PacketTracer实验扩展IP访问控制列表配置

PacketTracer5.2实验（十三）扩展IP访问控制列表配置一、 实验目标理解扩展IP访问控制列表的原理及功能；掌握编号的扩展IP访问控制列表的配置方法：二、 实验背景分公司和总公司分别属于不同的网段，部门之间用路由器进行信息传递，为了安全起见，分公司领导要求部门主机只能访问总公司服务器的WWW服务，不能对其使用ICMP服务。三、 技术原理访问列表中左义的典型规则主要有以下：源地址、目标地址、上层协议、时间区域：扩展IP访问列表（编号为100-199,2000-2699）使用以上四种组合来进行转发或阻断分组；可以根据数据包的源IP、目的IP、源端口、目的端口、协议来左义规贝9,进行数据包的过滤：扩展IP访问列表的配宜包括以下两步：定义扩展IP访问列表将扩展IP访问列表应用于特左接口上四、 实验步骤实验步骤分公司内厢由器分公司出口路由署总公司内部路由器分公可主扒 总公司肥势击分公司内厢由器分公司出口路由署总公司内部路由器分公可主扒 总公司肥势击1、 分公司出口路由器与外部路由器之间通过V.35电缆串口连接，DCE端连接在R2上,配置英时钟频率64000；主机与路由器通过交叉线连接；2、 配巻PC机、服务器及路由器接口IP地址：3、 在各路由器上配置静态路由协议，让PC间能互相ping通，因为只有在互通的前提下才能涉及到访问控制列表；4、 在R2上配宜编号的IP扩展访问控制列表；5、 将扩展IP访问列表应用到接口上：6、 验证主机之间的互通性；R1:Router>enRouCer#conftEnterconfigurationcommandszoneperline・EndwithCNTL/2・Router(config)#hostnameR1R1(config) faO/ORl(config-if)#ipadd //配迓端口TP地址R1(config-if)#noshut%LINK-5-CHANGED:TnterfaceFastEthernetO/O,changedstatetoup%LINE?ROTO-5-UPDOWN:LineprotocolonInterfaceFastEthernerO/O,changedstatetoupR1(config-if)#exitR1(config)#intfaO/1Rl(config-if)#±padd //配迓端口TP地址R1(config-if)#noshutR1(config-if)#%LINK-5-CHANGED:TnterfaceFastEthernetO/l^changedstatetoup%LINE?ROTO-5-UPDOWN:LineprotocolonInterfaceFastEthernerO/1rchangedstatetoupR1(config-if)#exitR1(config)#iproute //配®defaultrouteR1(config)#endRl#%SYS-5-CONFIG_I:ConfiguredfromconsolebyconsoleRl#showiproute //查看路由表Codes:C-connected^S-static,I-IGRP,R-RIPZM-mobilezB-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltypelzN2-OSPFNSSAexternaltype2El-OSPFexternaltypelrE2-OSPFexternaltype2,E-EGPi-IS-IS,LI-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefault,U-per-userstaticroute,o-ODRP-periodicdownloadedstaticrouteGatewayoflastresortis192・168・2・2tonetwork0・0・0・0

FastEthernetO/OFastEchernetO/1C192・168・J.・0/24isdirectlyconnected,C192・168・2・FastEthernetO/OFastEchernetO/1Rl#Rl#showrunBuildingconfiguration・・・Currentconfiguration:510bytesiversion12・4noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryptionihostnameR1interfaceFastEthernet0/0ipaddressduplexautospeedautoiinterfaceFastEthernetO/1ipaddressduplexautospeedautoiinterfaceVlanlnoipaddressshutdowniipclasslessiproutelinecon0linevty04loginend

Rl#R2:Router>enRouter#coaftEnterconfigurationcommandszoneperline・EndwithCNTL/Z・Router(config)#hostnameR2R2(config)#intfaO/OR2(config-if)#ipadd //配迓端口TP地址R2(config-if)#noshut%LINK-5-CHANGED:InterfaceFastEthernetO/O^changedstaretoup%LINEPROTO-5-UPDOWN:LineprotocolonInterfaceFastEthernerO/OzchangedstatetoupR2(config-if)#exitR2(config)s2/0R2(config-if)#ipadd //配St端口TP地址R2(config-if)#noshut%LINK-5-CHANGED:InterfaceSerial2/0/%LINK-5-CHANGED:InterfaceSerial2/0/R2(config-if)#clockrate64000R2(config-if)#%LINK-5-CHANGED:TnterfaceSerial2/0z%LINE?ROTO-5-UPDOWN:LineprotocolonR2(config-if)#exitchangedstatetodown//配宜时钟频率changedstatetoupInterfaceSerial2/0rchangedstacetoupR2(config)route192・168・l・0255R2(config)route192・168・l・0255・255・255・0192・：68・2・丄l・0的静态路由R2(config)route4・0的静态路由R2(config)#endR2#%SYS-5-CONFIG_I:ConfiguredfromconsolebyconsoleR2#showiproute//配貝目标网段//配宜目标网段Codes:C-connected^S-static,I-IGRP,R-RTP,M-mobile,B-BGPD-ETGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2El-OSPFexternaltypelrE2-OSPFexternaltype2fE-EGPi-IS-IS,LI-IS-ISlevel-1,L2-IS-ISlevel-2zia-IS-ISinterareaw-candidatedefault,U-per-userstaticroute^o-ODRP■periodicdownloadedstaticrouteGatewayoflastresortisnotset/24[1/0]viaR2#/24/24/24isdirectlyconnected,Serial2/0[1/0]viaR2#conftEnterconfigurationcommandsGatewayoflastresortisnotset/24[1/0]viaR2#/24/24/24isdirectlyconnected,Serial2/0[1/0]viaR2#conftEnterconfigurationcommandszoneperline・EndwithCNTL/Z・R2(config)#acR2(config)#access-list?