Lab 1: Combined ACL + NAT Lab
(Topology diagram: File Server, Router, Switch, PC 1, PC 2)
Lab requirements:
Complete the following according to the topology above (IP details are in the table below):
1. Configure NAT on the Router and a default route pointing to the File Server's IP; the NAT translation entries must be visible on the Router, and PC 1 must be able to ping the File Server through NAT;
2. Use IIS on the File Server to set up a basic web server, and enable the Telnet service on PC 1, PC 2 and the File Server; the three hosts must be able to Telnet to each other;
3. Configure an access list on the Router that blocks PC 1 from Telnetting to the File Server but still allows PC 1 to reach the File Server's HTTP service, and allows PC 1 to Telnet to the Router;
4. Configure an access list on the Router that blocks the File Server from Telnetting to any PC on the internal network;
IP address table:

Device        Interface          Interface IP           Remarks
File Server   NIC                123.123.123.254/24
Router        FastEthernet 0/0   123.123.123.1/24
Router        FastEthernet 0/1   192.168.1.254/24
PC 1          NIC                192.168.1.1/24
PC 2          NIC                192.168.1.2/24

Device configuration listings:
IP address configuration listing:
RSR20-01>en 14
Password:
RSR20-01#
RSR20-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RSR20-01(config)#
RSR20-01(config)#interface fastEthernet 0/0
RSR20-01(config-if)#ip add 123.123.123.1 255.255.255.0
RSR20-01(config-if)#no shutdown
RSR20-01(config-if)#exit
RSR20-01(config)#interface fastEthernet 0/1
RSR20-01(config-if)#ip add 192.168.1.254 255.255.255.0
RSR20-01(config-if)#no shutdown
RSR20-01(config-if)#end
RSR20-01#
NAT listing:
RSR20-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RSR20-01(config)#int fastEthernet 0/1
RSR20-01(config-if)#ip nat inside
RSR20-01(config-if)#exit
RSR20-01(config)#int fastEthernet 0/0
RSR20-01(config-if)#ip nat outside
RSR20-01(config-if)#exit
RSR20-01(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RSR20-01(config)#ip nat inside source ?
  list    Specify access list describing local addresses
  static  Specify static local->global mapping
RSR20-01(config)#ip nat inside source list ?
  <1-199>      Access list number for local addresses
  <1300-2699>  Access list number for local addresses
RSR20-01(config)#ip nat inside source list 1 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
RSR20-01(config)#ip nat inside source list 1 interface ?
  Async         Async interface
  Dialer        Dialer interface
  FastEthernet  Fast IEEE 802.3
  Loopback      Loopback interface
  Multilink     Multilink-group interface
  Null          Null interface
  Tunnel        Tunnel interface
  Virtual-ppp   Virtual PPP interface
RSR20-01(config)#ip nat inside source list 1 interface fastEthernet 0/0 ?
  overload  Overload an address translation
RSR20-01(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
RSR20-01(config)#exit
RSR20-01#
ACL configuration listing for requirement 3:
RSR20-01#conf t
RSR20-01(config)#access-list 100 deny tcp host ?
  A.B.C.D  Source address
RSR20-01(config)#access-list 100 permit tcp host 192.168.1.1 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match the given port number
  gt       Match the greater port number
  host     A single destination host
  lt       Match the lower port number
  neq      Match those neq the given port number
  range    Match those in the range of port numbers
RSR20-01(config)#$st 192.168.1.1 host 123.123.123.254 ?
  dscp        Match packets with given dscp value
  eq          Match the given port number
  fragment    Check non-initial fragments
  gt          Match the greater port number
  lt          Match the lower port number
  match-all   Match Packets with all TCP Flag
  neq         Match those neq the given port number
  precedence  Match packets with given precedence value
  range       Match those in the range of port numbers
  time-range  Match packets with given timerange set
  tos         Match packets with given TOS value
RSR20-01(config)#$ 192.168.1.1 host 123.123.123.254 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (DNS, 53)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)
RSR20-01(config)#$2.168.1.1 host 123.123.123.254 eq 23
RSR20-01(config)#access-list 100 permit tcp host 192.168.1.1 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match the given port number
  gt       Match the greater port number
  host     A single destination host
  lt       Match the lower port number
  neq      Match those neq the given port number
  range    Match those in the range of port numbers
RSR20-01(config)#$host 192.168.1.1 host 123.123.123.254 ?
  dscp        Match packets with given dscp value
  eq          Match the given port number
  fragment    Check non-initial fragments
  gt          Match the greater port number
  lt          Match the lower port number
  match-all   Match Packets with all TCP Flag
  neq         Match those neq the given port number
  precedence  Match packets with given precedence value
  range       Match those in the range of port numbers
  time-range  Match packets with given timerange set
  tos         Match packets with given TOS value
RSR20-01(config)#$ 192.168.1.1 host 123.123.123.254 eq 80
RSR20-01(config)#access-list 100 permit tcp host 192.168.1.1 host ?
  A.B.C.D  Destination address
RSR20-01(config)#$host 192.168.1.1 host 192.168.1.254 eq 23
RSR20-01(config)#int fastEthernet 0/1
RSR20-01(config-if)#ip access-group ?
  <1-199>      IP standard or extended acl
  <1300-2699>  IP standard or extended acl (expanded)
  WORD         Acl name
RSR20-01(config-if)#ip access-group 100 ?
  in   Filter the packet to
  out  Filter the packet from
RSR20-01(config-if)#ip access-group 100 in
RSR20-01(config-if)#end
RSR20-01#
ACL configuration listing for requirement 4:
RSR20-01#
RSR20-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RSR20-01(config)#access-list 101 deny tcp host 123.123.123.254 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match the given port number
  gt       Match the greater port number
  host     A single destination host
  lt       Match the lower port number
  neq      Match those neq the given port number
  range    Match those in the range of port numbers
RSR20-01(config)#access-list 101 deny tcp host 123.123.123.254 192.168.1.0 ?
  A.B.C.D  Destination wildcard bits
RSR20-01(config)#$st 123.123.123.254 192.168.1.0 0.0.0.255 ?
  dscp        Match packets with given dscp value
  eq          Match the given port number
  fragment    Check non-initial fragments
  gt          Match the greater port number
  lt          Match the lower port number
  match-all   Match Packets with all TCP Flag
  neq         Match those neq the given port number
  precedence  Match packets with given precedence value
  range       Match those in the range of port numbers
  time-range  Match packets with given timerange set
  tos         Match packets with given TOS value
RSR20-01(config)#$.123.254 192.168.1.0 0.0.0.255 eq 23
RSR20-01(config)#access-list 101 permit ip any any
RSR20-01(config)#int fastEthernet 0/0
RSR20-01(config-if)#ip access-group 101 in
RSR20-01(config-if)#end
RSR20-01#
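As an added check for requirements 3 and 4 (example code written for this page, not part of the lab or the router's own software), the following Python evaluates the two ACLs transcribed above against each requirement using the same first-match and implicit-deny semantics the router applies. It assumes the first ACL 100 entry is a deny, as requirement 3 and the preceding `deny tcp host ?` prompt indicate (the truncated `$` line hides the keyword), and it models only address and port matching, not NAT translation order or TCP state.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco/RGOS-style wildcard match: a set bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# Entries transcribed from the lab: (action, proto, src, src_wc, dst, dst_wc, dst_port).
# The first ACL 100 entry is assumed to be 'deny' (the '$' line hides the keyword).
ACL_100 = [  # applied 'ip access-group 100 in' on FastEthernet 0/1 (LAN side)
    ("deny",   "tcp", "192.168.1.1", "0.0.0.0", "123.123.123.254", "0.0.0.0", 23),
    ("permit", "tcp", "192.168.1.1", "0.0.0.0", "123.123.123.254", "0.0.0.0", 80),
    ("permit", "tcp", "192.168.1.1", "0.0.0.0", "192.168.1.254",   "0.0.0.0", 23),
]
ACL_101 = [  # applied 'ip access-group 101 in' on FastEthernet 0/0 (File Server side)
    ("deny",   "tcp", "123.123.123.254", "0.0.0.0", "192.168.1.0", "0.0.0.255", 23),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet: first matching entry wins.
    Only address/port matching is modelled, not NAT order of operations."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every list

def check_requirements():
    """Each lab requirement as (label, expected, actual) under the transcribed ACLs."""
    return [
        ("req3: PC1 telnet -> File Server", "deny",   evaluate(ACL_100, "tcp", "192.168.1.1", "123.123.123.254", 23)),
        ("req3: PC1 http -> File Server",   "permit", evaluate(ACL_100, "tcp", "192.168.1.1", "123.123.123.254", 80)),
        ("req3: PC1 telnet -> Router",      "permit", evaluate(ACL_100, "tcp", "192.168.1.1", "192.168.1.254", 23)),
        ("req4: File Server telnet -> PC2", "deny",   evaluate(ACL_101, "tcp", "123.123.123.254", "192.168.1.2", 23)),
        ("req4: File Server http -> PC2",   "permit", evaluate(ACL_101, "tcp", "123.123.123.254", "192.168.1.2", 80)),
        ("req1: PC1 ping -> File Server",   "permit", evaluate(ACL_100, "icmp", "192.168.1.1", "123.123.123.254")),
        ("req2: PC2 telnet -> File Server", "permit", evaluate(ACL_100, "tcp", "192.168.1.2", "123.123.123.254", 23)),
    ]

def config_gaps():
    """Labels of requirements the ACLs as written do not satisfy."""
    return [label for label, expected, actual in check_requirements() if expected != actual]

if __name__ == "__main__":
    for label, expected, actual in check_requirements():
        print(("OK " if expected == actual else "GAP"), label, "expected", expected, "got", actual)
```

Run as written, it reports two gaps: ACL 100 has no entry for ICMP or for PC 2, so once it is applied inbound on FastEthernet 0/1 the implicit deny drops PC 1's ping from requirement 1 and all of PC 2's traffic; explicit permit entries placed after the deny would restore those flows.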