

Использование списков доступа

Доступ к vty

! Restrict remote management (vty) to a single trusted host.
! Standard ACL 1: only 192.168.X.10 may open a vty session; every other
! source is rejected. The explicit "deny any" mirrors the implicit deny at
! the end of every IOS ACL; "access-list 1 deny any log" would additionally
! record rejected attempts, which is what makes probing visible.
no access-list 1
! access-list 1 permit host 192.168.X.101
access-list 1 permit host 192.168.X.10
access-list 1 deny any

line vty 0 15
! no login ! for no password access
! NOTE(review): "no login" removes authentication on the vty lines entirely,
! leaving access-class 1 as the only control on remote access; keep it
! commented out anywhere other than a lab.
 access-class 1 in
! access-class filters inbound connections on all 16 vty lines by source
! address only; the permitted protocol (telnet vs. ssh) is not restricted
! here — that is set separately with "transport input".
end

Фильтрация пакетов

! Inbound packet filter for the outside interface (FastEthernet1/1).
! Order matters: the first matching entry wins, so the specific permits
! come before the catch-all deny at the end.
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
! Published services on the inside host: HTTP and SSH only.
 permit tcp any host 192.168.X.10 eq 80
 permit tcp any host 192.168.X.10 eq 22
! Every ICMP type into the LAN is allowed (no type/code restriction).
 permit icmp any 192.168.X.0 0.0.0.255
! NOTE(review): once the static NAT entries from the NAT section are in
! place, an inbound ACL on the outside interface is evaluated before the
! outside-to-inside translation, so it sees the global address 172.16.1.X
! rather than 192.168.X.10 — the commented variants below are the ones that
! would match translated traffic. Confirm against the deployed NAT setup.
! permit tcp any host 172.16.1.X eq 80
! permit tcp any host 172.16.1.X eq 22
! permit icmp any host 172.16.1.X
! NOTE(review): this admits every UDP datagram from any source to any
! destination, including the router itself; consider narrowing it to the
! services actually required (e.g. DNS replies to the LAN).
 permit udp any any
! "established" only matches TCP segments with ACK or RST set; it is a
! stateless approximation of "return traffic", not connection tracking.
 permit tcp any any established
! Explicit final deny with logging — the log entries are what reveal blocked
! probes, so keep them and watch them.
 deny   ip any any log

interface FastEthernet1/1
! Applied inbound, i.e. to traffic arriving from the outside.
 ip access-group ACL_FIREWALL in

end

NAT

! NAT: which inside hosts get translated, and which inside services are
! reachable from the outside.
! Standard ACL selecting the source addresses eligible for overload (PAT).
! The explicit "deny any" mirrors the implicit deny; unlisted sources are
! simply not translated.
ip access-list standard ACL_NAT
 permit 192.168.X.0 0.0.0.255
 permit 192.168.100+X.0 0.0.0.255
 deny any

! Dynamic PAT: every permitted inside source is translated to the address
! of FastEthernet1/1.
ip nat inside source list ACL_NAT interface FastEthernet1/1 overload

! Static port forwards: TCP 22 and 80 of the outside address 172.16.1.X are
! mapped to the inside host 192.168.X.10, exposing its SSH and HTTP to the
! outside. NOTE(review): the inbound filter on FastEthernet1/1 sees the
! pre-translation destination 172.16.1.X for this traffic — make sure
! ACL_FIREWALL is written for that address, not for 192.168.X.10.
ip nat inside source static tcp 192.168.X.10 22 172.16.1.X 22 extendable
ip nat inside source static tcp 192.168.X.10 80 172.16.1.X 80 extendable

interface FastEthernet1/0
 ip nat inside

interface FastEthernet1/1
 ip nat outside
! Exec commands (not configuration): inspect and flush the translation
! table. Clearing with "*" drops all dynamic translations and, with them,
! the sessions that were using them.
router# show ip nat tr
router# clear ip nat tr *

Policy Routing

! Policy-based routing: divert LAN web traffic to 192.168.X.10 (presumably a
! proxy — verify against the lab description) instead of the normal route.
ip access-list extended ACL_REDIRECT_HTTP
! The next-hop host itself is exempted first; otherwise its own outbound
! web traffic would match and be sent straight back to it.
 deny ip host 192.168.X.10 any
! Only TCP port 80 (www) from the LAN is matched; HTTPS (443) and every
! other port are not redirected and follow the routing table.
 permit tcp 192.168.X.0 0.0.0.255 any eq www

route-map RM_REDIRECT_HTTP permit 10
 match ip address ACL_REDIRECT_HTTP
! NOTE(review): a plain "set ip next-hop" does not check that the next-hop
! host is actually up, only that a route to it exists; matched traffic then
! fails open to normal routing only when the route is gone. Confirm the
! intended failure mode, or use "set ip next-hop verify-availability".
 set ip next-hop 192.168.X.10

interface FastEthernet1/0
! Applied on the LAN-facing interface: PBR acts only on packets entering
! this interface, not on traffic the router itself originates.
 ip policy route-map RM_REDIRECT_HTTP

FastEthernet1/0 — интерфейс, подключённый к LAN
