前言

2023-6-8 18:54:22

以下内容源自《【网络安全】》
仅供学习交流使用

推荐

配置标准ACL

实验五 标准ACL的配置

问题

络调通后，保证网络是通畅的。同时也很可能出现未经授权的非法访问。企业网络既要解决连连通的问题，还要解决网络安全的问题。
1)配置标准ACL实现拒绝PC2（IP地址为192.168.0.20）对Web Server P的浏览器访问

方案

访问控制是网络安全防范和保护的主要策略，它的主要任务是保证网络资源不被非法使用和访问。它是保证网络安全最重要的核心策略之一。
访问控制列表（Access Control Lists,ACL）是应用在路由器接口的指令列表。这些指令列表用来告诉路由器哪能些数据包可以收、哪能数据包需要拒绝。至于数据包是被接收还是拒绝，可以由类似于源地址、目的地址、端口号等的特定指示条件来决定。
标准访问控制列表只能根据数据包的源IP地址决定是否允许通过。
网络拓扑如图所示：

步骤

实现此案例需要按照如下步骤进行。
步骤一：在R1上配置IP地址及静态路由

tarena-R1(config)#interface f0/0
tarena-R1(config-if)#ip address 192.168.0.1 255.255.255.0
tarena-R1(config-if)#no shutdown
tarena-R1(config-if)#interface f0/1
tarena-R1(config-if)#ip address 192.168.1.1 255.255.255.0
tarena-R1(config-if)#no shutdown
tarena-R1(config-if)#exit
tarena-R1(config)#ip route 192.168.2.0 255.255.255.0 192.168.1.2

步骤二：在R2上配置IP地址及静态路由

tarena-R2(config)#interface f0/0
tarena-R2(config-if)#ip address 192.168.1.2 255.255.255.0
tarena-R2(config-if)#no shutdown
tarena-R2(config-if)#interface f0/1
tarena-R2(config-if)#ip address 192.168.2.1 255.255.255.0
tarena-R2(config-if)#no shutdown
tarena-R2(config-if)#exit
tarena-R2(config)#ip route 192.168.0.0 255.255.255.0 192.168.1.1

步骤三：在R1和R2上检查路由表

tarena-R1#show ip route 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area* - candidate default, U - per-user static route, o - ODRP - periodic downloaded static route
Gateway of last resort is not set
C    192.168.0.0/24 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
S    192.168.2.0/24 [1/0] via 192.168.1.2

tarena-R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area* - candidate default, U - per-user static route, o - ODRP - periodic downloaded static route
Gateway of last resort is not set
S    192.168.0.0/24 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1

步骤四：测试主机到Web Server的连通性
在实施ACL之前先检查网络是否能够正常通信，因为没有任何限制，网络应该是处于连通状态。

配置主机

PC1测试如下所示：

PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F7FF:FED6:54CC
IP Address......................: 192.168.0.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.0.1
PC>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.2.100:Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:Minimum = 0ms, Maximum = 0ms, Average = 0ms
PC>

PC2测试如下所示：

PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2D0:BAFF:FE98:9E29
IP Address......................: 192.168.0.20
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.0.1
PC>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.2.100: bytes=32 time=2ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.2.100:Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:Minimum = 0ms, Maximum = 2ms, Average = 0ms
PC>

步骤五：在R2上配置标准访问控制列表，并应用到Fa0/1端口出方向上
标准访问控制列表因为只能限制源IP地址，因此应该把ACL放到离目标最近的端口出方向上。
ACL的匹配规则中，最后有一条隐含拒绝全部。如果语句中全部是拒绝条目，那么最后必须存在允许语句，否则所有数据通信都将被拒绝。

tarena-R2(config)#access-list 1 deny host 192.168.0.20
tarena-R2(config)#access-list 1 permit any
tarena-R2(config)#interface f0/1
tarena-R2(config-if)#ip access-group 1 out

步骤六：分别在两台主机上测试到Web Server的连通性
PC1测试如下所示：

PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F7FF:FED6:54CC
IP Address......................: 192.168.0.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.0.1
PC>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.2.100: bytes=32 time=1ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Reply from 192.168.2.100: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.2.100:Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC>

PC2测试如下所示：

PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2D0:BAFF:FE98:9E29
IP Address......................: 192.168.0.20
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.0.1
PC>ping 192.168.2.100
Pinging 192.168.2.100 with 32 bytes of data:
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.2: Destination host unreachable.
Ping statistics for 192.168.2.100:Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>

结果显示PC1（IP地址为192.168.0.10）可以正常访问Web Server，而PC2（IP地址为192.168.0.20）已经被192.168.1.2（R2）拒绝。
步骤七：在R2上查看相关的ACL信息

tarena-R2#show ip access-lists 
Standard IP access list 1deny host 192.168.0.20 (4 match(es))permit any (4 match(es)) 

最后

2023-6-8 19:32:02

你对我百般注视，
并不能构成万分之一的我，
却是一览无余的你。

祝大家逢考必过
点赞收藏关注哦