扩展IP访问控制列表配置.docx
《扩展IP访问控制列表配置.docx》由会员分享,可在线阅读,更多相关《扩展IP访问控制列表配置.docx(16页珍藏版)》请在冰豆网上搜索。
扩展IP访问控制列表配置
PacketTracer5.2实验(十三)扩展IP访问控制列表配置
一、实验目标
∙理解扩展IP访问控制列表的原理及功能;
∙掌握编号的扩展IP访问控制列表的配置方法;
二、实验背景
分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门主机只能访问总公司服务器的WWW服务,不能对其使用ICMP服务。
三、技术原理
访问列表中定义的典型规则主要有以下:
源地址、目标地址、上层协议、时间区域;
扩展IP访问列表(编号为100~199,2000~2699)使用以上四种组合来进行转发或阻断分组;可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;
扩展IP访问列表的配置包括以下两步:
∙定义扩展IP访问列表
∙将扩展IP访问列表应用于特定接口上
四、实验步骤
实验步骤
1、分公司出口路由器与外部路由器之间通过V.35电缆串口连接,DCE端连接在R2上,配置其时钟频率64000;主机与路由器通过交叉线连接;
2、配置PC机、服务器及路由器接口IP地址;
3、在各路由器上配置静态路由协议,让PC间能互相ping通,因为只有在互通的前提下才能涉及到访问控制列表;
4、在R2上配置编号的IP扩展访问控制列表;
5、将扩展IP访问列表应用到接口上;
6、验证主机之间的互通性;
R1:
Router>en
Router#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
Router(config)#hostnameR1
R1(config)#intfa0/0
R1(config-if)#ipadd192.168.1.1255.255.255.0//配置端口IP地址
R1(config-if)#noshut
%LINK-5-CHANGED:
InterfaceFastEthernet0/0,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceFastEthernet0/0,changedstatetoup
R1(config-if)#exit
R1(config)#intfa0/1
R1(config-if)#ipadd192.168.2.1255.255.255.0//配置端口IP地址
R1(config-if)#noshut
R1(config-if)#
%LINK-5-CHANGED:
InterfaceFastEthernet0/1,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceFastEthernet0/1,changedstatetoup
R1(config-if)#exit
R1(config)#iproute0.0.0.00.0.0.0192.168.2.2//配置defaultroute
R1(config)#end
R1#
%SYS-5-CONFIG_I:
Configuredfromconsolebyconsole
R1#showiproute//查看路由表
Codes:
C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGP
D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea
N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2
E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGP
i-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea
*-candidatedefault,U-per-userstaticroute,o-ODR
P-periodicdownloadedstaticroute
Gatewayoflastresortis192.168.2.2tonetwork0.0.0.0
C192.168.1.0/24isdirectlyconnected,FastEthernet0/0
C192.168.2.0/24isdirectlyconnected,FastEthernet0/1
S*0.0.0.0/0[1/0]via192.168.2.2
R1#
R1#showrun
Buildingconfiguration...
Currentconfiguration:
510bytes
!
version12.4
noservicetimestampslogdatetimemsec
noservicetimestampsdebugdatetimemsec
noservicepassword-encryption
!
hostnameR1
!
...
!
interfaceFastEthernet0/0
ipaddress192.168.1.1255.255.255.0
duplexauto
speedauto
!
interfaceFastEthernet0/1
ipaddress192.168.2.1255.255.255.0
duplexauto
speedauto
!
interfaceVlan1
noipaddress
shutdown
!
ipclassless
iproute0.0.0.00.0.0.0192.168.2.2
!
...
!
linecon0
linevty04
login
!
!
!
end
R1#
R2:
Router>en
Router#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
Router(config)#hostnameR2
R2(config)#intfa0/0
R2(config-if)#ipadd192.168.2.2255.255.255.0//配置端口IP地址
R2(config-if)#noshut
%LINK-5-CHANGED:
InterfaceFastEthernet0/0,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceFastEthernet0/0,changedstatetoup
R2(config-if)#exit
R2(config)#ints2/0
R2(config-if)#ipadd192.168.3.1255.255.255.0//配置端口IP地址
R2(config-if)#noshut
%LINK-5-CHANGED:
InterfaceSerial2/0,changedstatetodown
R2(config-if)#clockrate64000//配置时钟频率
R2(config-if)#
%LINK-5-CHANGED:
InterfaceSerial2/0,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceSerial2/0,changedstatetoup
R2(config-if)#exit
R2(config)#iproute192.168.1.0255.255.255.0192.168.2.1//配置目标网段1.0的静态路由
R2(config)#iproute192.168.4.0255.255.255.0192.168.3.2//配置目标网段4.0的静态路由
R2(config)#end
R2#
%SYS-5-CONFIG_I:
Configuredfromconsolebyconsole
R2#showiproute
Codes:
C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGP
D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea
N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2
E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGP
i-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea
*-candidatedefault,U-per-userstaticroute,o-ODR
P-periodicdownloadedstaticroute
Gatewayoflastresortisnotset
S192.168.1.0/24[1/0]via192.168.2.1
C192.168.2.0/24isdirectlyconnected,FastEthernet0/0
C192.168.3.0/24isdirectlyconnected,Serial2/0
S192.168.4.0/24[1/0]via192.168.3.2
R2#
R2#conft
Enterconfigurationcommands,oneperline. EndwithCNTL/Z.
