---------------------------------------------------------------------------------

Extended Access-list

 

Blocking ping from outside to inside with an extended access list

[r2]

! blocks ping (ICMP echo requests)
access-list 100 deny icmp any any echo

access-list 100 permit ip any any

int s1/0.23

ip access-group 100 in

 

Mitigating smurf attacks

[r2]

access-list 100 permit icmp any any echo

access-list 100 permit icmp any any echo-reply

int s1/0.23

rate-limit input access-group 100 8000 32000 32000 conform-action transmit exceed-action drop

 

Blocking ping between inside and outside through r2 with an extended named access list

[r2]

ip access-list extended CUTP

deny icmp any any echo

deny icmp any any echo-reply

permit ip any any

int s1/0.23

no ip access-group 100 in

ip access-group CUTP in

 

 

Block internet access on weekdays 09:00 to 18:00 (dns:53) (blocks tcp and udp)

[r2]

time-range WORK_ONLY

periodic weekdays 09:00 to 18:00

exit

no access-list 100

access-list 100 deny udp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 53

access-list 100 deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 80

access-list 100 deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 21

ftp : 20 control, 21 data

access-list 100 deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 23

access-list 100 permit ip any any

int s1/0.23

ip access-group 100 in

 

DNS : 53, http : 80, telnet : 23, ftp : 20 data / 21 control, https : 443

Change the R2 access-list to a named one and deny internet access only during working hours

ip access-list extended NOWORK

deny udp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 53

deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 80 time-range WORK_ONLY

deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 443 time-range WORK_ONLY

deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 21

ftp : 20 control, 21 data

deny tcp 17.17.44.0 0.0.0.255 host 17.17.11.100 eq 23

permit ip any any

int s1/0.23

no ip access-group 100 in

ip access-group NOWORK in
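To see how the NOWORK list above is actually evaluated (first match wins, wildcard masks, and which entries the time-range keyword does and does not affect), here is a small evaluator added to these notes; it is not IOS code and not part of the original post. The rule table mirrors NOWORK, the sample packets and timestamps are constructed, and `in_work_only` stands in for the WORK_ONLY time-range.

```python
"""Added example: minimal first-match evaluator for the NOWORK extended ACL."""
from datetime import datetime
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'; 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = int(IPv4Address(addr)), int(IPv4Address(base)), int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def in_work_only(when: datetime) -> bool:
    """time-range WORK_ONLY: periodic weekdays 09:00 to 18:00 (Mon-Fri)."""
    return when.weekday() < 5 and 9 <= when.hour < 18

# (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port, time_range)
NOWORK = [
    ("deny",   "udp", "17.17.44.0", "0.0.0.255", "17.17.11.100", "0.0.0.0", 53,  None),
    ("deny",   "tcp", "17.17.44.0", "0.0.0.255", "17.17.11.100", "0.0.0.0", 80,  "WORK_ONLY"),
    ("deny",   "tcp", "17.17.44.0", "0.0.0.255", "17.17.11.100", "0.0.0.0", 443, "WORK_ONLY"),
    ("deny",   "tcp", "17.17.44.0", "0.0.0.255", "17.17.11.100", "0.0.0.0", 21,  None),
    ("deny",   "tcp", "17.17.44.0", "0.0.0.255", "17.17.11.100", "0.0.0.0", 23,  None),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None),
]

def evaluate(acl, proto: str, src: str, dst: str, dport: int, when: datetime) -> str:
    """First matching entry decides; an entry whose time-range is inactive is skipped;
    with no match at all the implicit deny at the end of every ACL applies."""
    for action, p, s, swc, d, dwc, port, tr in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        if tr == "WORK_ONLY" and not in_work_only(when):
            continue
        return action
    return "deny"  # implicit deny

# Constructed sample times: 2025-05-06 is a Tuesday.
TUE_10 = datetime(2025, 5, 6, 10, 0)   # inside working hours
TUE_20 = datetime(2025, 5, 6, 20, 0)   # evening

if __name__ == "__main__":
    print(evaluate(NOWORK, "tcp", "17.17.44.5", "17.17.11.100", 80, TUE_10))  # deny
    print(evaluate(NOWORK, "tcp", "17.17.44.5", "17.17.11.100", 80, TUE_20))  # permit
    print(evaluate(NOWORK, "udp", "17.17.44.5", "17.17.11.100", 53, TUE_20))  # deny
```

The third case shows why the list does not quite meet the heading: the DNS, ftp and telnet entries carry no time-range, so they are denied around the clock, and blocking DNS alone would break name resolution (and so web access) outside working hours as well.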

 

--------------------------------------------------------------------------------------------

Assignment 1 : R1 NAT

[R1]

ip access-list standard INGRESS

permit 17.17.33.0 0.0.0.255

permit 17.17.44.0 0.0.0.255

permit 17.17.11.0 0.0.0.255

ip nat inside source list INGRESS interface FastEthernet0/1 overload

exit

 

Assignment 2 : Block 33.0/24 and 4.0/24 at the R2 telnet process

[R2]

access-list 50 deny 17.17.4.0 0.0.0.255

access-list 50 deny 17.17.33.0 0.0.0.255

access-list 50 permit any

line vty 0 4

access-class 50 in

password cisco

login

exit

 

Assignment 3 : Remove that configuration and block the same traffic inbound on s1/0.23

Since the filtering is done at the interface, source, destination and protocol are needed, so an extended list is used

[R2]

no access-list 50

line vty 0 4

no access-class 50 in

password cisco

login

exit

 

access-list 120 deny tcp 17.17.33.0 0.0.0.255 any eq 23

access-list 120 deny tcp 17.17.44.0 0.0.0.255 any eq 23

access-list 120 permit ip any any

int s1/0.23

ip access-group 120 in

 

 

(With ip telnet source-interface ????, telnet is sent out from that port.)
