
Comprehensive Lab

Cisco | 林志斌 | 1012 views


Topology as shown in the figure above (a lab by 卡书 dated 2010-10-08)

Emulator version: GNS3 0.7.2;
Cisco IOS version: c3640-ik9o3s-mz.123-26.bin;
VMware Workstation: 7.1.0 build-261024;
Operating system: Microsoft Windows Server 2003 Enterprise Edition

Reference commands:

Router(config)#host S1
S1(config)#no ip domain-lo (disable DNS lookup so that a mistyped command is not treated as a hostname to resolve, which avoids the long lookup wait)
S1(config)#line con 0
S1(config-line)#exec-t 0 0 (no idle timeout on the console session, so you are not logged out in the middle of an operation)
S1(config-line)#logg syn (stop console log messages from interrupting what you are typing)
S1(config-line)#time log re 10 (login prompt response timeout of ten seconds; it should not be set to 0)
S1(config-line)#pass cisco
S1(config-line)#login
S1(config-line)#line vty 0 4
S1(config-line)#exec-t 0 30
S1(config-line)#logg syn
S1(config-line)#time log re 10
S1(config-line)#pass cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#ena sec cisco
S1(config)#ser password-en
S1(config)#ban motd %This is S1 switch%
S1(config)#^Z
S1#vlan data
S1(vlan)#vlan 2 name www
VLAN 2 modified:
Name: www
S1(vlan)#vlan 3 name pc
VLAN 3 modified:
Name: pc
S1(vlan)#exit
APPLY completed.
Exiting....
S1#conf t
S1(config)#int f0/1
S1(config-if)#switchport access vlan 2
S1(config-if)#no shut
S1(config)#int f0/2
S1(config-if)#switchport access vlan 3
S1(config-if)#no shut
S1(config-if)#int f0/3
S1(config-if)#switchport access vlan 3
S1(config-if)#no shut
S1(config-if)#int f0/0
S1(config-if)#switchport trunk encapsulation dot1q (dot1q encapsulation)
S1(config-if)#switchport mode trunk
S1(config-if)#no shut
S1(config-if)#int vlan 2
S1(config-if)#no shut
S1(config-if)#int vlan 3
S1(config-if)#no shut

Router(config)#host Private
Private(config)#line con 0
Private(config-line)#exec-t 0 0
Private(config-line)#logg syn
Private(config-line)#time log re 10
Private(config-line)#pass cisco
Private(config-line)#login
Private(config-line)#line vty 0 4
Private(config-line)#exec-t 0 30
Private(config-line)#logg syn
Private(config-line)#time log re 10
Private(config-line)#pass cisco
Private(config-line)#login
Private(config-line)#line aux 0
Private(config-line)#exec-t 0 30
Private(config-line)#logg syn
Private(config-line)#time log re 10
Private(config-line)#pass cisco
Private(config-line)#login
Private(config-line)#exit
Private(config)#ena sec cisco
Private(config)#ser password-en
Private(config)#ban motd %This is Private router%
Private(config)#int f0/0
Private(config-if)#no ip add
Private(config-if)#no shut
Private(config-if)#int f0/0.1
Private(config-subif)#des connection to vlan 2
Private(config-subif)#encapsulation dot1q 2 (dot1q encapsulation, tagged with VLAN 2)
Private(config-subif)#ip add 172.16.2.1 255.255.255.0
Private(config-subif)#int f0/0.2
Private(config-subif)#des connection to vlan 3
Private(config-subif)#encapsulation dot1q 3
Private(config-subif)#ip add 172.16.3.1 255.255.255.0
Private(config-subif)#int s1/0
Private(config-if)#des connection to Public router
Private(config-if)#ip add 220.248.192.1 255.255.255.252
Private(config-if)#no shut
Private(config-if)#exit
Private(config)#ip route 0.0.0.0 0.0.0.0 220.248.192.2
Private(config)#ip domain-name cisco.com (SSH requires a domain name to be set first)
Private(config)#aaa new-model
Private(config)#crypto key generate rsa (generate the RSA key pair)
The name for the keys will be: Private.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys ...[OK]
*Mar  1 00:09:02.023: %SSH-5-ENABLED: SSH 1.5 has been enabled
Private(config)#ip ssh time 30 (30-second SSH negotiation timeout)
Private(config)#ip ssh authentication-retries 2 (2 authentication retries)
Private(config)#ip ssh logging events (log SSH events)
Private(config)#ip ssh source-interface f0/0 (source interface for SSH traffic)
Private(config)#username kashu privilege 15 password 0 kashu123 (local username and password for login)
Private(config)#access-list 1 remark permit subnet 172.16.2.0 to vty
Private(config)#access-list 1 per 172.16.2.0 0.0.0.255 log
Private(config)#line vty 0 4
Private(config-line)#transport input ssh (allow only SSH on the vty lines)
Private(config-line)#access-class 1 in (apply the ACL to the vty lines)
Private(config-line)#exit
Private(config)#ip name-server 1.1.1.2 (DNS server)
Private(config)#ntp server 1.1.1.2 (NTP server)
Private(config)#logging 1.1.1.2 (syslog server)
Private(config)#ip nat pool kashu 220.248.192.1 220.248.192.1 netmask 255.255.255.0 (define the NAT address pool)
Private(config)#ip nat inside source list 2 pool kashu overload (bind the ACL to the address pool; overload turns on PAT)
Private(config)#ip nat inside source static tcp 172.16.2.2 80 220.248.192.1 80 (publish the internal WWW service on the public address)
Private(config)#ip nat inside source static tcp 172.16.2.2 443 220.248.192.1 443 (the same for HTTPS, if used)
Private(config)#access-list 2 remark permit subnet 172.16.2.0 and 172.16.3.0 to access Internet
Private(config)#access-list 2 per 172.16.2.0 0.0.0.255 log
Private(config)#access-list 2 per 172.16.3.0 0.0.0.255 log
Private(config)#int range f0/0.1 - f0/0.2 (note: the inside side is set on the subinterfaces)
Private(config-if-range)#ip nat inside (PAT inside)
Private(config-if-range)#int s1/0
Private(config-if)#ip nat outside (PAT outside)
Private(config-if)#exit
Private(config)#time-range per-ip (define a time range for use in a time-based ACL)
Private(config-time-range)#periodic weekdays 7:30 to 18:00 (7:30 to 18:00 on every weekday)
Private(config-time-range)#exit
Private(config)#access-list 100 remark Permit ip from 7:30 to 18:00 in weekdays
Private(config)#access-list 100 per ip any any log time-range per-ip (time-based ACL: packets are filtered according to the time range)
Private(config)#ip dhcp pool kashu (define the DHCP pool)
Private(dhcp-config)#network 172.16.3.0 255.255.255.0
Private(dhcp-config)#default-router 172.16.3.1 (default gateway)
Private(dhcp-config)#dns-server 1.1.1.2 (DNS server)
Private(dhcp-config)#domain-name cisco.com (domain name)
Private(dhcp-config)#lease 0 11 30 (lease of 0 days, 11 hours, 30 minutes)
Private(dhcp-config)#exit
Private(config)#ip dhcp excluded-address 172.16.3.1 (exclude the gateway address)
Private(config)#ip dhcp excluded-address 172.16.3.41 172.16.3.254 (exclude the unused addresses)
Private(config)#ip dhcp conflict logging (log address conflicts)
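As an added example (it is not part of the original post and not Cisco code), the following Python model evaluates the three access lists configured on the Private router the way IOS does: wildcard-mask matching, first match wins, the implicit deny at the end, and a time-range entry that is skipped while its range is inactive. The Monday=0 weekday numbering, the half-open 7:30 to 18:00 window and the treatment of ACL 100 as a source-only check are simplifications of mine. One caveat visible in the configuration itself: ACL 100 is defined but never applied to an interface or line, so as shown it filters nothing until it is bound with ip access-group.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    network: str                      # source network, e.g. "172.16.2.0"
    wildcard: str                     # wildcard (inverse) mask; "255.255.255.255" means any
    time_range: Optional[str] = None  # name of a time-range; the entry is skipped while inactive


@dataclass(frozen=True)
class TimeRange:                      # models 'periodic weekdays 7:30 to 18:00'
    days: frozenset                   # Python weekday numbers, Monday = 0 (assumption)
    start: tuple                      # (hour, minute)
    end: tuple                        # half-open: active while start <= now < end (assumption)


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def time_range_active(tr, now):
    if now.weekday() not in tr.days:
        return False
    return tr.start <= (now.hour, now.minute) < tr.end


def evaluate(acl, src, now=None, time_ranges=None):
    """First matching entry wins; no match means the implicit deny at the end of every ACL."""
    time_ranges = time_ranges or {}
    for e in acl:
        if e.time_range is not None and not time_range_active(time_ranges[e.time_range], now):
            continue                  # an inactive time-range entry behaves as if it were absent
        if wildcard_match(src, e.network, e.wildcard):
            return e.action == "permit"
    return False


# The three access lists from the Private router configuration above.
ACL_1 = [AclEntry("permit", "172.16.2.0", "0.0.0.255")]                 # access-class 1 in (vty)
ACL_2 = [AclEntry("permit", "172.16.2.0", "0.0.0.255"),
         AclEntry("permit", "172.16.3.0", "0.0.0.255")]                 # ip nat inside source list 2
ACL_100 = [AclEntry("permit", "0.0.0.0", "255.255.255.255", time_range="per-ip")]  # source side only
TIME_RANGES = {"per-ip": TimeRange(days=frozenset(range(5)), start=(7, 30), end=(18, 0))}


def may_ssh_to_vty(src):
    """access-class 1 in: only the server VLAN may open a management session to the router."""
    return evaluate(ACL_1, src)


def is_translated(src):
    """access-list 2: which inside sources are eligible for PAT."""
    return evaluate(ACL_2, src)


def permitted_by_acl_100(src, when):
    """when: a datetime or a (year, month, day, hour, minute) tuple."""
    if isinstance(when, tuple):
        when = datetime(*when)
    return evaluate(ACL_100, src, now=when, time_ranges=TIME_RANGES)


if __name__ == "__main__":
    for ip in ("172.16.2.2", "172.16.3.5", "1.1.1.2"):
        print(f"vty from {ip}: {'permit' if may_ssh_to_vty(ip) else 'deny (implicit)'}")
    print("ACL 100, Wed 09:00:", permitted_by_acl_100("172.16.3.7", (2010, 10, 6, 9, 0)))
    print("ACL 100, Sat 09:00:", permitted_by_acl_100("172.16.3.7", (2010, 10, 9, 9, 0)))
```

The point worth checking with this model is the management plane: a PC in VLAN 3 (172.16.3.x) receives a DHCP lease and is translated to the Internet, but is denied SSH to the router by the implicit deny of ACL 1, so only the server VLAN can administer it.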

Router(config)#host Public
Public(config)#line con 0
Public(config-line)#exec-t 0 0
Public(config-line)#logg syn
Public(config-line)#time log re 10
Public(config-line)#pass cisco
Public(config-line)#login
Public(config-line)#line vty 0 4
Public(config-line)#exec-t 0 30
Public(config-line)#logg syn
Public(config-line)#time log re 10
Public(config-line)#pass cisco
Public(config-line)#login
Public(config-line)#line aux 0
Public(config-line)#exec-t 0 30
Public(config-line)#logg syn
Public(config-line)#time log re 10
Public(config-line)#pass cisco
Public(config-line)#login
Public(config-line)#exit
Public(config)#ena sec cisco
Public(config)#ser password-en
Public(config)#ban motd %This is Public router%
Public(config)#int s1/0
Public(config-if)#des connection to Private router
Public(config-if)#ip add 220.248.192.2 255.255.255.252
Public(config-if)#no shut
Public(config-if)#int f0/0
Public(config-if)#des connection to WWW.DNS.Syslog.NTP server
Public(config-if)#ip add 1.1.1.1 255.255.255.0
Public(config-if)#no shut

Verification:
From the server at 172.16.2.2, an SSH login to the Private router succeeds.
DNS resolution from the Private router works.
Automatic IP address assignment succeeds as well, naturally.
The external DNS server can also reach the internally mapped WWW service without any problem.

When the internal WWW server pings the Public router's 220.248.192.2, enable debugging on the Private router to trace the PAT translation:

Private#debug ip nat
IP NAT debugging is on
Private#
.Oct  8 10:08:00.683: NAT: s=172.16.2.2->220.248.192.1, d=220.248.192.2 [2711]
.Oct  8 10:08:00.747: NAT*: s=220.248.192.2, d=220.248.192.1->172.16.2.2 [2711]
.Oct  8 10:08:01.683: NAT: s=172.16.2.2->220.248.192.1, d=220.248.192.2 [2712]
.Oct  8 10:08:01.695: NAT*: s=220.248.192.2, d=220.248.192.1->172.16.2.2 [2712]
.Oct  8 10:08:02.687: NAT: s=172.16.2.2->220.248.192.1, d=220.248.192.2 [2713]
.Oct  8 10:08:02.727: NAT*: s=220.248.192.2, d=220.248.192.1->172.16.2.2 [2713]
.Oct  8 10:08:03.719: NAT: s=172.16.2.2->220.248.192.1, d=220.248.192.2 [2714]
.Oct  8 10:08:03.747: NAT*: s=220.248.192.2, d=220.248.192.1->172.16.2.2 [2714]


When the external DNS server accesses the internally mapped WWW service, enable detailed debugging on the Private router to trace the PAT translation in detail:

Private#debug ip nat detail
IP NAT detailed debugging is on
Private#
.Oct  8 10:13:46.079: NAT: Found matching static-portlist for proto:6 (172.16.2.2,80) -> (220.248.192.1, 80)
.Oct  8 10:13:46.083: NAT: o: tcp (1.1.1.2, 1093) -> (220.248.192.1, 80) [1994] 
.Oct  8 10:13:46.083: NAT: s=1.1.1.2, d=220.248.192.1->172.16.2.2 [1994]
.Oct  8 10:13:46.111: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2724]    
.Oct  8 10:13:46.111: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2724]
.Oct  8 10:13:46.179: NAT*: o: tcp (1.1.1.2, 1093) -> (220.248.192.1, 80) [1996]
.Oct  8 10:13:46.179: NAT*: s=1.1.1.2, d=220.248.192.1->172.16.2.2 [1996]
.Oct  8 10:13:46.183: NAT*: o: tcp (1.1.1.2, 1093) -> (220.248.192.1, 80) [1997]
.Oct  8 10:13:46.183: NAT*: s=1.1.1.2, d=220.248.192.1->172.16.2.2 [1997]
.Oct  8 10:13:46.299: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2725]    
.Oct  8 10:13:46.303: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2725]
.Oct  8 10:13:46.307: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2726]    
.Oct  8 10:13:46.307: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2726]
.Oct  8 10:13:46.379: NAT*: o: tcp (1.1.1.2, 1093) -> (220.248.192.1, 80) [1999]
.Oct  8 10:13:46.379: NAT*: s=1.1.1.2, d=220.248.192.1->172.16.2.2 [1999]
.Oct  8 10:13:46.499: NAT*: o: tcp (1.1.1.2, 1093) -> (220.248.192.1, 80) [2000]
.Oct  8 10:13:46.499: NAT*: s=1.1.1.2, d=220.248.192.1->172.16.2.2 [2000]
.Oct  8 10:13:46.503: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2727]    
.Oct  8 10:13:46.507: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2727]
.Oct  8 10:13:46.623: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2728]    
.Oct  8 10:13:46.623: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2728]
.Oct  8 10:13:46.671: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2729]    
.Oct  8 10:13:46.675: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2729]
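To turn the debug captures above into something checkable, here is a Python parser, added for this page and not part of the original post or of IOS, that reads both formats shown (the "s=... d=..." lines of debug ip nat and the "o:"/"i:" lines of debug ip nat detail), turns each line into a translation event, rebuilds the inside-local / inside-global / outside triples that show ip nat translations would list, and flags triples seen in only one direction. The sample text is assembled from lines on this page. The reading of "NAT*" as a fast-path translation using an existing entry, and of the bracketed number as the IP identification field, follows Cisco's description of this debug.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the two debug captures on this page.
SAMPLE = """\
.Oct  8 10:08:00.683: NAT: s=172.16.2.2->220.248.192.1, d=220.248.192.2 [2711]
.Oct  8 10:08:00.747: NAT*: s=220.248.192.2, d=220.248.192.1->172.16.2.2 [2711]
.Oct  8 10:08:01.683: NAT: s=172.16.2.2->220.248.192.1, d=220.248.192.2 [2712]
.Oct  8 10:08:01.695: NAT*: s=220.248.192.2, d=220.248.192.1->172.16.2.2 [2712]
.Oct  8 10:13:46.083: NAT: o: tcp (1.1.1.2, 1093) -> (220.248.192.1, 80) [1994]
.Oct  8 10:13:46.083: NAT: s=1.1.1.2, d=220.248.192.1->172.16.2.2 [1994]
.Oct  8 10:13:46.111: NAT: i: tcp (172.16.2.2, 80) -> (1.1.1.2, 1093) [2724]
.Oct  8 10:13:46.111: NAT: s=172.16.2.2->220.248.192.1, d=1.1.1.2 [2724]
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "NAT: s=A->B, d=C [id]"  or  "NAT*: s=C, d=B->A [id]"; the '*' marks the fast path
L3_RE = re.compile(rf"NAT(\*?): s={IP}(?:->{IP})?, d={IP}(?:->{IP})? \[(\d+)\]")
# "NAT: o: tcp (src, sport) -> (dst, dport) [id]" from 'debug ip nat detail'
L4_RE = re.compile(rf"NAT(\*?): ([io]): (\w+) \({IP}, (\d+)\) -> \({IP}, (\d+)\) \[(\d+)\]")


@dataclass(frozen=True)
class NatEvent:
    direction: str      # "out" = inside -> outside, "in" = outside -> inside
    inside_local: str
    inside_global: str
    outside: str
    ip_id: int          # the bracketed IP identification field
    fast_path: bool     # True for "NAT*": translated from an existing entry in the fast path


def parse_nat_debug(text):
    """Layer-3 translation events; detail ('o:'/'i:') lines and other output are ignored here."""
    events = []
    for line in text.splitlines():
        m = L3_RE.search(line)
        if not m:
            continue
        star, s, s_xlat, d, d_xlat, ip_id = m.groups()
        if s_xlat:          # source rewritten: inside local -> inside global, leaving
            events.append(NatEvent("out", s, s_xlat, d, int(ip_id), star == "*"))
        elif d_xlat:        # destination rewritten: inside global -> inside local, returning
            events.append(NatEvent("in", d_xlat, d, s, int(ip_id), star == "*"))
    return events


def parse_l4_detail(text):
    """(direction, proto, src, sport, dst, dport, ip_id) tuples from 'debug ip nat detail' lines."""
    out = []
    for line in text.splitlines():
        m = L4_RE.search(line)
        if m:
            _star, io, proto, src, sport, dst, dport, ip_id = m.groups()
            out.append((io, proto, src, int(sport), dst, int(dport), int(ip_id)))
    return out


def translation_table(events):
    """Group events into the (inside local, inside global, outside) triples IOS would display."""
    table = defaultdict(Counter)
    for ev in events:
        key = (ev.inside_local, ev.inside_global, ev.outside)
        table[key][ev.direction] += 1
        if ev.fast_path:
            table[key]["fast"] += 1
    return {k: dict(v) for k, v in table.items()}


def one_way_flows(events):
    """Triples seen in only one direction: a missing return path or a dropped reply."""
    return sorted(k for k, c in translation_table(events).items()
                  if not (c.get("out") and c.get("in")))


if __name__ == "__main__":
    evs = parse_nat_debug(SAMPLE)
    for key, counts in translation_table(evs).items():
        print(key, counts)
    print("one-way:", one_way_flows(evs))
    print("L4 detail:", parse_l4_detail(SAMPLE))
```

Two things the grouped view makes obvious that the raw lines do not: every reply on the ping side was handled in the fast path once the first packet had created the entry, and the web flow from 1.1.1.2 shows the same triple in both directions, which is what a working static mapping looks like.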

One more small trick

We can also change the internal WWW server's default port to something above 1024, say 1991.
What happens then? Right: inside the network it must now be accessed as http://172.16.2.2:1991. But does the outside world also have to append 1991 to http://220.248.192.1? That would be a real nuisance...
There is no need for that at all: when we create the mapping, we can map the port along with the address.
ip nat inside source static tcp 172.16.2.2 1991 220.248.192.1 80
This creates a one-to-one mapping between port 1991 on the internal server and port 80 on the outside. When the outside world accesses the WWW service on 220.248.192.1, the translation and mapping turn that into access to port 1991 on 172.16.2.2, which further improves the security of the internal server.
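To make the translation rules concrete, here is a Python model of the Private router's NAT behaviour, written for this page rather than taken from it or from IOS: access-list 2 decides which inside sources are translated, the single pool address with overload gives PAT (the original source port is kept where free, otherwise another is allocated), and the static tcp entries publish the web server, including the port-remapping variant just described. Allocating ports upward from 1024, binding each dynamic entry to the peer that created it, and carrying the ICMP query id in the port fields are simplifications of mine.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp" (for icmp, sport and dport both carry the query id)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticMap:        # ip nat inside source static <proto> <local> <lport> <global> <gport>
    proto: str
    inside_local: str
    local_port: int
    global_port: int


@dataclass
class NatRouter:
    inside_nets: list                  # subnets permitted by access-list 2
    inside_global: str                 # the one address in pool "kashu", also used by the statics
    statics: list
    table: dict = field(default_factory=dict)  # (proto, global port) -> (local ip, local port, peer ip, peer port)
    next_port: int = 1024              # simplification: allocate upward from 1024 when the source port is taken

    def _is_inside(self, ip):
        return any(IPv4Address(ip) in IPv4Network(n) for n in self.inside_nets)

    def outbound(self, pkt):
        """inside -> outside: rewrite the source, the 'NAT: s=local->global' lines of the debug."""
        for m in self.statics:                    # static entries win over the dynamic pool
            if (m.proto, m.inside_local, m.local_port) == (pkt.proto, pkt.src, pkt.sport):
                return replace(pkt, src=self.inside_global, sport=m.global_port)
        if not self._is_inside(pkt.src):
            return pkt                            # not matched by access-list 2: forwarded untranslated
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.proto, pkt.sport)              # PAT keeps the original source port when it is free
        if key in self.table and self.table[key] != flow:
            while (pkt.proto, self.next_port) in self.table:
                self.next_port += 1
            key = (pkt.proto, self.next_port)     # overload: a second inside host gets a different port
        self.table[key] = flow
        return replace(pkt, src=self.inside_global, sport=key[1])

    def inbound(self, pkt):
        """outside -> inside: rewrite the destination; None means no translation exists, packet dropped."""
        if pkt.dst != self.inside_global:
            return None
        for m in self.statics:
            if (m.proto, m.global_port) == (pkt.proto, pkt.dport):
                return replace(pkt, dst=m.inside_local, dport=m.local_port)
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        local_ip, local_port, peer_ip, peer_port = entry
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None                           # a dynamic entry only admits the peer that created it
        return replace(pkt, dst=local_ip, dport=local_port)


def build_private_router(web_port=80):
    """The Private router from this page; web_port=1991 is the port-remapping variant."""
    return NatRouter(
        inside_nets=["172.16.2.0/24", "172.16.3.0/24"],
        inside_global="220.248.192.1",
        statics=[StaticMap("tcp", "172.16.2.2", web_port, 80),
                 StaticMap("tcp", "172.16.2.2", 443, 443)],
    )


if __name__ == "__main__":
    r = build_private_router(web_port=1991)
    print(r.inbound(Packet("tcp", "1.1.1.2", 1093, "220.248.192.1", 80)))    # lands on 172.16.2.2:1991
    print(r.inbound(Packet("tcp", "1.1.1.2", 1093, "220.248.192.1", 1991)))  # None: no mapping, dropped
```

The model shows what the remapped entry does and does not buy: an outside client still reaches the service on port 80 of the public address, the internal port number is never visible from outside, and a packet to port 1991 of the public address has no entry and is dropped, but the service itself is exactly as exposed as before.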

When reposting, please credit: 林志斌 » Comprehensive Lab
