[Original] Testing one-way access with CBAC on a Cisco router

Posted 2020-3-30 21:05:18
Last edited by 碧云天 on 2020-3-30 21:09

I. Test topology

Requirements:
1. Deny all access from the 172.16.1.0/24 network to the 172.16.3.0/24 network.
2. Permit everything else, including access from 172.16.3.0/24 to 172.16.1.0/24.
In other words, hosts in 172.16.3.0/24 may initiate sessions toward 172.16.1.0/24 and the return traffic of those sessions must pass, while hosts in 172.16.1.0/24 may not initiate anything toward 172.16.3.0/24. The filter therefore has to distinguish return traffic from new connections, which is exactly what a plain ACL cannot do.

II. Basic configuration
1. PC1 (also acts as the DNS server used by PC2)

hostname PC1
interface FastEthernet1/0
    ip address 172.16.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254
line vty 0 4
    password cisco
    login
ip host www.yuntian.com 172.16.1.1
ip dns server
2.R1
hostname R1
interface FastEthernet0/0
    ip address 172.16.12.1 255.255.255.0
    no shutdown
interface FastEthernet1/0
    ip address 172.16.1.254 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.12.2
3.R2
hostname R2
interface FastEthernet0/0
    ip address 172.16.12.2 255.255.255.0
    no shutdown
interface FastEthernet1/0
    ip address 172.16.23.2 255.255.255.0
    no shutdown
ip route 172.16.1.0 255.255.255.0 172.16.12.1
ip route 172.16.3.0 255.255.255.0 172.16.23.3
4.R3
hostname R3
interface FastEthernet0/0
    ip address 172.16.3.254 255.255.255.0
    no shutdown
interface FastEthernet1/0
    ip address 172.16.23.3 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.23.2
5.PC2
hostname PC2
interface FastEthernet0/0
    ip address 172.16.3.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.3.254
line vty 0 4
    password cisco
    login
ip domain-lookup
ip name-server 172.16.1.1
IV. Implementing the requirements
1. A standard ACL blocks 172.16.3.0/24 from reaching 172.16.1.0/24 as well
A standard ACL matches only on source address, so denying 172.16.1.0/24 also drops the replies that 172.16.1.0/24 sends back to sessions opened from 172.16.3.0/24.
① Configure the ACL on R3
access-list 13 deny   172.16.1.0 0.0.0.255
access-list 13 permit any
② Apply the ACL outbound on R3 F0/0
interface FastEthernet0/0
     ip access-group 13 out
③ 172.16.1.0/24 cannot reach 172.16.3.0/24 (the "U" marks are the ICMP unreachables R3 returns when the deny entry matches)
PC1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1#
④ 172.16.3.0/24 cannot reach 172.16.1.0/24 either: the echo requests reach PC1, but the replies from 172.16.1.1 are dropped by the ACL on R3, so PC2 only sees timeouts
PC2#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC2#
2. An extended ACL with `established` leaves 172.16.3.0/24 unable to reach 172.16.1.0/24 over UDP or ICMP
-- Applications that use dynamic ports, such as FTP, also fail to work, because the data connection is not covered by the `established` entry.
-- Note that `established` is stateless: it permits any TCP packet from 172.16.1.0/24 to 172.16.3.0/24 whose ACK or RST bit is set, whether or not a session exists. A host in 172.16.1.0/24 can therefore still send ACK-flagged probes (an ACK scan) into 172.16.3.0/24; the ACL does not know which packets are genuine replies.
① First remove the ACL from R3
interface FastEthernet0/0
    no ip access-group 13 out
② Configure the extended ACL on R1 (the `established` entry must come before the deny)
ip access-list extended Outside-control
    permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 established
    deny   ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
    permit ip any any
③ Apply the ACL inbound on R1 F1/0
interface FastEthernet1/0
   ip access-group Outside-control in
④ 172.16.1.0/24 cannot reach 172.16.3.0/24
PC1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1#telnet 172.16.3.1
Trying 172.16.3.1 ...
% Destination unreachable; gateway or host down

PC1#
⑤ 172.16.3.0/24 can reach 172.16.1.0/24 over TCP (the SYN/ACK and later segments from PC1 carry the ACK bit and match the `established` entry)
PC2#telnet 172.16.1.1
Trying 172.16.1.1 ... Open


User Access Verification

Password:
PC1>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:15   
*  2 vty 0                idle                 00:00:00 172.16.3.1

  Interface    User               Mode         Idle     Peer Address

PC1>exit
⑥ 172.16.3.0/24 cannot ping 172.16.1.0/24 or reach it over UDP: the DNS query reaches PC1, but the UDP reply from 172.16.1.1 is denied on R1, so name resolution fails
PC2#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC2#ping www.yuntian.com

Translating "www.yuntian.com"...domain server (172.16.1.1)
% Unrecognized host or address, or protocol not running.

PC2#
3. CBAC on R1 meets the requirement
CBAC (Context-Based Access Control) inspects sessions in one direction and inserts temporary entries into the ACL on the return path for exactly the return traffic of those sessions, so replies, including UDP, ICMP and the FTP data connection, get through while nothing initiated from 172.16.1.0/24 does.
① First remove the extended ACL from R1
interface FastEthernet1/0
  no ip access-group Outside-control in
② Configure CBAC on R1 (ICMP inspection needs an IOS release that supports it, 12.2(15)T-era or later; on current IOS the same policy would be built with the Zone-Based Policy Firewall, which replaced CBAC)
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC ftp
③ Re-create the extended ACL on R1 (the `established` entry is no longer needed; CBAC opens the return traffic dynamically)
no ip access-list extended Outside-control
ip access-list extended Outside-control
    deny   ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
    permit ip any any
④ Apply the ACL and CBAC on R1 F1/0 (best and recommended, since it is closest to the source). The ACL is applied inbound from 172.16.1.0/24; inspection is applied outbound, on the traffic leaving toward 172.16.1.0/24, i.e. the sessions initiated from 172.16.3.0/24, whose return traffic CBAC then opens in the inbound ACL
interface FastEthernet1/0
ip access-group Outside-control in
ip inspect CBAC out
⑤ Alternatively, apply the ACL and CBAC on R1 F0/0 (second best)
interface FastEthernet0/0
    ip access-group Outside-control out
    ip inspect CBAC in
⑥ 172.16.1.0/24 cannot reach 172.16.3.0/24
PC1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1# telnet 172.16.3.1
Trying 172.16.3.1 ...
% Destination unreachable; gateway or host down

PC1#
⑦ 172.16.3.0/24 can reach 172.16.1.0/24, now including ICMP and the UDP DNS lookup
PC2#PING 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/88/96 ms
PC2#ping www.yuntian.com

Translating "www.yuntian.com"...domain server (172.16.1.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/87/92 ms
PC2#telnet 172.16.1.1
Trying 172.16.1.1 ... Open


User Access Verification

Password:
PC1>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:11   
*  2 vty 0                idle                 00:00:00 172.16.3.1

  Interface    User               Mode         Idle     Peer Address

PC1>
4. CBAC on R3 also meets the requirement (not recommended, since it is further from the source)
① First remove the ACL and CBAC configuration from R1

interface FastEthernet1/0
    no ip access-group Outside-control in
    no ip inspect CBAC out
interface FastEthernet0/0
   no ip access-group Outside-control out
   no ip inspect CBAC in
② Configure CBAC on R3
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC ftp
③ Configure the extended ACL on R3
no ip access-list extended Outside-control
ip access-list extended Outside-control
    deny   ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
    permit ip any any
④ Apply the ACL and CBAC on R3 F1/0 (the interface facing R2: the ACL drops traffic arriving from 172.16.1.0/24, inspection covers sessions from 172.16.3.0/24 leaving toward R2)
interface FastEthernet1/0
ip access-group Outside-control in
ip inspect CBAC out
⑤ Alternatively, apply the ACL and CBAC on R3 F0/0
interface FastEthernet0/0
    ip access-group Outside-control out
    ip inspect CBAC in
⑥ Verification (omitted)




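To make the difference between the three designs concrete, here is an added example that is not part of the original post: a small packet-filter model that replays the post's tests (PC1 pinging PC2, PC2 pinging and telnetting to PC1, PC2's DNS lookup against PC1) through a standard ACL, an extended ACL with `established`, and a deny ACL plus CBAC-style inspection. The packets, port numbers and the extra ACK-scan probe are constructed for the example, not captured from the routers, and the session model is a simplification of CBAC (no timeouts, no TCP state tracking).

```python
"""Packet-filter model replaying the post's tests through the three designs it
compares. Added example, not code from the original post; the packets below are
constructed to mirror the post's pings, telnet and DNS lookup, not captured."""
import ipaddress
from dataclasses import dataclass, field

INSIDE = ipaddress.ip_network("172.16.1.0/24")   # must not initiate traffic
OUTSIDE = ipaddress.ip_network("172.16.3.0/24")  # may initiate traffic
PC1, PC2 = "172.16.1.1", "172.16.3.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # for icmp: the ICMP type (8 = echo request, 0 = echo reply)
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit, all that `established` looks at


def in_net(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


def inside_to_outside(p: Packet) -> bool:
    return in_net(p.src, INSIDE) and in_net(p.dst, OUTSIDE)


# Design 1: standard ACL 13 on R3 F0/0 out. Only the source address is visible,
# so every packet from 172.16.1.0/24, replies included, is dropped.
def standard_acl(p: Packet) -> bool:
    return not in_net(p.src, INSIDE)


# Design 2: extended ACL with `established`. Stateless: a packet from inside is
# admitted purely because its ACK/RST bit is set, whether or not a session exists.
def established_acl(p: Packet) -> bool:
    if inside_to_outside(p):
        return p.proto == "tcp" and p.ack
    return True


# Design 3: the same deny ACL plus CBAC inspection of outside->inside traffic.
# Each inspected packet records the return flow it expects; only those return
# flows are let through the ACL (simplified: no timeouts, no TCP state tracking).
@dataclass
class Cbac:
    sessions: set = field(default_factory=set)

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def expected_return(p: Packet) -> tuple:
        if p.proto == "icmp":                       # only an echo reply (type 0) may come back
            return ("icmp", p.dst, 0, p.src, 0)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> bool:
        if in_net(p.src, OUTSIDE) and in_net(p.dst, INSIDE):
            self.sessions.add(self.expected_return(p))   # inspected direction
            return True
        if inside_to_outside(p):
            return self.flow_key(p) in self.sessions     # ACL deny unless CBAC opened it
        return True


# Constructed trace in the order the router sees it:
# (label, packet, should the requirement let it through?)
TRACE = [
    ("PC1 ping PC2, echo request",       Packet(PC1, PC2, "icmp", 8), False),
    ("PC2 ping PC1, echo request",       Packet(PC2, PC1, "icmp", 8), True),
    ("PC1 echo reply to PC2",            Packet(PC1, PC2, "icmp", 0), True),
    ("PC2 telnet PC1, SYN",              Packet(PC2, PC1, "tcp", 40000, 23), True),
    ("PC1 SYN/ACK back to PC2",          Packet(PC1, PC2, "tcp", 23, 40000, ack=True), True),
    ("PC2 DNS query to PC1",             Packet(PC2, PC1, "udp", 50000, 53), True),
    ("PC1 DNS reply to PC2",             Packet(PC1, PC2, "udp", 53, 50000), True),
    ("PC1 ACK-scan PC2:23, no session",  Packet(PC1, PC2, "tcp", 1234, 23, ack=True), False),
]


def run(policy: str) -> dict:
    """Replay TRACE through one design; returns {label: permitted}."""
    cbac = Cbac()
    check = {"standard": standard_acl, "established": established_acl, "cbac": cbac.filter}[policy]
    return {label: check(pkt) for label, pkt, _ in TRACE}


def meets_requirement(policy: str) -> bool:
    """True only if every packet is permitted or dropped exactly as the requirement demands."""
    result = run(policy)
    return all(result[label] == want for label, _, want in TRACE)


if __name__ == "__main__":
    for policy in ("standard", "established", "cbac"):
        print(f"{policy:12s} meets requirement: {meets_requirement(policy)}")
        for label, permitted in run(policy).items():
            print(f"  {'pass' if permitted else 'DROP':4s}  {label}")
```

Running it reproduces the post's results: the standard ACL drops every reply from PC1, the `established` ACL passes the telnet SYN/ACK but drops the ICMP and DNS replies, and only the CBAC design passes all of PC2's sessions while dropping everything PC1 initiates. The last trace entry is the caveat the `established` keyword carries: an ACK-flagged probe from the inside with no matching session is permitted by the stateless ACL and dropped by the stateful one.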
Posted 2020-4-10 15:58:29
Well written.