Context-Based Access Control (CBAC) 基于上下文的访问控制 实

【 实验 说明】 配置路由器出站流量检查,动态打开ACL条目 IOS:c7200-adventerprisek9-mz.124-24.T3.bin 【 实验 拓扑】 650) this.width=650;" border="0" alt="" src="http://cdn.verydemo.com/upload/2013_05_27/13695895224540.jpg" /> 【 实验 配置向

实验说明】

配置路由器出站流量检查,动态打开ACL条目


IOS:c7200-adventerprisek9-mz.124-24.T3.bin


实验拓扑】

实验配置向导】

  • 将上面网络配置为 IP service 实验中的“Standard NAT with Overloading(PAT)”
  • 创建检查规则命名为 INSPECT,允许TCP协议
  • 创建检查规则命名为 INSPECT ,允许FTP流量通过路由器
  • 配置规则允许ICMP 并检查路由器自身产生的TCP与ICMP流量
  • 创建 INBOUND 访问控制列表,允许OSPF,并阻止其他流量
  • 在路由器的串口的入方向应用访问控制列表 INBOUND
  • 应用检查规则到路由器串口的出方向


实验配置】

--------------------------------实验PAT配置---------------------------------------------------------

R1:

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.0.0.4


R6:

interface FastEthernet0/0

ip address 10.0.0.6 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.0.0.4



R4:

interface Loopback0

ip address 150.1.4.4 255.255.255.0

ip ospf network point-to-point

no sh

!

interface FastEthernet0/0

ip address 10.0.0.4 255.255.255.0

ip nat inside

no sh

!

interface serial1/0

en fram

no sh

!

interface Serial1/0.1 point-to-point

ip address 155.1.0.4 255.255.255.0

frame-relay interface-dlci 405

ip nat outside

no sh

!

interface Serial1/1

ip address 155.1.45.4 255.255.255.0

clock rate 2000000

ip nat outside

no sh

!

router ospf 1

router-id 150.1.4.4

network 150.1.4.4 0.0.0.0 area 0

network 155.1.0.4 0.0.0.0 area 0

network 155.1.45.4 0.0.0.0 area 0

!

router bgp 1

bgp router-id 150.1.4.4

neighbor 150.1.5.5 remote-as 2

neighbor 150.1.5.5 ebgp-multihop 255

neighbor 150.1.5.5 update-source Loopback0

!

ip access-list standard INSIDE_NETWORK

permit 10.0.0.0 0.0.0.255

!

ip nat inside source list INSIDE_NETWORK interface Loop0 overload


R5:

interface Loopback0

ip address 150.1.5.5 255.255.255.0

ip ospf network point-to-point

no sh

!

interface Serial1/0

encapsulation frame-relay

no sh

!

interface Serial1/0.1 point-to-point

ip address 155.1.0.5 255.255.255.0

frame-relay interface-dlci 504

no sh

!

interface Serial1/1

ip address 155.1.45.5 255.255.255.0

clock rate 2000000

no sh

!

router ospf 1

router-id 150.1.5.5

network 150.1.5.5 0.0.0.0 area 0

network 155.1.0.5 0.0.0.0 area 0

network 155.1.45.5 0.0.0.0 area 0

!

router bgp 2

bgp router-id 150.1.5.5

neighbor 150.1.4.4 remote-as 1

neighbor 150.1.4.4 ebgp-multihop 255

neighbor 150.1.4.4 update-source Loopback0

neighbor 150.1.4.4 default-originate


------------------------------------------------CBAC 配置----------------------------------------------------------

实验配置】

R4:

ip inspect name INSPECT ftp

ip inspect name INSPECT icmp router-traffic

ip inspect name INSPECT tcp router-traffic

!

ip access-list ext INBOUND

permit ospf any any

deny ip any any log

!

interface Serial 0/1

ip access-group INBOUND in

ip inspect INSPECT out

!

interface Serial 0/0.1

ip access-group INBOUND in

ip inspect INSPECT out


实验验证】

R4#show ip inspect config

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400:500] connections

max-incomplete sessions thresholds are [400:500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec

tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec

Inspection Rule Configuration

Inspection name INSPECT

http alert is on audit-trail is off timeout 3600

ftp alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

telnet alert is on audit-trail is off timeout 3600

router alert is on audit-trail is off timeout 30

R6#telnet 150.1.5.5

Trying 150.1.5.5 ... Open

R5>

R4#show ip inspect sessions

Established Sessions

Session 650FF88C (10.0.0.6:54327)=>(150.1.5.5:23) tcp SIS_OPEN

Session 650FFB04 (150.1.4.4:40087)=>(150.1.5.5:179) tcp SIS_OPEN

R4#ping 150.1.5.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms

R4#telnet 150.1.5.5

Trying 150.1.5.5 ... Open

郑重声明:本文版权包含图片归原作者所有,转载文章仅为传播更多信息之目的,如作者信息标记有误,请第一时间联系我们(delete@yzlfxy.com)修改或删除,多谢。

郑重声明:本文版权归原作者所有,转载文章仅为传播更多信息之目的,如作者信息标记有误,请第一时间联系我们修改或删除,多谢。

留言与评论(共有 0 条评论)
昵称:
匿名发表
   
验证码: