An experiment with ACCESS-LIST
Source: Internet  Published: 文豆php培训怎么样  Editor: 程序博客网  Time: 2024/05/15 06:34
Figure: (network diagram not reproduced on this page)
The requirement is to create an access list on Router_D that will allow the host on the inside (Router_B) to ping and Telnet to Router_F or Router_E on the outside. However, Router_E on the outside must not be allowed to Telnet or ping to either device on the inside (Router_B and Router_D). Router_F is allowed to ping only the serial interface of Router_D.
You must decide whether to use a standard access list or an extended access list. If you decide to use a standard numbered access list, use access list number 7. If you decide to use a standard named access list, use "lab4" as the name. If you decide to use an extended numbered access list, use access list number 177. Also use the name "lab4" if you decide to use an extended named access list.
solution:
Challenge Lab Hint 1
Because the lab requirement is to let certain types of traffic from the outside network to the inside network, we can't rely on standard access lists. Standard access lists allow us to filter based only on the source IP address of the packet. Therefore, we need to use extended access lists. Create an extended numbered or extended named access list.
Challenge Lab Hint 2
If we apply the access list outbound on the Ethernet 0 port of Router_D, we will have the problem of devices on the outside being able to access Router_D via its serial 0 port. Therefore, it is best to apply the access list inbound on the serial 0 interface of Router_D. Apply the access list inbound on the serial 0 interface of Router_D.
Challenge Lab Solution (numbered access list)
Let's look at our requirements:
Router_B can ping and Telnet to the outside devices. The outside devices cannot ping and Telnet to the inside, with the exception of Router_F being able to ping only the serial interface of Router_D.
Breaking this down a little further:
1) We aren't worried about what packets Router_B will send to the outside, but we are worried about what packets devices on the outside will send to the inside. In order for Router_B to be able to ping the outside, Router_B has to be able to receive Internet Control Message Protocol (ICMP) echo replies from the outside. This scenario can be accomplished with the following access list command:
access-list 177 permit icmp any any echo-reply
This command will permit ICMP echo reply packets with any source and any destination, allowing the devices on the outside to respond to pings from the inside devices.
2) Next we need Router_F to be able to ping only the serial interface of Router_D. This can be accomplished with the following access list command:
access-list 177 permit icmp host 170.170.7.6 host 170.170.7.4
This command will permit all ICMP packets with a source address of 170.170.7.6 and a destination address of 170.170.7.4.
3) Finally, we need to allow devices on the outside to respond to the Telnet packets that devices on the inside might initiate. There are two ways to do this: One way is to permit based on TCP port number range, the other way is to use the established keyword.
For the first way, we need to know a little bit about Telnet. When we initiate a Telnet session from a router on the inside, the source TCP port will be something greater than 1023. The destination TCP port will be 23. When the device on the outside responds, the destination TCP port will be the port from which the inside router sourced the original TCP packets. Therefore, to meet our requirements for Telnet, the following access list could be used:
access-list 177 permit tcp any any gt 1023
This command will permit TCP packets from any source to any destination with a destination TCP port greater than 1023.
The second way to allow devices on the outside to respond to Telnet packets from the inside is to use the established keyword. The established keyword only works with extended access lists that specify TCP as the protocol. This keyword allows us to permit any packets to return to machines with already-established connections. The access list checks the state of the ACK or reset (RST) bit; if either bit is set, the packet matches. This can be accomplished with the following command:
access-list 177 permit tcp any any established
This command will permit TCP packets from any source to any destination as long as they are for already-established sessions.
The resulting access list looks like one of the following:
access-list 177 permit icmp any any echo-reply
access-list 177 permit icmp host 170.170.7.6 host 170.170.7.4
access-list 177 permit tcp any any gt 1023
or:
access-list 177 permit icmp any any echo-reply
access-list 177 permit icmp host 170.170.7.6 host 170.170.7.4
access-list 177 permit tcp any any established
Either numbered access list would then be applied inbound on the serial 0 interface of Router_D with the following command:
int s 0
ip access-group 177 in
Challenge Lab Solution (named access list)
Let's look at our requirements:
Router_B can ping and Telnet to the outside devices. The outside devices cannot ping and Telnet to the inside, with the exception of Router_F being able to ping only the serial interface of Router_D.
Breaking this down a little further:
1) We aren't worried about what packets Router_B will send to the outside, but we are worried about what packets devices on the outside will send to the inside. In order for Router_B to be able to ping the outside, Router_B has to be able to receive Internet Control Message Protocol (ICMP) echo replies from the outside. This scenario can be accomplished with the following access list command:
permit icmp any any echo-reply
This command will permit ICMP echo reply packets with any source and any destination, allowing the devices on the outside to respond to pings from the inside devices.
2) Next we need Router_F to be able to ping only the serial interface of Router_D. This can be accomplished with the following access list command:
permit icmp host 170.170.7.6 host 170.170.7.4
This command will permit all ICMP packets with a source address of 170.170.7.6 and a destination address of 170.170.7.4.
3) Finally, we need to allow devices on the outside to respond to the Telnet packets that devices on the inside might initiate. There are two ways to do this: One way is to permit based on TCP port number range, the other way is to use the established keyword.
For the first way, we need to know a little bit about Telnet. When we initiate a Telnet session from a router on the inside, the source TCP port will be something greater than 1023. The destination TCP port will be 23. When the device on the outside responds, the destination TCP port will be the port from which the inside router sourced the original TCP packets. Therefore, to meet our requirements for Telnet, the following access list could be used:
permit tcp any any gt 1023
This command will permit TCP packets from any source to any destination with a destination TCP port greater than 1023.
The second way to allow devices on the outside to respond to Telnet packets from the inside is to use the established keyword. The established keyword only works with extended access lists that specify TCP as the protocol. This keyword allows us to permit any packets to return to machines with already-established connections. The access list checks the state of the ACK or reset (RST) bit; if either bit is set, the packet matches. This can be accomplished with the following command:
permit tcp any any established
This command will permit TCP packets from any source to any destination as long as they are for already-established sessions.
The resulting access list looks like one of the following:
ip access-list extended lab4
permit icmp any any echo-reply
permit icmp host 170.170.7.6 host 170.170.7.4
permit tcp any any gt 1023
or:
ip access-list extended lab4
permit icmp any any echo-reply
permit icmp host 170.170.7.6 host 170.170.7.4
permit tcp any any established
Either named access list would then be applied inbound on the serial 0 interface of Router_D with the following command:
int s 0
ip access-group lab4 in
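To see what the two candidate lists (the numbered solution above and the named solution here, which contain the same three entries) actually let through on Router_D's serial 0, the following added example evaluates them against constructed packets. It is not Cisco IOS code and not part of the original post: it parses the permit lines exactly as the page writes them, applies IOS first-match semantics with the implicit deny at the end, and reports the decision under the `gt 1023` list and the `established` list side by side. The page gives only Router_F (170.170.7.6) and the Router_D serial interface (170.170.7.4); the Router_E and Router_B addresses, port numbers and TCP flags below are placeholders I made up.

```python
"""Toy evaluator for the extended ACL built in this lab (added example,
not IOS code). Parses 'access-list 177 permit ...' and bare 'permit ...'
lines from the page and applies them to constructed packets."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo" or "echo-reply" for ICMP
    dst_port: int = 0                # destination TCP port
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"} or {"ACK"}


def _addr(tok, i):
    """Consume one address spec ('any' or 'host A.B.C.D'); return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        want = tok[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError(f"unsupported address spec: {tok[i]!r}")


def parse_ace(line):
    """Turn one access-control entry into (action, predicate over Packet)."""
    tok = line.split()
    if tok[0] == "access-list":      # numbered form: drop 'access-list 177'
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src_ok, i = _addr(tok, 2)
    dst_ok, i = _addr(tok, i)
    rest = tok[i:]                   # ICMP type, port operator or 'established'

    def matches(p):
        if p.proto != proto or not src_ok(p.src) or not dst_ok(p.dst):
            return False
        if proto == "icmp":          # optional ICMP type keyword, e.g. echo-reply
            return not rest or p.icmp_type == rest[0]
        j = 0
        while j < len(rest):         # TCP qualifiers after the destination address
            if rest[j] in ("gt", "eq"):
                n = int(rest[j + 1])
                if (p.dst_port <= n) if rest[j] == "gt" else (p.dst_port != n):
                    return False
                j += 2
            elif rest[j] == "established":   # ACK or RST set -> treated as a reply
                if not (p.flags & {"ACK", "RST"}):
                    return False
                j += 1
            else:
                raise ValueError(f"unsupported qualifier: {rest[j]!r}")
        return True

    return action, matches


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for line in acl_lines:
        line = line.strip()
        if not line or line.startswith("ip access-list"):
            continue
        action, m = parse_ace(line)
        if m(pkt):
            return action
    return "deny"


# The two candidate lists from the page, in the named form.
ACL_GT1023 = [
    "ip access-list extended lab4",
    "permit icmp any any echo-reply",
    "permit icmp host 170.170.7.6 host 170.170.7.4",
    "permit tcp any any gt 1023",
]
ACL_ESTABLISHED = ACL_GT1023[:-1] + ["permit tcp any any established"]

# Addresses: only Router_F and the Router_D serial interface come from the lab;
# Router_E and Router_B are placeholders.
ROUTER_F, ROUTER_D_S0 = "170.170.7.6", "170.170.7.4"
ROUTER_E, ROUTER_B = "192.0.2.5", "192.0.2.2"

# Constructed packets, all arriving inbound on Router_D serial 0.
SAMPLES = {
    "echo-reply to inside":     Packet("icmp", ROUTER_E, ROUTER_B, "echo-reply"),
    "F pings D serial":         Packet("icmp", ROUTER_F, ROUTER_D_S0, "echo"),
    "F pings inside host":      Packet("icmp", ROUTER_F, ROUTER_B, "echo"),
    "E pings D serial":         Packet("icmp", ROUTER_E, ROUTER_D_S0, "echo"),
    "telnet reply to inside":   Packet("tcp", ROUTER_F, ROUTER_B, dst_port=40001, flags=frozenset({"ACK"})),
    "E opens telnet to inside": Packet("tcp", ROUTER_E, ROUTER_B, dst_port=23, flags=frozenset({"SYN"})),
    "E opens high port inside": Packet("tcp", ROUTER_E, ROUTER_B, dst_port=8080, flags=frozenset({"SYN"})),
}


def compare(acl_a=ACL_GT1023, acl_b=ACL_ESTABLISHED, samples=SAMPLES):
    """Map each sample name to (decision under acl_a, decision under acl_b)."""
    return {n: (evaluate(acl_a, p), evaluate(acl_b, p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:26} gt 1023: {a:6}  established: {b}")
```

Both lists satisfy the stated requirements (echo replies and Router_F's pings to the serial interface pass, everything else from the outside is dropped), but the last sample shows the difference between the two TCP entries: an outside host opening a new connection to any inside TCP port above 1023 is permitted by `gt 1023`, because that entry looks only at the destination port, while `established` rejects it because the ACK/RST bits are not set. Note that `established` is still just a flag check on each packet, not connection tracking, so a crafted packet with ACK set would match it; a stateful firewall or reflexive ACL is the stronger control where one is available.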