Day 4: Security
  Access Control Lists (ACL): Standard Access Lists, Extended Access Lists, Named ACLs
  Network Address Translation (NAT): Static NAT, Dynamic NAT, PAT (Overloading)
  LAB Configuration
Access Control Lists
  Access list number ranges:
    Standard: 1-99, 1300-1999
    Extended: 100-199, 2000-2699

  Standard access list (1-99) syntax:
    Config#access-list <access number> <permit|deny> <SA> <wildcard>
  Ex:
    Config#access-list 1 deny 192.168.12.100 0.0.0.0
    Config#access-list 1 permit any
    Config#interface S0
    Config-if#ip access-group 1 in
Access Control Lists: Standard access list (1-99)
  #show ip interface S0    (to check whether an access-list is applied to the interface)
  Ex: Block telnet (applied to the vty lines with access-class rather than to an interface)
    Config#access-list 2 deny 192.168.1.2 0.0.0.0
    Config#access-list 2 permit any
    Config#line vty 0 4
    (config-line)#access-class 2 in
Access Control Lists: Extended access list (100-199)
  Syntax:
    config#access-list <access number> <permit|deny> <protocol: tcp,udp,icmp> <SA> <wildcard> <DA> <wildcard> <eq|neq|lt|gt> <port number>
  Ex:
    Config#access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.10.2 0.0.0.0 eq 23
    Config#access-list 101 permit ip any any
    config#interface S0
    config-if#ip access-group 101 in
Access Control Lists: Named access list
  Syntax:
    Config#ip access-list <standard|extended> <name>
  Ex: Standard (the ACL name is case sensitive, so the access-group must use the same spelling)
    config#ip access-list standard Internet
    (config-std-nacl)#permit 192.168.40.25 0.0.0.0
    (config-std-nacl)#permit 192.168.40.26 0.0.0.0
    config#interface e0
    config-if#ip access-group Internet in
  Ex: Extended
    config#ip access-list extended BlockVirus2
    (config-ext-nacl)#deny tcp any any eq 135
    (config-ext-nacl)#deny tcp any any eq 4899
    (config-ext-nacl)#permit ip any any
    config#interface S0
    config-if#ip access-group BlockVirus2 in
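To make the matching rules of the slides concrete (wildcard masks, first-match order, the implicit deny at the end of every list), here is an added Python evaluator that reads entries in the same form the router accepts; it is not part of the course material and does not claim to reproduce IOS beyond the forms shown above (no "host" keyword, no established, no ICMP types).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is an address with an all-ones wildcard


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _take_addr(tokens):
    """Consume 'any' or '<addr> <wildcard>' from the front of the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line, extended):
    """Parse one entry exactly as typed: standard = action src, extended = action proto src dst [op port]."""
    tokens = line.split()
    action = tokens.pop(0)                         # permit | deny
    proto = tokens.pop(0) if extended else "ip"    # standard lists match on source only
    src, tokens = _take_addr(tokens)
    dst, tokens = _take_addr(tokens) if extended else (ANY, tokens)
    op, port = (tokens[0], int(tokens[1])) if tokens else (None, None)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "op": op, "port": port}


def entry_matches(e, pkt):
    """pkt is a dict with proto, src, dst and (for tcp/udp) dport."""
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:   # 'tcp' never matches udp traffic
        return False
    if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
        return False
    if e["op"] is None:
        return True
    p, v = pkt.get("dport"), e["port"]
    if p is None:
        return False
    return {"eq": p == v, "neq": p != v, "lt": p < v, "gt": p > v}[e["op"]]


def evaluate(entries, pkt, extended):
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for line in entries:
        e = parse_entry(line, extended)
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"
```

Run the BlockVirus2 entries through it with a UDP packet to port 135 and it is permitted: the list only blocks TCP, which is the kind of gap a review of an ACL should look for.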
Well-Known Ports
  ECHO Server ---> TCP/7
  DISCARD Server ---> TCP/9
  DAYTIME Server ---> TCP/13
  CHARGEN Server ---> TCP/19
  FTP Server ---> TCP/21
  SSH Server ---> TCP/22
  Telnet Server ---> TCP/23
  SMTP Server ---> TCP/25
  DNS Server ---> TCP/53 and UDP/53
  DHCP Server ---> UDP/68
  Web Server ---> TCP/80 (HTTP)
  Secure Web Server ---> TCP/443 (HTTPS)
  POP3 Server ---> TCP/110
  IMAP Server ---> TCP/143
  SNMP Server ---> UDP/161
  LDAP Server ---> TCP/389
  Web Proxy Server ---> TCP/3128 or TCP/8080
  The Well Known Ports are those from 0 through 1023.
  http://www.iana.org/assignments/port-numbers
Network Address Translation (NAT): Static, Dynamic, Overloading
  Static NAT:
    Config#ip nat inside source static <inside local> <inside global>
    Ex:
      Config#ip nat inside source static 192.168.1.2 10.10.10.3
      Config#interface e0
      Config-if#ip nat inside
      Config#interface S0
      Config-if#ip nat outside
  #debug ip nat    (to check whether static NAT translation is actually taking place)
Example:
  routerB#debug ip nat
  00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]
  00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]
  00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]
  00:28:34: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1277]
  00:28:35: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1279]
  00:28:35: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1279]
  00:28:36: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1281]
  00:28:36: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1281]
  00:28:42: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1283]
  00:28:42: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1283]
Network Address Translation: Dynamic
  Syntax:
    Config#ip nat pool <name pool> <start ip> <end ip> netmask <netmask>
  Ex:
    Config#ip nat pool ISP 10.10.10.4 10.10.10.8 netmask 255.255.255.0
    Config#access-list 1 permit 192.168.1.0 0.0.0.255
    Config#ip nat inside source list 1 pool ISP
    Config#interface e0
    Config-if#ip nat inside
    Config#interface S0
    Config-if#ip nat outside
Network Address Translation: Overloading (PAT)
  Config#access-list 1 permit 192.168.1.0 0.0.0.255
  Config#ip nat inside source list 1 interface S0 overload
  or overloading can be done on a dynamic pool:
  Config#ip nat inside source list 1 pool <name pool> overload
  Config#interface e0
  Config-if#ip nat inside
  Config#interface S0
  Config-if#ip nat outside
Example:
  routerB#debug ip nat
  00:41:39: NAT: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1789]
  00:41:39: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1789]
  00:41:40: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1790]
  00:41:40: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1790]
  00:41:41: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1792]
  00:41:41: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1792]
  00:41:42: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1794]
  00:41:42: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1794]
  00:41:43: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1795]
  00:41:43: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1795]
  00:41:44: NAT*: s=192.168.4.2->10.10.10.2, d=192.168.1.1 [1797]
  00:41:44: NAT*: s=192.168.1.1, d=10.10.10.2->192.168.4.2 [1797]
Example:
  routerB#debug ip nat
  00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
  00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
  00:52:13: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2333]
  00:52:13: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2333]
  00:52:14: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2337]
  00:52:14: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2337]
  00:52:15: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2339]
  00:52:15: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2339]
  00:52:16: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2340]
  00:52:16: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2340]
  00:52:17: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2342]
  00:52:17: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2342]
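The three debug ip nat captures above are the evidence an operator uses to confirm a translation. This added Python parser (not part of the course material) reads lines in that exact format, rebuilds the inside-local to inside-global table, and flags outbound packets whose return packet was never untranslated; it assumes, as the captures show, that the [n] IP identification field is the same on the outbound and return line of one exchange. A line marked NAT* was handled in the fast-switched path; the first packet of a conversation goes through the process-switched path and is printed as plain NAT.

```python
import re
from collections import defaultdict

# Constructed sample, in the shape of the slides' debug ip nat output: two inside hosts
# and one outbound packet ([1277]) whose reply line is deliberately missing.
SAMPLE = """\
00:28:33: NAT: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1276]
00:28:33: NAT*: s=10.10.10.1, d=10.10.10.6->192.168.4.2 [1276]
00:28:34: NAT*: s=192.168.4.2->10.10.10.6, d=10.10.10.1 [1277]
00:52:12: NAT*: s=192.168.4.3->10.10.10.2, d=10.10.10.1 [2332]
00:52:12: NAT*: s=10.10.10.1, d=10.10.10.2->192.168.4.3 [2332]
"""

LINE = re.compile(r"^(\d+:\d+:\d+): NAT(\*?): s=(\S+), d=(\S+) \[(\d+)\]$")


def parse_line(line):
    """Return (timestamp, fast_switched, inside_local, inside_global, outside, ip_id, outbound) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, star, s, d, ip_id = m.groups()
    if "->" in s:                        # inside -> outside: source rewritten local->global
        local, glob = s.split("->")
        outside, outbound = d, True
    elif "->" in d:                      # outside -> inside: destination rewritten global->local
        glob, local = d.split("->")
        outside, outbound = s, False
    else:
        return None
    return ts, star == "*", local, glob, outside, int(ip_id), outbound


def _records(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def translation_table(text):
    """inside local -> set of inside global addresses; static NAT should give exactly one per host."""
    table = defaultdict(set)
    for rec in _records(text):
        table[rec[2]].add(rec[3])
    return dict(table)


def unanswered(text):
    """(inside local, IP id) pairs translated outbound with no matching inbound untranslation."""
    out, back = set(), set()
    for rec in _records(text):
        (out if rec[6] else back).add((rec[2], rec[5]))
    return sorted(out - back)


def fast_switched_ratio(text):
    recs = _records(text)
    return sum(r[1] for r in recs) / len(recs) if recs else 0.0
```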
Ex: Static NAT (running-config excerpt: PAT on Serial0 for list 7, plus static port translations to inside servers)
  ip nat inside source list 7 interface Serial0 overload
  ip nat inside source static tcp 192.168.42.30 5900 203.149.9.218 5900 extendable
  ip nat inside source static udp 192.168.42.30 5900 203.149.9.218 5900 extendable
  ip nat inside source static udp 192.168.42.30 5800 203.149.9.218 5800 extendable
  ip nat inside source static tcp 192.168.42.30 5800 203.149.9.218 5800 extendable
  ip nat inside source static tcp 192.168.42.2 6500 203.149.9.219 6500 extendable
  ip nat inside source static tcp 192.168.42.2 80 203.149.9.219 80 extendable
  ip nat inside source static tcp 192.168.42.5 143 203.149.9.218 143 extendable
  ip nat inside source static tcp 192.168.42.5 21 203.149.9.218 21 extendable
  ip nat inside source static tcp 192.168.42.5 20 203.149.9.218 20 extendable
  ip nat inside source static tcp 192.168.42.5 22 203.149.9.218 22 extendable
  ip nat inside source static udp 192.168.42.5 53 203.149.9.218 53 extendable
  ip nat inside source static tcp 192.168.42.5 53 203.149.9.218 53 extendable
  ip nat inside source static tcp 192.168.42.5 110 203.149.9.218 110 extendable
  ip nat inside source static tcp 192.168.42.5 25 203.149.9.218 25 extendable
  ip nat inside source static udp 192.168.42.5 22 203.149.9.218 22 extendable
  ip nat inside source static tcp 192.168.42.5 80 203.149.9.218 80 extendable