Extended access lists with the Established option

王朝other · author unknown  2008-05-31

1) Configuration example:

Topology:

R2-(S2/0)-----------------(S2/0)-R1(S2/1)---------------(S2/1)-R3

An extended access list that uses Established allows internal users to reach the external network while denying the external network access to the internal network. A standard access list, or an extended access list without Established, does not have this property.

This example first uses OSPF to interconnect the whole network.

R1:

r1#sh run
*Mar 1 00:25:17.275: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
Current configuration : 1410 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 12.1.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 serial restart_delay 0
 frame-relay map ip 12.1.1.2 102 broadcast
 no frame-relay inverse-arp
!
interface Serial2/1
 ip address 13.1.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 serial restart_delay 0
 frame-relay map ip 13.1.1.3 113 broadcast
!
interface Serial2/2
 no ip address
 shutdown
 serial restart_delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart_delay 0
!
router ospf 10
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 no login
!
!
end

R2:

r2#sh run
Building configuration...
*Mar 1 00:27:29.871: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1298 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 12.1.1.2 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 serial restart_delay 0
 frame-relay map ip 12.1.1.1 201 broadcast
 no frame-relay inverse-arp
!
interface Serial2/1
 no ip address
 shutdown
 serial restart_delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart_delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart_delay 0
!
router ospf 10
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 no login
!
!
end

R3:

r3#sh run
Building configuration...
Current configuration : 1298 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart_delay 0
!
interface Serial2/1
 ip address 13.1.1.3 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 serial restart_delay 0
 frame-relay map ip 13.1.1.1 311 broadcast
 no frame-relay inverse-arp
!
interface Serial2/2
 no ip address
 shutdown
 serial restart_delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart_delay 0
!
router ospf 10
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 no login
!
!
end


2) Monitoring and testing the configuration:

We treat R2 as the internal network and R3 as the external network. With the configuration below, access initiated by R2 towards R3 works, while access initiated by R3 towards R2 is denied. Note that this scheme applies to TCP-based applications: every TCP conversation is bidirectional, so once R2 has initiated access to the external network, the external network's return traffic is allowed through, because by then the TCP segments carry the ACK or RST bit set to 1.

R1(config)#access-list 101 permit tcp any any established log-input
R1(config)#access-list 101 permit ospf any any
R1(config)#access-list 101 deny ip any any log-input
R1(config)#int s2/1
R1(config-if)#ip access-group 101 in

The log-input keyword above is there so that filtered packets are logged and can be monitored. Next, debug ip packet detailed is used to watch packets passing through R1; because the router also generates OSPF packets, the debug output is restricted with an access list.

r1(config)#access-list 102 permit tcp any any

We then have R2 initiate a telnet session to R3 (in the capture below the session was in fact opened from R1 itself, whose return traffic enters Serial2/1 and is filtered by list 101 exactly as R2's would be):

r1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open
r3>
*Mar 1 00:55:53.003: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.003: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 44, sending
*Mar 1 00:55:53.007: TCP src=11001, dst=23, seq=2398697781, ack=0, win=4128 SYN
*Mar 1 00:55:53.179: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 3.3.3.3(23) (Serial2/1 ) -> 13.1.1.1(11001), 1 packet
*Mar 1 00:55:53.183: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.183: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 44, rcvd 3
*Mar 1 00:55:53.187: TCP src=23, dst=11001, seq=949632690, ack=2398697782, win=4128 ACK SYN
*Mar 1 00:55:53.187: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.191: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 40, sending
*Mar 1 00:55:53.191: TCP src=11001, dst=23, seq=2398697782, ack=949632691, win=4128 ACK
*Mar 1 00:55:53.199: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.203: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 49, sending
*Mar 1 00:55:53.203: TCP src=11001, dst=23, seq=2398697782, ack=949632691, win=4128 ACK PSH
*Mar 1 00:55:53.207: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.211: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 40, sending
*Mar 1 00:55:53.215: TCP src=11001, dst=23, seq=2398697791, ack=949632691, win=4128 ACK
*Mar 1 00:55:53.455: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.455: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 52, rcvd 3
*Mar 1 00:55:53.459: TCP src=23, dst=11001, seq=949632691, ack=2398697791, win=4119 ACK PSH
*Mar 1 00:55:53.459: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.463: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 45, rcvd 3
*Mar 1 00:55:53.467: TCP src=23, dst=11001, seq=949632703, ack=2398697791, win=4119 ACK PSH
*Mar 1 00:55:53.467: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.471: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 43, rcvd 3
*Mar 1 00:55:53.471: TCP src=23, dst=11001, seq=949632708, ack=2398697791, win=4119 ACK PSH
*Mar 1 00:55:53.475: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.479: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 46, rcvd 3
*Mar 1 00:55:53.479: TCP src=23, dst=11001, seq=949632711, ack=2398697791, win=4119 ACK PSH
*Mar 1 00:55:53.483: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.487: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 43, sending
*Mar 1 00:55:53.487: TCP src=11001, dst=23, seq=2398697791, ack=949632717, win=4102 ACK PSH
*Mar 1 00:55:53.491: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.495: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 43, sending
*Mar 1 00:55:53.495: TCP src=11001, dst=23, seq=2398697794, ack=949632717, win=4102 ACK PSH
*Mar 1 00:55:53.499: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.503: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 49, sending
*Mar 1 00:55:53.503: TCP src=11001, dst=23, seq=2398697797, ack=949632717, win=4102 ACK PSH
*Mar 1 00:55:53.659: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.663: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 43, rcvd 3
*Mar 1 00:55:53.663: TCP src=23, dst=11001, seq=949632717, ack=2398697797, win=4113 ACK PSH
*Mar 1 00:55:53.867: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB
*Mar 1 00:55:53.867: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 40, sending
*Mar 1 00:55:53.871: TCP src=11001, dst=23, seq=2398697806, ack=949632720, win=4099 ACK
*Mar 1 00:55:53.963: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB
*Mar 1 00:55:53.967: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 40, rcvd 3
*Mar 1 00:55:53.967: TCP src=23, dst=11001, seq=949632720, ack=2398697806, win=4104 ACK

Note that the packets R3 sends back are allowed through. Next we test access initiated from R3 towards R2:

r3#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down
r1#
*Mar 1 01:02:22.779: %SEC-6-IPACCESSLOGP: list 101 denied tcp 13.1.1.3(11002) (Serial2/1 ) -> 2.2.2.2(23), 1 packet
*Mar 1 01:02:22.783: IP: s=13.1.1.3 (Serial2/1), d=2.2.2.2, len 44, access denied
*Mar 1 01:02:22.783: IP: tableid=0, s=13.1.1.1 (local), d=13.1.1.3 (Serial2/1), routed via RIB
*Mar 1 01:02:22.787: IP: s=13.1.1.1 (local), d=13.1.1.3 (Serial2/1), len 56, sending
*Mar 1 01:02:24.139: IP: s=12.1.1.2 (Serial2/0), d=224.0.0.5, len 80, rcvd 0
*Mar 1 01:02:24.315: IP: s=13.1.1.1 (local), d=224.0.0.5 (Serial2/1), len 80, sending broad/multicast
*Mar 1 01:02:25.139: IP: s=12.1.1.1 (local), d=224.0.0.5 (Serial2/0), len 80, sending broad/multicast

Note that the first segment TCP sends carries the SYN flag, which synchronizes the two hosts that are preparing to establish a new connection. The ACK bit is set by the receiver to tell the sender that data has been received successfully. The RST (reset) bit indicates when a connection is to be reset. An extended access list with Established only permits TCP segments whose ACK or RST bit is set to 1.
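As an added example (not code from the original post), the following Python model shows how list 101 evaluates the segments seen in the debug output above: first match wins, established is a pure flag test, and the deny ip line catches the rest. Packet, established, evaluate_acl and log_line are assumed names, the packets are constructed from the addresses in the post, and the last case goes beyond the post to show that an outside segment carrying only ACK matches as well, since the router keeps no connection state.

```python
# Added example, not from the original post. Models IOS evaluation of the
# post's access-list 101; Packet/established/evaluate_acl/log_line are assumed names.
from dataclasses import dataclass

# access-list 101 as applied inbound on R1 Serial2/1 in the post:
# (action, protocol, requires_established)
ACL_101 = [
    ("permit", "tcp", True),    # permit tcp any any established log-input
    ("permit", "ospf", False),  # permit ospf any any
    ("deny", "ip", False),      # deny ip any any log-input
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "ospf", "icmp", ...
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK", "SYN"}

def established(pkt):
    """IOS 'established': a TCP segment with ACK or RST set. No connection
    table is consulted, so this is a flag check, not stateful inspection."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

def evaluate_acl(acl, pkt):
    """Return (action, index of matching entry); index None is the implicit deny."""
    for i, (action, proto, needs_est) in enumerate(acl):
        if proto != "ip" and proto != pkt.proto:
            continue
        if needs_est and not established(pkt):
            continue
        return action, i
    return "deny", None

def log_line(pkt, action):
    """Approximate the %SEC-6-IPACCESSLOGP line that log-input produced in the post."""
    verb = {"permit": "permitted", "deny": "denied"}[action]
    return f"%SEC-6-IPACCESSLOGP: list 101 {verb} {pkt.proto} {pkt.src} -> {pkt.dst}"

# Constructed packets modelled on the post's debug output (not captured data).
SYN_ACK_FROM_R3 = Packet("3.3.3.3", "13.1.1.1", "tcp", frozenset({"ACK", "SYN"}))
SYN_FROM_R3 = Packet("13.1.1.3", "2.2.2.2", "tcp", frozenset({"SYN"}))
OSPF_HELLO = Packet("13.1.1.3", "224.0.0.5", "ospf")
# Outside segment with only ACK and no prior SYN from inside: still matches entry 0,
# which is why stateful inspection (reflexive ACLs, CBAC) is preferred over 'established'.
ACK_ONLY_FROM_R3 = Packet("13.1.1.3", "2.2.2.2", "tcp", frozenset({"ACK"}))

if __name__ == "__main__":
    for pkt in (SYN_ACK_FROM_R3, SYN_FROM_R3, OSPF_HELLO, ACK_ONLY_FROM_R3):
        action, idx = evaluate_acl(ACL_101, pkt)
        print(log_line(pkt, action), "(entry", idx, ")")
```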
