An ACCESS-LIST experiment

Source: Internet  Published: 文豆php培训怎么样  Editor: 程序博客网  Time: 2024/05/15 06:34

Figure: (network topology diagram not reproduced on this page)

The requirement is to create an access list on Router_D that will allow the host on the inside (Router_B) to ping and Telnet to Router_F or Router_E on the outside. However, Router_E on the outside must not be allowed to Telnet or ping to either device on the inside (Router_B and Router_D). Router_F is allowed to ping only the serial interface of Router_D.
You must decide whether to use a standard access list or an extended access list. If you decide to use a standard numbered access list, use access list number 7. If you decide to use a standard named access list, use "lab4" as the name. If you decide to use an extended numbered access list, use access list number 177. Also use the name "lab4" if you decide to use an extended named access list.

solution:

Challenge Lab Hint 1

Because the lab requirement is to let certain types of traffic from the outside network to the inside network, we can't rely on standard access lists. Standard access lists allow us to filter based only on the source IP address of the packet. Therefore, we need to use extended access lists. Create an extended numbered or extended named access list.

Challenge Lab Hint 2

If we apply the access list outbound on the Ethernet 0 port of Router_D, packets from the outside would still reach Router_D itself through its serial 0 port, because an outbound ACL on Ethernet 0 never sees traffic addressed to the router. Therefore, apply the access list inbound on the serial 0 interface of Router_D, so that it filters everything arriving from the outside before it reaches either Router_D or Router_B.

 

Challenge Lab Solution (numbered access list)

Let's look at our requirements:

Router_B can ping and Telnet to the outside devices. The outside devices cannot ping and Telnet to the inside, with the exception of Router_F being able to ping only the serial interface of Router_D.

Breaking this down a little further:

1) We aren't worried about what packets Router_B will send to the outside, but we are worried about what packets devices on the outside will send to the inside. In order for Router_B to be able to ping the outside, Router_B has to be able to receive Internet Control Message Protocol (ICMP) echo replies from the outside. This scenario can be accomplished with the following access list command:

access-list 177 permit icmp any any echo-reply

This command will permit ICMP echo reply packets with any source and any destination, allowing the devices on the outside to respond to pings from the inside devices. Because the access list is stateless, it also admits unsolicited echo replies from any outside host; the lab accepts that trade-off.

2) Next we need Router_F to be able to ping only the serial interface of Router_D. This can be accomplished with the following access list command:

access-list 177 permit icmp host 170.170.7.6 host 170.170.7.4

This command will permit all ICMP packets with a source address of 170.170.7.6 and a destination address of 170.170.7.4.

3) Finally, we need to allow devices on the outside to respond to the Telnet packets that devices on the inside might initiate. There are two ways to do this: One way is to permit based on TCP port number range, the other way is to use the established keyword.

For the first way, we need to know a little bit about Telnet. When we initiate a Telnet session from a router on the inside, the source TCP port will be something greater than 1023. The destination TCP port will be 23. When the device on the outside responds, the destination TCP port will be the port from which the inside router sourced the original TCP packets. Therefore, to meet our requirements for Telnet, the following access list could be used:

access-list 177 permit tcp any any gt 1023

This command will permit TCP packets from any source to any destination with a destination TCP port greater than 1023. Note that this is far broader than Telnet return traffic: it also lets any outside host open a new connection to any inside TCP port above 1023, so it satisfies the lab only because the inside devices listen on no such ports.

The second way to allow devices on the outside to respond to Telnet packets from the inside is to use the established keyword. The established keyword only works with extended access lists that specify TCP as the protocol. This keyword allows us to permit packets returning to machines that have already opened a connection. The access list checks whether the ACK or reset (RST) bit is set in the TCP header; if either is set, the packet matches, so the initial SYN of a new connection does not match. This is a test on the flags of each individual packet, not connection tracking: a crafted packet with the ACK bit set matches even when no session exists, so established must not be mistaken for stateful inspection. The entry looks like this:

access-list 177 permit tcp any any established

This command will permit TCP packets from any source to any destination as long as they are for already-established sessions.

The resulting access list looks like one of the following:

access-list 177 permit icmp any any echo-reply
access-list 177 permit icmp host 170.170.7.6 host 170.170.7.4
access-list 177 permit tcp any any gt 1023

or:

access-list 177 permit icmp any any echo-reply
access-list 177 permit icmp host 170.170.7.6 host 170.170.7.4
access-list 177 permit tcp any any established

Either numbered access list would then be applied inbound on the serial 0 interface of Router_D with the following command:

interface serial 0
ip access-group 177 in

 

 

Challenge Lab Solution (named access list)

Let's look at our requirements:

Router_B can ping and Telnet to the outside devices. The outside devices cannot ping and Telnet to the inside, with the exception of Router_F being able to ping only the serial interface of Router_D.

Breaking this down a little further:

1) We aren't worried about what packets Router_B will send to the outside, but we are worried about what packets devices on the outside will send to the inside. In order for Router_B to be able to ping the outside, Router_B has to be able to receive Internet Control Message Protocol (ICMP) echo replies from the outside. This scenario can be accomplished with the following access list command:

permit icmp any any echo-reply

This command will permit ICMP echo reply packets with any source and any destination, allowing the devices on the outside to respond to pings from the inside devices. Because the access list is stateless, it also admits unsolicited echo replies from any outside host; the lab accepts that trade-off.

2) Next we need Router_F to be able to ping only the serial interface of Router_D. This can be accomplished with the following access list command:

permit icmp host 170.170.7.6 host 170.170.7.4

This command will permit all ICMP packets with a source address of 170.170.7.6 and a destination address of 170.170.7.4.

3) Finally, we need to allow devices on the outside to respond to the Telnet packets that devices on the inside might initiate. There are two ways to do this: One way is to permit based on TCP port number range, the other way is to use the established keyword.

For the first way, we need to know a little bit about Telnet. When we initiate a Telnet session from a router on the inside, the source TCP port will be something greater than 1023. The destination TCP port will be 23. When the device on the outside responds, the destination TCP port will be the port from which the inside router sourced the original TCP packets. Therefore, to meet our requirements for Telnet, the following access list could be used:

permit tcp any any gt 1023

This command will permit TCP packets from any source to any destination with a destination TCP port greater than 1023. Note that this is far broader than Telnet return traffic: it also lets any outside host open a new connection to any inside TCP port above 1023, so it satisfies the lab only because the inside devices listen on no such ports.

The second way to allow devices on the outside to respond to Telnet packets from the inside is to use the established keyword. The established keyword only works with extended access lists that specify TCP as the protocol. This keyword allows us to permit packets returning to machines that have already opened a connection. The access list checks whether the ACK or reset (RST) bit is set in the TCP header; if either is set, the packet matches, so the initial SYN of a new connection does not match. This is a test on the flags of each individual packet, not connection tracking: a crafted packet with the ACK bit set matches even when no session exists, so established must not be mistaken for stateful inspection. The entry looks like this:

permit tcp any any established

This command will permit TCP packets from any source to any destination as long as they are for already-established sessions.

The resulting access list looks like one of the following:

ip access-list extended lab4
permit icmp any any echo-reply
permit icmp host 170.170.7.6 host 170.170.7.4
permit tcp any any gt 1023

or:

ip access-list extended lab4
permit icmp any any echo-reply
permit icmp host 170.170.7.6 host 170.170.7.4
permit tcp any any established

Either named access list would then be applied inbound on the serial 0 interface of Router_D with the following command:

interface serial 0
ip access-group lab4 in
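To make the first-match evaluation and the difference between the two TCP entries concrete, here is an added Python model of the inbound access list on Router_D serial 0. It is not part of the original lab and is not IOS code; it covers both the numbered (177) and the named (lab4) versions, which contain the same entries. The addresses of Router_F (170.170.7.6) and Router_D serial 0 (170.170.7.4) come from the lab text; the addresses used for Router_E and Router_B, the ephemeral port 11001 and the inside port 8080 are assumptions made for the example, and every packet is constructed, not captured.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Addresses given in the lab text:
ROUTER_F = "170.170.7.6"      # Router_F, outside
ROUTER_D_S0 = "170.170.7.4"   # Router_D serial 0, the outside-facing interface
# Assumed addresses (the page does not give them):
ROUTER_E = "170.170.7.5"      # Router_E, outside (assumption)
ROUTER_B = "170.170.1.2"      # Router_B, inside host (assumption)


@dataclass(frozen=True)
class Packet:
    proto: str                            # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: str = ""                   # "echo" or "echo-reply" for icmp
    dport: int = 0                        # tcp destination port
    flags: FrozenSet[str] = frozenset()   # tcp flags present in the header


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None/False fields mean 'not specified'."""
    action: str
    proto: str
    src: str                          # "any" or a single host address
    dst: str
    icmp_type: Optional[str] = None
    dport_gt: Optional[int] = None    # 'gt N' applied to the destination port
    established: bool = False         # IOS 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.dport_gt is not None and p.dport <= self.dport_gt:
            return False
        # 'established' is a per-packet flag test (ACK or RST set),
        # not connection tracking.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Entries of access-list 177 / ip access-list extended lab4:
COMMON = [
    Ace("permit", "icmp", "any", "any", icmp_type="echo-reply"),
    Ace("permit", "icmp", ROUTER_F, ROUTER_D_S0),
]
ACL_GT1023 = COMMON + [Ace("permit", "tcp", "any", "any", dport_gt=1023)]
ACL_ESTABLISHED = COMMON + [Ace("permit", "tcp", "any", "any", established=True)]

# Constructed packets as they would arrive inbound on Router_D serial 0.
SCENARIOS = {
    "echo-reply to Router_B ping": Packet("icmp", ROUTER_E, ROUTER_B, "echo-reply"),
    "Router_E pings Router_B": Packet("icmp", ROUTER_E, ROUTER_B, "echo"),
    "Router_E pings Router_D s0": Packet("icmp", ROUTER_E, ROUTER_D_S0, "echo"),
    "Router_F pings Router_D s0": Packet("icmp", ROUTER_F, ROUTER_D_S0, "echo"),
    "Router_F pings Router_B": Packet("icmp", ROUTER_F, ROUTER_B, "echo"),
    "Router_E telnets Router_B (SYN)": Packet("tcp", ROUTER_E, ROUTER_B, dport=23, flags=frozenset({"SYN"})),
    "telnet reply to Router_B (SYN/ACK)": Packet("tcp", ROUTER_E, ROUTER_B, dport=11001, flags=frozenset({"SYN", "ACK"})),
    "Router_E SYN to inside port 8080": Packet("tcp", ROUTER_E, ROUTER_B, dport=8080, flags=frozenset({"SYN"})),
    "Router_E ACK-only probe to port 23": Packet("tcp", ROUTER_E, ROUTER_B, dport=23, flags=frozenset({"ACK"})),
}


def run(acl) -> dict:
    """Return the verdict of the given ACL for every constructed scenario."""
    return {name: evaluate(acl, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, acl in (("gt 1023", ACL_GT1023), ("established", ACL_ESTABLISHED)):
        print(f"--- {label} ---")
        for name, verdict in run(acl).items():
            print(f"{verdict:6} {name}")
```

Running it prints one verdict per scenario for each variant. Both variants meet the stated requirements: echo replies and the Telnet SYN/ACK come back to Router_B, Router_F can ping only the serial interface, and Router_E's pings and Telnet SYNs are dropped by the implicit deny. The two rows worth studying are the SYN to inside port 8080, which the gt 1023 entry permits, and the ACK-only probe to port 23, which the established entry permits: a stateless filter cannot tell a genuine reply from a packet that merely looks like one.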

 
