带Established选项的扩展访问列表

一、）配置示例：

拓扑:

R2-(S2/0)-----------------(S2/0)-R1(S2/1)---------------(S2/1)-R3

带有Established的扩展访问列表答应内部用户访问外部网络,而拒绝外部网络访问内部网络,而没带Established的标准访问列表和扩展访问列表没有这个特性.

这个示例首先用OSPF来使全网互联.

R1:

r1#sh run

*Mar 1 00:25:17.275: %SYS-5-CONFIG_I: Configured from console by console

Building configuration...

Current configuration : 1410 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service passWord-encryption

!

hostname r1

!

logging queue-limit 100

!

ip subnet-zero

!

!

!

ip audit notify log

ip audit po max-events 100

mpls ldp logging neighbor-changes

!

!

!

!

!

!

!

!

!

!

!

!

no voice hpi capture buffer

no voice hpi capture destination

!

!

mta receive maximum-recipients 0

!

!

!

!

interface Loopback0

ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

interface Serial2/0

ip address 12.1.1.1 255.255.255.0

encapsulation frame-relay

ip ospf network point-to-point

serial restart_delay 0

frame-relay map ip 12.1.1.2 102 broadcast

no frame-relay inverse-arp

!

interface Serial2/1

ip address 13.1.1.1 255.255.255.0

encapsulation frame-relay

ip ospf network point-to-point

serial restart_delay 0

frame-relay map ip 13.1.1.3 113 broadcast

!

interface Serial2/2

no ip address

shutdown

serial restart_delay 0

!

interface Serial2/3

no ip address

shutdown

serial restart_delay 0

!

router ospf 10

log-adjacency-changes

network 0.0.0.0 255.255.255.255 area 0

!

ip http server

no ip http secure-server

ip classless

!

!

!

!

!

call rsvp-sync

!

!

mgcp profile default

!

!

!

dial-peer cor custom

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

no login

!

!

end

R2:

r2#sh run

Building configuration...

*Mar 1 00:27:29.871: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1298 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r2

!

logging queue-limit 100

!

ip subnet-zero

!

!

!

ip audit notify log

ip audit po max-events 100

mpls ldp logging neighbor-changes

!

!

no voice hpi capture buffer

no voice hpi capture destination

!

!

mta receive maximum-recipients 0

!

!

interface Loopback0

ip address 2.2.2.2 255.255.255.0

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

interface Serial2/0

ip address 12.1.1.2 255.255.255.0

encapsulation frame-relay

ip ospf network point-to-point

serial restart_delay 0

frame-relay map ip 12.1.1.1 201 broadcast

no frame-relay inverse-arp

!

interface Serial2/1

no ip address

shutdown

serial restart_delay 0

!

interface Serial2/2

no ip address

shutdown

serial restart_delay 0

!

interface Serial2/3

no ip address

shutdown

serial restart_delay 0

!

router ospf 10

log-adjacency-changes

network 0.0.0.0 255.255.255.255 area 0

!

ip http server

no ip http secure-server

ip classless

!

!

!

!

!

call rsvp-sync

!

!

mgcp profile default

!

!

!

dial-peer cor custom

!

line con 0

line aux 0

line vty 0 4

no login

!

!

end

r3

r3#sh run

Building configuration...

Current configuration : 1298 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r3

!

logging queue-limit 100

!

ip subnet-zero

!

!

!

ip audit notify log

ip audit po max-events 100

mpls ldp logging neighbor-changes

!

!

!

!

!

!

!

!

!

!

!

!

no voice hpi capture buffer

no voice hpi capture destination

!

!

mta receive maximum-recipients 0

!

!

!

!

interface Loopback0

ip address 3.3.3.3 255.255.255.0

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

interface Serial2/0

no ip address

shutdown

serial restart_delay 0

!

interface Serial2/1

ip address 13.1.1.3 255.255.255.0

encapsulation frame-relay

ip ospf network point-to-point

serial restart_delay 0

frame-relay map ip 13.1.1.1 311 broadcast

no frame-relay inverse-arp

!

interface Serial2/2

no ip address

shutdown

serial restart_delay 0

!

interface Serial2/3

no ip address

shutdown

serial restart_delay 0

!

router ospf 10

log-adjacency-changes

network 0.0.0.0 255.255.255.255 area 0

!

ip http server

no ip http secure-server

ip classless

!

!

!

!

!

call rsvp-sync

!

!

mgcp profile default

!

!

!

dial-peer cor custom

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

no login

!

!

end

QQread.com

推出Windows2003教程

win2003安装介绍

win2003网络优化

win2003使用技巧

win2003系统故障

服务器配置

专家答疑

更多的请看：http://www.qqread.com/windows/2003/index.Html

二、）监视和测试配置:

我们让R2作为内部网络,R3作为内部网络,以下配置使R2发起访问R3没问题,从R3访问R2则被拒绝.注重这个配置方案是针对基于TCP的应用,任何TCP通讯都是双向的,从R2发起的访问外部网络之后,外部网络的流量得以通过,这个时候TCP报文,ACK或RST位被设置为1

R1(configure)Access-list 101 permit tcp any any established log-input

R1(configure)access-list 101 permit ospf any any

R1(configure)access-list 101 deny ip any any log-input

R1(configure)int s2/1

R1(configure-if)ip access-group 101 in

以上log-input是为了显示监视数据报文被过滤的情况,接下来用debug ip packet detailed来监视报文经过R1的情况,应该路由器还有OSPF报文产生,因此我们对DEBUG信息做了限制.

r1(config)#access-list 102 permit tcp any any

我们这样做 让R2发起telnet访问R3

r1#telnet 3.3.3.3

Trying 3.3.3.3 ... Open

r3>

*Mar 1 00:55:53.003: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.003: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 44, sending

