Note: This is the NA Lab, an ACL lab practised together with Cater. To keep the line count down, settings that are not needed have been removed.
Lab requirements:
1. PC3 (192.168.10.192) and PC0 (192.168.10.210) must not be able to reach the outside.
2. Except for the Server and the hosts with fixed IPs, all other PCs must obtain their IP via DHCP and be able to reach the WWW.
3. Only PC3 (192.168.10.192) may telnet to RO_A; no other host may.
4. To reach the WWW, hosts must enter tw.yahoo.com; connecting to the web page by IP address is not acceptable.
5. Because RO_ISP has no routing configured, RO_A and RO_B must be configured with PAT.
6. Build a GRE tunnel; choose the IP subnet yourself.
RO_A show run output:
Ro_A#sh run
Building configuration...
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Ro_A
!
Interface section
interface Tunnel10
ip address 100.100.100.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 10.0.1.2
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.20.0
ip access-group 101 in
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.0.2 255.255.255.0
ip nat outside
!
PAT section
ip nat inside source list 1 interface Serial0/0/0 overload
ip classless
!
Routing section
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 192.168.20.0 255.255.255.0 100.100.100.2
!
ACL section (the focus of this lab)
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp host 192.168.10.192 host 192.168.10.254 eq telnet
access-list 101 deny ip 192.168.10.192 0.0.0.18 any
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
Line 1: allows .192 to telnet to RO_A
Line 2: denies .192 and .210 access to the outside
Line 3: prevents the other PCs from telnetting
Line 4: permits all remaining traffic; every ACL ends with an implicit deny any any
An ACL is evaluated in order, so the ordering of the entries matters!
!
End
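An added example, not part of the lab or of the post, that evaluates Ro_A's access-list 101 in software with IOS first-match semantics, so the ordering point above can be checked packet by packet. The external address 203.0.113.10 and the host 192.168.10.5 are constructed test values; hosts_covered() enumerates every address in 192.168.10.0/24 that the 0.0.0.18 wildcard on line 2 actually matches.

```python
import ipaddress

# Added example (not from the lab): a minimal first-match evaluator for the
# Ro_A extended ACL 101 shown in the post. Packets are described by
# (src_ip, dst_ip, protocol, dst_port).

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

# Entry: (action, proto, src base, src wildcard, dst base, dst wildcard, dst port or None).
# "host x" is x with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_101 = [
    ("permit", "tcp", "192.168.10.192", "0.0.0.0", "192.168.10.254", "0.0.0.0", 23),
    ("deny",   "ip",  "192.168.10.192", "0.0.0.18", "0.0.0.0", "255.255.255.255", None),
    ("deny",   "tcp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", 23),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, src, dst, proto, dport=None):
    """Return (action, matching line number); line -1 is the implicit deny any any."""
    for i, (action, p, sb, sw, db, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:          # "ip" matches every protocol
            continue
        if not wildcard_match(src, sb, sw) or not wildcard_match(dst, db, dw):
            continue
        if port is not None and port != dport:
            continue
        return action, i                      # first match wins, evaluation stops
    return "deny", -1

def hosts_covered(base, wildcard, network="192.168.10.0/24"):
    """List the addresses in a subnet that a base/wildcard pair matches.
    For 192.168.10.192 0.0.0.18 this is four hosts (.192, .194, .208, .210),
    because the wildcard frees bits 1 and 4 of the last octet."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if wildcard_match(str(h), base, wildcard)]

if __name__ == "__main__":
    # 203.0.113.10 and 192.168.10.5 are constructed values for the demonstration.
    print(evaluate(ACL_101, "192.168.10.192", "192.168.10.254", "tcp", 23))  # line 1 permits
    print(evaluate(ACL_101, "192.168.10.210", "203.0.113.10", "tcp", 80))    # line 2 denies
    print(evaluate(ACL_101, "192.168.10.5", "192.168.10.254", "tcp", 23))    # line 3 denies
    print(evaluate(ACL_101, "192.168.10.5", "203.0.113.10", "udp", 53))      # line 4 permits
    print(hosts_covered("192.168.10.192", "0.0.0.18"))
```

Swapping lines 1 and 2 in ACL_101 makes the first packet hit the deny, which is the ordering point the post makes.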
RO_B show run output:
Ro_B#sh run
Building configuration...
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Ro_B
!
Interface section
interface Tunnel10
ip address 100.100.100.2 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 10.0.0.2
!
interface FastEthernet0/0
ip address 192.168.20.254 255.255.255.0
ip helper-address 192.168.10.252
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.1.2 255.255.255.0
ip nat outside
!
PAT section
ip nat inside source list 2 interface Serial0/0/0 overload
ip classless
!
Routing section
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 192.168.10.0 255.255.255.0 100.100.100.1
!
ACL section
access-list 2 permit 192.168.20.0 0.0.0.255
!
End
RO_ISP show run output:
Ro_ISP#sh run
Building configuration...
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Ro_ISP
!
Interface section
interface FastEthernet0/0
ip address 192.168.30.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
clock rate 128000
!
interface Serial0/0/1
ip address 10.0.1.1 255.255.255.0
ip nat outside
clock rate 128000
!
End