防火墙ACL

 防火墙ACL

 

 

 

靠近源地址的设置扩展ACL

靠近目的地址的设置标准ACL

 

标准ACL配置步骤：

1，创建ACL

命令access-list access-list-number {permit|deny} source [mask]

2，将ACL绑定到指定接口

命令为在接口模式下 ip access-group access-list-number {in|out}

 

扩展ACL的配置步骤：

1，命令：

Router（config）#access-list access-list-number {permit|deny} 

 

protocol source source-wildcard [operator port] destination 

 

destination-wildcard [operator port ] [established] [log]

 

2，然后接口模式下启用扩展ACL即可

命令：ip access-group access-list-number {in|out}

 

 

查看接口ACL配置

 

sh ip int e0

 

查看ACL测试语句

 

sh access-lists

 

 

 

 

 

 

 

实验1:

 

 

PC1--------------R1-------------------R2---------------PC2

202.2------202.1-203.1---------203.2--201.1---------201.2

 

 

 

 

 

对于R1:

 

 

en

conf t

hostname R1

 

int s1/0

ip addr 61.1.1.1 255.255.255.0

no shut

int f0/0

ip addr 202.0.0.1 255.255.255.0

no shut

exi

 

router rip

version 2

net 61.1.1.0

net 202.0.0.0

end

 

 

对于R2：

 

 

en

conf t

hostname R2

 

int s1/0

ip addr 61.1.1.2 255.255.255.0

no shut

int f0/0

ip addr 201.0.0.1 255.255.255.0

no shut

exi

 

router rip

version 2

net 61.1.1.0

net 201.0.0.0

end

 

 

 

 

扩展访问控制列表对于R1：

 

en

conf t

access-list 101 permit tcp host 201.0.0.2 host 202.0.0.2 eq 53

access-list 101 permit udp host 201.0.02 host 202.0.0.2 eq 53

access-list 101 permit tcp host 201.0.02 host 202.0.0.2 eq 80

 

int s1/0

ip access-group 101 in

 

命名访问控制列表对于R1：

 

 

en

conf t

ip access-list extended lan2wan 

permit tcp host 202.0.0.2 eq 53  80  21 25 host 201.0.0.2

permit udp host 202.0.0.2 eq 53 host 201.0.0.2

end

 

sh ip access-lists

 

conf t

int s1/0

ip access-group lan2wan out

end

 

sh ip int s1/0