*Mar 1 00:55:53.007: TCP src=11001, dst=23, seq=2398697781, ack=0, win=4128 SYN

*Mar 1 00:55:53.179: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 3.3.3.3(23) (Serial2/1 ) -> 13.1.1.1(11001), 1 packet

*Mar 1 00:55:53.183: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.183: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 44, rcvd 3

*Mar 1 00:55:53.187: TCP src=23, dst=11001, seq=949632690, ack=2398697782, win=4128 ACK SYN

*Mar 1 00:55:53.187: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.191: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 40, sending

*Mar 1 00:55:53.191: TCP src=11001, dst=23, seq=2398697782, ack=949632691, win=4128 ACK

*Mar 1 00:55:53.199: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.203: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 49, sending

*Mar 1 00:55:53.203: TCP src=11001, dst=23, seq=2398697782, ack=949632691, win=4128 ACK PSH

*Mar 1 00:55:53.207: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.211: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 40, sending

*Mar 1 00:55:53.215: TCP src=11001, dst=23, seq=2398697791, ack=949632691, win=4128 ACK

*Mar 1 00:55:53.455: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.455: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 52, rcvd 3

*Mar 1 00:55:53.459: TCP src=23, dst=11001, seq=949632691, ack=2398697791, win=4119 ACK PSH

*Mar 1 00:55:53.459: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.463: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 45, rcvd 3

*Mar 1 00:55:53.467: TCP src=23, dst=11001, seq=949632703, ack=2398697791, win=4119 ACK PSH

*Mar 1 00:55:53.467: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.471: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 43, rcvd 3

*Mar 1 00:55:53.471: TCP src=23, dst=11001, seq=949632708, ack=2398697791, win=4119 ACK PSH

*Mar 1 00:55:53.475: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.479: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 46, rcvd 3

*Mar 1 00:55:53.479: TCP src=23, dst=11001, seq=949632711, ack=2398697791, win=4119 ACK PSH

*Mar 1 00:55:53.483: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.487: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 43, sending

*Mar 1 00:55:53.487: TCP src=11001, dst=23, seq=2398697791, ack=949632717, win=4102 ACK PSH

*Mar 1 00:55:53.491: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.495: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 43, sending

*Mar 1 00:55:53.495: TCP src=11001, dst=23, seq=2398697794, ack=949632717, win=4102 ACK PSH

*Mar 1 00:55:53.499: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.503: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 49, sending

*Mar 1 00:55:53.503: TCP src=11001, dst=23, seq=2398697797, ack=949632717, win=4102 ACK PSH

*Mar 1 00:55:53.659: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.663: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 43, rcvd 3

*Mar 1 00:55:53.663: TCP src=23, dst=11001, seq=949632717, ack=2398697797, win=4113 ACK PSH

*Mar 1 00:55:53.867: IP: tableid=0, s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), routed via RIB

*Mar 1 00:55:53.867: IP: s=13.1.1.1 (local), d=3.3.3.3 (Serial2/1), len 40, sending

*Mar 1 00:55:53.871: TCP src=11001, dst=23, seq=2398697806, ack=949632720, win=4099 ACK

*Mar 1 00:55:53.963: IP: tableid=0, s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), routed via RIB

*Mar 1 00:55:53.967: IP: s=3.3.3.3 (Serial2/1), d=13.1.1.1 (Serial2/1), len 40, rcvd 3

*Mar 1 00:55:53.967: TCP src=23, dst=11001, seq=949632720, ack=2398697806, win=4104 ACK

注重R3返回R2的数据报文得以通过,接下来我们测试从R3发起访问R2的情况

r3#telnet 2.2.2.2

Trying 2.2.2.2 ...

% Destination unreachable; gateway or host down

r1#

*Mar 1 01:02:22.779: %SEC-6-IPACCESSLOGP: list 101 denied tcp 13.1.1.3(11002) (Serial2/1 ) -> 2.2.2.2(23), 1 packet

*Mar 1 01:02:22.783: IP: s=13.1.1.3 (Serial2/1), d=2.2.2.2, len 44, access denied

*Mar 1 01:02:22.783: IP: tableid=0, s=13.1.1.1 (local), d=13.1.1.3 (Serial2/1), routed via RIB

*Mar 1 01:02:22.787: IP: s=13.1.1.1 (local), d=13.1.1.3 (Serial2/1), len 56, sending

*Mar 1 01:02:24.139: IP: s=12.1.1.2 (Serial2/0), d=224.0.0.5, len 80, rcvd 0

*Mar 1 01:02:24.315: IP: s=13.1.1.1 (local), d=224.0.0.5 (Serial2/1), len 80, sending broad/multicast

*Mar 1 01:02:25.139: IP: s=12.1.1.1 (local), d=224.0.0.5 (Serial2/0), len 80, sending broad/multicast

注重,TCP协议的第一次发送是SYN字段,这是用来同步预备建立一个新连接的两端主机,而ACK位由接收者置位从而向发送者表明数据已经成功接收.RST(reset)位说明什么时候重新启动连接.带Eetablished的扩展访问列表只答应ACK或RST位置1的TCP报文通过.

• ·ipv6 nat-pt using v4map
• ·ipv6 over 6pe
• ·IPv6 over an IPv4 Tunne
• ·ipv6 over dynamic l2tpv
• ·ipv6 6to4
• ·以太网10GbE和它的X模块
• ·“寂寞”思科
• ·思科产品速查手册（2006年10月版)
• ·思科IP视频会议系统技术及应用分析
• ·Cisco IOS：了解以太网MAC地址