<l-99>I?standardaccesslist<100-199>IPextendedaccesslistR2(config)#access-list100?deny SpecifypacketstorejectpermitSpecifypacketstoforwardremarkAccesslistentrycommentR2(config)#access-list100perR2(config)#access-list100permit?eigrpCisco*sElGRProutingprotocolgre Cisco1sGREtunnelingicmpInternetControlMessageProtocolip AnyInternetProtocolospf OSPFroutingprotocoltcp TransmissionControlProtocoludp UserDatagramProtocol//web//源//web//源服务使用的是匕cp协议A.B.C.DSourceaddressany Anysourcehosthost AsinglesourcehostR2(config)#access-list100permittcphost?A・B・C・DSourceaddressR2(config)#access-list100permittcphost192・丄68・1・2?主机地址A.B.C.DanyDestinationaddressAnydestinationhostMatchonlypacketsonagivenportnumberMatchonlypacketswithagreaterportnumberhostAsingledestinationhostItMatchonlypacketswithalowerportnumberneqMatchonlypacketsnotonagivenportnumberrangeMatchonlypacketsintherangeofportnumbersR2(config)#access-list100permittcphost192・丄68・1・2host?A・B・C・DDestinationaddressR2(config)#access-list100permittcphost192・丄68・丄・2host192・168・4・2? //目标主机地址dscpMatchpacketswithgivendscpvalueestablishedMatchonlypacketsonagivenportnumberestablishedgtItMatchonlypacketswithagreaterportnumberMatchonlypacketswithalowerportnumberneqMatchonlypacketsnotonagivenportnumberprecedenceMatchpacketswithgivenprecedencevaluerangeMatchonlypacketsintherangeofportnumbers<cr>R2(config)#access-list100permittcphost192・丄68・1・2host192.168・4・2eq?ftppop3FileTransferProtocol(21)PostOfficeProtocolv3(110)smtptelnetSimpleMailTransportProtocol(25)Telnet(23)<0-65535>PortnumberWWWWorldWideWeb(HTTP,80)R2(config)#access-list100permittcphost192・168・1・2host192・1.68・4・2eqwww?//www服务dscp MatchpacketswithgivendscpvalueestablishedestablishedprecedenceMatchpacketswithgivenprecedencevalue<cr>R2(config)#access-list100permittcphost192・丄68.1.2host192・168・4・2eqwwwR2(config)#R2(config)#access~list100deny?eigrpCisco'sElGRProutingprotocolgre Cisco'sGREtunnelingicmpInternetControlMessageProtocolip AnyInternetProtocolospf OSPFroutingprotocoltcp TransmissionControlProtocoludp UserDatagramProtocolR2(config)#access-list100denyicmp? //禁止icmp协议，也就是pgg使用的协议A・B・C・DSourceaddressany Anysourcehosthost AsinglesourcehostR2(config)#access-list100denyicmphost?A.B.C.DSourceaddressR2(config)#access-list100denyicmphost192.168•丄・2?access-group Specifyaccesscontrolforpacketsaccess-group SpecifyaccesscontrolforpacketsA・B・C・DDestinationaddressany Anydestinationhosthost AsingledestinationhostR2(config)#access-list100denyicmphosthost192・1.68・4・2R2(config)#access-list<0-256>echoecho-replyhost-unreachablenet-unreachableport-unreachableprotocol-unreachablettl-exceededunreachable<0-256>echoecho-replyhost-unreachablenet-unreachableport-unreachableprotocol-unreachablettl-exceededunreachabletype-numechoecho-replyhost-unreachabl殳net-unreachableport-unreachableprotocol-unreachablett1-exceeaedunreachable<cr>R2(config)#access-list100denyicmphost192・168・J.・2host292•丄68・4・2<cr><cr>R2(config)#access-list100denyicmphost192・168・J.