思科CiscoPT路由器ACL配置实现单向访问

问题背景

路由器及连接PC配置如下：

接口	接口IP	连接设备	设备IP
Fa0/0	192.168.0.2/24	PC0	192.168.0.1/24
Fa0/1	192.168.1.2/24	PC1	192.168.1.1/24
Fa1/0	192.168.2.2/24	PC2	192.168.2.1/24

此时PC1与PC2、PC3为连通状态：

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127
Reply from 192.168.1.1: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time<1ms TTL=127
Reply from 192.168.2.1: bytes=32 time<1ms TTL=127
Reply from 192.168.2.1: bytes=32 time<1ms TTL=127
Reply from 192.168.2.1: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

问题：配置路由器ACL使PC0不能访问PC1，但可以访问PC2，同时PC1仍可正常访问PC0。

即实现PC1对PC0的单向访问。

---

ACL配置

由于Access-list的执行是按照条目顺序逐步检查的，所以要严格设置ACL条目顺序。

ACL条目：

1. 允许转发从PC0到PC1的icmp报文反馈
2. 拒绝转发从PC0到PC1的一切报文
3. 允许转发任何报文

按照一般的配置规则，允许类的语句应放在靠后的位置以防止ACL放过应该过滤的流量；
但这里却放在第一条，是因为我们对PC0到PC1的流量阻断是绝对的，而要保证PC1仍能正常访问PC0，则需要先把PC0的反馈报文设置成“白名单”，允许它通过。

显而易见，这样的ACL应设置在路由器与PC0的接口上，并且是进入方向上的。

那么具体实现的配置命令就可以写出来了：

Router>en
Router#conf t
Router(config)#acc 101 per icmp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
Router(config)#acc 101 den ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
Router(config)#acc 101 per ip any any
Router(config)#int f0/0
Router(config-if)#ip acc 101 in
Router(config-if)#exit

此时测试PC间的连通性：

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.0.2: Destination host unreachable.
Reply from 192.168.0.2: Destination host unreachable.
Reply from 192.168.0.2: Destination host unreachable.
Reply from 192.168.0.2: Destination host unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time<1ms TTL=127
Reply from 192.168.2.1: bytes=32 time<1ms TTL=127
Reply from 192.168.2.1: bytes=32 time<1ms TTL=127
Reply from 192.168.2.1: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

可以看到PC0已经不能访问PC1，但仍能正常访问PC2；

C:\>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=127
Reply from 192.168.0.1: bytes=32 time<1ms TTL=127
Reply from 192.168.0.1: bytes=32 time<1ms TTL=127
Reply from 192.168.0.1: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

同时PC1仍能正常访问PC0，即实现了PC1到PC0的单向访问。

---

后记

1. 其实可以用反射ACL实现，逻辑性更强，但尝试许久reflect语句均报错，可能是PT版本不支持。自反ACL的用法参见：Cisco 自反ACL真机配置实例
2. 因为涉及到对目的地址的限制，本文章ACL必须用扩展型语句，各种ACL的配置语法详见：标准ACL、扩展ACL和命名ACL的配置详解
3. 思路来源：思科设备实现单向ping通—GNS3、PT