocking the traffic the network itself needs, such as routing protocol traffic.

【Lab Topology】

(topology diagram omitted)

【Lab Configuration Steps】

  • Configure the routers as in "Configuring Static NAT"
  • 10.0.0.1 is statically mapped to 150.1.4.1, and 10.0.0.6 is statically mapped to 150.1.4.6
  • In this lab 10.0.0.1 and 10.0.0.6 act as the FTP and WWW servers; permit traffic to the FTP and WWW servers
  • In addition, permit OSPF, BGP, ping and traceroute traffic in both directions
  • Ping uses the ICMP message types "echo" and "echo-reply"
  • Traceroute uses UDP ports 33434 – 33464 by default and relies on the ICMP "time-exceeded" and "port-unreachable" messages to determine whether the path works
  • BGP uses TCP port 179; OSPF is IP protocol number 89
  • Active-mode FTP: the server uses TCP port 21 for the command channel and TCP port 20 for the data channel (server to client)
  • Passive-mode FTP: the client opens the data connection to a server port in the range 1024 – 65535 (client to server)
  • On R4, create an extended access control list named OUTSIDE that permits the connections listed above
  • Add "deny ip any any log" at the end of the access list so that every denied packet is logged
  • Apply the access list inbound on both serial interfaces

【Lab Configuration】
----------------------------------------Static NAT configuration----------------------------------------

R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

 
R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
!
interface Serial0/0
encapsulation frame-relay
no shutdown
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0

 
ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6

R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial0/0
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate

--------------------------------------------Access control list configuration------------------------------------------------
R4:
ip access-list extended FILTER
remark FTP control (21) and active-mode data (20) to the two servers
permit tcp any host 150.1.4.1 range 20 21
permit tcp any host 150.1.4.6 range 20 21
remark WWW
permit tcp any host 150.1.4.1 eq 80
permit tcp any host 150.1.4.6 eq 80
remark BGP: sessions R5 opens, and replies (source port 179) to sessions R4 opens
permit tcp host 150.1.5.5 host 150.1.4.4 eq 179
permit tcp host 150.1.5.5 eq 179 host 150.1.4.4
remark traceroute probes
permit udp any any range 33434 33464
remark ping
permit icmp any any echo
permit icmp any any echo-reply
remark passive-mode FTP data connections
permit tcp any host 150.1.4.1 range 1024 65535
permit tcp any host 150.1.4.6 range 1024 65535
remark OSPF (IP protocol 89)
permit ospf any any
remark ICMP replies that traceroute depends on
permit icmp any any time-exceeded
permit icmp any any port-unreachable
deny ip any any log

 
interface s0/1
ip access-group FILTER in
interface s0/0.1
ip access-group FILTER in

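As an added example that is not part of the original lab, the following Python script parses R4's extended ACL (with the BGP return-traffic entry written against source port 179 and the entries for 150.1.4.6, which mirror those for 150.1.4.1, left out for brevity) and evaluates constructed packets the way IOS does: first match wins, and anything that reaches the end is denied.

```python
# Added example (not from the original lab): a first-match evaluator for the IOS-style
# extended ACL on R4 (any/host addresses, eq/range ports, optional ICMP type, implicit deny).
ACL_TEXT = """
permit tcp any host 150.1.4.1 range 20 21
permit tcp any host 150.1.4.1 eq 80
permit tcp host 150.1.5.5 host 150.1.4.4 eq 179
permit tcp host 150.1.5.5 eq 179 host 150.1.4.4
permit udp any any range 33434 33464
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any host 150.1.4.1 range 1024 65535
permit ospf any any
permit icmp any any time-exceeded
permit icmp any any port-unreachable
deny ip any any log
"""

def _addr(tokens):
    """Consume 'any' or 'host X' plus an optional eq/range port qualifier."""
    addr = None if tokens.pop(0) == "any" else tokens.pop(0)
    ports = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0); p = int(tokens.pop(0)); ports = (p, p)
    elif tokens and tokens[0] == "range":
        tokens.pop(0); ports = (int(tokens.pop(0)), int(tokens.pop(0)))
    return addr, ports

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, sports = _addr(rest)
        dst, dports = _addr(rest)
        rules.append((action, proto, src, sports, dst, dports,
                      rest[0] if rest and rest[0] != "log" else None))  # ICMP type
    return rules

def _in_range(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate(rules, pkt):
    """Return 'permit'/'deny' for a packet dict (proto, src, dst, sport, dport, icmp_type)."""
    for action, proto, src, sp, dst, dp, itype in rules:
        if (proto in ("ip", pkt["proto"]) and src in (None, pkt["src"]) and dst in (None, pkt["dst"])
                and _in_range(sp, pkt.get("sport")) and _in_range(dp, pkt.get("dport"))
                and itype in (None, pkt.get("icmp_type"))):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

RULES = parse_acl(ACL_TEXT)
```

For instance, a constructed BGP reply from R5 (proto="tcp", src="150.1.5.5", dst="150.1.4.4", sport=179, dport=40001) evaluates to "permit", while a telnet packet to 150.1.4.1 port 23 falls through to the final deny.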
【Lab Verification】

From the lab output below we can see the following:

R5#ping 150.1.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/42/112 ms

R5#traceroute 150.1.4.1

Type escape sequence to abort.
Tracing the route to 150.1.4.1

1 155.1.45.4 36 msec
155.1.0.4 20 msec *

R5#telnet 150.1.4.1    (blocked)
Trying 150.1.4.1 ...
% Destination unreachable; gateway or host down

R1#copy running-config flash:test.txt
Destination filename [test.txt]?
Erase flash: before copying? [confirm] n
Verifying checksum... OK (0xC5CD)
910 bytes copied in 6.647 secs (137 bytes/sec)
R1(config)#ip http server
R1(config)#ftp-server enable
R1(config)#ftp-server topdir flash:

R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#no ip ftp passive
R5#copy ftp://150.1.4.1/test.txt null:
Accessing ftp://150.1.4.1/test.txt...
Loading test.txt !
[OK - 910/4096 bytes]
910 bytes copied in 2.560 secs (355 bytes/sec)



This article is reposted from zcm8483's 51CTO blog; original link: http://blog.51cto.com/haolun/992200