
Context-Based Access Control (CBAC) lab

[Lab description]
Configure outbound traffic inspection on the router so that ACL entries for the return traffic are opened dynamically.
IOS: c7200-adventerprisek9-mz.124-24.t3.bin
[Lab topology]
(topology diagram: http://cdn.verydemo.com/upload/2013_05_27/13695895224540.jpg)
[Lab configuration guide]
1. Configure the network above as the "standard NAT with overloading (PAT)" scenario from the IP services lab.
2. Create an inspection rule named inspect that permits the TCP protocol.
3. Extend the inspection rule inspect so that FTP traffic is permitted through the router.
4. Configure the rule to permit ICMP, and inspect the TCP and ICMP traffic generated by the router itself.
5. Create an access control list named inbound that permits OSPF and blocks all other traffic.
6. Apply access list inbound to the router's serial interfaces in the inbound direction.
7. Apply the inspection rule to the router's serial interfaces in the outbound direction.
[Lab configuration]
-------------------------------- PAT configuration ---------------------------------------------------------
r1:
interface fastethernet0/0
ip address 10.0.0.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.4
r6:
interface fastethernet0/0
ip address 10.0.0.6 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.4
r4:
interface loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
no sh
!
interface fastethernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
no sh
!
interface serial1/0
encapsulation frame-relay
no sh
!
interface serial1/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
no sh
!
interface serial1/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
no sh
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source loopback0
!
ip access-list standard inside_network
permit 10.0.0.0 0.0.0.255
!
ip nat inside source list inside_network interface loopback0 overload
r5:
interface loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
no sh
!
interface serial1/0
encapsulation frame-relay
no sh
!
interface serial1/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
no sh
!
interface serial1/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
no sh
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source loopback0
neighbor 150.1.4.4 default-originate
------------------------------------------------ CBAC configuration ----------------------------------------------------------
[Lab configuration]
r4:
ip inspect name inspect ftp
ip inspect name inspect icmp router-traffic
ip inspect name inspect tcp router-traffic
!
ip access-list extended inbound
permit ospf any any
deny ip any any log
!
! serial1/1 and serial1/0.1 are the NAT outside interfaces of r4 from the PAT section
interface serial1/1
ip access-group inbound in
ip inspect inspect out
!
interface serial1/0.1
ip access-group inbound in
ip inspect inspect out
[Lab verification]
r4#show ip inspect config
session audit trail is disabled
session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
inspection rule configuration
inspection name inspect
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
telnet alert is on audit-trail is off timeout 3600
router alert is on audit-trail is off timeout 30
r6#telnet 150.1.5.5
trying 150.1.5.5 ... open
r5>
r4#show ip inspect sessions
established sessions
session 650ff88c (10.0.0.6:54327)=>(150.1.5.5:23) tcp sis_open
session 650ffb04 (150.1.4.4:40087)=>(150.1.5.5:179) tcp sis_open
r4#ping 150.1.5.5
type escape sequence to abort.
sending 5, 100-byte icmp echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms
r4#telnet 150.1.5.5
trying 150.1.5.5 ... open
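To make the "dynamically opened ACL entry" behaviour concrete, here is an added Python model (not part of the original lab and not IOS code) of the decision r4 makes on its serial interfaces: `inbound` stands for ACL inbound applied in, `outbound` for rule inspect applied out, and `ftp_port_command` is a simplified stand-in for the application-layer inspection the `ftp` keyword enables. The addresses and ports are those shown in the session table above plus constructed values for an FTP transfer; inside addresses are used pre-NAT because that is what `show ip inspect sessions` displays.

```python
from dataclasses import dataclass, field


@dataclass
class CbacRouter:
    """Toy model of r4. A packet is (proto, src, dst, sport, dport); ports are 0 if none."""
    inspected: set = field(default_factory=lambda: {"tcp", "icmp"})  # ip inspect name inspect tcp/icmp
    static_permit: set = field(default_factory=lambda: {"ospf"})     # permit ospf any any
    sessions: set = field(default_factory=set)                       # dynamically opened entries

    def outbound(self, pkt):
        """`ip inspect inspect out`: inspected protocols create a session entry."""
        proto, src, dst, sport, dport = pkt
        if proto in self.inspected:
            self.sessions.add((proto, src, dst, sport, dport))

    def ftp_port_command(self, control, data_port):
        """Simplified application-layer inspection from `ip inspect name inspect ftp`:
        the PORT command on an outbound control session (dport 21) announces which client
        port the server will connect back to from port 20, so that data connection is
        pre-opened even though it is not the reverse of any existing session."""
        proto, client, server, sport, dport = control
        if proto == "tcp" and dport == 21 and control in self.sessions:
            self.sessions.add(("tcp", client, server, data_port, 20))

    def inbound(self, pkt):
        """`ip access-group inbound in`: permit a static entry or the reverse of an
        inspected session; anything else hits `deny ip any any log`."""
        proto, src, dst, sport, dport = pkt
        return proto in self.static_permit or (proto, dst, src, dport, sport) in self.sessions


def run_lab_scenario():
    """Replays the lab's verification flows plus a constructed active-mode FTP transfer."""
    r4 = CbacRouter()
    r4.outbound(("tcp", "10.0.0.6", "150.1.5.5", 54327, 23))    # r6#telnet 150.1.5.5
    r4.outbound(("tcp", "150.1.4.4", "150.1.5.5", 40087, 179))  # r4's own BGP (router-traffic)
    r4.outbound(("icmp", "150.1.4.4", "150.1.5.5", 0, 0))       # r4#ping 150.1.5.5
    ftp_ctl = ("tcp", "10.0.0.6", "150.1.5.5", 50001, 21)       # constructed: r6 opens FTP control
    r4.outbound(ftp_ctl)
    r4.ftp_port_command(ftp_ctl, 50002)                          # constructed: PORT announces 50002
    return {
        "telnet_reply": r4.inbound(("tcp", "150.1.5.5", "10.0.0.6", 23, 54327)),
        "bgp_reply": r4.inbound(("tcp", "150.1.5.5", "150.1.4.4", 179, 40087)),
        "echo_reply": r4.inbound(("icmp", "150.1.5.5", "150.1.4.4", 0, 0)),
        "ospf_hello": r4.inbound(("ospf", "155.1.45.5", "224.0.0.5", 0, 0)),
        "ftp_data": r4.inbound(("tcp", "150.1.5.5", "10.0.0.6", 20, 50002)),
        "unsolicited_telnet": r4.inbound(("tcp", "150.1.5.5", "10.0.0.6", 41000, 23)),
    }
```

Only the OSPF hello is admitted by the static ACL; every other permitted packet rides on an entry that an outbound session opened, and the unsolicited telnet from r5 is dropped and logged.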