
Day 4


daktari

Presentation Transcript


  1. Day 4
     • Security (ACL): Standard Access Lists, Extended Access Lists, Named ACLs
     • Network Address Translation (NAT): Static NAT, Dynamic NAT, PAT (Overloading)
     • LAB Configuration

  2. Access Control Lists
     Access Control Lists
       - Standard: 1-99, 1300-1999
       - Extended: 100-199, 2000-2699
     Standard access list (1-99)
       Config#access-list <access number> <permit|deny> <SA> <wildcard>
     Ex
       Config#access-list 1 deny 192.168.12.100 0.0.0.0
       Config#access-list 1 permit any
       Config#interface S0
       Config-if#ip access-group 1 in

  3. Access Control Lists
     Standard access list (1-99)
       #show ip interface S0   (to check whether an access-list is applied to the interface)
     Ex: Block telnet
       Config#access-list 2 deny 192.168.1.2 0.0.0.0
       Config#access-list 2 permit any
       Config#line vty 0 4
       (config-line)#access-class 2 in

  4. Access Control Lists
     Extended access list (100-199)
       config#access-list <access number> <permit|deny> <protocol: tcp, udp, icmp> <SA> <wildcard> <DA> <wildcard> <eq|neq|lt|gt> <port number>
     Ex
       Config#access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
       Config#access-list 101 permit ip any any
       config#interface S0
       config-if#ip access-group 101 in

  5. Access Control Lists
     Named access list (standard or extended)
       Config#ip access-list <standard|extended> <name>
     Ex Standard
       config#ip access-list standard Internet
       config-std-nacl#permit 192.168.40.25 0.0.0.0
       config-std-nacl#permit 192.168.40.26 0.0.0.0
       config#interface e0
       config-if#ip access-group Internet in
     Ex Extended
       config#ip access-list extended BlockVirus2
       config-ext-nacl#deny tcp any any eq 135
       config-ext-nacl#deny tcp any any eq 4899
       config-ext-nacl#permit ip any any
       config#interface S0
       config-if#ip access-group BlockVirus2 in
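The slides give the ACL syntax but not the matching rules the router applies. The Python below is an added example, not code from the presentation: it models how IOS evaluates the ACLs on slides 2 to 5 (the same logic applies whether the list is bound with ip access-group or with access-class on the vty lines). It shows wildcard-bit matching, top-down first-match evaluation, and the implicit deny any that ends every list. ACLs 1 and 101 are copied from the slides; ACL 3 is constructed here as ACL 2 without its permit any, and the function names (parse_acls, evaluate, wildcard_match) are this example's own.

```python
# Added example (not from the slides): a small model of IOS ACL evaluation.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_ADDR, ANY_WC = "0.0.0.0", "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bits: 0 = must match, 1 = don't care (inverse of a subnet mask).
    So 0.0.0.0 selects one host and 255.255.255.255 selects any address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access-control entry, i.e. one access-list line."""
    action: str                    # "permit" or "deny"
    protocol: str = "ip"           # "ip" matches every protocol
    src: str = ANY_ADDR
    src_wc: str = ANY_WC
    dst: str = ANY_ADDR
    dst_wc: str = ANY_WC
    port_op: Optional[str] = None  # eq / neq / lt / gt
    port: Optional[int] = None


def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY_ADDR, ANY_WC, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acls(config: str) -> Dict[int, List[Ace]]:
    """Parse 'access-list N permit|deny ...' lines into ordered ACE lists per number."""
    acls: Dict[int, List[Ace]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
            src, src_wc, rest = _take_addr(rest)
            ace = Ace(action, "ip", src, src_wc)
        else:                                              # extended: proto, src, dst, port
            proto, rest = rest[0], rest[1:]
            src, src_wc, rest = _take_addr(rest)
            dst, dst_wc, rest = _take_addr(rest)
            ace = Ace(action, proto, src, src_wc, dst, dst_wc)
            if rest:
                ace.port_op, ace.port = rest[0], int(rest[1])
        acls.setdefault(number, []).append(ace)
    return acls


def _port_match(op: str, want: int, actual: Optional[int]) -> bool:
    if actual is None:
        return False
    return {"eq": actual == want, "neq": actual != want,
            "lt": actual < want, "gt": actual > want}[op]


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Walk the list top-down; the first matching entry decides.
    When nothing matches, IOS applies an invisible 'deny any' at the end."""
    for ace in aces:
        if ace.protocol not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.port_op and not _port_match(ace.port_op, ace.port, dport):
            continue
        return ace.action
    return "deny (implicit)"


# ACLs 1 and 101 are copied from slides 2 and 4. ACL 3 is constructed for this example:
# it is ACL 2 from slide 3 without its 'permit any', so it blocks every host.
SLIDE_CONFIG = """
access-list 1 deny 192.168.12.100 0.0.0.0
access-list 1 permit any
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
access-list 101 permit ip any any
access-list 3 deny 192.168.1.2 0.0.0.0
"""
ACLS = parse_acls(SLIDE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[101], "tcp", "192.168.1.5", "10.10.10.2", 23))  # deny
    print(evaluate(ACLS[101], "tcp", "192.168.1.5", "10.10.10.2", 22))  # permit
    print(evaluate(ACLS[3], "ip", "192.168.1.3", "10.10.10.2"))         # deny (implicit)
```

The last call is the lesson of ACL 3: a list made only of deny lines denies everything that reaches it, which is why every example on the slides ends with permit any or permit ip any any. Note also that the UDP form of the telnet test passes ACL 101, because the deny entry names tcp.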

  6. Well-Known Ports
     ECHO Server         ---> TCP/7
     DISCARD Server      ---> TCP/9
     DAYTIME Server      ---> TCP/13
     CHARGEN Server      ---> TCP/19
     FTP Server          ---> TCP/21
     SSH Server          ---> TCP/22
     Telnet Server       ---> TCP/23
     SMTP Server         ---> TCP/25
     DNS Server          ---> TCP/53 and UDP/53
     DHCP Server         ---> UDP/68
     Web Server          ---> TCP/80 (HTTP)
     Secure Web Server   ---> TCP/443 (HTTPS)
     POP3 Server         ---> TCP/110
     IMAP Server         ---> TCP/143
     SNMP Server         ---> UDP/161
     LDAP Server         ---> TCP/389
     Web Proxy Server    ---> TCP/3128 or TCP/8080
     The Well Known Ports are those from 0 through 1023.
     http://www.iana.org/assignments/port-numbers

  7. Network Address Translation
     NAT
       • Static
       • Dynamic
       • Overloading
     Static
       Config#ip nat inside source static 192.168.1.2 10.10.10.3
       Config#interface e0
       Config-if#ip nat inside
       Config#interface S0
       Config-if#ip nat outside
       #debug ip nat   (to check whether static NAT translation is taking place)

  8. Example
     routerB#debug ip nat
     00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]
     00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]
     00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]
     00:28:34: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1277]
     00:28:35: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1279]
     00:28:35: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1279]
     00:28:36: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1281]
     00:28:36: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1281]
     00:28:42: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1283]
     00:28:42: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1283]

  9. Network Address Translation
     Dynamic
       Config#ip nat pool <name> <start ip> <end ip> netmask <netmask>
     Ex
       Config#ip nat pool ISP 10.10.10.4 10.10.10.8 netmask 255.255.255.0
       Config#access-list 1 permit 192.168.1.0 0.0.0.255
       Config#ip nat inside source list 1 pool ISP
       Config#interface e0
       Config-if#ip nat inside
       Config#interface S0
       Config-if#ip nat outside

  10. Network Address Translation
      Overloading
        Config#access-list 1 permit 192.168.1.0 0.0.0.255
        Config#ip nat inside source list 1 interface S0 overload
      Or overloading can be done on a dynamic pool:
        Config#ip nat inside source list 1 pool <name> overload
        Config#interface e0
        Config-if#ip nat inside
        Config#interface S0
        Config-if#ip nat outside

  11. Example
      routerB#debug ip nat
      00:41:39: NAT: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1789]
      00:41:39: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1789]
      00:41:40: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1790]
      00:41:40: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1790]
      00:41:41: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1792]
      00:41:41: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1792]
      00:41:42: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1794]
      00:41:42: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1794]
      00:41:43: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1795]
      00:41:43: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1795]
      00:41:44: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1797]
      00:41:44: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1797]

  12. Example
      routerB#debug ip nat
      00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
      00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
      00:52:13: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2333]
      00:52:13: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2333]
      00:52:14: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2337]
      00:52:14: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2337]
      00:52:15: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2339]
      00:52:15: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2339]
      00:52:16: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2340]
      00:52:16: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2340]
      00:52:17: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2342]
      00:52:17: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2342]
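Slides 8, 11 and 12 show debug ip nat output without saying how to read it. The Python below is an added example, not part of the presentation: it parses those lines and summarises which inside-local address was translated to which inside-global address, then uses the result to tell one-to-one translation (slide 8, one pool address per host) from overloading (slides 11 and 12, where 192.168.4.2 and 192.168.4.3 both appear behind 10.10.10.2). The log lines are copied from the slides; the one extra line marked constructed, and the function names (parse_debug, translation_table, nat_mode, unanswered), are this example's own. The pairing of a packet with its reply relies on the bracketed IP identification number, which in these ping traces is the same on the request and the reply.

```python
# Added example (not from the slides): parse 'debug ip nat' output and summarise the translations.
import re
from collections import defaultdict
from typing import Dict, List, Set

# One debug line in either direction. 'NAT*' marks a packet translated in the fast-switched
# path; the bracketed number is the IP identification field of the packet.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


def parse_debug(text: str) -> List[dict]:
    """Return one record per line with the direction and the inside local/global pair."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        f = m.groupdict()
        if f["s_xlat"]:     # outbound: source rewritten inside-local -> inside-global
            rec = {"direction": "out", "inside_local": f["s"],
                   "inside_global": f["s_xlat"], "outside": f["d"]}
        elif f["d_xlat"]:   # inbound: destination rewritten inside-global -> inside-local
            rec = {"direction": "in", "inside_local": f["d_xlat"],
                   "inside_global": f["d"], "outside": f["s"]}
        else:
            continue
        rec.update(ts=f["ts"], fast=bool(f["fast"]), ipid=int(f["ipid"]))
        records.append(rec)
    return records


def translation_table(records: List[dict]) -> Dict[str, Set[str]]:
    """Map each inside-local address to the inside-global address(es) it was translated to."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        table[r["inside_local"]].add(r["inside_global"])
    return dict(table)


def nat_mode(table: Dict[str, Set[str]]) -> str:
    """Two or more inside-local hosts sharing one inside-global address is the overload (PAT)
    signature; otherwise the trace is consistent with static or dynamic one-to-one NAT."""
    locals_per_global: Dict[str, Set[str]] = defaultdict(set)
    for local, globs in table.items():
        for g in globs:
            locals_per_global[g].add(local)
    return "overload" if any(len(v) > 1 for v in locals_per_global.values()) else "one-to-one"


def unanswered(records: List[dict]) -> List[int]:
    """IP ids translated outbound with no inbound counterpart: the reply never came back
    (or came back untranslated), which points at a routing or 'ip nat outside' problem."""
    out = {r["ipid"] for r in records if r["direction"] == "out"}
    back = {r["ipid"] for r in records if r["direction"] == "in"}
    return sorted(out - back)


# Copied from slide 8 (dynamic NAT from the pool on slide 9).
SLIDE8_LOG = """
00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]
00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]
00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]
00:28:34: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1277]
"""
# Copied from slides 11 and 12 (overloading): two inside hosts share 10.10.10.2.
SLIDE12_LOG = """
00:41:39: NAT: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1789]
00:41:39: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1789]
00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
"""
# Constructed line (not from the slides): an outbound packet whose reply never appears.
LOST_REPLY = "00:28:50: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1290]\n"

if __name__ == "__main__":
    print(nat_mode(translation_table(parse_debug(SLIDE8_LOG))))    # one-to-one
    print(nat_mode(translation_table(parse_debug(SLIDE12_LOG))))   # overload
    print(unanswered(parse_debug(SLIDE8_LOG + LOST_REPLY)))        # [1290]
```

Reading the table this way is the quickest check that the configuration on slides 9 and 10 did what was intended: a pool translation hands each inside host its own global address, while an overload configuration shows several inside hosts behind the one interface address. The unanswered list is the debug-side equivalent of a ping that translates outbound and then times out.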

  13. Ex Static NAT
      ip nat inside source list 7 interface Serial0 overload
      ip nat inside source static tcp 192.168.42.30 5900 203.149.9.218 5900 extendable
      ip nat inside source static udp 192.168.42.30 5900 203.149.9.218 5900 extendable
      ip nat inside source static udp 192.168.42.30 5800 203.149.9.218 5800 extendable
      ip nat inside source static tcp 192.168.42.30 5800 203.149.9.218 5800 extendable
      ip nat inside source static tcp 192.168.42.2 6500 203.149.9.219 6500 extendable
      ip nat inside source static tcp 192.168.42.2 80 203.149.9.219 80 extendable
      ip nat inside source static tcp 192.168.42.5 143 203.149.9.218 143 extendable
      ip nat inside source static tcp 192.168.42.5 21 203.149.9.218 21 extendable
      ip nat inside source static tcp 192.168.42.5 20 203.149.9.218 20 extendable
      ip nat inside source static tcp 192.168.42.5 22 203.149.9.218 22 extendable
      ip nat inside source static udp 192.168.42.5 53 203.149.9.218 53 extendable
      ip nat inside source static tcp 192.168.42.5 53 203.149.9.218 53 extendable
      ip nat inside source static tcp 192.168.42.5 110 203.149.9.218 110 extendable
      ip nat inside source static tcp 192.168.42.5 25 203.149.9.218 25 extendable
      ip nat inside source static udp 192.168.42.5 22 203.149.9.218 22 extendable
      ip nat inside source static tcp 192.168.42.5 80 203.149.9.218 80 extendable
