【Lab Description】

Configure an access control list that permits FTP and WWW sessions to the specified servers without blocking the traffic the network itself needs, such as routing protocols.

【Lab Topology】

 

【Configuration Steps】

 
  • Configure the router as in "Configuring Static NAT"
  • Statically map 10.0.0.1 to 150.1.4.1 and 10.0.0.6 to 150.1.4.6
  • In this lab, 10.0.0.1 and 10.0.0.6 act as the FTP and WWW servers; permit traffic to the FTP and WWW servers
  • Also permit OSPF, BGP, ping and traceroute traffic in both directions
  • Ping uses ICMP message types "echo" and "echo-reply"
  • Traceroute uses UDP ports 33434 – 33464 by default; the ICMP messages that report reachability are "time-exceeded" and "port-unreachable"
  • BGP uses TCP port 179; OSPF is IP protocol number 89
  • Active-mode FTP: the server uses TCP port 21 for commands and TCP port 20 for data (server to client)
  • Passive-mode FTP: the client opens the data connection to ports 1024 – 65535 on the server (client to server)
  • On R4, create an extended access list named OUTSIDE that permits the connections listed above
  • Add "deny ip any any log" at the end of the list so that every denied packet is logged
  • Apply the access list inbound on both serial interfaces

 
【Configuration】
----------------------------------------Static NAT configuration----------------------------------------------------------------

 
R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

 
R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
!
interface Serial0/0
encapsulation frame-relay
no shutdown
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0

 
ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6

R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial0/0
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate

--------------------------------------------Access control list configuration------------------------------------------------------
R4:
ip access-list extended FILTER
! FTP control (21) and the client side of the server's active-mode data connection (20)
permit tcp any host 150.1.4.1 range 20 21
permit tcp any host 150.1.4.6 range 20 21
permit tcp any host 150.1.4.1 eq 80
permit tcp any host 150.1.4.6 eq 80
! eBGP as seen inbound on R4: R5 answering (source port 179) a session R4 opened,
! and R5 opening a session to R4's port 179
permit tcp host 150.1.5.5 eq 179 host 150.1.4.4
permit tcp host 150.1.5.5 host 150.1.4.4 eq 179
permit udp any any range 33434 33464
permit icmp any any echo
permit icmp any any echo-reply
! passive-mode FTP data: the client opens to a high port on the server
permit tcp any host 150.1.4.1 range 1024 65535
permit tcp any host 150.1.4.6 range 1024 65535
permit ospf any any
permit icmp any any time-exceeded
permit icmp any any port-unreachable
deny ip any any log

 
interface s0/1
ip access-group FILTER in
interface s0/0.1
ip access-group FILTER in
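To make the first-match behaviour of the list above concrete, here is a small Python model of the extended ACL. It is an added example and not part of the lab configuration; the Rule and Packet structures and the sample flows are this example's own. Packets are addressed the way R4's outside interfaces see them: an inbound ACL is evaluated before NAT, which is why the entries name the global addresses 150.1.4.1 and 150.1.4.6 rather than 10.0.0.x. The BGP entries are written for the inbound direction only (R5 opening to port 179, and R5 replying from port 179 to a session R4 opened).

```python
"""Model of the lab's inbound ACL (added example, not lab code): IOS
first-match semantics with an implicit "deny ip any any" at the end."""
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP (type, code) for the named messages the lab permits; None code = any.
ICMP = {"echo": (8, 0), "echo-reply": (0, 0),
        "time-exceeded": (11, None), "port-unreachable": (3, 3)}

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: Tuple[int, int] = (0, 0)  # (type, code), ICMP only

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any" or one host address
    dst: str
    sport: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    dport: Optional[Tuple[int, int]] = None
    icmp: Optional[str] = None               # key into ICMP

def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def _addr_ok(spec, addr):
    return spec == "any" or spec == addr

def matches(rule: Rule, pkt: Packet) -> bool:
    """One ACL entry against one packet; every specified field must agree."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    if rule.icmp is not None:
        want_type, want_code = ICMP[rule.icmp]
        if pkt.icmp[0] != want_type or (want_code is not None and pkt.icmp[1] != want_code):
            return False
    return True

def evaluate(acl, pkt: Packet):
    """Return (action, index of the matching entry); -1 is the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1

# The lab's FILTER list as applied inbound on R4's two outside interfaces.
FILTER = [
    Rule("permit", "tcp", "any", "150.1.4.1", dport=(20, 21)),
    Rule("permit", "tcp", "any", "150.1.4.6", dport=(20, 21)),
    Rule("permit", "tcp", "any", "150.1.4.1", dport=(80, 80)),
    Rule("permit", "tcp", "any", "150.1.4.6", dport=(80, 80)),
    # eBGP as seen inbound on R4: R5 opening to port 179, and R5's replies
    # (source port 179) to a session that R4 opened.
    Rule("permit", "tcp", "150.1.5.5", "150.1.4.4", dport=(179, 179)),
    Rule("permit", "tcp", "150.1.5.5", "150.1.4.4", sport=(179, 179)),
    Rule("permit", "udp", "any", "any", dport=(33434, 33464)),
    Rule("permit", "icmp", "any", "any", icmp="echo"),
    Rule("permit", "icmp", "any", "any", icmp="echo-reply"),
    Rule("permit", "tcp", "any", "150.1.4.1", dport=(1024, 65535)),
    Rule("permit", "tcp", "any", "150.1.4.6", dport=(1024, 65535)),
    Rule("permit", "ospf", "any", "any"),
    Rule("permit", "icmp", "any", "any", icmp="time-exceeded"),
    Rule("permit", "icmp", "any", "any", icmp="port-unreachable"),
    Rule("deny", "ip", "any", "any"),   # "deny ip any any log" on the router
]

# Constructed packets, addressed the way the outside interfaces see them.
SAMPLES = {
    "ftp-control":     Packet("tcp", "155.1.45.5", "150.1.4.1", 40001, 21),
    "ftp-active-data": Packet("tcp", "155.1.45.5", "150.1.4.1", 40002, 20),
    "ftp-passive":     Packet("tcp", "155.1.45.5", "150.1.4.1", 40003, 50000),
    "http":            Packet("tcp", "155.1.45.5", "150.1.4.6", 40004, 80),
    "bgp-reply":       Packet("tcp", "150.1.5.5", "150.1.4.4", 179, 41000),
    "traceroute-udp":  Packet("udp", "150.1.5.5", "150.1.4.1", 40005, 33440),
    "ping-reply":      Packet("icmp", "150.1.5.5", "150.1.4.1", icmp=(0, 0)),
    "ospf-hello":      Packet("ospf", "155.1.45.5", "224.0.0.5"),
    "telnet":          Packet("tcp", "150.1.5.5", "150.1.4.1", 40006, 23),
    "high-port-tcp":   Packet("tcp", "150.1.5.5", "150.1.4.1", 40007, 8080),
}

def report():
    """Map each sample flow to the action the list takes on it."""
    return {name: evaluate(FILTER, p)[0] for name, p in SAMPLES.items()}
```

Two things the model makes visible that the configuration alone does not: telnet to 150.1.4.1 falls through to the final deny (index 14), which is what the verification section observes, and the passive-FTP entry `range 1024 65535` permits any TCP connection to a high port on the two servers (the `high-port-tcp` sample), not only FTP data, so anything else listening there is reachable from outside.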

 
【Verification】

 
The results below show that ping, traceroute and an FTP transfer to 150.1.4.1 succeed while telnet is blocked:

 
R5#ping 150.1.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/42/112 ms

R5#traceroute 150.1.4.1

Type escape sequence to abort.
Tracing the route to 150.1.4.1

1 155.1.45.4 36 msec
155.1.0.4 20 msec *

R5#telnet 150.1.4.1    (blocked by the access list)
Trying 150.1.4.1 ...
% Destination unreachable; gateway or host down
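The blocked telnet attempt above is exactly what the final `deny ip any any log` entry records on R4. The page does not show the resulting log lines, so the ones below are constructed in the form IOS uses for logged access-list matches (`%SEC-6-IPACCESSLOGP` for TCP/UDP, `%SEC-6-IPACCESSLOGDP` for ICMP); the timestamps, ports and packet counts are invented. The parser is an added example, not part of the lab, and sums denied packets per flow so that repeated probes against a blocked port stand out when reviewing the log.

```python
"""Parse syslog lines from the "deny ip any any log" entry (added example).
Sample lines are constructed in the IOS %SEC-6-IPACCESSLOGP/IPACCESSLOGDP
format; timestamps, ports and counts are invented."""
import re
from collections import Counter
from typing import Optional

SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGP: list FILTER denied tcp 155.1.45.5(11002) -> 150.1.4.1(23), 1 packet
*Mar  1 00:12:07.455: %SEC-6-IPACCESSLOGP: list FILTER denied tcp 155.1.45.5(11002) -> 150.1.4.1(23), 3 packets
*Mar  1 00:13:40.002: %SEC-6-IPACCESSLOGDP: list FILTER denied icmp 155.1.0.5 -> 150.1.4.6 (13/0), 1 packet
*Mar  1 00:14:02.771: %SEC-6-IPACCESSLOGP: list FILTER denied udp 155.1.0.5(5000) -> 150.1.4.4(161), 1 packet
*Mar  1 00:14:05.010: %SEC-6-IPACCESSLOGP: list FILTER permitted tcp 155.1.45.5(11010) -> 150.1.4.1(21), 1 packet
*Mar  1 00:14:09.300: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
"""

# TCP/UDP lines carry ports in parentheses; ICMP lines carry "(type/code)".
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_line(line: str) -> Optional[dict]:
    """Fields of one logged ACL match, or None for an unrelated syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def denied_flows(text: str) -> Counter:
    """Sum denied packets per (proto, src, dst, dst port or ICMP type).

    IOS logs the first packet of a flow at once and later packets as a
    count per logging interval, so one flow spans several lines and the
    counts have to be added up.
    """
    flows = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        service = rec["dport"] if rec["dport"] is not None else rec["itype"]
        flows[(rec["proto"], rec["src"], rec["dst"], service)] += rec["count"]
    return flows
```

Run against the sample, the telnet probe from 155.1.45.5 to 150.1.4.1 port 23 totals four packets across two log lines, while the permitted FTP control connection and the unrelated interface message are ignored.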

R1#copy running-config flash:test.txt
Destination filename [test.txt]?
Erase flash: before copying? [confirm] n
Verifying checksum... OK (0xC5CD)
910 bytes copied in 6.647 secs (137 bytes/sec)
R1(config)#ip http server
R1(config)#ftp-server enable
R1(config)#ftp-server topdir flash:

R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#no ip ftp passive
R5#copy ftp://150.1.4.1/test.txt null:
Accessing ftp://150.1.4.1/test.txt...
Loading test.txt !
[OK - 910/4096 bytes]
910 bytes copied in 2.560 secs (355 bytes/sec)