External network          Enterprise router          Internal network

R1-------S1/1-------S1/0--------R2--------S1/1--------S1/0-------R3

Dynamic Access Control List


Basic network environment setup:

R1:

Router#confi t

Router(config)#host R1

R1(config)#int s1/1

R1(config-if)#ip add 192.168.12.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#exit

R1(config)#router rip

R1(config-router)#net 192.168.12.0

R1(config-router)#end

R2:

Router>en

Router#confi t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#host R2

R2(config)#int s1/0

R2(config-if)#ip add 192.168.12.2 255.255.255.0

R2(config-if)#no shut

R2(config-if)#exit

R2(config)#int s1/1

R2(config-if)#ip add 192.168.23.1 255.255.255.0

R2(config-if)#no shut

R2(config-if)#exit

R2(config)#router rip

R2(config-router)#net 192.168.12.0

R2(config-router)#net 192.168.23.0

R2(config-router)#end

R3:

Router>en

Router#confi t

Router(config)#host R3

R3(config)#int s1/0

R3(config-if)#ip add 192.168.23.2 255.255.255.0

R3(config-if)#no shut

R3(config-if)#exit

R3(config)#router rip

R3(config-router)#net 192.168.23.0

R3(config-router)#end

Configure telnet:

R1(config)#enable password 123

R1(config)#line vty 0 4

R1(config-line)#password 123

R1(config-line)#login

R1(config-line)#exit

R1(config)#exit

R3(config)#enable password 123

R3(config)#line vty 0 4

R3(config-line)#password 123

R3(config-line)#login

R3(config-line)#end

Test:

R1#ping 192.168.23.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/28 ms

R1#telnet 192.168.23.2

Trying 192.168.23.2 ... Open

User Access Verification

Password:

R3>en

Password:

R3:

R3#ping 192.168.12.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/26/44 ms

R3#telnet 192.168.12.1

Trying 192.168.12.1 ... Open

User Access Verification

Password:

R1>en

Password:

R1#

Now configure the dynamic ACL:

R2(config)#access-list 100 permit tcp any host 192.168.12.2 eq 23    opens telnet's default port 23

R2(config)#access-list 100 permit tcp any host 192.168.12.2 eq 3001    opens telnet on port 3001

R2(config)#access-list 100 dynamic jintian timeout 120 permit ip any any

R2(config)#user cisco password huawei    creates the local database entry: username and password

R2(config)#line vty 0 3

R2(config-line)#login local    specifies the authentication method used at telnet login: local authentication

R2(config-line)#autocommand access-enable host timeout 5

R2(config-line)#line vty 4

R2(config-line)#login local

R2(config-line)#rotary 1

R2(config-line)#int s1/0

R2(config-if)#ip access-group 100 in

R2(config-if)#exit


Explanation:

R2(config)#access-list 100 dynamic jintian timeout 120 permit ip any any

Creates the dynamic ACL: access-list <number> dynamic <name>

jintian: the name of the dynamic ACL

timeout 120: the absolute timeout of the dynamic ACL.

autocommand access-enable host timeout 5: the idle timeout, i.e. how long access remains allowed after the access control list has been matched, counted from the last matching traffic
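To make the two timers and the top-down evaluation concrete, here is an added Python model of access-list 100 as applied inbound on R2's s1/0 above (example code, not from the original write-up or from Cisco). The clock is a constructed count of minutes since the lab started; `LockAndKeyACL` and `DynamicEntry` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class DynamicEntry:
    """One instantiated 'permit ip host <src> any' line under the jintian template."""
    src: str
    created: float    # minutes since lab start (constructed clock)
    last_hit: float   # last time a packet matched this entry
    absolute: float   # access-list 100 dynamic jintian timeout 120
    idle: float       # autocommand access-enable host timeout 5

    def active(self, now):
        # the entry dies when EITHER timer runs out
        return now - self.created < self.absolute and now - self.last_hit < self.idle


class LockAndKeyACL:
    """Model of access-list 100 on R2 (hypothetical class, constructed for this page)."""

    def __init__(self, router_ip="192.168.12.2", absolute=120, idle=5):
        # lines 10 and 20: telnet to R2 itself, on port 23 and on port 3001
        self.static = [("tcp", router_ip, 23), ("tcp", router_ip, 3001)]
        self.absolute, self.idle = absolute, idle
        self.dynamic = {}  # src host -> DynamicEntry (shown by IOS as List#100-jintian)

    def access_enable(self, src, now):
        """What 'autocommand access-enable host timeout 5' does once 'login local' succeeds."""
        cur = self.dynamic.get(src)
        if cur and cur.active(now):
            return "% List#100-jintian already contains this IP address pair"
        self.dynamic[src] = DynamicEntry(src, now, now, self.absolute, self.idle)
        return f"permit ip host {src} any"

    def permit(self, proto, src, dst, dport, now):
        """Evaluate one inbound packet top-down; False is the implicit deny at the end."""
        for p, d, port in self.static:
            if proto == p and dst == d and dport == port:
                return True
        entry = self.dynamic.get(src)   # line 30, instantiated per authenticated host
        if entry and entry.active(now):
            entry.last_hit = now         # matching traffic restarts the idle timer
            return True
        return False
```

Before R1 authenticates, only telnet to R2 itself passes; after it authenticates, R1's own IP gets a host-specific permit that lapses after 5 idle minutes or 120 minutes in total.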

Test: the external network can no longer reach the internal network.

R1#ping 192.168.23.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

R1#telnet 192.168.23.2

Trying 192.168.23.2 ...

% Destination unreachable; gateway or host down

R1#

Now try to telnet to the enterprise internal router:

R1#telnet 192.168.12.2

Trying 192.168.12.2 ... Open

User Access Verification

Username: cisco

Password:

% List#100-jintian already contains this IP address pair    already logged in

[Connection to 192.168.12.2 closed by foreign host]    connection closed

R1#

The external network tries to connect to the internal network again:

R1#ping 192.168.23.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/29/56 ms

R1#telnet 192.168.23.2

Trying 192.168.23.2 ... Open

User Access Verification

Password:

R3>

The external network can now reach the internal network.

Check R2:

R2#show ip access-lists

Extended IP access list 100

10 permit tcp any host 192.168.12.2 eq telnet (330 matches)

20 permit tcp any host 192.168.12.2 eq 3001

30 Dynamic jintian permit ip any any

permit ip host 192.168.12.1 any (18 matches) (time left 44)

The telnet session to 192.168.12.2 has been closed. If the enterprise router needs to be managed remotely at this point, it can be tested as follows:

R1#telnet 192.168.12.2 3001

Trying 192.168.12.2, 3001 ... Open

User Access Verification

Username:

Username: cisco

Password:

R2>

The dynamic ACL lab is complete.