Article directory
- CCNA7: ACL, NAT (one-to-one, one-to-many, many-to-many), port mapping, remote login
-
- 1. Remote login:
- 2. ACL: Access Control List:
- 1. Access control:
-
- (1) Matching rules:
- (2) Classification:
-
- ①: Standard ACL:
- ②: Extended ACL:
- ③: Time-based ACL:
- 2. Define the flow of interest:
- 3. Experiment:
- Two, NAT:
-
- 1. One-to-one (static):
- 2. One-to-many (dynamic):
- 3. Port mapping:
- 4. Many-to-many (static or dynamic):
CCNA7: ACL, NAT (one-to-one, one-to-many, many-to-many), port mapping, remote login
1. Remote login:
The idea of remote login: first set a user name and password on the logged-in party, and then enable remote login. Virtual links 0-4, a total of 5 virtual links, allowing 5 people to log in at the same time.
R2(config)#username ccna privilege 15 secret cisco123 R2(config)#line vty 0 4 R2(config-line)#login local </code>
Let’s try to log in to R1 remotely, and the password is not displayed by default:
2. ACL: Access Control List:
First of all, we need to know that ACL has two functions: one is access control, and the other is
1. Access control:
Access control: On the interface where the router traffic enters and exits, the traffic enters and exits.
After defining the ACL list, call the list to the interface of the router. When the traffic passes through the interface, it will be matched. After the matching is successful, it can be processed according to the set action (permit, deny).
(1) Matching rules:
Match one by one from top to bottom, the previous match is executed according to the previous one, and the next one is not checked, and all are implicitly rejected at the end.
Explanation: This sentence means: if two policies are made for a network segment or a certain IP, then the order of the two policies will be compared, and the order of the two policies will be the one that appears first in the policy. implement. If no policy for other routes is added at the end, it will be denied by default.
(2) Category:
①: Standard ACL:
The standard ACL only pays attention to the source IP address in the packet, so when calling, it should be as close to the target as possible to avoid accidental deletion.
Standard ACL writing method: numbering method: 1~99, naming method: one name and one list.
Insufficient: When a rule in a table is to be deleted, the entire table disappears. The solution is to use show running-config and then copy the configuration inside to a document, and then modify it. Finally posted it.
②: Extended ACL:
Extended ACL focuses on source, destination IP address, destination port number, protocol number in the data packet. So it should be called close to the source, but not on the source. Because ACLcannot restrict other traffic (routing protocols) generated by the local router, so can deny traffic on the control plane of other routers.
Writing method: Extended ACL writing method: numbering method: 100~199, naming method: one name and one list.
Focus on the destination port number:
ICMP (ping) cross-layer encapsulation protocol, there is no port number
Telnet (remote login): port 23 under TCP
Features:
1. One name and one table, deleting one of the policies does not affect it.
2. There is a serial number for easy deletion and insertion.
③: Time-based ACL:
Create A list: R1(config)#time-range A =
R1(config-time-range)#absolute start 12:00 1 aug 2018 end 12:00 1 aug 2020
Define the total cycle time of the job for the entire list:
R1(config-time-range)#periodic daily 9:30 to 12:00
R1(config-time-range)#periodic daily 13:30 to 16:00
Create ACL extension list: A
R1(config)#ip access-list extended A
R1(config-ext-nacl)#permit ip host 172.16.20.253 any
R1(config-ext-nacl)#deny ip 172.16.20.0 0.0.0.255 any time-range A
R1(config-ext-nacl)#deny ip 172.16.10.0 0.0.0.255 any time-range A
R1(config-ext-nacl)#permit ip any any
2. Define the flow of interest:
Define the traffic of interest: match traffic for other strategies, and serve other strategies. Here you can refer to related strategies written in my other blog: CCNP9: Republishing Technology + Routing Strategy
If it’s just such an obscure statement, I don’t think it’s easy to understand. Next, I will use a small experiment to explain it to everyone in depth. This experiment.
3. Experiment:
For this experiment, I want to use the previous experimental diagram of one-arm routing (CCNA experiment: one-arm routing), and then add a little bit, the effect is as shown in the figure:
Let me explain again here, The router R2 on the left, the router R1 on the right, the switch in the middle is named sw1, and the switch on the right is named sw2. The PCs under the router on the right are all IPs obtained by DHCP, and the ones on the left are static. Note that the router on the right does one-arm routing, and there are two virtual sub-interfaces F0/0.1 (vlan2) and F0/0.2 (vlan3). The simulator I ended up using was Cisco Packet Tracer Instructor.
The IP is configured as above. After configuration, add two static routes. The rest can be viewed in my experiment diagram.
