I. Lab environment

Lab topology
(figure: 28320-t2rh0s4v898.png)

Address plan
(figure: 23712-1r6s5rfmvs1.png)

Lab objectives

· Verify connectivity among devices before firewall configuration.
· Use ACLs to ensure remote access to the routers is available only from management station PC-C.
· Configure ACLs on R1 and R3 to mitigate attacks.
· Verify ACL functionality.

II. Configuration process

1. Configure ACL 10 to block all remote access to the routers except from PC-C.

R1(config)#access-list 10 permit host 192.168.3.3
R2(config)#access-list 10 permit host 192.168.3.3
R3(config)#access-list 10 permit host 192.168.3.3

2. Use the access-class command to apply the access list to incoming traffic on the VTY lines.

R1(config)#line vty 0 4 
R1(config-line)#access-class 10 in
R2(config)#line vty 0 4 
R2(config-line)#access-class 10 in
R3(config)#line vty 0 4 
R3(config-line)#access-class 10 in

3. Configure ACL 100 to block all specified traffic from the outside network.
On R3, block all packets whose source IP address falls in any of the following ranges: 127.0.0.0/8, any RFC 1918 private address, and any IP multicast address.

R3(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)#access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)#access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)#access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)#access-list 100 permit ip any any

4. Use the ip access-group command to apply the access list to incoming traffic on interface Serial 0/0/1.

R3(config)#interface serial 0/0/1
R3(config-if)#ip access-group 100 in

// After verification, the ACL can be removed from the interface again with no ip access-group 100

5. Configure ACL 110 to permit only traffic from the inside network.

R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 any

6. Use the ip access-group command to apply the access list to incoming traffic on interface F0/1.

R3(config)#interface fastEthernet 0/1
R3(config-if)#ip access-group 110 in

7. Configure ACL 120 to specifically permit and deny the specified traffic.
Permit any outside host to access DNS, SMTP, and FTP services on server PC-A, deny any outside host access to HTTPS services on PC-A, and permit PC-C to access R1 via SSH.

R1(config)#access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq smtp
R1(config)#access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)#access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)#access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22

8. Use the ip access-group command to apply the access list to incoming traffic on interface S0/0/0.

R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 120 in

9. Permit ICMP echo replies and destination unreachable messages from the outside network (relative to R1).

R1(config)#access-list 120 permit icmp any any echo-reply 
R1(config)#access-list 120 permit icmp any any unreachable
R1(config)#access-list 120 deny icmp any any
R1(config)#access-list 120 permit ip any any
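The following is an added example, not code from the lab or from Cisco: a small Python evaluator for the numbered ACLs configured in steps 1, 3, 5, 7 and 9. It parses the literal `access-list` lines from the write-up, applies the rules a router applies (top-down first match, wildcard masks, implicit deny when no entry matches) and returns the verdict for a constructed packet. The `Packet` class, the packet values, and the `PORT_NAMES` table are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used on the page's ACL lines (keyword -> port number); assumed table
PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "ssh": 22, "www": 80, "telnet": 23}
ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard matches every address

# ACL entries copied verbatim from the write-up (ACLs 10, 100, 110 and 120)
ACL_TEXT = """
access-list 10 permit host 192.168.3.3
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 120 permit udp any host 192.168.1.3 eq domain
access-list 120 permit tcp any host 192.168.1.3 eq smtp
access-list 120 permit tcp any host 192.168.1.3 eq ftp
access-list 120 deny tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any
"""

@dataclass
class Packet:                        # constructed packet model for this example
    src: str
    dst: str
    proto: str = "ip"                # ip | tcp | udp | icmp
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # IOS keyword such as echo-reply

def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net, wild = int(ipaddress.IPv4Address(tokens[i])), 0
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:  # explicit wildcard mask
        wild, i = int(ipaddress.IPv4Address(tokens[i + 1])), i + 1
    return (net, wild), i + 1

def parse_acls(text):
    """Return {acl_number: [rule, ...]} with rules kept in configuration order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number = int(t[1])
        rule = {"action": t[2], "proto": "ip", "src": ANY, "dst": ANY, "dport": None, "icmp_type": None}
        if number < 100:           # standard ACL: matches on source address only
            rule["src"], _ = _parse_addr(t, 3)
        else:                      # extended ACL: proto src dst [eq port | icmp-type]
            rule["proto"] = t[3]
            rule["src"], i = _parse_addr(t, 4)
            rule["dst"], i = _parse_addr(t, i)
            rest = t[i:]
            if rest[:1] == ["eq"]:
                rule["dport"] = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            elif rest and rule["proto"] == "icmp":
                rule["icmp_type"] = rest[0]
        acls.setdefault(number, []).append(rule)
    return acls

def _addr_match(spec, address):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(address)) ^ net) & (~wild & 0xFFFFFFFF) == 0

def evaluate(acls, number, pkt):
    """Top-down, the first matching entry decides; nothing matched means the implicit deny."""
    for rule in acls[number]:
        if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
            continue
        if not (_addr_match(rule["src"], pkt.src) and _addr_match(rule["dst"], pkt.dst)):
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.dport:
            continue
        if rule["icmp_type"] is not None and rule["icmp_type"] != pkt.icmp_type:
            continue
        return rule["action"]
    return "deny"  # every IOS ACL ends with an invisible "deny any"

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for number, pkt in [   # constructed packets, one per interesting case
        (10, Packet("192.168.1.3", "10.1.1.1")),                  # PC-A to the VTY lines: deny
        (100, Packet("172.32.1.1", "192.168.3.3")),               # just outside 172.16/12: permit
        (110, Packet("10.9.9.9", "192.168.1.3")),                 # spoofed inside source: deny
        (120, Packet("192.168.2.1", "192.168.1.3", "tcp", 443)),  # HTTPS to PC-A: deny
    ]:
        print(f"ACL {number:>3}: {evaluate(acls, number, pkt):<6} {pkt}")
```

Running the evaluator over the lab's own addresses makes two things visible that the step text does not spell out. First, while ACL 100 is inbound on R3's S0/0/1, packets from the lab's own 192.168.1.0/24 and 192.168.2.0/24 networks are dropped too, because those are RFC 1918 addresses; that is the reason the note after step 4 says the ACL can be removed once verified. Second, ACL 120 ends with `permit ip any any`, so an SSH connection to 10.1.1.1 from any outside host passes ACL 120; the restriction of remote access to PC-C is enforced only by `access-class 10` on the VTY lines, which is why step 2 matters on all three routers.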

Complete lab configuration


R1 running-config
Building configuration…

Current configuration : 1642 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R1
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username SSHadmin privilege 15 secret 5 11mERr$OBJ1/J.XbT5.JhwNHVc7p/
!
!
!
!
!
!
!
!
ip ssh version 2
ip domain-name ccnasecurity.com
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip access-group 120 in
clock rate 128000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
ip flow-export version 9
!
!
access-list 10 permit host 192.168.3.3
access-list 120 permit udp any host 192.168.1.3 eq domain
access-list 120 permit tcp any host 192.168.1.3 eq smtp
access-list 120 permit tcp any host 192.168.1.3 eq ftp
access-list 120 deny tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any
!
!
!
!
!
!
logging trap debugging
line con 0
exec-timeout 0 0
password 7 0822455D0A1606181C1B0D517F
login
!
line aux 0
!
line vty 0 4
access-class 10 in
password 7 0822455D0A1613030B1B0D517F
login local
transport input ssh
!
!
ntp update-calendar
!
end


R2 running-config
Building configuration…

Current configuration : 1263 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R2
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username SSHadmin privilege 15 secret 5 11mERr$OBJ1/J.XbT5.JhwNHVc7p/
!
!
!
!
!
!
!
!
ip ssh version 2
ip domain-name ccnasecurity.com
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
clock rate 128000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1
!
ip flow-export version 9
!
!
access-list 10 permit host 192.168.3.3
!
!
!
!
!
!
logging trap debugging
line con 0
exec-timeout 0 0
password 7 0822455D0A1606181C1B0D517F
login
!
line aux 0
!
line vty 0 4
access-class 10 in
password 7 0822455D0A1613030B1B0D517F
login local
transport input ssh
!
!
ntp update-calendar
!
end


R3 running-config
Building configuration…

Current configuration : 1520 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R3
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username SSHadmin privilege 15 secret 5 11mERr$OBJ1/J.XbT5.JhwNHVc7p/
!
!
!
!
!
!
!
!
ip ssh version 2
ip domain-name ccnasecurity.com
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
ip access-group 110 in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
ip flow-export version 9
!
!
access-list 10 permit host 192.168.3.3
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
!
!
!
!
!
!
logging trap debugging
line con 0
exec-timeout 0 0
password 7 0822455D0A1606181C1B0D517F
login
!
line aux 0
!
line vty 0 4
access-class 10 in
password 7 0822455D0A1613030B1B0D517F
login local
transport input ssh
!
!
ntp update-calendar
!
end
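As an added example (not part of the lab write-up), the following Python audit checks a running-config of the kind shown above for the mistakes that make an ACL lab silently ineffective: an ACL referenced by `ip access-group` or `access-class` but never defined, an ACL defined but applied nowhere, and VTY lines without an `access-class` or without `transport input ssh`. `R3_CONFIG` is a constructed, trimmed excerpt of the R3 running-config above, with the one-space child indentation that IOS prints (the configs reproduced on this page lost that indentation in extraction); `parse_config` and `audit` are this example's own helpers.

```python
# Constructed excerpt of the R3 running-config above (trimmed to the relevant lines)
R3_CONFIG = """\
hostname R3
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 ip access-group 110 in
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
access-list 10 permit host 192.168.3.3
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

def parse_config(text):
    """Group a running-config into {block header: [indented child lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":        # '!' separates blocks in IOS output
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit(text):
    """Return a list of human-readable findings (an empty list means nothing to report)."""
    blocks = parse_config(text)
    defined = {h.split()[1] for h in blocks if h.startswith("access-list ")}
    applied, findings = {}, []           # acl number -> list of places it is applied
    for header, children in blocks.items():
        if header.startswith("interface "):
            for c in children:
                if c.startswith("ip access-group "):
                    _, _, num, direction = c.split()
                    applied.setdefault(num, []).append(f"{header} {direction}")
        elif header.startswith("line vty"):
            classes = [c.split()[1] for c in children if c.startswith("access-class ")]
            if not classes:
                findings.append(f"{header}: no access-class, remote logins are not restricted by source")
            for num in classes:
                applied.setdefault(num, []).append(f"{header} access-class")
            if "transport input ssh" not in children:
                findings.append(f"{header}: transport input is not restricted to ssh")
    for num in sorted(applied):
        if num not in defined:
            findings.append(f"access-list {num} is applied ({', '.join(applied[num])}) but never defined")
    for num in sorted(defined - set(applied)):
        findings.append(f"access-list {num} is defined but not applied anywhere")
    return findings

if __name__ == "__main__":
    for finding in audit(R3_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the excerpt, the only finding is that ACL 100 is defined but not applied, which matches the final R3 configuration above: Serial0/0/1 carries no `ip access-group 100 in`, consistent with the note after step 4 that the ACL was removed after verification. Editing the excerpt so that FastEthernet0/1 references a non-existent ACL 101 produces the more serious finding, a typo that leaves the interface unfiltered while the config still looks complete.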