Day 4
• Security (ACL): Standard Access Lists, Extended Access Lists, Named ACLs
• Network Address Translation (NAT): Static NAT, Dynamic NAT, PAT (Overloading)
• LAB Configuration
Access Control Lists
- Standard: 1-99, 1300-1999
- Extended: 100-199, 2000-2699

Standard access list (1-99)
Config#access-list (access number) (permit|deny) (SA) (wildcard)

Ex
Config#access-list 1 deny 192.168.12.100 0.0.0.0
Config#access-list 1 permit any
Config#interface S0
Config-if#ip access-group 1 in
Standard access list (1-99)
#show ip interface S0   (to check whether an access-list is applied on the interface)

Ex: Block telnet
Config#access-list 2 deny 192.168.1.2 0.0.0.0
Config#access-list 2 permit any
Config#line vty 0 4
(config-line)#access-class 2 in
Access Control Lists
Extended access list (100-199)
config#access-list (access number) (permit|deny) (protocol: tcp, udp, icmp) (SA) (wildcard) (DA) (wildcard) (eq|neq|lt|gt) (port number)

Ex
Config#access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
Config#access-list 101 permit ip any any
config#interface S0
config-if#ip access-group 101 in
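The standard and extended lists above share the same matching rules: the wildcard mask decides which address bits must match (0 = must match, 1 = don't care), entries are tested top-down and the first match wins, and any packet that matches nothing hits the implicit "deny any" at the end of every list. The following Python is an added example, not part of the slides, that parses the page's access-list lines and evaluates packets against them; the evaluate() signature, the Entry dataclass and the "(action, index)" result shape are this example's own conventions, not IOS output.

```python
"""Toy evaluator for the Cisco-style standard and extended ACL lines on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must equal the base address, a 1 bit is 'don't care'.
    So 0.0.0.0 means exactly one host, 255.255.255.255 (or 'any') means every address."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    src: str                      # base address or "any"
    src_wc: str                   # wildcard for src
    proto: str = "ip"             # a standard ACL tests only the source, so it behaves like "ip"
    dst: str = "any"
    dst_wc: str = "255.255.255.255"
    op: Optional[str] = None      # eq / neq / lt / gt, applied to the destination port
    port: Optional[int] = None


def _take_addr(tok: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (wildcard optional)."""
    if tok[0] == "any":
        return "any", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit() and "." in tok[1]:
        return tok[0], tok[1], tok[2:]
    return tok[0], "0.0.0.0", tok[1:]      # IOS treats a missing wildcard as 0.0.0.0


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> <permit|deny> ...' in the standard (1-99, 1300-1999)
    or extended (100-199, 2000-2699) form used on the page."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        src, src_wc, _ = _take_addr(rest)
        return Entry(action, src, src_wc)
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"ACL number {number} is outside the standard/extended ranges")
    proto = rest[0]
    src, src_wc, rest = _take_addr(rest[1:])
    dst, dst_wc, rest = _take_addr(rest)
    op = port = None
    if len(rest) >= 2 and rest[0] in ("eq", "neq", "lt", "gt"):
        op, port = rest[0], int(rest[1])
    return Entry(action, src, src_wc, proto, dst, dst_wc, op, port)


def _port_ok(e: Entry, dport: Optional[int]) -> bool:
    if e.op is None:
        return True
    if dport is None:
        return False
    return {"eq": dport == e.port, "neq": dport != e.port,
            "lt": dport < e.port, "gt": dport > e.port}[e.op]


def evaluate(acl: List[Entry], src: str, proto: str = "ip", dst: str = "0.0.0.0",
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins. Returns (action, index of the matching entry);
    index None means nothing matched and the implicit 'deny any' at the end applied."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if not _port_ok(e, dport):
            continue
        return e.action, i
    return "deny", None


# ACL 1 and ACL 101 exactly as written on the page (IOS appends an implicit "deny any").
ACL_1 = [parse_entry(l) for l in [
    "access-list 1 deny 192.168.12.100 0.0.0.0",
    "access-list 1 permit any",
]]
ACL_101 = [parse_entry(l) for l in [
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23",
    "access-list 101 permit ip any any",
]]
# A list containing only deny lines blocks everything, because of the implicit deny.
ACL_DENY_ONLY = [parse_entry("access-list 2 deny 192.168.1.2 0.0.0.0")]

if __name__ == "__main__":
    print(evaluate(ACL_1, "192.168.12.100"))                           # ('deny', 0)
    print(evaluate(ACL_1, "192.168.12.101"))                           # ('permit', 1)
    print(evaluate(ACL_101, "192.168.1.7", "tcp", "10.10.10.2", 23))   # ('deny', 0)
    print(evaluate(ACL_101, "192.168.1.7", "tcp", "10.10.10.2", 22))   # ('permit', 1)
    print(evaluate(ACL_DENY_ONLY, "192.168.1.3"))                      # ('deny', None)
```

The ACL_DENY_ONLY case is the one that catches people in the lab: forgetting the trailing "permit any" (or "permit ip any any") turns a list meant to block one host into a list that blocks everyone on that interface.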
Access Control Lists
Named access list
Config#ip access-list (standard|extended) (name)

Ex Standard
config#ip access-list standard Internet
config-std-nacl#permit 192.168.40.25 0.0.0.0
config-std-nacl#permit 192.168.40.26 0.0.0.0
config#interface e0
config-if#ip access-group Internet in

Ex Extended
config#ip access-list extended BlockVirus2
config-ext-nacl#deny tcp any any eq 135
config-ext-nacl#deny tcp any any eq 4899
config-ext-nacl#permit ip any any
config#interface S0
config-if#ip access-group BlockVirus2 in
Access Control Lists
Well-Known Ports
ECHO Server ---> TCP/7
DISCARD Server ---> TCP/9
DAYTIME Server ---> TCP/13
CHARGEN Server ---> TCP/19
FTP Server ---> TCP/21
SSH Server ---> TCP/22
Telnet Server ---> TCP/23
SMTP Server ---> TCP/25
DNS Server ---> TCP/53 and UDP/53
DHCP Server ---> UDP/68
Web Server ---> TCP/80 (HTTP)
Secure Web Server ---> TCP/443 (HTTPS)
POP3 Server ---> TCP/110
IMAP Server ---> TCP/143
SNMP Server ---> UDP/161
LDAP Server ---> TCP/389
Web Proxy Server ---> TCP/3128 or TCP/8080
The Well Known Ports are those from 0 through 1023. http://www.iana.org/assignments/port-numbers
Network Address Translation
NAT
- Static
- Dynamic
- Overloading

Static
Config#ip nat inside source static 192.168.1.2 10.10.10.3
Config#interface e0
Config-if#ip nat inside
Config#interface S0
Config-if#ip nat outside
#debug ip nat   (to check whether static NAT translation is actually taking place)

Example
routerB#debug ip nat
00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]
00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]
00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]
00:28:34: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1277]
00:28:35: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1279]
00:28:35: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1279]
00:28:36: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1281]
00:28:36: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1281]
00:28:42: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1283]
00:28:42: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1283]
Dynamic
Config#ip nat pool (name) (start ip) (end ip) netmask (netmask)

Ex
Config#ip nat pool ISP 10.10.10.4 10.10.10.8 netmask 255.255.255.0
Config#access-list 1 permit 192.168.1.0 0.0.0.255
Config#ip nat inside source list 1 pool ISP
Config#interface e0
Config-if#ip nat inside
Config#interface S0
Config-if#ip nat outside
Network Address Translation
Overloading
Config#access-list 1 permit 192.168.1.0 0.0.0.255
Config#ip nat inside source list 1 interface S0 overload

Or overloading can also be done with a dynamic pool:
Config#ip nat inside source list 1 pool (pool name) overload
Config#interface e0
Config-if#ip nat inside
Config#interface S0
Config-if#ip nat outside
Example
routerB#debug ip nat
00:41:39: NAT: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1789]
00:41:39: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1789]
00:41:40: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1790]
00:41:40: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1790]
00:41:41: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1792]
00:41:41: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1792]
00:41:42: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1794]
00:41:42: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1794]
00:41:43: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1795]
00:41:43: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1795]
00:41:44: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1797]
00:41:44: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1797]

Example
routerB#debug ip nat
00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
00:52:13: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2333]
00:52:13: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2333]
00:52:14: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2337]
00:52:14: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2337]
00:52:15: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2339]
00:52:15: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2339]
00:52:16: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2340]
00:52:16: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2340]
00:52:17: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2342]
00:52:17: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2342]
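Reading the debug ip nat output by hand gets tedious once more than one inside host is talking. Each record shows which address was rewritten: "s=A->B" is an outbound packet whose source was translated from inside-local A to inside-global B, "d=B->A" is the reply coming back; "NAT:" without the asterisk is the first packet of a flow, handled in the process path when the translation entry is created, and "NAT*:" marks later packets translated in the fast-switched path. The Python below is an added example, not from the slides, that parses such records into a per-translation summary and points out inside-global addresses shared by several inside hosts, which is how overloading (PAT) shows up in this output. The sample lines are constructed in the page's format (the "routerB#" prompt line is included only to show that non-record lines are skipped).

```python
"""Parse 'debug ip nat' output like the examples on this page into a translation summary."""
import re
from typing import Dict, List, Tuple

# One debug record per line. 'NAT:' = first packet of a flow, translated in the process
# path (entry created); 'NAT*:' = later packets translated in the fast-switched path.
NAT_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_to>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_to>[\d.]+))? \[(?P<pkt_id>\d+)\]$"
)

Key = Tuple[str, str]   # (inside local, inside global)


def parse_nat_debug(text: str) -> Tuple[Dict[Key, dict], List[str]]:
    """Return (table, skipped). table maps (inside_local, inside_global) to counters:
    'out' = inside->outside packets, 'in' = outside->inside packets,
    'process_switched' = records without '*', 'outside' = set of outside peers seen."""
    table: Dict[Key, dict] = {}
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # tolerate bullet glyphs left by slide export
        if not line:
            continue
        m = NAT_LINE.match(line)
        if not m:
            skipped.append(line)
            continue
        g = m.groupdict()
        if g["s_to"]:            # outbound: source rewritten inside-local -> inside-global
            key, direction, peer = (g["s"], g["s_to"]), "out", g["d"]
        elif g["d_to"]:          # inbound: destination rewritten inside-global -> inside-local
            key, direction, peer = (g["d_to"], g["d"]), "in", g["s"]
        else:                    # nothing rewritten: not a translation we can attribute
            skipped.append(line)
            continue
        rec = table.setdefault(key, {"out": 0, "in": 0, "process_switched": 0, "outside": set()})
        rec[direction] += 1
        rec["outside"].add(peer)
        if g["fast"] == "":
            rec["process_switched"] += 1
    return table, skipped


def shared_globals(table: Dict[Key, dict]) -> Dict[str, List[str]]:
    """Inside-global addresses used by more than one inside-local host.
    That many-to-one pattern is what overloading (PAT) looks like in the debug output;
    static and plain dynamic NAT give one inside-local per inside-global."""
    by_global: Dict[str, List[str]] = {}
    for local, glob in table:
        by_global.setdefault(glob, []).append(local)
    return {g: sorted(ls) for g, ls in by_global.items() if len(ls) > 1}


# Constructed sample in the format of the page's routerB output: two inside hosts
# (192.168.4.2 and 192.168.4.3) both translated to 10.10.10.2, plus one non-record line.
SAMPLE = """\
00:41:39: NAT: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1789]
00:41:39: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1789]
00:41:40: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1790]
00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
routerB#
"""

if __name__ == "__main__":
    table, skipped = parse_nat_debug(SAMPLE)
    for (local, glob), rec in table.items():
        print(f"{local} -> {glob}: out={rec['out']} in={rec['in']} "
              f"first-packet(process)={rec['process_switched']} peers={sorted(rec['outside'])}")
    print("overloaded globals:", shared_globals(table))
    print("skipped:", skipped)
```

Because the records carry no port numbers, the parser cannot tell which PAT port a host was given; it can only show that several inside-local addresses share one inside-global, which is enough to confirm that the overload configuration is the one in effect.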
Ex Static NAT
ip nat inside source list 7 interface Serial0 overload
ip nat inside source static tcp 192.168.42.30 5900 203.149.9.218 5900 extendable
ip nat inside source static udp 192.168.42.30 5900 203.149.9.218 5900 extendable
ip nat inside source static udp 192.168.42.30 5800 203.149.9.218 5800 extendable
ip nat inside source static tcp 192.168.42.30 5800 203.149.9.218 5800 extendable
ip nat inside source static tcp 192.168.42.2 6500 203.149.9.219 6500 extendable
ip nat inside source static tcp 192.168.42.2 80 203.149.9.219 80 extendable
ip nat inside source static tcp 192.168.42.5 143 203.149.9.218 143 extendable
ip nat inside source static tcp 192.168.42.5 21 203.149.9.218 21 extendable
ip nat inside source static tcp 192.168.42.5 20 203.149.9.218 20 extendable
ip nat inside source static tcp 192.168.42.5 22 203.149.9.218 22 extendable
ip nat inside source static udp 192.168.42.5 53 203.149.9.218 53 extendable
ip nat inside source static tcp 192.168.42.5 53 203.149.9.218 53 extendable
ip nat inside source static tcp 192.168.42.5 110 203.149.9.218 110 extendable
ip nat inside source static tcp 192.168.42.5 25 203.149.9.218 25 extendable
ip nat inside source static udp 192.168.42.5 22 203.149.9.218 22 extendable
ip nat inside source static tcp 192.168.42.5 80 203.149.9.218 80 extendable
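Each of those per-port static lines is a hole punched from the outside into one inside host, so the list is worth reading as an exposure inventory rather than as a set of router commands. The Python below is an added example, not part of the slides, that parses lines in the "ip nat inside source static tcp|udp LOCAL LPORT GLOBAL GPORT" form, groups the result per inside host with the service names from the well-known-port table on this page, and flags a later line that tries to reuse an already-assigned global address/port for a different inside host. The sample config takes a subset of the page's lines and adds one constructed conflicting line (inside host 192.168.42.9 is invented for that purpose); the function and variable names are this example's own.

```python
"""Turn static NAT port-forward lines like the ones on this page into an exposure inventory."""
import re
from typing import Dict, List, Tuple

# 'extendable' lets one inside address appear in several static entries; it is optional here.
STATIC_PORT_RULE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<local_ip>[\d.]+) (?P<local_port>\d+) "
    r"(?P<global_ip>[\d.]+) (?P<global_port>\d+)(?P<ext> extendable)?$"
)

# Service names for the well-known ports listed on this page (used only for labelling).
PORT_NAMES = {("tcp", 20): "FTP-data", ("tcp", 21): "FTP", ("tcp", 22): "SSH",
              ("tcp", 23): "Telnet", ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
              ("tcp", 80): "HTTP", ("tcp", 110): "POP3", ("tcp", 143): "IMAP",
              ("tcp", 443): "HTTPS"}

Exposure = Tuple[str, str, int]   # (global_ip, proto, global_port)
Target = Tuple[str, int]          # (local_ip, local_port)


def parse_static_rules(config: str) -> Tuple[Dict[Exposure, Target], List[Exposure], List[str]]:
    """Return (exposures, conflicts, ignored).
    exposures: (global_ip, proto, global_port) -> (local_ip, local_port); first definition wins.
    conflicts: global tuples a later line tried to map to a different inside host/port.
    ignored:   lines that are not port-level static translations (e.g. the overload line)."""
    exposures: Dict[Exposure, Target] = {}
    conflicts: List[Exposure] = []
    ignored: List[str] = []
    for raw in config.splitlines():
        line = raw.strip().lstrip("•").strip()   # tolerate bullet glyphs from slide export
        if not line:
            continue
        m = STATIC_PORT_RULE.match(line)
        if not m:
            ignored.append(line)
            continue
        key: Exposure = (m["global_ip"], m["proto"], int(m["global_port"]))
        target: Target = (m["local_ip"], int(m["local_port"]))
        if key in exposures and exposures[key] != target:
            conflicts.append(key)     # same outside ip/proto/port claimed for another host
            continue
        exposures[key] = target
    return exposures, conflicts, ignored


def exposure_report(exposures: Dict[Exposure, Target]) -> Dict[str, List[str]]:
    """Per inside host, the services reachable from outside through the static mappings."""
    report: Dict[str, List[str]] = {}
    for (gip, proto, gport), (lip, lport) in sorted(exposures.items()):
        name = PORT_NAMES.get((proto, lport), "unnamed")
        report.setdefault(lip, []).append(f"{proto}/{lport} ({name}) via {gip}:{gport}")
    return report


# Constructed sample: a subset of the page's lines plus one conflicting line for 192.168.42.9
# (an invented host) that reuses 203.149.9.218 tcp/22, which is already mapped to 192.168.42.5.
SAMPLE_CONFIG = """\
ip nat inside source list 7 interface Serial0 overload
ip nat inside source static tcp 192.168.42.30 5900 203.149.9.218 5900 extendable
ip nat inside source static udp 192.168.42.30 5900 203.149.9.218 5900 extendable
ip nat inside source static tcp 192.168.42.2 80 203.149.9.219 80 extendable
ip nat inside source static tcp 192.168.42.5 22 203.149.9.218 22 extendable
ip nat inside source static tcp 192.168.42.5 25 203.149.9.218 25 extendable
ip nat inside source static udp 192.168.42.5 53 203.149.9.218 53 extendable
ip nat inside source static tcp 192.168.42.9 22 203.149.9.218 22 extendable
"""

if __name__ == "__main__":
    exposures, conflicts, ignored = parse_static_rules(SAMPLE_CONFIG)
    for host, services in exposure_report(exposures).items():
        print(host)
        for s in services:
            print("   ", s)
    print("conflicts:", conflicts)
    print("ignored:", ignored)
```

Running this against a real config gives the list to compare with what each inside host is actually supposed to offer to the outside; anything "unnamed" or unexpected in the report is a mapping to go and justify, and a non-empty conflicts list means two lines are competing for the same outside port.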