ACL扩展IP访问控制列表配置

一、实验目标

  • 理解扩展IP访问控制列表的原理及功能;
  • 掌握编号的扩展IP访问控制列表的配置方法;

二、实验背景

分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门主机只能访问总公司服务器的WWW服务,不能对其使用ICMP服务。

三、技术原理

访问列表中定义的典型规则主要有以下:源地址、目标地址、上层协议、时间区域;

扩展IP访问列表(编号为100~199,2000~2699)使用以上四种组合来进行转发或阻断分组;可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;

扩展IP访问列表的配置包括以下两步:

  • 定义扩展IP访问列表
  • 将扩展IP访问列表应用于特定接口上

四、实验步骤

实验步骤

ACL扩展IP访问控制列表配置_第1张图片

1、分公司出口路由器与外部路由器之间通过V.35电缆串口连接,DCE端连接在R2上,配置其时钟频率64000;主机与路由器通过交叉线连接;

2、配置PC机、服务器及路由器接口IP地址;

3、在各路由器上配置静态路由协议,让PC间能互相ping通,因为只有在互通的前提下才能涉及到访问控制列表;

4、在R2上配置编号的IP扩展访问控制列表;

5、将扩展IP访问列表应用到接口上;

6、验证主机之间的互通性;

R1:

复制代码

Router>en
Router#conf t
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0              //配置端口IP地址
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0               //配置端口IP地址
R1(config-if)#no shut

R1(config-if)#
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2             //配置default route,指向R2的左边接口ip
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route                                       //查看路由表

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.168.2.2
R1#
R1#show run

R2:
Router>en
Router#conf t
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0             //配置端口IP地址
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0                //配置端口IP地址
R2(config-if)#no shut
R2(config-if)#clock rate 64000                               //配置时钟频率
R2(config-if)#
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1         //配置目标网段1.0的静态路由,到R1的
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2         //配置目标网段4.0的静态路由,到R3的
R2(config)#end
R2#

S    192.168.1.0/24 [1/0] via 192.168.2.1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial2/0
S    192.168.4.0/24 [1/0] via 192.168.3.2
R2#
R2#conf t
R2(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R2(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R2(config)#access-list 100 per
R2(config)#access-list 100 permit ?
  eigrp  Cisco's EIGRP routing protocol
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 permit tcp ?                        //web服务使用的是tcp协议
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 permit tcp host ?                               
  A.B.C.D  Source address
R2(config)#access-list 100 permit tcp host 192.168.1.2 ?           //源主机地址
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
  A.B.C.D  Destination address
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ?    //目标主机地址
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ?   //允许俩ip间www访问服务
  dscp         Match packets with given dscp value
  established  established
  precedence   Match packets with given precedence value
  
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www          
R2(config)#
R2(config)#access-list 100 deny ?
  eigrp  Cisco's EIGRP routing protocol
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 deny icmp ?                     //禁止icmp协议,也就是ping使用的协议
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 deny icmp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
  <0-256>               type-num
  echo                  echo
  echo-reply            echo-reply
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable
  
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
  
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo  //禁止俩IP间的icmp就实ping服务
R2(config)#
R2(config)#int s2/0
R2(config-if)#ip ?
R2(config-if)#ip ac
R2(config-if)#ip access-group ?
  <1-199>  IP access list (standard or extended)
  WORD     Access-list name
R2(config-if)#ip access-group 100 ?
  in   inbound packets
  out  outbound packets
R2(config-if)#ip access-group 100 out ?
  
R2(config-if)#ip access-group 100 out      //将控制列表应用于s2/0端口 192.168.1.2到192.168.4.1的出口
R2(config-if)#end
R2#
R2#show run
R2#show running-config 
R2#
R3:

 

Router>en
Router#conf t
Router(config)#hostname R3
R3(config)#int fa0/0
R3(config-if)#ip add 192.168.4.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#int s2/0
R3(config-if)#ip add 192.168.3.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
R3(config-if)#
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1   //配置默认路由到R2的右侧接口的路由
R3(config)#end
R3#
R3#show ip route

C    192.168.3.0/24 is directly connected, Serial2/0
C    192.168.4.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.3.1

R3#show run

PC1:

复制代码

Packet Tracer PC Command Line 1.0
PC>ipconfig

IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1

PC1>ping 192.168.4.2         //添加ACL前ping的通

Pinging 192.168.4.2 with 32 bytes of data:

Request timed out.
Request timed out.
Reply from 192.168.4.2: bytes=32 time=18ms TTL=125     
Reply from 192.168.4.2: bytes=32 time=12ms TTL=125



PC1>ping 192.168.4.2        //添加ACL后ping不通

复制代码

PC1-WEB测试:

但是  ACL前后都可以访问web服务

ACL扩展IP访问控制列表配置_第2张图片https://www.cnblogs.com/mchina/archive/2012/07/22/2603786.html

你可能感兴趣的:(网络)