Sunday, February 23, 2014

Extended Access Control List

This lab configures an extended access control list: only host C3 (IP 192.168.1.3/24) is permitted to reach server S1 (IP 172.22.0.10/24) on TCP port 80, and every other host is denied access to S1 on port 80 while all other traffic is still allowed.


C1> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=79.000 ms


C1> ping 172.22.0.10 -3 -p 80
*192.168.1.254 tcp_seq=1 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=3 ttl=255 time=79.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.254 tcp_seq=5 ttl=255 time=63.000 ms (ICMP type:3, code:13, Communication administratively prohibited)



C3> ping 172.22.0.10
172.22.0.10 icmp_seq=1 timeout
172.22.0.10 icmp_seq=2 ttl=63 time=78.000 ms
172.22.0.10 icmp_seq=3 ttl=63 time=62.000 ms
172.22.0.10 icmp_seq=4 ttl=63 time=63.000 ms
172.22.0.10 icmp_seq=5 ttl=63 time=79.000 ms



C3> ping 172.22.0.10 -3 -p 80
Connect   80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
SendData  80@172.22.0.10 seq=1 ttl=63 time=63.000 ms
Close     80@172.22.0.10 seq=1 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=2 ttl=63 time=93.000 ms
SendData  80@172.22.0.10 seq=2 ttl=63 time=62.000 ms
Close     80@172.22.0.10 seq=2 ttl=63 time=78.000 ms
Connect   80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=3 ttl=63 time=78.000 ms
Close     80@172.22.0.10 seq=3 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
SendData  80@172.22.0.10 seq=4 ttl=63 time=63.000 ms
Close     80@172.22.0.10 seq=4 ttl=63 time=94.000 ms
Connect   80@172.22.0.10 seq=5 ttl=63 time=78.000 ms
SendData  80@172.22.0.10 seq=5 ttl=63 time=79.000 ms
Close     80@172.22.0.10 seq=5 ttl=63 time=125.000 ms



=======================================

extacl#
extacl#sh access-lists 100
Extended IP access list 100
    10 permit tcp host 192.168.1.3 host 172.22.0.10 eq www (25 matches)
    20 deny tcp any host 172.22.0.10 eq www (6 matches)
    30 permit ip any any (5 matches)

extacl#

=======================================
!
hostname extacl
!

!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 ip access-group 100 out
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit tcp host 192.168.1.3 host 172.22.0.10 eq www
access-list 100 deny   tcp any host 172.22.0.10 eq www
access-list 100 permit ip any any

!
!
!
end
=======================================
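As an added illustration that is not part of the original lab (and not IOS code), the following Python simulator reproduces the first-match evaluation the router applies to access-list 100 above. It assumes C1's address is 192.168.1.1 (the lab does not state it) and only handles contiguous wildcard masks; it also shows the implicit deny that would bite if the final `permit ip any any` were left out.

```python
import ipaddress

# The three ACEs copied from the lab's running config; everything else here is
# an added simulator, not IOS code. Only contiguous wildcard masks are handled.
ACL_100 = [
    "access-list 100 permit tcp host 192.168.1.3 host 172.22.0.10 eq www",
    "access-list 100 deny   tcp any host 172.22.0.10 eq www",
    "access-list 100 permit ip any any",
]
PORT_NAMES = {"www": 80}

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a dotted hostmask (= Cisco wildcard) after the slash.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def take_port(tokens):
    """Consume an optional 'eq <port|name>' operator; return int port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(PORT_NAMES.get(name, name))
    return None

def parse_ace(line):
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, sport = take_addr(rest), take_port(rest)
    dst, dport = take_addr(rest), take_port(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First match wins, as on IOS; no match falls through to the implicit deny."""
    for seq, ace in enumerate(acl, 1):
        action, aproto, asrc, asport, adst, adport = parse_ace(ace)
        if aproto != "ip" and aproto != proto:
            continue
        if ipaddress.ip_address(src) not in asrc or ipaddress.ip_address(dst) not in adst:
            continue
        if asport not in (None, sport) or adport not in (None, dport):
            continue
        return action, seq * 10  # seq*10 mirrors the 'show access-lists' numbering
    return "deny", None  # the implicit 'deny ip any any' at the end of every ACL
```

Calling `evaluate(ACL_100, "tcp", "192.168.1.1", "172.22.0.10", dport=80)` returns `('deny', 20)`, which is the ACE whose match counter grew during C1's port-80 pings, while the same call for 192.168.1.3 returns `('permit', 10)`.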

