欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  数据库

Context-Based Access Control (CBAC) 基于上下文的访问控制 实

程序员文章站 2022-06-17 14:55:34
...

【 实验 说明】 配置路由器出站流量检查,动态打开ACL条目 IOS:c7200-adventerprisek9-mz.124-24.T3.bin 【 实验 拓扑】 650) this.width=650;" border="0" alt="" src="http://cdn.verydemo.com/upload/2013_05_27/13695895224540.jpg" /> 【 实验 配置向

实验说明】

配置路由器出站流量检查,动态打开ACL条目


IOS:c7200-adventerprisek9-mz.124-24.T3.bin


实验拓扑】

Context-Based Access Control (CBAC) 基于上下文的访问控制 实

实验配置向导】

  • 将上面网络配置为 IP service 实验中的“Standard NAT with Overloading(PAT)”
  • 创建检查规则命名为 INSPECT,允许TCP协议
  • 创建检查规则命名为 INSPECT ,允许FTP流量通过路由器
  • 配置规则允许ICMP 并检查路由器自身产生的TCP与ICMP流量
  • 创建 INBOUND 访问控制列表,允许OSPF,并阻止其他流量
  • 在路由器的串口的入方向应用访问控制列表 INBOUND
  • 应用检查规则到路由器串口的出方向


实验配置】

--------------------------------实验PAT配置---------------------------------------------------------

R1:

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.0.0.4


R6:

interface FastEthernet0/0

ip address 10.0.0.6 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.0.0.4



R4:

interface Loopback0

ip address 150.1.4.4 255.255.255.0

ip ospf network point-to-point

no sh

!

interface FastEthernet0/0

ip address 10.0.0.4 255.255.255.0

ip nat inside

no sh

!

interface serial1/0

en fram

no sh

!

interface Serial1/0.1 point-to-point

ip address 155.1.0.4 255.255.255.0

frame-relay interface-dlci 405

ip nat outside

no sh

!

interface Serial1/1

ip address 155.1.45.4 255.255.255.0

clock rate 2000000

ip nat outside

no sh

!

router ospf 1

router-id 150.1.4.4

network 150.1.4.4 0.0.0.0 area 0

network 155.1.0.4 0.0.0.0 area 0

network 155.1.45.4 0.0.0.0 area 0

!

router bgp 1

bgp router-id 150.1.4.4

neighbor 150.1.5.5 remote-as 2

neighbor 150.1.5.5 ebgp-multihop 255

neighbor 150.1.5.5 update-source Loopback0

!

ip access-list standard INSIDE_NETWORK

permit 10.0.0.0 0.0.0.255

!

ip nat inside source list INSIDE_NETWORK interface Loop0 overload


R5:

interface Loopback0

ip address 150.1.5.5 255.255.255.0

ip ospf network point-to-point

no sh

!

interface Serial1/0

encapsulation frame-relay

no sh

!

interface Serial1/0.1 point-to-point

ip address 155.1.0.5 255.255.255.0

frame-relay interface-dlci 504

no sh

!

interface Serial1/1

ip address 155.1.45.5 255.255.255.0

clock rate 2000000

no sh

!

router ospf 1

router-id 150.1.5.5

network 150.1.5.5 0.0.0.0 area 0

network 155.1.0.5 0.0.0.0 area 0

network 155.1.45.5 0.0.0.0 area 0

!

router bgp 2

bgp router-id 150.1.5.5

neighbor 150.1.4.4 remote-as 1

neighbor 150.1.4.4 ebgp-multihop 255

neighbor 150.1.4.4 update-source Loopback0

neighbor 150.1.4.4 default-originate


------------------------------------------------CBAC 配置----------------------------------------------------------

实验配置】

R4:

ip inspect name INSPECT ftp

ip inspect name INSPECT icmp router-traffic

ip inspect name INSPECT tcp router-traffic

!

ip access-list ext INBOUND

permit ospf any any

deny ip any any log

!

interface Serial 0/1

ip access-group INBOUND in

ip inspect INSPECT out

!

interface Serial 0/0.1

ip access-group INBOUND in

ip inspect INSPECT out


实验验证】

R4#show ip inspect config

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400:500] connections

max-incomplete sessions thresholds are [400:500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec

tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec

Inspection Rule Configuration

Inspection name INSPECT

http alert is on audit-trail is off timeout 3600

ftp alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

telnet alert is on audit-trail is off timeout 3600

router alert is on audit-trail is off timeout 30

R6#telnet 150.1.5.5

Trying 150.1.5.5 ... Open

R5>

R4#show ip inspect sessions

Established Sessions

Session 650FF88C (10.0.0.6:54327)=>(150.1.5.5:23) tcp SIS_OPEN

Session 650FFB04 (150.1.4.4:40087)=>(150.1.5.5:179) tcp SIS_OPEN

R4#ping 150.1.5.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms

R4#telnet 150.1.5.5

Trying 150.1.5.5 ... Open