ACL Access Policy

R01 is the inside router; its lo0 plays the PC client: 11.11.11.1/24
R03 is the outside router; its lo0 plays the internet server: 22.22.22.1/24
R07 is the DMZ router; its lo0 plays the DMZ server: 33.33.33.1/24
R02 simulates the firewall:
e0/0 is the inside interface: 1.1.1.1/30
e0/1 is the outside interface: 2.2.2.1/30
s2/0 is the DMZ interface: 3.3.3.1/30
Lab objectives:
1. R01 can telnet to 22.22.22.1 in the DMZ zone;
2. R03 cannot telnet to R07;
3. R07 cannot initiate connections to R01 or R03;
4. ICMP is enabled on R07.
R2-FW# show run
Building configuration...
Current configuration : 2012 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-FW
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
!
!
ip cef
no ip domain lookup
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 3.3.3.1 255.255.255.248
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 ip address 2.2.2.1 255.255.255.0
 ip access-group test out
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 11.11.11.0 255.255.255.0 1.1.1.2
ip route 22.22.22.0 255.255.255.0 2.2.2.2
ip route 33.33.33.0 255.255.255.0 3.3.3.2
!
**************************************************************************
ip access-list extended test
 permit tcp host 1.1.1.2 host 22.22.22.1 eq telnet
 permit icmp any host 22.22.22.1
// Here 1.1.1.2 is R01's interface address; in practice it can be replaced with the client's IP address, or with the translated public address provided by the peer side.
**************************************************************************
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password 222
 logging synchronous
 login
line aux 0
line vty 0
 password 111
 login
line vty 1 4
 login
!
exception data-corruption buffer truncate
end
R2-FW#
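The extended ACL `test` above is evaluated top-down: the first matching entry decides, and anything that matches nothing falls to IOS's implicit `deny ip any any` at the end of the list. The following evaluator is an added example (not code from the original post or from Cisco): it parses entries in the syntax used on this page, plus the address-and-wildcard form the comment hints at when it talks about substituting the client's address, and shows which flows the `test` list actually lets through. `Packet`, `PORT_NAMES` and all sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IOS port keywords accepted after "eq" (only the ones needed here; assumed, not a full table)
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}

@dataclass
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port; 0 for icmp

def _parse_addr(t, i):
    """One address term of an ACE: 'any', 'host A', or 'A WILDCARD' (wildcard = inverted mask)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    # ipaddress accepts a hostmask string, which is exactly what a contiguous wildcard mask is
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (only a destination 'eq' is handled)."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return t[0], t[1], src, dst, dport  # (action, protocol, src_net, dst_net, dport)

def evaluate(acl, pkt):
    """First matching ACE decides; no match falls through to the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", pkt.proto) and s in src and d in dst
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"

# The ACL exactly as it appears in the R2-FW configuration above
ACL_TEST = [parse_ace(l) for l in ("permit tcp host 1.1.1.2 host 22.22.22.1 eq telnet",
                                   "permit icmp any host 22.22.22.1")]

if __name__ == "__main__":
    # Constructed flows: the permitted telnet; telnet from the client's own address (denied
    # until 1.1.1.2 is swapped for it, as the comment says); ICMP to the server; an HTTP miss
    for pkt in (Packet("tcp", "1.1.1.2", "22.22.22.1", 23), Packet("tcp", "11.11.11.1", "22.22.22.1", 23),
                Packet("icmp", "33.33.33.1", "22.22.22.1"), Packet("tcp", "1.1.1.2", "22.22.22.1", 80)):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(ACL_TEST, pkt))
```

Because the list is applied outbound on Serial2/0 only, it governs just the traffic leaving toward 2.2.2.2; a telnet sourced from the client's real address (11.11.11.1) is dropped until the entry is widened, for example to `permit tcp 11.11.11.0 0.0.0.255 host 22.22.22.1 eq telnet`.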
Reposted from: https://blog.51cto.com/51you/665536