Packet Tracer 5.2 Lab (13): Extended IP Access Control List Configuration
I. Lab Objectives
- Understand the principle and function of extended IP access control lists;
- Master the configuration of numbered extended IP access control lists;
II. Lab Background
The branch office and the headquarters are on different network segments and exchange traffic through routers. For security, branch management requires that departmental hosts be able to reach only the WWW service on the headquarters server and must not be able to use ICMP against it.
III. Technical Principles
The typical rule elements defined in an access list are: source address, destination address, upper-layer protocol, and time range;
Extended IP access lists (numbered 100-199 and 2000-2699) use combinations of these four to forward or block packets; rules can be defined on a packet's source IP, destination IP, source port, destination port, and protocol to filter traffic;
Configuring an extended IP access list takes two steps:
- Define the extended IP access list
- Apply the extended IP access list to a specific interface
IV. Lab Steps
1. The branch office's edge router and the external router are connected through a V.35 serial cable, with the DCE end on R2 configured with a clock rate of 64000; hosts connect to routers with crossover cables;
2. Configure IP addresses on the PC, the server, and the router interfaces;
3. Configure static routes on each router so that the PCs can ping each other, since an access control list can only be tested once connectivity exists;
4. Configure a numbered extended IP access control list on R2;
5. Apply the extended IP access list to an interface;
6. Verify connectivity between the hosts;
R1:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0   //configure the interface IP address
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0   //configure the interface IP address
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2   //configure the default route
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route   //display the routing table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.168.2.2
R1#
R1#show run
Building configuration...

Current configuration : 510 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
...
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
...
!
line con 0
line vty 0 4
 login
!
!
!
end

R1#
R2:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0   //configure the interface IP address
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0   //configure the interface IP address
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#clock rate 64000   //configure the clock rate
R2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1   //static route to destination network 1.0
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2   //static route to destination network 4.0
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.1.0/24 [1/0] via 192.168.2.1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial2/0
S    192.168.4.0/24 [1/0] via 192.168.3.2
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ac
R2(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R2(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R2(config)#access-list 100 per
R2(config)#access-list 100 permit ?
  eigrp  Cisco's EIGRP routing protocol
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 permit tcp ?   //the web service uses TCP
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 permit tcp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 permit tcp host 192.168.1.2 ?   //source host address
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
  A.B.C.D  Destination address
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ?   //destination host address
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  <cr>
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ?   //the www service
  dscp         Match packets with given dscp value
  established  established
  precedence   Match packets with given precedence value
  <cr>
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
R2(config)#
R2(config)#access-list 100 deny ?
  eigrp  Cisco's EIGRP routing protocol
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 deny icmp ?   //deny the ICMP protocol, i.e. the protocol used by ping
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 deny icmp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
  <0-256>               type-num
  echo                  echo
  echo-reply            echo-reply
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable
  <cr>
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
  <cr>
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
R2(config)#
R2(config)#int s2/0
R2(config-if)#?
  bandwidth          Set bandwidth informational parameter
  cdp                CDP interface subcommands
  clock              Configure serial interface clock
  crypto             Encryption/Decryption commands
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  description        Interface specific description
  encapsulation      Set encapsulation type for an interface
  exit               Exit from interface configuration mode
  fair-queue         Enable Fair Queuing on an Interface
  frame-relay        Set frame relay parameters
  hold-queue         Set hold queue depth
  ip                 Interface Internet Protocol config commands
  keepalive          Enable keepalive
  mtu                Set the interface Maximum Transmission Unit (MTU)
  no                 Negate a command or set its defaults
  ppp                Point-to-Point Protocol
  priority-group     Assign a priority group to an interface
  service-policy     Configure QoS Service Policy
  shutdown           Shutdown the selected interface
  tx-ring-limit      Configure PA level transmit ring limit
  zone-member        Apply zone name
R2(config-if)#ip ?
  access-group        Specify access control for packets
  address             Set the IP address of an interface
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  inspect             Apply inspect name
  ips                 Create IPS rule
  mtu                 Set IP Maximum Transmission Unit
  nat                 NAT interface commands
  ospf                OSPF interface commands
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  virtual-reassembly  Virtual Reassembly
R2(config-if)#ip ac
R2(config-if)#ip access-group ?
  <1-199>  IP access list (standard or extended)
  WORD     Access-list name
R2(config-if)#ip access-group 100 ?
  in   inbound packets
  out  outbound packets
R2(config-if)#ip access-group 100 out ?
  <cr>
R2(config-if)#ip access-group 100 out   //apply the access list to interface s2/0
R2(config-if)#
R2(config-if)#
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show run
R2#show running-config
Building configuration...

Current configuration : 901 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
...
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial2/0
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 out
 clock rate 64000
!
interface Serial3/0
 no ip address
 shutdown
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 no ip address
 shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 192.168.3.2
!
!
access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
!
...
!
line con 0
line vty 0 4
 login
!
!
!
end

R2#
R3:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R3
R3(config)#int fa0/0
R3(config-if)#ip add 192.168.4.1 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#int s2/0
R3(config-if)#ip add 192.168.3.2 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R3(config-if)#
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1
R3(config)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

C    192.168.3.0/24 is directly connected, Serial2/0
C    192.168.4.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.3.1
R3#
R3#
R3#show run
Building configuration...

Current configuration : 667 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
...
!
interface FastEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial2/0
 ip address 192.168.3.2 255.255.255.0
!
interface Serial3/0
 no ip address
 shutdown
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
...
!
line con 0
line vty 0 4
 login
!
!
!
end

R3#
PC1:
Packet Tracer PC Command Line 1.0
PC>ipconfig

IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1

PC>ping 192.168.4.2

Pinging 192.168.4.2 with 32 bytes of data:

Request timed out.
Request timed out.
Reply from 192.168.4.2: bytes=32 time=18ms TTL=125   //before the ACL
Reply from 192.168.4.2: bytes=32 time=12ms TTL=125

Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 18ms, Average = 15ms

PC>ping 192.168.4.2

Pinging 192.168.4.2 with 32 bytes of data:

Reply from 192.168.2.2: Destination host unreachable.   //after the ACL
Reply from 192.168.2.2: Destination host unreachable.
Reply from 192.168.2.2: Destination host unreachable.
Reply from 192.168.2.2: Destination host unreachable.

Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>
PC1 web test:
The web service on the server is reachable both before and after the ACL is applied.
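As an added illustration that is not part of the original lab, the following Python model evaluates the two entries of access-list 100 with the first-match semantics and the implicit deny that IOS applies at the end of every list; the sample packets are constructed. It shows why the HTTP test succeeds while the ping fails, and also what the lab's verification does not exercise: the explicit ICMP deny line is redundant, and every other flow leaving s2/0 (other protocols from PC1, any traffic from other hosts) is dropped by the implicit deny.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional
# Packet fields: proto is "tcp"/"udp"/"icmp"; dport is the TCP/UDP destination port; icmp_type e.g. "echo".
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(None, None))

@dataclass
class Ace:
    """One access-list entry: proto "ip" matches any protocol, "any" matches any host."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))

# access-list 100 exactly as entered on R2, in order ("eq www" is TCP port 80).
ACL_100: List[Ace] = [
    Ace("permit", "tcp", "192.168.1.2", "192.168.4.2", dport=80),
    Ace("deny", "icmp", "192.168.1.2", "192.168.4.2", icmp_type="echo"),
]

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"  # IOS ends every ACL with an invisible "deny ip any any"

def classify_samples() -> dict:
    """Constructed sample traffic leaving R2 via s2/0, where ACL 100 is applied out."""
    samples = {
        "PC1 -> server HTTP": Packet("tcp", "192.168.1.2", "192.168.4.2", dport=80),
        "PC1 -> server ping": Packet("icmp", "192.168.1.2", "192.168.4.2", icmp_type="echo"),
        "PC1 -> server DNS": Packet("udp", "192.168.1.2", "192.168.4.2", dport=53),
        "other host HTTP": Packet("tcp", "192.168.1.3", "192.168.4.2", dport=80),
    }
    return {label: evaluate(ACL_100, pkt) for label, pkt in samples.items()}

if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:20s} {verdict}")
```

Because the list is applied outbound on s2/0, return traffic from the server arrives inbound on that interface and is never checked by this ACL.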
Time: 2024-10-14 09:16:57