Example of configuring a Named ACL
Access lists define a set of rules that control packets entering an interface and packets leaving an interface.
Standard ACLs do not specify destination addresses and should be placed close to the destination.
Extended ACLs can match on destination IP, source IP, protocol and port, and should be placed close to the source of the traffic.
Router(config)#ip access-list standard 1
Router(config-std-nacl)#permit 192.168.10.1
Router(config-std-nacl)#deny any
Router(config-std-nacl)#exit
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255 eq ssh
^
Router(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255 eq ?
<0-65535> Port number
domain Domain Name Service (DNS, 53)
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
Router(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255 eq domain ?
established established
<cr>
Router(config-ext-nacl)#permit tcp any 192.168.10.0 0.0.0.255 eq domain established
Router(config-ext-nacl)#deny ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Router(config-ext-nacl)#deny tcp any any
Router(config-ext-nacl)#deny udp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Router(config-ext-nacl)#deny udp any 192.168.10.0 0.0.0.255 ?
eq Match only packets on a given port number
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
<cr>
Router(config-ext-nacl)#deny udp any 192.168.10.0 0.0.0.255 lt 1023
Router(config-ext-nacl)#10 permit udp 192.168.10.23 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Router(config-ext-nacl)#10 permit udp 192.168.10.23 0.0.0.255 lt ?
<0-65535> Port number
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
domain Domain Name Service (DNS, 53)
isakmp Internet Security Association and Key Management Protocol (500)
non500-isakmp Internet Security Association and Key Management Protocol (4500)
snmp Simple Network Management Protocol (161)
tftp Trivial File Transfer Protocol (69)
In the router's running configuration it looks like this:
show run
access-list 1 permit host 192.168.10.1
access-list 1 deny any
access-list 100 permit udp 192.168.10.0 0.0.0.255 lt domain any
access-list 100 permit tcp any 192.168.10.0 0.0.0.255 eq domain established
access-list 100 deny tcp any any
access-list 100 deny udp any 192.168.10.0 0.0.0.255 lt 1023
Apply the lists to the router's interfaces:
Router(config)#interface gigabitEthernet 0/0/0
Router(config-if)#ip access-group 1 in
Router(config-if)#ip access-group 100 out
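As an added illustration that is not part of the original post, the following Python models how IOS walks an extended ACL top-down: the wildcard-mask comparison, the optional port qualifiers, the established keyword and the implicit deny at the end. It parses ACL 100 exactly as shown in the running configuration above; the packets used to exercise it (in the checks below) are constructed for the example.

```python
import ipaddress
# Port keywords from the IOS help output above, mapped to numbers (subset).
PORT_NAMES = {"domain": 53, "ftp": 21, "smtp": 25, "www": 80, "telnet": 23, "pop3": 110}

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port_op(tok):
    """Consume an optional 'eq|lt|gt|neq PORT' qualifier; return (op, port) or None."""
    if tok and tok[0] in ("eq", "lt", "gt", "neq"):
        op, p = tok.pop(0), tok.pop(0)
        return op, PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None

def parse_ace(line):
    """Parse an extended 'access-list N action proto src [op] dst [op] [established]' line."""
    t = line.split()
    tok = t[4:]                                # everything after the protocol keyword
    r = {"action": t[2], "proto": t[3], "established": "established" in tok}
    r["src"], r["sport"] = _addr(tok), _port_op(tok)  # a qualifier right after the source is a SOURCE port
    r["dst"], r["dport"] = _addr(tok), _port_op(tok)
    return r

def _in(addr, spec):
    """Wildcard match: every bit where the wildcard is 0 must equal the network bit."""
    return ((int(ipaddress.IPv4Address(addr)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
def _port_ok(op, port):
    return op is None or {"eq": port == op[1], "lt": port < op[1],
                          "gt": port > op[1], "neq": port != op[1]}[op[0]]
def evaluate(rules, pkt):
    """First match wins; no match falls through to the implicit 'deny ip any any'."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"]) and _in(pkt["src"], r["src"]) and _in(pkt["dst"], r["dst"])
                and _port_ok(r["sport"], pkt.get("sport", 0)) and _port_ok(r["dport"], pkt.get("dport", 0))
                and (not r["established"] or pkt.get("ack", False))):  # 'established' needs ACK or RST set
            return r["action"]
    return "deny"

# ACL 100 exactly as it appears in 'show run' above (applied outbound on Gi0/0/0).
ACL_100 = [parse_ace(l) for l in """\
access-list 100 permit udp 192.168.10.0 0.0.0.255 lt domain any
access-list 100 permit tcp any 192.168.10.0 0.0.0.255 eq domain established
access-list 100 deny tcp any any
access-list 100 deny udp any 192.168.10.0 0.0.0.255 lt 1023""".splitlines()]
```

Note that in the first entry the lt domain qualifier was typed right after the source address, so it restricts the source port, not the destination port: a DNS query leaving the LAN with an ephemeral source port matches nothing and falls through to the implicit deny.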