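--- a/использование_списков_доступа
+++ b/использование_списков_доступа
@@ -1,20 +1,23 @@
 ====== Использование списков доступа ======
-===== Доступ к vty =====
+===== для ограничения доступа к vty =====
 <code>
 no access-list 1
 ! access-list 1 permit host 192.168.X.101
 access-list 1 permit host 192.168.X.10
-access-list 1 permit host 192.168.X.4
 access-list 1 deny any
 line vty 0 15
 ! no login ! for no password access
+! privilege level 15
 access-class 1 in
 end
 </code>
-===== Фильтрация пакетов =====
+===== для организации пакетного фильтра =====
 <code>
+no ip access-list extended ACL_FIREWALL
 ip access-list extended ACL_FIREWALL
-permit tcp any host 192.168.X.3 eq www
-permit icmp any any
+permit tcp any host 192.168.X.10 eq 80
+permit tcp any host 192.168.X.10 eq 22
+permit icmp any 192.168.X.0 0.0.0.255
+permit ip any host 172.16.1.X
 permit udp any any
 permit tcp any any established
@@ -26,10 +29,18 @@
 interface FastEthernet1/1
 ip access-group ACL_FIREWALL in
+
+end
 </code>
-===== NAT =====
+===== для организации сервиса NAT =====
 <code>
 ip access-list standard ACL_NAT
+permit 192.168.X.0 0.0.0.255
 permit 192.168.100+X.0 0.0.0.255
 deny any
-ip nat inside source list ACL_NAT interface FastEthernet1/1 overload
+ip nat inside source list ACL_NAT interface FastEthernet1/1 overload
+
+ip nat inside source static udp 192.168.X.10 53 172.16.1.X 53 extendable
+ip nat inside source static tcp 192.168.X.10 53 172.16.1.X 53 extendable
+ip nat inside source static tcp 192.168.X.10 22 172.16.1.X 22 extendable
+ip nat inside source static tcp 192.168.X.10 80 172.16.1.X 80 extendable
 interface FastEthernet1/0
@@ -45,4 +56,22 @@
 <code>
 router# show ip nat tr
+
 router# clear ip nat tr *
 </code>
+
+===== для управления политиками маршрутизации =====
+<code>
+ip access-list extended ACL_REDIRECT_HTTP
+deny ip host 192.168.X.10 any
+permit tcp 192.168.X.0 0.0.0.255 any eq www
+
+route-map RM_REDIRECT_HTTP permit 10
+match ip address ACL_REDIRECT_HTTP
+set ip next-hop 192.168.X.10
+
+interface FastEthernet1/0
+ip policy route-map RM_REDIRECT_HTTP
+</code>
+
+FastEthernet1/0 - интерфейс подключенный к LAN
+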
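Review bot: The new `permit ip any host 172.16.1.X` entry in ACL_FIREWALL (first hunk) admits every protocol and port to the router's outside address, far more than the four static NAT mappings added in the second hunk require. As I understand the IOS order of operations, the inbound ACL on FastEthernet1/1 is evaluated before the outside-to-inside translation, so traffic for the published services is matched on 172.16.1.X rather than on 192.168.X.10 — this broad line is what actually opens the services, while the `eq 80`/`eq 22` entries for 192.168.X.10 only cover untranslated traffic, if any. Narrowing the 172.16.1.X entry to the mapped ports keeps the filter consistent with the NAT section. The unchanged `permit udp any any` below it would still pass all inbound UDP, but that line is outside this change.
```cisco
ip access-list extended ACL_FIREWALL
! … unchanged: 192.168.X.10 and icmp entries …
permit tcp any host 172.16.1.X eq 80
permit tcp any host 172.16.1.X eq 22
permit tcp any host 172.16.1.X eq 53
permit udp any host 172.16.1.X eq 53
! … unchanged: udp / established entries …
```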