・2host292•丄68・4・2<cr>R2(config)#access-list100denyicmphost192.168•丄・2host192・168・4・2R2(config)#R2(config)#ints2/0R2(config-if)#?bandwidth Setbandwidthinformationalparametercdp CD?interfacesubcommandsecho?echoclockConfigureserialinterfaceclockcryptoEncryption/Decryptioncommandscustom-queue-listAssignacustomqueuelisttoaninterfacedelaydescriptionencapsulationexitfair-queueframe-relayhold-queueiPkeepalivemtunoPPPpriority-groupservice-policyshutdovznSpecifyinterfacethroughputdelayInterfacespecificdescriptionSetencapsulationtypeforaninterfaceExitfrominterfaceconfigurationmodeEnableFairQueuingonanInterfaceSetframerelaypareunerersSerholdqueuedepthInterfaceInternetProtocolconfigcommandsEnablekeepaliveSertheinterfaceMaximumTransmissionUnit(MTU)NegateacommandorseritsdefaultsPoint-to-PointProtocolAssignaprioritygrouptoaninterfaceConfigureQoSServicePolicyShutdowntheselectedinterfacetx-rmg-limitzone-memberConfigurePAleveltransmitringlimitApplyzonenameR2(config-if)#ip?addressSettheIPaddressofaninterfacehello-intervalConfiguresIP-EIGRPhellointervalhelper-addressSpecifyadestinationaddressforUDPbroadcastsinspectApplyinspectnameipsCreateIPSrulemtuSetIPMaximumTransmissionUnitnatNATinterfacecommandsospfsplit-horizonsummary-addressOSPFinterfacecommandsPerformsplithorizonPerformaddresssummarizationvirtual-reassemblyR2(config-if)#ipacVirtualReassemblyR2(config-if)#ipaccess-group?<1-199>IPaccesslist(standardorextended)WORD Access-listnameR2(config-if)#ipaccess-group100?ininboundpacketsoutoutboundpacketsR2(config-if)#±paccess-group100out?//将控制列表应用于//将控制列表应用于s2/0R2(config-if)#±paccess-group100out端口R2(config-if)#R2(config-if)#R2(config-if)#endR2#%SYS-5-CONFIG_I:ConfiguredfromconsolebyconsoleR2#showrunR2#showrunning-configBuildingconfiguration・・・Currentconfiguration:901bytesiversion12・2noservicetimestampslogdatetimemsecnoservicetimesrampsdebugdatetimemsecnoservicepassword-encryprionihostnameR2interfaceFastEthernet0/0ipaddressduplexautospeedautoiinterfaceFastEthernetl/OnoipaddressduplexautospeedautoshutdowniinterfaceSerial2/0ipaddressipaccess-group100outclockrate64000iinterfaceSerial3/0noipaddressshutdowniinterfaceFastEthernet4/0noipaddressshutdowniinterfaceFastEthernet5/0noipaddressshutdowniipclasslessiprouteiprouteiiaccess-list100permittcphost192・168・JL・2host192・168・4・2eqwwwaccess-list100denyicmphost192・168・1.・2host192・168・4・2echolinecon0linevty04loginendR2#R3:Router>enRouter#conftEnterconfigurationcommandszoneperline・EndwithCNTL/Z・Router(config)^hostnameR3R3(config) faO/OR3(config-if)#ipaddR3(config-if)#noshut%LINK-5-CHANGED:InterfaceFastEthernetO/O^changedstatetoup%LINE?ROTO-5-UPDOWN:LineprotocolonInterfaceFastEthernetO/OzchangedstatetoupR3(config-if)#exitR3(config)#ints2/0R3(config-if)#ipaddR3(config-if)#noshut%LINK-5-CHANGED:InterfaceSerial2/0zchangedstatetoupR3(config-if)#R3(config-if)#%LINE?ROTO-5-UPDOWN:LineprotocolonInterfaceSerial2/0rchangedstatetoupR3(config-if)#exitR3(config)#iprouteR3(config)#endR3#%SYS-5-CONFIG_I:ConfiguredfromconsolebyconsoleR3#showiprouteCodes:C-connected^S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-ETGRP,EX-ElGRPexternal,0-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2El-OSPFexternaltypelrE2-OSPFexternaltype2,E-EGPi-IS-IS,LI-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefault,U-per-userstaticroute^o-ODRP-periodicdownloadedstaticrouteGatewayoflastresortis192・1.68・3・1.tonetwork0・0・0・0C 192.3.68・3・0/24isdirectlyconnecceazSerial2/0C 192・168・4・0/24isdirectlyconnected,FastEthernetO/OS*/0[1/0]viaR3#R3#R3#showrunBuildingconfiguration・・・Currentconfiguration:667bytesiversion丄2・2noservicetimestampslogdat