Mr.Kriangsak Namkot
jodoi@jodoi.com
jodoi1819@hotmail.com
http://www.jodoi.com
Day 4
• Security (ACL): Standard Access Lists, Extended Access Lists, Named ACLs
• Network Address Translation (NAT): Static NAT, Dynamic NAT, PAT (Overloading)
• LAB Configuration
Access Lists
Access list number ranges
- Standard: 1-99, 1300-1999 (matches on source address only)
- Extended: 100-199, 2000-2699 (matches on protocol, source, destination and port)
Standard access list (1-99)
Config#access-list <access-number> {permit|deny} <source-address> <wildcard>
The wildcard is the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored, so 0.0.0.0 means exactly this host (the same as the host keyword) and 0.0.0.255 means the whole /24.
Ex
Config#access-list 1 deny 192.168.12.100 0.0.0.0
Config#access-list 1 permit any
Config#interface S0
Config-if#ip access-group 1 in
Entries are checked top-down and the first match wins; every list ends with an implicit deny any, so without the permit any line all other traffic arriving on S0 would be dropped.
#show ip interface S0 shows whether an access list is applied to the interface, and in which direction
Ex: block Telnet to the router itself from one host
Config#access-list 2 deny 192.168.1.2 0.0.0.0
Config#access-list 2 permit any
Config#line vty 0 4
(config-line)#access-class 2 in
access-class on the vty lines filters sessions to the router (Telnet and SSH); ip access-group on an interface filters transit traffic.
Extended access list (100-199)
config#access-list <access-number> {permit|deny} <protocol: tcp|udp|icmp|ip> <source-address> <wildcard> <destination-address> <wildcard> [eq|neq|lt|gt <port-number>]
Ex
Config#access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
! The next line is not on the slide: without a permit, the implicit deny would drop every other packet arriving on S0
Config#access-list 101 permit ip any any
config#interface S0
config-if#ip access-group 101 in
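The standard and extended examples above can be checked without a router. The following is an added example, not code from the course material: a small Python evaluator for numbered Cisco-style access lists. It applies the wildcard mask, walks the entries top-down with the first match winning, and falls through to the implicit deny when nothing matches, which is how the extended list 101 as written on the slide ends up dropping web traffic too. The parser only handles numeric ports and the `any`, `host` and `<address> <wildcard>` forms; the sample configuration is the slide's lists copied in as a constructed input.

```python
# Added example (not part of the jodoi.com course material): a small evaluator
# for the numbered standard and extended access lists shown above. It shows
# how a wildcard mask is applied, that entries are checked top-down with the
# first match winning, and that an ACL with no permit line denies everything
# because of the implicit "deny any" at the end. Only numeric ports and the
# "any" / "host" / "<addr> <wildcard>" address forms are handled.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit ignored


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is ignored. 0.0.0.0 therefore means 'exactly this host'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches everything), "tcp", "udp", "icmp"
    src: Tuple[str, str]        # (base, wildcard)
    dst: Tuple[str, str]
    port_op: Optional[str]      # eq / neq / lt / gt, or None
    port: Optional[int]


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec starting at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acl(config_text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list <number> ...' lines, keeping each list's entry order."""
    acls: Dict[int, List[Entry]] = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source only
            src, _ = _parse_addr(t, 3)
            entry = Entry(action, "ip", src, ANY, None, None)
        else:                                                # extended
            proto = t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            op, port = (t[i], int(t[i + 1])) if i < len(t) else (None, None)
            entry = Entry(action, proto, src, dst, op, port)
        acls.setdefault(number, []).append(entry)
    return acls


def _port_ok(op: Optional[str], want: Optional[int], port: int) -> bool:
    if op is None:
        return True
    return {"eq": port == want, "neq": port != want,
            "lt": port < want, "gt": port > want}[op]


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str,
             proto: str = "ip", dst_port: int = 0) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). Index None means no entry
    matched and the implicit deny at the end of the list applied."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src_ip, *e.src) and wildcard_match(dst_ip, *e.dst)):
            continue
        if not _port_ok(e.port_op, e.port, dst_port):
            continue
        return e.action, idx
    return "deny", None


# Constructed input: the slide's two numbered lists, exactly as written there.
COURSE_CONFIG = """\
access-list 1 deny 192.168.12.100 0.0.0.0
access-list 1 permit any
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
"""
FIXED_CONFIG = COURSE_CONFIG + "access-list 101 permit ip any any\n"

if __name__ == "__main__":
    acls = parse_acl(COURSE_CONFIG)
    print(evaluate(acls[1], "192.168.12.100", "10.0.0.1"))               # ('deny', 0)
    print(evaluate(acls[101], "192.168.1.7", "10.10.10.2", "tcp", 23))   # ('deny', 0)
    # Web traffic is not telnet, yet it is still dropped: no entry matched.
    print(evaluate(acls[101], "192.168.1.7", "10.10.10.2", "tcp", 80))   # ('deny', None)
    print(evaluate(parse_acl(FIXED_CONFIG)[101], "192.168.1.7", "10.10.10.2", "tcp", 80))  # ('permit', 1)
```

The index returned next to the action is useful when auditing a real list: a result of `None` is the implicit deny, which is what you see when a list "blocks everything" after someone forgets the trailing permit.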
Named access list
Config#ip access-list {standard|extended} <name>
Ex Standard
config#ip access-list standard Internet
config-std-nacl#permit 192.168.40.25 0.0.0.0
config-std-nacl#permit 192.168.40.26 0.0.0.0
config#interface e0
config-if#ip access-group Internet in
Ex Extended
config#ip access-list extended BlockVirus2
config-ext-nacl#deny tcp any any eq 135
config-ext-nacl#deny tcp any any eq 4899
config-ext-nacl#permit ip any any
config#interface S0
config-if#ip access-group BlockVirus2 in
ACL names are case-sensitive: the list is defined as Internet, so it must be applied as Internet, not internet. TCP/135 is the Microsoft RPC endpoint mapper and TCP/4899 is Radmin, both common worm and remote-control targets.
Well-Known Ports
ECHO Server ---> TCP/7
DISCARD Server ---> TCP/9
DAYTIME Server ---> TCP/13
CHARGEN Server ---> TCP/19
FTP Server ---> TCP/21
SSH Server ---> TCP/22
Telnet Server ---> TCP/23
SMTP Server ---> TCP/25
DNS Server ---> TCP/53 and UDP/53
DHCP Server ---> UDP/67 (the client side uses UDP/68)
Web Server ---> TCP/80 (HTTP)
POP3 Server ---> TCP/110
IMAP Server ---> TCP/143
SNMP Server ---> UDP/161
LDAP Server ---> TCP/389
Secure Web Server ---> TCP/443 (HTTPS)
Web Proxy Server ---> TCP/3128 or TCP/8080
Network Address Translation
NAT
- Static
- Dynamic
- Overloading (PAT)
Static (one inside local address is always mapped to the same inside global address)
Config#ip nat inside source static 192.168.1.2 10.10.10.3
Config#interface e0
Config-if#ip nat inside
Config#interface S0
Config-if#ip nat outside
Dynamic (inside hosts selected by the access list borrow an address from the pool; when the pool is exhausted further hosts cannot be translated)
Config#ip nat pool <name> <start-ip> <end-ip> netmask <netmask>
Ex
Config#ip nat pool ISP 10.10.10.4 10.10.10.8 netmask 255.255.255.0
Config#access-list 1 permit 192.168.1.0 0.0.0.255
Config#ip nat inside source list 1 pool ISP
Config#interface e0
Config-if#ip nat inside
Config#interface S0
Config-if#ip nat outside
Overloading (PAT: many inside hosts share one inside global address and are told apart by source port)
Config#access-list 1 permit 192.168.1.0 0.0.0.255
! The translation rule itself is missing from the slide; this is the standard form, using the S0 address as the shared inside global address
Config#ip nat inside source list 1 interface S0 overload
Config#interface e0
Config-if#ip nat inside
Config#interface S0
Config-if#ip nat outside
Example
• routerB#debug ip nat
• routerB#show ip nat translations (lists the current translation table)
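To see what the three NAT modes on these slides actually put into the translation table, here is an added example that is not part of the course material: a toy Python model of static, dynamic (pool) and overloading/PAT translation, reporting rows in the spirit of `show ip nat translations`. The addresses are the slide's (inside 192.168.1.0/24, static 192.168.1.2 to 10.10.10.3, pool ISP 10.10.10.4 to 10.10.10.8); the S0 address used for overloading (10.10.10.1) and the order in which fallback ports are handed out on a port collision are assumptions.

```python
# Added example (not part of the course material): a toy model of the three
# NAT modes on these slides, static, dynamic (pool) and overloading/PAT, so
# the resulting translation table can be inspected the way 'show ip nat
# translations' would show it. The S0 address used for overloading
# (10.10.10.1) and the port allocation order are assumptions, not values
# from the slides.
import ipaddress
from itertools import count
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (address, port)


class NatRouter:
    def __init__(self, inside_list: str, static: Optional[Dict[str, str]] = None,
                 pool: Optional[List[str]] = None, overload_ip: Optional[str] = None):
        self.inside_list = ipaddress.IPv4Network(inside_list)   # access-list 1 permit ...
        self.static = dict(static or {})        # ip nat inside source static <local> <global>
        self.pool = list(pool or [])            # ip nat pool ...: free inside global addresses
        self.overload_ip = overload_ip          # ip nat inside source list 1 interface S0 overload
        self.dynamic: Dict[str, str] = {}       # inside local -> pool address (dynamic NAT)
        self.table: Dict[Endpoint, Endpoint] = {}   # inside local -> inside global
        self.used_ports: Set[int] = set()
        self.next_port = count(1024)            # assumption: fallback ports handed out upward

    def translate(self, local: Endpoint) -> Optional[Endpoint]:
        """Translate one outbound (inside local) source endpoint. Returns the
        inside global endpoint, the unchanged endpoint when the source is not
        selected by the list, or None when the packet has to be dropped."""
        if local in self.table:
            return self.table[local]
        ip, port = local
        if ip in self.static:                                    # static: fixed 1:1, port kept
            entry = (self.static[ip], port)
        elif ipaddress.IPv4Address(ip) not in self.inside_list:  # not in list: no NAT
            return local
        elif self.overload_ip:                                   # PAT: one address, unique port
            gport = port
            while gport in self.used_ports:                      # collision: pick another port
                gport = next(self.next_port)
            self.used_ports.add(gport)
            entry = (self.overload_ip, gport)
        else:                                                    # dynamic: one pool address per host
            if ip not in self.dynamic:
                if not self.pool:
                    return None                                  # pool exhausted: dropped
                self.dynamic[ip] = self.pool.pop(0)
            entry = (self.dynamic[ip], port)
        self.table[local] = entry
        return entry

    def translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations': inside global, inside local."""
        return [f"{g[0]}:{g[1]}  {l[0]}:{l[1]}" for l, g in self.table.items()]


if __name__ == "__main__":
    # Static + dynamic pool, as configured on the slides.
    r = NatRouter("192.168.1.0/24", static={"192.168.1.2": "10.10.10.3"},
                  pool=["10.10.10.%d" % i for i in range(4, 9)])
    r.translate(("192.168.1.2", 5000))
    r.translate(("192.168.1.10", 40000))
    r.translate(("192.168.1.10", 40001))     # same host keeps its pool address
    print("\n".join(r.translations()))
    # Overloading: every host ends up behind 10.10.10.1, ports keep them apart.
    p = NatRouter("192.168.1.0/24", overload_ip="10.10.10.1")
    p.translate(("192.168.1.10", 40000))
    p.translate(("192.168.1.11", 40000))     # same source port: gets a new global port
    print("\n".join(p.translations()))
```

The dynamic model drops the packet once the pool is empty, which is why a pool of five addresses on the slide serves at most five concurrent inside hosts, while the PAT model only runs out when the port space on the single address is used up.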