您的位置:360文档中心› 基于Cisco的动态ACL、自反ACL配置

基于Cisco的动态ACL、自反ACL配置

基于Cisco的动态ACL、自反ACL配置
基于Cisco的动态ACL、自反ACL配置

动态ACL---lock and key

主机C1关联到物理机的回环网卡。其他网卡禁用,避免ping外网时IP地址或网关相互冲突!

步骤:

1.设置连通性:在R2上配置缺省路由,检查全网连通性,C1能ping通R1、R2;

2.在R1上配置动态ACL:

username xu secret xupa55

access-list 101 permit tcp any host 192.168.1.1 eq telnet

access-list 101 dynamic testlist timeout 15 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 line vty 0 4

login local

autocommand access-enable host timeout 5

3.验证配置结果

C1在telnet到R1之前,C1不能ping通R1、R2;

在C1在telnet到R1,通过验证后,telnet连接断开,ACL自动添加一条新的规则。

此时,再次尝试C1应该能ping通R1、R2;(证明通过验证后能访问内网了。)反复对比R1#show access-lists 101这条命令的执行结果,查看变化。

R1#show access-lists 101

Extended IP access list 101

10 permit tcp any host 192.168.1.1 eq telnet (93 matches)

20 Dynamic testlist permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 192.168.1.200 0.0.0.255 10.0.0.0 0.0.0.255

自反ACL

主机C1关联到物理机的回环网卡。其他网卡禁用,避免ping外网时IP地址或网关相互冲突!

步骤:

1.设置连通性:在R2上配置缺省路由,检查全网连通性,C1能ping通R1、R2;

2.在R2上配置web服务:

username xua privilege 15 secret xuapa55

ip http server

ip http authentication local

3.在R1上配置自反ACL:

interface FastEthernet0/1

ip address 10.0.0.2 255.255.255.0

ip access-group external_ACL in

ip access-group internal_ACL out

!

ip access-list extended external_ACL

evaluate web-only-reflect-ACL

deny ip any any

ip access-list extended internal_ACL

permit tcp any any eq www reflect web-only-reflect-ACL

deny ip any any

4.验证结果(内部主机ping不通外部web服务器,但是可以用浏览器发起访问;外部ping不通内部,不允许外部发起的访问)

R1#sh access-lists internal_ACL

Extended IP access list internal_ACL

10 permit tcp any any eq www reflect web-only-reflect-ACL

20 deny ip any any (3 matches)

R1#sh access-lists external_ACL

Extended IP access list external_ACL

10 evaluate web-only-reflect-ACL

20 deny ip any any

R1#sh access-lists internal_ACL

Extended IP access list internal_ACL

10 permit tcp any any eq www reflect web-only-reflect-ACL

20 deny ip any any (6 matches)

R1#sh access-lists external_ACL

Extended IP access list external_ACL

10 evaluate web-only-reflect-ACL

20 deny ip any any

R1#sh access-lists external_ACL

Extended IP access list external_ACL

10 evaluate web-only-reflect-ACL

20 deny ip any any (12 matches)

R1#sh access-lists internal_ACL

Extended IP access list internal_ACL

10 permit tcp any any eq www reflect web-only-reflect-ACL (41 matches)

20 deny ip any any (6 matches)

R1#sh access-lists external_ACL

Extended IP access list external_ACL

10 evaluate web-only-reflect-ACL

20 deny ip any any (12 matches)

相关主题
相关文档
最新文档