      ACL Access Policy

      Published: 2025/3/20

      R01 is inside; lo0 is the PC client: 11.11.11.1/24

      R03 is outside; lo0 is the Internet server: 22.22.22.1/24

      R07 is the DMZ; lo0 is the DMZ server: 33.33.33.1/24

      R02 simulates the firewall:

      e0/0 is inside: 1.1.1.1/30

      e0/1 is outside: 2.2.2.1/30

      s2/0 is DMZ: 3.3.3.1/30

      Lab objectives:

      1. R01 can telnet to 22.22.22.1 in the DMZ zone;
      2. R03 cannot telnet to R07;
      3. R07 cannot initiate access to R01 or R03;
      4. ICMP is enabled on R07.

      R2-FW# show run
      Building configuration...

      Current configuration : 2012 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname R2-FW
      !
      boot-start-marker
      boot-end-marker
      !
      security passwords min-length 1
      !
      no aaa new-model
      clock timezone CST 8
      mmi polling-interval 60
      no mmi auto-configure
      no mmi pvc
      mmi snmp-timeout 180
      ip source-route
      !
      !
      !
      !
      ip cef
      no ip domain lookup
      no ipv6 traffic interface-statistics
      no ipv6 cef
      !
      multilink bundle-name authenticated
      !
      !
      !
      !
      !
      !
      !
      !
      !
      redundancy
      !
      !
      !
      !
      !
      !
      !
      !
      !
      interface Ethernet0/0
       ip address 1.1.1.1 255.255.255.0
      !
      interface Ethernet0/1
       ip address 3.3.3.1 255.255.255.248
      !
      interface Ethernet0/2
       no ip address
       shutdown
      !
      interface Ethernet0/3
       no ip address
       shutdown
      !
      interface Ethernet1/0
       no ip address
       shutdown
      !
      interface Ethernet1/1
       no ip address
       shutdown
      !
      interface Ethernet1/2
       no ip address
       shutdown
      !
      interface Ethernet1/3
       no ip address
       shutdown
      !
      interface Serial2/0
       ip address 2.2.2.1 255.255.255.0
       ip access-group test out
       serial restart-delay 0
      !
      interface Serial2/1
       no ip address
       shutdown
       serial restart-delay 0
      !
      interface Serial2/2
       no ip address
       shutdown
       serial restart-delay 0
      !
      interface Serial2/3
       no ip address
       shutdown
       serial restart-delay 0
      !
      interface Serial3/0
       no ip address
       shutdown
       serial restart-delay 0
      !
      interface Serial3/1
       no ip address
       shutdown
       serial restart-delay 0
      !
      interface Serial3/2
       no ip address
       shutdown
       serial restart-delay 0
      !
      interface Serial3/3
       no ip address
       shutdown
       serial restart-delay 0
      !
      ip forward-protocol nd
      !
      !
      no ip http server
      no ip http secure-server
      ip route 11.11.11.0 255.255.255.0 1.1.1.2
      ip route 22.22.22.0 255.255.255.0 2.2.2.2
      ip route 33.33.33.0 255.255.255.0 3.3.3.2
      !

      **************************************************************************
      ip access-list extended test
       permit tcp host 1.1.1.2 host 22.22.22.1 eq telnet
       permit icmp any host 22.22.22.1

      // Here 1.1.1.2 is R01's interface address. In practice it can be replaced with the Client's IP address, or with the translated public address provided by the peer.

      **************************************************************************
      !
      !
      !
      !
      !
      !
      !
      control-plane
      !
      !
      line con 0
       exec-timeout 0 0
       password 222
       logging synchronous
       login
      line aux 0
      line vty 0
       password 111
       login
      line vty 1 4
       login
      !
      exception data-corruption buffer truncate
      end

      R2-FW#
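
Added example (not part of the original post): a small Python evaluator for the two entries of the `test` ACL above, applying IOS first-match order and the implicit deny to constructed flows leaving Serial2/0. It handles only the `host`/`any`/`eq` forms this ACL uses; the function names and sample flows are assumptions made for illustration.

```python
import ipaddress

# The two entries of "ip access-list extended test" as shown on the page.
ACL_TEST = """\
permit tcp host 1.1.1.2 host 22.22.22.1 eq telnet
permit icmp any host 22.22.22.1
"""
PORTS = {"telnet": 23}  # only the port keyword this ACL uses

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError("unsupported address form: " + " ".join(tok))

def parse(text):
    """Turn ACL entry lines into (action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        action, proto = tok[0], tok[1]
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"  # every IOS ACL ends with an implicit "deny ip any any"

RULES = parse(ACL_TEST)

if __name__ == "__main__":
    # Constructed sample flows: (protocol, source, destination, dest port)
    for flow in [("tcp", "1.1.1.2", "22.22.22.1", 23),
                 ("tcp", "11.11.11.1", "22.22.22.1", 23),
                 ("icmp", "33.33.33.1", "22.22.22.1", None),
                 ("tcp", "33.33.33.1", "22.22.22.1", 23)]:
        print(flow, "->", evaluate(RULES, *flow))
```

The second flow is denied because the entry matches R01's interface address 1.1.1.2 rather than the client loopback 11.11.11.1, which is why the comment on the ACL says to substitute the address the packets actually carry.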

      Reposted from: https://blog.51cto.com/51you/665536
