Lab 39: Dynamic ACL
1. Lab objectives
Through this lab you will master:
1) How a dynamic ACL works
2) Configuring a dynamic ACL
3) Debugging a dynamic ACL
2. Topology
The lab topology is shown in the figure.
 
3. Lab steps
Note: a dynamic ACL is a Cisco IOS security feature that lets a user temporarily open a hole in the firewall without breaking the other security restrictions that are already configured.
 
 
This lab requires that if the network segment where PC0 resides wants to access the WWW service of router R1
r0(config)#int f1/0
r0(config-if)#ip add 192.168.64.10 255.255.255.0
r0(config-if)#no sh
r0(config-if)#do ping 192
*Mar  1 00:10:48.919: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:10:49.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
r0(config-if)#do ping 192.168.64.134
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.134, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/18/36 ms
r0(config-if)#exit
r0(config)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar  1 00:11:19.499: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:11:20.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#
*Mar  1 00:11:43.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r0(config-if)#
*Mar  1 00:12:13.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#exit
r0(config)#router eigrp 1
r0(config-router)#no au
r0(config-router)#net 172.16.1.0
r0(config-router)#net
*Mar  1 00:14:19.343: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
r0(config-router)#net 192.168.64.0
r0(config-router)#
r0(config-router)#do ping 1.1.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/60 ms
r0(config-router)#do ping 192.168.64.134
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/23/40 ms
r0(config-router)#exit
r0(config-if)#exit
*Mar  1 00:31:15.763: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
 
 
 
R1(config)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#
*Mar  1 00:12:17.699: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar  1 00:12:18.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
R1(config-if)#exit
r1(config)#router eigrp 1
r1(config-router)#no au
r1(config-router)#net 172.16.2.0  
r1(config-router)#net 1.1.1.0
r1(config-router)#net 172.16.1.0
r1(config-router)#exit
r1(config)#
*Mar  1 00:13:59.363: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.2 (Serial0/1) is up: new adjacency
r1(config)#
*Mar  1 00:14:18.843: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.16.1.2      YES manual up                    up     
Serial0/1                  172.16.2.1      YES manual up                    up     
Serial0/2                  unassigned      YES unset  administratively down down   
Serial0/3                  unassigned      YES unset  administratively down down   
Loopback1                  1.1.1.1         YES manual up                    up     
r1(config)#$ 101 permit tcp  host 192.168.64.134 host 1.1.1.1 eq www        
r1(config)#$ 101 dynamic test timeout 100 permit tcp  host 192.168.64.134 host 1.1.1.1 eq www // "dynamic" defines the dynamic ACL, "timeout" defines the absolute timeout of the dynamic ACL
 
r1(config)#int s0/0
r1(config-if)#ip access-group 101 in
r1(config-if)#do ping 172.16.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/22/52 ms
r1(config-if)#
*Mar  1 00:31:10.871: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: holding time expired
r1(config-if)#
Success rate is 0 percent (0/5)
r1(config-if)#do sh access-list 101
Extended IP access list 101
    10 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
    20 Dynamic test permit tcp host 192.168.64.134 host 1.1.1.1 eq www
At this point, accessing the web service at 1.1.1.1 from host 192.168.64.134 succeeds.
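As an added illustration (not part of the lab text), a small Python model of how IOS evaluates the lab's ACL 101: top-down first match, a lock-and-key dynamic entry that stays closed until it is opened and closes again once the absolute timeout from `timeout 100` (minutes) expires, and the implicit deny at the end. It makes two things visible that the lab output only hints at: static line 10 already permits the same flow, so line 20 never takes effect, and because nothing permits EIGRP, the ACL applied inbound on s0/0 drops R0's hellos, which is the `%DUAL-5-NBRCHANGE ... is down: holding time expired` message shown above. The `activate` step stands in for IOS opening the entry after the user authenticates (the lab does not show that step), and the EIGRP packet and clock values are constructed samples.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Ace:  # one entry of an extended ACL, static or lock-and-key dynamic
    seq: int
    proto: str                  # "tcp", "ip", or an IP protocol number such as "88"
    src: str
    dst: str
    dport: int | None = None
    dynamic: str | None = None  # name from "dynamic <name>"; None for a static entry
    timeout_min: int = 0        # absolute timeout from "timeout N" (minutes)
    activated_at: float | None = None  # simulated clock in minutes; None = not yet opened

    def matches(self, pkt: dict, now: float) -> bool:
        if self.dynamic is not None:  # dynamic: closed until opened, closed again after timeout
            if self.activated_at is None or now - self.activated_at >= self.timeout_min:
                return False
        return (self.proto in ("ip", pkt["proto"])
                and self.src == pkt["src"] and self.dst == pkt["dst"]
                and (self.dport is None or self.dport == pkt.get("dport")))

def evaluate(acl: list[Ace], pkt: dict, now: float = 0.0) -> tuple[str, int | None]:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(pkt, now):
            return "permit", ace.seq
    return "deny", None

def activate(acl: list[Ace], name: str, now: float) -> None:
    """Opens the named dynamic entry, as IOS does once the user has authenticated."""
    for ace in acl:
        if ace.dynamic == name:
            ace.activated_at = now

def acl_101() -> list[Ace]:  # ACL 101 as "show access-list 101" printed it in the lab
    return [Ace(10, "tcp", "192.168.64.134", "1.1.1.1", 80),
            Ace(20, "tcp", "192.168.64.134", "1.1.1.1", 80, dynamic="test", timeout_min=100)]

WWW = {"proto": "tcp", "src": "192.168.64.134", "dst": "1.1.1.1", "dport": 80}
EIGRP_HELLO = {"proto": "88", "src": "172.16.1.1", "dst": "224.0.0.10"}  # constructed sample
if __name__ == "__main__":
    acl = acl_101()
    print(evaluate(acl, WWW))          # ('permit', 10): static line 10 already opens it
    print(evaluate(acl, EIGRP_HELLO))  # ('deny', None): implicit deny drops R0's hellos
    dyn_only = [a for a in acl if a.dynamic]   # the same ACL without static line 10
    print(evaluate(dyn_only, WWW, now=0))      # ('deny', None): closed until authenticated
    activate(dyn_only, "test", now=5)
    print(evaluate(dyn_only, WWW, now=50))     # ('permit', 20)
    print(evaluate(dyn_only, WWW, now=105))    # ('deny', None): 100-minute absolute timeout hit
```

Running it with only the dynamic entry shows the behaviour the lab's ACL cannot exhibit as written: the hole is closed before authentication, open afterwards, and closed again when the absolute timeout is reached.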
 
 
r2(config)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#
*Mar  1 00:09:52.643: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:09:53.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#
*Mar  1 00:10:22.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r2(config-if)#
*Mar  1 00:12:22.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#exit
r2(config)#router eigrp
% Incomplete command.
 
r2(config)#router eigrp 1
r2(config-router)#no au
r2(config-router)#net 172.16.2.0
r2(config-router)#no
*Mar  1 00:13:59.039: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is up: new adjacency
r2(config-router)#