R2(config)#ac
R2(config)#access-list?
<1-99> IPstandardaccesslist
<100-199> IPextendedaccesslist
R2(config)#access-list100?
deny Specifypacketstoreject
permit Specifypacketstoforward
remark Accesslistentrycomment
R2(config)#access-list100per
R2(config)#access-list100permit?
eigrp Cisco'sEIGRProutingprotocol
gre Cisco'sGREtunneling
icmp InternetControlMessageProtocol
ip AnyInternetProtocol
ospf OSPFroutingprotocol
tcp TransmissionControlProtocol
udp UserDatagramProtocol
R2(config)#access-list100permittcp?
//web服务使用的是tcp协议
A.B.C.D Sourceaddress
any Anysourcehost
host Asinglesourcehost
R2(config)#access-list100permittcphost?
A.B.C.D Sourceaddress
R2(config)#access-list100permittcphost192.168.1.2?
//源主机地址
A.B.C.D Destinationaddress
any Anydestinationhost
eq Matchonlypacketsonagivenportnumber
gt Matchonlypacketswithagreaterportnumber
host Asingledestinationhost
lt Matchonlypacketswithalowerportnumber
neq Matchonlypacketsnotonagivenportnumber
range Matchonlypacketsintherangeofportnumbers
R2(config)#access-list100permittcphost192.168.1.2host?
A.B.C.D Destinationaddress
R2(config)#access-list100permittcphost192.168.1.2host192.168.4.2?
//目标主机地址
dscp Matchpacketswithgivendscpvalue
eq Matchonlypacketsonagivenportnumber
established established
gt Matchonlypacketswithagreaterportnumber
lt Matchonlypacketswithalowerportnumber
neq Matchonlypacketsnotonagivenportnumber
precedence Matchpacketswithgivenprecedencevalue
range Matchonlypacketsintherangeofportnumbers
R2(config)#access-list100permittcphost192.168.1.2host192.168.4.2eq?
<0-65535> Portnumber
ftp FileTransferProtocol(21)
pop3 PostOfficeProtocolv3(110)
smtp SimpleMailTransportProtocol(25)
telnet Telnet(23)
www WorldWideWeb(HTTP,80)
R2(config)#access-list100permittcphost192.168.1.2host192.168.4.2eqwww?
//www服务
dscp Matchpacketswithgivendscpvalue
established established
precedence Matchpacketswithgivenprecedencevalue
R2(config)#access-list100permittcphost192.168.1.2host192.168.4.2eqwww
R2(config)#
R2(config)#access-list100deny?
eigrp Cisco'sEIGRProutingprotocol
gre Cisco'sGREtunneling
icmp InternetControlMessageProtocol
ip AnyInternetProtocol
ospf OSPFroutingprotocol
tcp TransmissionControlProtocol
udp UserDatagramProtocol
R2(config)#access-list100denyicmp?
//禁止icmp协议,也就是ping使用的协议
A.B.C.D Sourceaddress
any Anysourcehost
host Asinglesourcehost
R2(config)#access-list100denyicmphost?
A.B.C.D Sourceaddress
R2(config)#access-list100denyicmphost192.168.1.2?
A.B.C.D Destinationaddress
any Anydestinationhost
host Asingledestinationhost
R2(config)#access-list100denyicmphost192.168.1.2host192.168.4.2?
<0-256> type-num
echo echo
echo-reply echo-reply
host-unreachable host-unreachable
net-unreachable net-unreachable
port-unreachable port-unreachable
protocol-unreachable protocol-unreachable
ttl-exceeded ttl-exceeded
unreachable unreachable
R2(config)#access-list100denyicmphost192.168.1.2host192.168.4.2echo?
R2(config)#access-list100denyicmphost192.168.1.2host192.168.4.2echo
R2(config)#
R2(config)#ints2/0
R2(config-if)#?
bandwidth Setbandwidthinformationalparameter
cdp CDPinterfacesubcommands
clock Configureserialinterfaceclock
crypto Encryption/Decryptioncommands
custom-queue-list Assignacustomqueuelisttoaninterface
delay Specifyinterfacethroughputdelay
description Interfacespecificdescription
encapsulation Setencapsulationtypeforaninterface
exit Exitfrominterfaceconfigurationmode
fair-queue EnableFairQueuingonanInterface
frame-relay Setframerelayparameters
hold-queue Setholdqueuedepth
ip InterfaceInternetProtocolconfigcommands
keepalive Enablekeepalive
mtu SettheinterfaceMaximumTransmissionUnit(MTU)
no Negateacommandorsetitsdefaults
ppp Point-to-PointProtocol
priority-group Assignaprioritygrouptoaninterface
service-policy ConfigureQoSServicePolicy
shutdown Shutdowntheselectedinterface
tx-ring-limit ConfigurePAleveltransmitringlimit
zone-member Applyzonename
R2(config-if)#ip?
access-group Specifyaccesscontrolforpackets
address SettheIPaddressofaninterface
hello-interval ConfiguresIP-EIGRPhellointerval
helper-address SpecifyadestinationaddressforUDPbroadcasts
inspect Applyinspectname
ips CreateIPSrule
mtu SetIPMaximumTransmissionUnit
nat NATinterfacecommands
o
升级会员 