LAB: FILTERING TRAFFIC WITH REFLEXIVE ACLs

Posted: 9/12/2014 By: Trương Quang Lân Views: 235

Purpose

Configure the router to use an ACL that automatically creates ACL entries for return traffic.

Topology

(topology diagram; addressing is given in the configurations below)

Instructions

– The task is to allow inside hosts to reach outside resources over TELNET and HTTP. PING is allowed as well.
– Configure router R4 with 'Standard NAT with Overloading (PAT)'.
– Create access-list OUTBOUND permitting TCP connections to ports 80 and 23. The 'reflected' connections (return direction) go into access-list MIRROR.
– Also permit ICMP echo, reflected into access-list MIRROR.
– Create access-list INBOUND: evaluate access-list MIRROR, additionally permit OSPF traffic, and deny and log all other traffic.
– Apply access-list OUTBOUND (direction out) and INBOUND (direction in) on interface Fa0/0 of R4.
– Note that traffic originated by the router itself is, by default, not checked by the reflexive access-list.

Reference configuration

Step 1: Basic configuration: IP addressing, OSPF routing, NAT/PAT

Router R4

```
interface Loopback0
 ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
 ip address 155.1.45.4 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.4 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
router ospf
 log-adjacency-changes
 network 150.1.4.0 0.0.0.255 area
 network 155.1.45.0 0.0.0.255 area
!
ip classless
ip http server
ip nat inside source list interface Loopback0 overload
!
access-list permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line
 logging synchronous
line aux
line vty
 login
```

Router R5

```
interface FastEthernet0/0
 ip address 155.1.45.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 150.1.5.5 255.255.255.0
 duplex auto
 speed auto
 no keepalive
!
router ospf
 log-adjacency-changes
 network 150.1.5.0 0.0.0.255 area
 network 155.1.45.0 0.0.0.255 area
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line
line aux
line vty
 privilege level 15
 no login
```

Router R1

```
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line
line aux
line vty
 privilege level 15
 no login
```

Step 2: Configure access-lists INBOUND and OUTBOUND on router R4

```
ip access-list extended INBOUND
 evaluate MIRROR
 permit ospf any any
 deny ip any any log
!
ip access-list extended OUTBOUND
 permit tcp any any eq telnet reflect MIRROR
 permit tcp any any eq www reflect MIRROR
 permit icmp any any echo reflect MIRROR
```

Apply access-list OUTBOUND (direction out) and INBOUND (direction in) on interface Fa0/0 of R4:

```
interface FastEthernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

Step 3: Verification

A Telnet session from the inside host R1 to R5 succeeds, and R4 shows the reflexive entry that was created for the return direction (note the destination 150.1.4.4: the session was translated by PAT to the Loopback0 address):

```
R1#telnet 150.1.5.5
Trying 150.1.5.5 … Open
R5>

R4#show ip access MIRROR
Reflexive IP access list MIRROR
     permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 43992 (33 matches) (time left 295)
```

A ping from R1 adds a second, ICMP entry:

```
R1#ping 150.1.5.5 size 1500 repeat 10
Type escape sequence to abort
Sending 10, 1500-byte ICMP Echos to 150.1.5.5, timeout is seconds:
!!!

R4#show ip acce MIRROR
Reflexive IP access list MIRROR
     permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299)
     permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 43992 (33 matches) (time left 252)
```

Traffic originated by R4 itself (sourced from 155.1.45.4) is not checked by OUTBOUND and therefore not reflected, so the replies are dropped and logged by INBOUND:

```
R4#telnet 150.1.5.5
Trying 150.1.5.5 …
%SEC-6-IPACCESSLOGP: list INBOUND denied tcp 150.1.5.5(23) -> 155.1.45.4(21042), packet
% Connection timed out; remote host not responding

R4#ping 150.1.5.5
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is seconds:
…
Success rate is percent (0/5)
%SEC-6-IPACCESSLOGP: list INBOUND denied icmp host 150.1.5.5 -> host 155.1.45.4(21042), packet
```

Note: Initially, before the reflexive entry "permit icmp host 150.1.5.5 host 150.1.4.4 (29 matches) (time left 299)" existed, an extended ping from R4 (source 150.1.4.4) to 150.1.5.5 did not succeed either. Once that reflexive entry exists (created by R1's ping, which PAT translated to 150.1.4.4), the extended ping succeeds: R4's own echoes are still not reflected, but their replies now match the entry that the inside host's traffic created.

```
R4#ping
Protocol [ip]:
Target IP address: 150.1.5.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 150.1.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is seconds:
Packet sent with a source address of 150.1.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R4#sh ip access-lists MIRROR
Reflexive IP access list MIRROR
     permit icmp host 150.1.5.5 host 150.1.4.4 (49 matches) (time left 280)
```
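To make the mechanism concrete, here is an added Python model of R4's OUTBOUND and INBOUND lists and the dynamic MIRROR list, replayed over the verification steps above. It is example code written for this page, not the lab's own material or Cisco IOS behaviour in detail; it assumes the 300-second default reflexive timeout, that PAT keeps the source port unchanged, and that all packets are constructed tuples.

```python
from dataclasses import dataclass, replace

INSIDE_PREFIX = "10.0.0."   # R4 Fa0/1, "ip nat inside"
PAT_ADDR = "150.1.4.4"      # Loopback0, the PAT address
REFLEXIVE_TIMEOUT = 300     # assumed IOS default reflexive timeout (seconds)


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""              # "echo" or "echo-reply" for icmp
    router_originated: bool = False  # sourced by R4 itself


@dataclass
class MirrorEntry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expires_at: int
    matches: int = 0

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class ReflexiveList:
    """The dynamic MIRROR list: filled by `reflect`, consulted by `evaluate`."""

    def __init__(self, timeout=REFLEXIVE_TIMEOUT):
        self.timeout = timeout
        self.entries = []

    def reflect(self, pkt, now):
        # Mirror the permitted outbound flow: the entry matches dst -> src.
        want = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for e in self.entries:
            if e.key() == want:
                e.expires_at = now + self.timeout
                return e
        e = MirrorEntry(*want, expires_at=now + self.timeout)
        self.entries.append(e)
        return e

    def evaluate(self, pkt, now):
        self.entries = [e for e in self.entries if e.expires_at > now]  # age out
        want = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for e in self.entries:
            if e.key() == want:
                e.matches += 1
                e.expires_at = now + self.timeout  # timer refreshed on a match
                return True
        return False


class R4:
    def __init__(self):
        self.mirror = ReflexiveList()
        self.log = []

    def send_out_fa00(self, pkt, now):
        """Packet leaving Fa0/0: PAT first, then 'ip access-group OUTBOUND out'."""
        if pkt.src.startswith(INSIDE_PREFIX):
            pkt = replace(pkt, src=PAT_ADDR)  # PAT to Loopback0 (port kept: simplification)
        if pkt.router_originated:
            return pkt  # the router's own traffic skips the outbound ACL, so nothing is reflected
        permitted = (pkt.proto == "tcp" and pkt.dport in (23, 80)) or \
                    (pkt.proto == "icmp" and pkt.icmp_type == "echo")
        if not permitted:
            return None  # implicit deny
        self.mirror.reflect(pkt, now)
        return pkt

    def receive_on_fa00(self, pkt, now):
        """Packet entering Fa0/0: 'evaluate MIRROR', 'permit ospf', 'deny ip any any log'."""
        if self.mirror.evaluate(pkt, now) or pkt.proto == "ospf":
            return True
        self.log.append(f"%SEC-6-IPACCESSLOGP: list INBOUND denied {pkt.proto} "
                        f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
        return False


def run_lab():
    """Replay the lab's verification steps with constructed packets; return the outcomes."""
    r4, r5, res = R4(), "150.1.5.5", {}
    # R1 telnets to R5; the flow is translated to 150.1.4.4 and its reply is accepted.
    out = r4.send_out_fa00(Packet("tcp", "10.0.0.1", r5, 43992, 23), now=0)
    res["r1_telnet_nat_src"] = out.src
    res["r1_telnet_reply"] = r4.receive_on_fa00(Packet("tcp", r5, PAT_ADDR, 23, 43992), now=1)
    # R1 pings R5: echo reflected, echo-reply accepted.
    r4.send_out_fa00(Packet("icmp", "10.0.0.1", r5, icmp_type="echo"), now=2)
    res["r1_ping_reply"] = r4.receive_on_fa00(Packet("icmp", r5, PAT_ADDR, icmp_type="echo-reply"), now=3)
    # R4 itself telnets from Fa0/0: not reflected, so the reply is dropped and logged.
    r4.send_out_fa00(Packet("tcp", "155.1.45.4", r5, 21042, 23, router_originated=True), now=4)
    res["r4_telnet_reply"] = r4.receive_on_fa00(Packet("tcp", r5, "155.1.45.4", 23, 21042), now=4)
    # R4 extended ping sourced from Loopback0 rides on the entry R1's ping created.
    r4.send_out_fa00(Packet("icmp", PAT_ADDR, r5, icmp_type="echo", router_originated=True), now=5)
    res["r4_lo0_ping_reply"] = r4.receive_on_fa00(Packet("icmp", r5, PAT_ADDR, icmp_type="echo-reply"), now=5)
    # OSPF from R5 is permitted statically, independent of MIRROR.
    res["ospf_hello"] = r4.receive_on_fa00(Packet("ospf", "155.1.45.5", "224.0.0.5"), now=6)
    # After the reflexive timeout the telnet entry has aged out.
    res["telnet_reply_after_timeout"] = r4.receive_on_fa00(Packet("tcp", r5, PAT_ADDR, 23, 43992), now=1000)
    res["mirror_entries"] = [e.key() for e in r4.mirror.entries]
    res["denied_log"] = list(r4.log)
    return res


if __name__ == "__main__":
    for k, v in run_lab().items():
        print(f"{k}: {v}")
```

The replay reproduces the three observations from the verification: return traffic for inside flows is accepted only while a mirrored entry exists, router-originated sessions from the Fa0/0 address are logged and dropped because nothing reflected them, and the Loopback0-sourced ping only works because PAT made R1's ping create an entry for 150.1.4.4.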