Context-Based Access Control (CBAC) Lab
【Lab Description】
Configure inspection of the router's outbound traffic so that ACL entries for the return traffic are opened dynamically.
IOS:c7200-adventerprisek9-mz.124-24.T3.bin
【Lab Topology】
【Lab Configuration Guide】
- Configure the network above as in the "Standard NAT with Overloading (PAT)" lab from the IP services section
- Create an inspection rule named INSPECT that allows the TCP protocol
- Create an inspection rule named INSPECT that allows FTP traffic through the router
- Configure the rule to allow ICMP and to inspect TCP and ICMP traffic generated by the router itself
- Create an access control list named INBOUND that permits OSPF and blocks all other traffic
- Apply the access list INBOUND in the inbound direction on the router's serial interfaces
- Apply the inspection rule in the outbound direction on the router's serial interfaces
【Lab Configuration】
-------------------------------- PAT configuration for the lab --------------------------------
R1:
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R6:
interface FastEthernet0/0
 ip address 10.0.0.6 255.255.255.0
 no sh
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R4:
interface Loopback0
 ip address 150.1.4.4 255.255.255.0
 ip ospf network point-to-point
 no sh
!
interface FastEthernet0/0
 ip address 10.0.0.4 255.255.255.0
 ip nat inside
 no sh
!
interface Serial1/0
 encapsulation frame-relay
 no sh
!
interface Serial1/0.1 point-to-point
 ip address 155.1.0.4 255.255.255.0
 frame-relay interface-dlci 405
 ip nat outside
 no sh
!
interface Serial1/1
 ip address 155.1.45.4 255.255.255.0
 clock rate 2000000
 ip nat outside
 no sh
!
router ospf 1
 router-id 150.1.4.4
 network 150.1.4.4 0.0.0.0 area 0
 network 155.1.0.4 0.0.0.0 area 0
 network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 150.1.4.4
 neighbor 150.1.5.5 remote-as 2
 neighbor 150.1.5.5 ebgp-multihop 255
 neighbor 150.1.5.5 update-source Loopback0
!
ip access-list standard INSIDE_NETWORK
 permit 10.0.0.0 0.0.0.255
!
ip nat inside source list INSIDE_NETWORK interface Loop0 overload

R5:
interface Loopback0
 ip address 150.1.5.5 255.255.255.0
 ip ospf network point-to-point
 no sh
!
interface Serial1/0
 encapsulation frame-relay
 no sh
!
interface Serial1/0.1 point-to-point
 ip address 155.1.0.5 255.255.255.0
 frame-relay interface-dlci 504
 no sh
!
interface Serial1/1
 ip address 155.1.45.5 255.255.255.0
 clock rate 2000000
 no sh
!
router ospf 1
 router-id 150.1.5.5
 network 150.1.5.5 0.0.0.0 area 0
 network 155.1.0.5 0.0.0.0 area 0
 network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
 bgp router-id 150.1.5.5
 neighbor 150.1.4.4 remote-as 1
 neighbor 150.1.4.4 ebgp-multihop 255
 neighbor 150.1.4.4 update-source Loopback0
 neighbor 150.1.4.4 default-originate
------------------------------------------------ CBAC configuration ------------------------------------------------
【Lab Configuration】
R4:
ip inspect name INSPECT ftp
ip inspect name INSPECT icmp router-traffic
ip inspect name INSPECT tcp router-traffic
!
ip access-list ext INBOUND
 permit ospf any any
 deny ip any any log
!
interface Serial 0/1
 ip access-group INBOUND in
 ip inspect INSPECT out
!
interface Serial 0/0.1
 ip access-group INBOUND in
 ip inspect INSPECT out
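The following added example is not part of the original lab and is not IOS code: it is a small Python model of the decision the configuration above makes on R4's serial interfaces. Outbound flows covered by INSPECT create session entries with the idle timeouts from `show ip inspect config`; the INBOUND ACL statically permits only OSPF, so any other inbound packet is admitted only if it is the reverse of a recorded session (flows sourced from R4 itself, such as BGP, are recorded only when `router-traffic` is set). NAT and FTP data channels are left out; the packet tuples and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass

ROUTER_IP = "150.1.4.4"   # R4's Loopback0, the source of its own BGP/ICMP traffic

# Model of the 'ip inspect name INSPECT ...' lines on R4; timeouts are the values
# shown by 'show ip inspect config' (tcp 3600 s, icmp 10 s). FTP is omitted here.
INSPECT = {
    "tcp":  {"router_traffic": True, "timeout": 3600},
    "icmp": {"router_traffic": True, "timeout": 10},
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class CBAC:
    """Hypothetical model: outbound inspection plus the static INBOUND ACL."""

    def __init__(self, inspect_rules):
        self.rules = inspect_rules
        self.sessions = {}   # 5-tuple of the outbound flow -> expiry timestamp
        self.denied = []     # what 'deny ip any any log' would log

    def outbound(self, pkt, now):
        """'ip inspect INSPECT out': record flows that the rule set covers."""
        rule = self.rules.get(pkt.proto)
        if rule is None:
            return False                     # not inspected, no return opening
        if pkt.src == ROUTER_IP and not rule["router_traffic"]:
            return False                     # router-generated flow not inspected
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.sessions[key] = now + rule["timeout"]
        return True

    def inbound(self, pkt, now):
        """'ip access-group INBOUND in' with CBAC's dynamic openings applied."""
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}
        if pkt.proto == "ospf":
            return True                      # permit ospf any any
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return True                      # reply to an inspected session
        self.denied.append(f"{pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        return False                         # deny ip any any log
```

Replaying the Telnet session from `show ip inspect sessions` (10.0.0.6:54327 to 150.1.5.5:23) through `outbound()` makes the matching reply pass `inbound()`, while an unsolicited packet to another port, or the same reply after the 3600 s idle timeout, is denied and logged.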
【Lab Verification】
R4#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name INSPECT
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
telnet alert is on audit-trail is off timeout 3600
router alert is on audit-trail is off timeout 30
R6#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5>
R4#show ip inspect sessions
Established Sessions
Session 650FF88C (10.0.0.6:54327)=>(150.1.5.5:23) tcp SIS_OPEN
Session 650FFB04 (150.1.4.4:40087)=>(150.1.5.5:179) tcp SIS_OPEN
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms
R4#telnet 150.1.5.5
Trying 150.1.5.5 ... Open