Day 4 • Security (ACL), Standard Access Lists, Extended Access Lists, Named ACLs • Network Address Translation (NAT), Static NAT, Dynamic NAT, PAT (Overloading) • LAB Configuration


Day 4

• Security (ACL), Standard Access Lists, Extended Access Lists, Named ACLs

• Network Address Translation (NAT), Static NAT, Dynamic NAT, PAT (Overloading)

• LAB Configuration


Access Control Lists

- Standard: 1-99, 1300-1999

- Extended: 100-199, 2000-2699

Standard access list (1-99)

Config#access-list (access number) (permit,deny) (SA) (wildcard)

Ex

Config#access-list 1 deny 192.168.12.100 0.0.0.0

Config#access-list 1 permit any

Config#interface S0

Config-if#ip access-group 1 in


Standard access list (1-99)

#show ip interface S0 (to check whether an access-list is applied on the interface)

Ex: Block telnet

Config#access-list 2 deny 192.168.1.2 0.0.0.0

Config#access-list 2 permit any

Config#line vty 0 4

(config-line)#access-class 2 in


Extended access list (100-199)

config#access-list (access number) (permit,deny) (protocol tcp,udp,icmp) (SA) (wildcard) (DA) (wildcard) (eq,neq,lt,gt) (port number)

Ex

Config#access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23

Config#access-list 101 permit ip any any

config#interface S0

config-if#ip access-group 101 in


Named access list

Config#ip access-list (standard|extended) (name)

Ex Standard

config#ip access-list standard Internet

config-std-nacl#permit 192.168.40.25 0.0.0.0

config-std-nacl#permit 192.168.40.26 0.0.0.0

config#interface e0

config-if#ip access-group Internet in

Ex Extended

config#ip access-list extended BlockVirus2

config-ext-nacl#deny tcp any any eq 135

config-ext-nacl#deny tcp any any eq 4899

config-ext-nacl#permit ip any any

config#interface S0

config-if#ip access-group BlockVirus2 in
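As an added example (not part of the slides), the following Python model shows how IOS evaluates the numbered ACLs above: wildcard-mask matching (0 bit = must match, 1 bit = don't care), first-match ordering, and the implicit deny at the end of every list. It parses the `access-list` lines from the preceding slides; the `Packet` format, the function names and the one-snippet config are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any" = base 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit means 'must match', a 1 bit means 'don't care'.
    So 0.0.0.0 is an exact host and 255.255.255.255 matches everything."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                                # "permit" or "deny"
    proto: str = "ip"                          # ip / tcp / udp / icmp
    src: Tuple[str, str] = ANY                 # (address, wildcard)
    dst: Tuple[str, str] = ANY                 # standard ACLs never look at this
    dport: Optional[Tuple[str, int]] = None    # (operator, port), e.g. ("eq", 23)


@dataclass
class Packet:                                  # constructed packet summary, my own format
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _take_addr(tok: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_acl_line(line: str) -> Tuple[int, Entry]:
    """Parse one numbered 'access-list N ...' line (standard or extended form)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= num <= 99 or 1300 <= num <= 1999:          # standard: source only
        src, rest = _take_addr(rest)
        return num, Entry(action, "ip", src)
    if 100 <= num <= 199 or 2000 <= num <= 2699:       # extended: proto, src, dst, [op port]
        proto, rest = rest[0], rest[1:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = (rest[0], int(rest[1])) if len(rest) >= 2 else None
        return num, Entry(action, proto, src, dst, dport)
    raise ValueError(f"ACL number {num} is outside the standard/extended ranges")


def load_acls(config: str) -> Dict[int, List[Entry]]:
    """Group access-list lines by number, preserving the order they were entered."""
    acls: Dict[int, List[Entry]] = {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("access-list"):
            num, entry = parse_acl_line(line)
            acls.setdefault(num, []).append(entry)
    return acls


def _port_ok(op: str, want: int, have: int) -> bool:
    return {"eq": have == want, "neq": have != want,
            "lt": have < want, "gt": have > want}[op]


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and (pkt.dport is None or not _port_ok(*e.dport, pkt.dport)):
            continue
        return e.action
    return "deny"   # the implicit "deny any" at the end of every ACL


# The ACL lines from the slides above, gathered into one constructed config snippet.
SLIDE_CONFIG = """
access-list 1 deny 192.168.12.100 0.0.0.0
access-list 1 permit any
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
access-list 101 permit ip any any
"""
ACLS = load_acls(SLIDE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[1], Packet("192.168.12.100", "10.10.10.1")))             # deny
    print(evaluate(ACLS[101], Packet("192.168.1.50", "10.10.10.2", "tcp", 23)))  # deny
    print(evaluate(ACLS[101], Packet("192.168.1.50", "10.10.10.2", "tcp", 80)))  # permit
```

The point worth checking with this model is the implicit deny: an ACL whose only line is a `deny` blocks everything, which is why every example on the slides ends with `permit any` or `permit ip any any`.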


Well-Known Ports

- ECHO Server ---> TCP/7
- DISCARD Server ---> TCP/9
- DAYTIME Server ---> TCP/13
- CHARGEN Server ---> TCP/19
- FTP Server ---> TCP/21
- SSH Server ---> TCP/22
- Telnet Server ---> TCP/23
- SMTP Server ---> TCP/25
- DNS Server ---> TCP/53 and UDP/53
- DHCP Server ---> UDP/68
- Web Server ---> TCP/80 (HTTP)
- Secure Web Server ---> TCP/443 (HTTPS)
- POP3 Server ---> TCP/110
- IMAP Server ---> TCP/143
- SNMP Server ---> UDP/161
- LDAP Server ---> TCP/389
- Web Proxy Server ---> TCP/3128 or TCP/8080

The Well Known Ports are those from 0 through 1023. http://www.iana.org/assignments/port-numbers


Network Address Translation (NAT)

- Static
- Dynamic
- Overloading

Static

Config#ip nat inside source static 192.168.1.2 10.10.10.3

Config#interface e0
Config-if#ip nat inside

Config#interface S0
Config-if#ip nat outside

#debug ip nat (to check whether static NAT translation is taking place)


Example

• routerB#debug ip nat

• 00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]
• 00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]
• 00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]
• 00:28:34: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1277]
• 00:28:35: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1279]
• 00:28:35: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1279]
• 00:28:36: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1281]
• 00:28:36: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1281]
• 00:28:42: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1283]
• 00:28:42: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1283]


Dynamic

Config#ip nat pool (pool name) (start ip) (end ip) netmask (netmask)

Ex

Config#ip nat pool ISP 10.10.10.4 10.10.10.8 netmask 255.255.255.0

Config#access-list 1 permit 192.168.1.0 0.0.0.255

Config#ip nat inside source list 1 pool ISP

Config#interface e0
Config-if#ip nat inside

Config#interface S0
Config-if#ip nat outside


Overloading

Config#access-list 1 permit 192.168.1.0 0.0.0.255

Config#ip nat inside source list 1 interface S0 overload

Or, overloading can be combined with a dynamic pool:

Config#ip nat inside source list 1 pool (pool name) overload

Config#interface e0
Config-if#ip nat inside

Config#interface S0
Config-if#ip nat outside
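As an added example (not part of the slides), the following Python model of a NAT router ties the three modes above together: the static entry wins over everything, dynamic NAT hands out one pool address per inside host and drops packets once the pool is empty, and overloading (PAT) lets every host share one address by giving each flow its own port. The pool and ACL values are the ones from the `ISP` pool example; the S0 address 10.10.10.2 for the overload case, the port-allocation strategy (keep the original port if free, otherwise hand out from 1024 upward) and all class and function names are my own assumptions, not IOS internals.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


class PoolExhausted(Exception):
    """Dynamic NAT without overload: no free inside-global address, so the packet is dropped."""


def permitted(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard test of the 'access-list N permit ...' that selects NAT candidates."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (a | w) == (b | w)


def pool_range(start: str, end: str) -> List[str]:
    """Expand 'ip nat pool NAME start end' into the individual addresses."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(s, e + 1)]


@dataclass
class NatRouter:
    static: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    pool: List[str] = field(default_factory=list)          # inside global addresses (pool or interface)
    acl: Tuple[str, str] = ANY                             # source network eligible for translation
    overload: bool = False                                 # PAT: many locals share one global
    _dynamic: Dict[str, str] = field(default_factory=dict)
    _pat: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)
    _next_port: int = 1024                                 # simplified allocator (assumption)

    def translate_out(self, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Packet entering on the 'ip nat inside' interface and leaving via 'ip nat outside'.
        Returns the (inside global ip, port) it is sent with, or None when no rule applies
        (the packet is then forwarded with its original address)."""
        if src_ip in self.static:                         # static entries always win
            return self.static[src_ip], src_port
        if not permitted(src_ip, *self.acl):
            return None
        if self.overload:
            key = (proto, src_ip, src_port)
            if key not in self._pat:
                gip = self.pool[0]
                in_use = {p for (g, p) in self._pat.values() if g == gip}
                gport = src_port if src_port not in in_use else self._alloc_port(in_use)
                self._pat[key] = (gip, gport)
            return self._pat[key]
        if src_ip not in self._dynamic:                   # one global address per inside host
            free = [g for g in self.pool if g not in self._dynamic.values()]
            if not free:
                raise PoolExhausted(src_ip)
            self._dynamic[src_ip] = free[0]
        return self._dynamic[src_ip], src_port

    def translate_in(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reply arriving on the outside interface: undo the translation, if one exists."""
        for local, glob in list(self.static.items()) + list(self._dynamic.items()):
            if glob == dst_ip:
                return local, dst_port
        for (p, lip, lport), (gip, gport) in self._pat.items():
            if p == proto and (gip, gport) == (dst_ip, dst_port):
                return lip, lport
        return None                                       # no entry: unsolicited inbound packet

    def _alloc_port(self, in_use: set) -> int:
        while self._next_port in in_use:
            self._next_port += 1
        port, self._next_port = self._next_port, self._next_port + 1
        return port


def dynamic_router() -> NatRouter:
    """'ip nat pool ISP 10.10.10.4 10.10.10.8' with 'access-list 1 permit 192.168.1.0 0.0.0.255',
    plus the static entry 192.168.1.2 -> 10.10.10.3 from the static NAT slide."""
    return NatRouter(static={"192.168.1.2": "10.10.10.3"},
                     pool=pool_range("10.10.10.4", "10.10.10.8"),
                     acl=("192.168.1.0", "0.0.0.255"))


def overload_router() -> NatRouter:
    """'ip nat inside source list 1 interface S0 overload'; S0 is assumed to be 10.10.10.2."""
    return NatRouter(pool=["10.10.10.2"], acl=("192.168.1.0", "0.0.0.255"), overload=True)
```

Two behaviours are worth noticing when running it: the dynamic pool of five addresses serves only five inside hosts before `PoolExhausted` is raised, which is the operational reason the overload form is normally preferred; and with overloading, an inbound packet that matches no existing translation is simply not delivered, so PAT by itself already blocks unsolicited inbound connections to the inside hosts.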


Example

• routerB#debug ip nat

• 00:41:39: NAT: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1789]
• 00:41:39: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1789]
• 00:41:40: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1790]
• 00:41:40: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1790]
• 00:41:41: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1792]
• 00:41:41: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1792]
• 00:41:42: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1794]
• 00:41:42: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1794]
• 00:41:43: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1795]
• 00:41:43: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1795]
• 00:41:44: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1797]
• 00:41:44: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1797]


Example

routerB#debug ip nat

• 00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
• 00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
• 00:52:13: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2333]
• 00:52:13: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2333]
• 00:52:14: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2337]
• 00:52:14: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2337]
• 00:52:15: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2339]
• 00:52:15: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2339]
• 00:52:16: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2340]
• 00:52:16: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2340]
• 00:52:17: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2342]
• 00:52:17: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2342]
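The three `debug ip nat` captures above share one format: `s=` and `d=` carry the source and destination, `a->b` marks the address that was rewritten, `NAT` versus `NAT*` distinguishes the process-switched first packet of a conversation from the fast-switched ones that follow, and the bracketed number is the IP identification. As an added example (not part of the slides), this Python parser reads such lines offline, recovers the inside-local to inside-global mappings, and checks that each reply is untranslated back to the host that sent the request. The sample lines are the first capture above; the two lines in `BAD` are constructed by me to show what a mismatch looks like, and all function names are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# One 'debug ip nat' line: timestamp, NAT or NAT* (asterisk = fast-switched),
# the source and destination fields, and the bracketed IP identification number.
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.>-]+), d=(?P<d>[\d.>-]+) \[(?P<id>\d+)\]$"
)


def _endpoint(spec: str) -> Tuple[str, str]:
    """'a->b' means the address was rewritten from a to b; a bare address was untouched."""
    if "->" in spec:
        before, after = spec.split("->", 1)
        return before, after
    return spec, spec


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one debug line, or None for anything that is not one."""
    m = _LINE.match(line.strip().lstrip("• ").strip())
    if not m:
        return None
    return {"ts": m["ts"], "fast": m["fast"] == "*",
            "src": _endpoint(m["s"]), "dst": _endpoint(m["d"]), "ipid": int(m["id"])}


def mappings(lines: List[str]) -> Dict[str, Set[str]]:
    """inside-local -> set of inside-global addresses, learned from both directions."""
    seen: Dict[str, Set[str]] = {}
    for rec in filter(None, map(parse_line, lines)):
        local, glob = rec["src"]          # outbound: source rewritten local -> global
        if local != glob:
            seen.setdefault(local, set()).add(glob)
        glob, local = rec["dst"]          # inbound: destination rewritten global -> local
        if local != glob:
            seen.setdefault(local, set()).add(glob)
    return seen


def symmetry_errors(lines: List[str]) -> List[str]:
    """Pair each reply with its request via the bracketed id (shared by both directions in
    the captures above) and confirm the reply reaches the host that sent the request."""
    outbound: Dict[int, Tuple[str, str]] = {}
    errors: List[str] = []
    for rec in filter(None, map(parse_line, lines)):
        local, glob = rec["src"]
        if local != glob:
            outbound[rec["ipid"]] = (local, glob)
            continue
        glob, local = rec["dst"]
        if local == glob:
            continue
        expected = outbound.get(rec["ipid"])
        if expected is None:
            errors.append(f"[{rec['ipid']}] reply with no matching outbound packet")
        elif expected != (local, glob):
            errors.append(f"[{rec['ipid']}] reply went to {local} via {glob}, "
                          f"request came from {expected[0]} via {expected[1]}")
    return errors


def switching_summary(lines: List[str]) -> Tuple[int, int]:
    """(process-switched, fast-switched) counts; only the first packet of a
    conversation is expected without the asterisk."""
    recs = list(filter(None, map(parse_line, lines)))
    fast = sum(1 for r in recs if r["fast"])
    return len(recs) - fast, fast


# The first 'debug ip nat' capture from the slides.
SAMPLE = [
    "• 00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]",
    "• 00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]",
    "• 00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]",
    "• 00:28:34: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1277]",
    "• 00:28:35: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1279]",
    "• 00:28:35: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1279]",
    "• 00:28:36: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1281]",
    "• 00:28:36: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1281]",
    "• 00:28:42: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1283]",
    "• 00:28:42: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1283]",
]

# Constructed (not from the slides): a reply whose destination is untranslated
# to a different inside host than the one that sent the request.
BAD = [
    "00:28:50: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1290]",
    "00:28:50: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.9 [1290]",
]

if __name__ == "__main__":
    print(mappings(SAMPLE))                 # {'192.168.4.2': {'10.10.10.6'}}
    print(switching_summary(SAMPLE))        # (1, 9)
    print(symmetry_errors(SAMPLE + BAD))    # one error for id 1290
```

Reading the capture this way also answers the question the slide poses for `debug ip nat`: a static entry is working when the same inside-local address is consistently rewritten to the same inside-global address in both directions, which `mappings()` reports as a one-element set per host.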


Ex Static NAT (port-level static entries alongside interface overload)

• ip nat inside source list 7 interface Serial0 overload
• ip nat inside source static tcp 192.168.42.30 5900 203.149.9.218 5900 extendable
• ip nat inside source static udp 192.168.42.30 5900 203.149.9.218 5900 extendable
• ip nat inside source static udp 192.168.42.30 5800 203.149.9.218 5800 extendable
• ip nat inside source static tcp 192.168.42.30 5800 203.149.9.218 5800 extendable
• ip nat inside source static tcp 192.168.42.2 6500 203.149.9.219 6500 extendable
• ip nat inside source static tcp 192.168.42.2 80 203.149.9.219 80 extendable
• ip nat inside source static tcp 192.168.42.5 143 203.149.9.218 143 extendable
• ip nat inside source static tcp 192.168.42.5 21 203.149.9.218 21 extendable
• ip nat inside source static tcp 192.168.42.5 20 203.149.9.218 20 extendable
• ip nat inside source static tcp 192.168.42.5 22 203.149.9.218 22 extendable
• ip nat inside source static udp 192.168.42.5 53 203.149.9.218 53 extendable
• ip nat inside source static tcp 192.168.42.5 53 203.149.9.218 53 extendable
• ip nat inside source static tcp 192.168.42.5 110 203.149.9.218 110 extendable
• ip nat inside source static tcp 192.168.42.5 25 203.149.9.218 25 extendable
• ip nat inside source static udp 192.168.42.5 22 203.149.9.218 22 extendable
• ip nat inside source static tcp 192.168.42.5 80 203.149.9.218 80 extendable