Configuring lock-and-key (dynamic access lists)
How lock-and-key works:

1. A user opens a Telnet session to a border (firewall) router configured for lock-and-key. The user connects via the virtual terminal port on the router.
2. The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs a user authentication process. The user must pass authentication before access through the router is allowed. The authentication process can be done by the router or by a central access security server such as a TACACS+ or RADIUS server.
3. When the user passes authentication, they are logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry can limit the range of networks to which the user is given temporary access.)
4. The user exchanges data through the firewall.
5. The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The configured timeout can either be an idle timeout or an absolute timeout.

Experiment description

R1 and R2 are connected to each other through F0/0. R2 and R3 are connected to each other through a Frame Relay switch. A dynamic access list is configured on R2's F0/0 to control access between the LAN user (R1) and the outside network (R3).

Configuration example

R1

```
conf t
int f0/0
 ip ad 10.1.1.1 255.255.255.0
 no shut
 exit
router rip
 ver 2
 no auto
 net 10.0.0.0
end
```

R3

```
conf t
int s2/0
 ip ad 10.1.2.3 255.255.255.0
 encap frame
 no arp f
 no frame inver
 frame map ip 10.1.2.2 302 b
 no shut
 exit
router rip
 ver 2
 no auto
 net 10.0.0.0
end
```

R2

```
conf t
int f0/0
 ip ad 10.1.1.2 255.255.255.0
 ! ACL 100 is applied inbound on F0/0, the LAN side, as the description states;
 ! the match counters in the verification below confirm this placement.
 ip access-group 100 in
 no shut
 exit
int s2/0
 ip ad 10.1.2.2 255.255.255.0
 encap frame
 no arp fr
 no frame inver
 frame map ip 10.1.2.3 203 b
 no shut
 exit
router rip
 ver 2
 no auto
 net 10.0.0.0
 exit
! Static entry: only Telnet from R1 to R2's F0/0 address is allowed before authentication
access-list 100 permit tcp host 10.1.1.1 host 10.1.1.2 eq telnet
! Dynamic entry "cisco": absolute timeout of 2 minutes for the temporary entries
access-list 100 dynamic cisco timeout 2 permit ip any any
username cisco password ccie
line vty 0 4
 login local
 ! After a successful login, create a temporary entry for the client's source host
 ! with an idle timeout of 1 minute, then disconnect the Telnet session
 autocommand access-enable host timeout 1
end
```

Verification

```
r3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#
comm_serv_ccxx16>1
[Resuming connection 1 to 16r1 ... ]
r1#ping 10.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

R1 and R3 cannot ping each other.

```
r1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Username: cisco
Password:
[Connection to 10.1.1.2 closed by foreign host]
r1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
r2#sh access-lists
Extended IP access list 100
    10 permit tcp host 10.1.1.1 host 10.1.1.2 eq telnet (110 matches)
    20 Dynamic cisco permit ip any any
       permit ip host 10.1.1.1 any (10 matches) (time left 41)
r1#ping 10.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
r3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/92 ms
```

After R1 authenticates over Telnet, the autocommand closes the session immediately and ACL 100 now carries a temporary entry bound to R1's address (permit ip host 10.1.1.1 any) with its timer counting down (time left 41). Pings in both directions succeed until the idle timeout (1 minute) or the absolute timeout (2 minutes) expires, after which the entry is removed and the LAN host must authenticate again.

Source: the "穿过地狱去看海" blog on 51CTO.COM.
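To make the two timeouts concrete, the following Python model of ACL 100 is added here (it is not code from the original post or from Cisco IOS); it replays the verification above and then shows the temporary entry expiring first on the 1-minute idle timer and then on the 2-minute absolute timer. Times are simulated seconds, and the host 10.1.1.9 is a constructed extra LAN address that never authenticates.

```python
# Model of ACL 100 from this page, applied inbound on R2 F0/0 (values as configured above).
USERS = {"cisco": "ccie"}                       # username cisco password ccie
R1, R2_F0, R3 = "10.1.1.1", "10.1.1.2", "10.1.2.3"

class LockAndKeyAcl:
    def __init__(self, idle_minutes=1, absolute_minutes=2):
        self.idle = idle_minutes * 60           # autocommand access-enable host timeout 1
        self.absolute = absolute_minutes * 60   # access-list 100 dynamic cisco timeout 2
        self.entries = {}   # src host -> {"created": t, "last_hit": t}, i.e. "permit ip host <src> any"

    def _live(self, src, now):
        e = self.entries.get(src)
        # absolute timer counts from creation, idle timer from the last matching packet
        if e and now - e["created"] < self.absolute and now - e["last_hit"] < self.idle:
            return e
        self.entries.pop(src, None)             # expired: IOS deletes the temporary entry
        return None

    def permits(self, src, dst, proto, dport, now):
        # seq 10: permit tcp host 10.1.1.1 host 10.1.1.2 eq telnet
        if proto == "tcp" and src == R1 and dst == R2_F0 and dport == 23:
            return True
        # seq 20: Dynamic cisco permit ip any any, instantiated only for authenticated hosts
        e = self._live(src, now)
        if e:
            e["last_hit"] = now                 # traffic refreshes the idle timer only
            return True
        return False                            # implicit deny at the end of the list

    def telnet_login(self, src, username, password, now):
        # 'login local' on the vty; on success the autocommand adds the entry and disconnects
        if not self.permits(src, R2_F0, "tcp", 23, now) or USERS.get(username) != password:
            return False
        self.entries[src] = {"created": now, "last_hit": now}
        return True

def run_scenario():
    """Replay the page's verification, then show idle and absolute expiry (times in seconds)."""
    acl, ping = LockAndKeyAcl(), (R1, R3, "icmp", None)
    out = {"before": acl.permits(*ping, now=0)}                           # denied, as on the page
    out["bad_password"] = acl.telnet_login(R1, "cisco", "wrong", now=0)
    out["login"] = acl.telnet_login(R1, "cisco", "ccie", now=0)
    out["after"] = acl.permits(*ping, now=5)                              # r1#ping 10.1.2.3 now works
    out["other_host"] = acl.permits("10.1.1.9", R3, "icmp", None, now=5)  # constructed, never logged in
    out["idle_expired"] = acl.permits(*ping, now=65)                      # 60 s with no traffic
    acl.telnet_login(R1, "cisco", "ccie", now=70)                         # log in again
    kept_alive = all(acl.permits(*ping, now=t) for t in (100, 130, 160))  # each hit resets idle timer
    out["absolute_expired"] = kept_alive and not acl.permits(*ping, now=190)  # 120 s since login
    return out
```

The entry is keyed on the authenticating host only, which is why a second LAN address gets no access even while R1's entry is live.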
cj231210