Firewall ACLs

Extended ACLs are placed close to the source address.
Standard ACLs are placed close to the destination address.
 
Standard ACL configuration steps:
1. Create the ACL
Command: access-list access-list-number {permit|deny} source [mask]
2. Bind the ACL to the chosen interface
Command (in interface configuration mode): ip access-group access-list-number {in|out}
 
Extended ACL configuration steps:
1. Command:
Router(config)#access-list access-list-number {permit|deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
2. Then enable the extended ACL in interface configuration mode.
Command: ip access-group access-list-number {in|out}
 
 
View the ACL configuration on an interface:
 
sh ip int e0
 
View the ACL statements:
 
sh access-lists


Lab 1:
 
 
PC1--------------R1-------------------R2---------------PC2
202.2------202.1-203.1---------203.2--201.1---------201.2


On R1:
 
 
en
conf t
hostname R1
 
int s1/0
ip addr 61.1.1.1 255.255.255.0
no shut
int f0/0
ip addr 202.0.0.1 255.255.255.0
no shut
exi
 
router rip
version 2
net 61.1.1.0
net 202.0.0.0
end
 
 
On R2:
 
 
en
conf t
hostname R2
 
int s1/0
ip addr 61.1.1.2 255.255.255.0
no shut
int f0/0
ip addr 201.0.0.1 255.255.255.0
no shut
exi
 
router rip
version 2
net 61.1.1.0
net 201.0.0.0
end


Extended access control list on R1:

en
conf t
! Inbound on s1/0, so the source is PC2 (201.0.0.2) and the destination is PC1 (202.0.0.2);
! anything not matched below is dropped by the implicit deny at the end of the list.
access-list 101 permit tcp host 201.0.0.2 host 202.0.0.2 eq 53
access-list 101 permit udp host 201.0.0.2 host 202.0.0.2 eq 53
access-list 101 permit tcp host 201.0.0.2 host 202.0.0.2 eq 80

int s1/0
ip access-group 101 in
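As an added example (not part of these lab notes), the following Python reproduces how the router evaluates the numbered extended ACL above: it parses the `access-list 101 ...` entries, checks a packet against each entry top-down (host/any/wildcard addresses and `eq` ports), and falls through to the implicit deny. The packets in `check_r1_s1_0` are constructed; the RIP one assumes R2's RIPv2 updates arrive as UDP 520 from 61.1.1.2 to 224.0.0.9, which no entry permits.

```python
import ipaddress

def _match_addr(addr, spec):
    """spec is ('any',), ('host', ip) or ('net', ip, wildcard); wildcard 1-bits are 'don't care'."""
    if spec[0] == "any":
        return True
    wild = int(ipaddress.IPv4Address(spec[2])) if spec[0] == "net" else 0
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(spec[1])) & care

def _take_addr(tokens):
    """Consume 'any' | 'host X' | 'X WILDCARD' and an optional 'eq PORT'; return (spec, port, rest)."""
    n = 1 if tokens[0] == "any" else 2  # 'any' is one token, the other two forms take two
    spec = tuple(tokens[:n]) if tokens[0] in ("any", "host") else ("net", *tokens[:2])
    rest = tokens[n:]
    if rest[:1] == ["eq"]:
        return spec, int(rest[1]), rest[2:]
    return spec, None, rest

def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, sport, rest = _take_addr(t[4:])
        dst, dport, _ = _take_addr(rest)
        entries.append((t[2], t[3], src, sport, dst, dport, line))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """Walk the list top-down; the first matching entry decides; no match means the implicit deny."""
    for action, p, s, sp, d, dp, line in entries:
        if (p in ("ip", proto) and _match_addr(src, s) and _match_addr(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action, line
    return "deny", "implicit deny at end of list"

# The three ACL 101 entries on R1; applied inbound on s1/0, so 'src' is the R2/PC2 side.
ACL_101 = """
access-list 101 permit tcp host 201.0.0.2 host 202.0.0.2 eq 53
access-list 101 permit udp host 201.0.0.2 host 202.0.0.2 eq 53
access-list 101 permit tcp host 201.0.0.2 host 202.0.0.2 eq 80
"""

def check_r1_s1_0():
    """Constructed packets arriving on R1 s1/0 -> action; RIP packet assumes UDP 520, 61.1.1.2 -> 224.0.0.9."""
    acl = parse_acl(ACL_101)
    return {"pc2_http": evaluate(acl, "tcp", "201.0.0.2", 40000, "202.0.0.2", 80)[0],
            "pc2_https": evaluate(acl, "tcp", "201.0.0.2", 40000, "202.0.0.2", 443)[0],
            "rip_from_r2": evaluate(acl, "udp", "61.1.1.2", 520, "224.0.0.9", 520)[0]}
```

Because ACL 101 sits inbound on R1's only link to R2, the same implicit deny that blocks unwanted traffic also drops R2's RIP updates unless an entry permits them; after applying the list, confirm with sh access-lists that the permit counters move as expected.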
 
Named access control list on R1:
 
 
en
conf t
ip access-list extended lan2wan
! Source ports 53/80/21/25 on PC1 (202.0.0.2) toward PC2 (201.0.0.2); applied outbound on s1/0 below
permit tcp host 202.0.0.2 eq 53 80 21 25 host 201.0.0.2
permit udp host 202.0.0.2 eq 53 host 201.0.0.2
end
 
sh ip access-lists
 
conf t
int s1/0
ip access-group lan2wan out
end
 
sh ip int s1/0