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.2 R2(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2 R1(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.1 </code>
Now we start adding policies:
Ⅰ. PC6 on the left (192.168.4.2) cannot ping the computer under vlan2 on the right. The requirements are as follows:
(1) Use the standard ACL numbering method: call in the outbound direction of the F0/0.1 port on R1 .
reason:
The standard ACL only focuses on the location of the source IP, so when we add a policy on R2 (the router on the left), it will inevitably cause PC6 to be unable to access the computer under vlan3, and the same is true for the F0/1 port on R1. In order to reduce the occupation of network resources by such data packets as much as possible, we need to reject the data packets as early as possible, so we need to call in the outbound direction of F0/0.1 on R1 (the direction is ↓ in the figure) .
The configuration is as follows: Create 1 table: R1(config)#access-list 1 deny 192.168.4.2 R1(config)#access-list 1 permit any
f0/0.1 port to call:
R1(config)#int f0/0.1
R1(config-subif)#ip access-group 1 out
(2) Use the standard ACL naming method:
R1(config)#ip access-list standard a R1(config-std-nacl)#deny host 192.168.4.2 R1(config-std-nacl)#permit any
R1(config)#int f0/0.1
R1(config-subif)#ip access-group a out
Ⅱ. The next requirement is: Now there is another requirement that PC6 cannot ping PC0, but it can ping all other computers.
We delete the previous policy. Since the extended ACL is used, it can be accurately matched, so our best is the inbound call of the F0/0 port on the left router R2.
(1) Use the numbering method of extended ACL:
Deny traffic from host 192.168.4.2 to 192.168.1.2: R2(config)#access-list 100 deny ip host 192.168.4.2 host 192.168.1.2 R2(config)#access-list 100 permit ip any any
R2(config)#int f0/0
R2(config-if)#ip access-group 100 in
(2) Use the naming method of extended ACL:
R2(config)#ip access-list extended b R2(config-ext-nacl)#deny ip host 192.168.4.2 host 192.168.1.2 R2(config-ext-nacl)#permit ip any any
R2(config)#int f0/0
R2(config-if)#ip access-group b in
Ⅲ. Refuse PC6 to remotely log in to R1:
I am using the numbering method here:
R1(config)#access-list 101 deny tcp host 192.168.4.2 host 192.168.3.2 eq 23 R1(config)#access-list 101 permit ip any any R1(config)#int f0/1 R1(config-if)#ip access-group 101 in </code>
function | configuration |
---|---|
Standard ACL | R1(config)#access-list 1 deny host 192.168.1.1 (deny a single device) R1(config)#access-list 1 deny 192.168.1.0 (deny range) R1(config)#access-list 1 deny any (deny all) |
Extended ACL | R1(config)#access-list 100 deny ip host 192.168.1.1 host 192.168.1.2 R1(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 R1(config)#access-list 100 permit ip any any |
rule port | R1(config)#access-list 101 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23 R1(config)#access-list 102 deny icmp host 1.1.1.1 host 2.2.2.2 |
Addition and deletion of naming style | R1(config)#ip access-list standard a R1(config-std-nacl)#15 deny host 1.1.1.1 R1(config-std-nacl)#no 15 |
Call strategy | R1( config)#int f0/0 R1(config-subif)ip access-group 1 out |
2. NAT:
The role of NAT is to implement network address translation (mutual conversion between public IP and private IP). As shown in the figure below, the local refers to the private IP, and the global refers to the public IP. The effect is as follows:
On the border router:
When traffic goes from inside to outside, the source IP address in the data packet is modified (internal local is changed to internal global);
When traffic enters from the outside, modify the target IP address (change the external global to external local)
Next, the figure we use to explain the experiment is as follows: the bottom layer configuration of the experiment and the computer IP are shown in the figure below. After that, R1 and R2 need to write two static and two default.
R1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2 R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1 R2(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2 </code>
12.1.1.1 in the figure is the public IP, followed by the entire intranet. Next we need to do NAT on R2.
At this time, only the public IP 1.1.1.2 of the boundary can access the Internet:
Remember: Once NAT configuration is performed, the direction of each interface on the border router must be defined
1. One-to-one (static):
R2(config)#ip nat inside source static 192.168.1.2 12.1.1.1 (transfer local 192.168.1.2 to 12.1.1.1) R2(config)#int f1/0 R2(config-if)#ip nat outside R2(config-if)#int f0/0 R2(config-if)#ip nat inside R2(config-if)#int f0/1 R2(config-if)#ip nat inside </code>
We used one of the PCs to test, and it was no problem to achieve access to the external public network.
But One-to-one actually realizes a fixed mapping between local private and local global, when the external global pings the local global , the actual ping is local private, and the segment can be judged by the hop count of the router. The following figure is the PC4ping local global picture:
We observe the TTL and find that it is 125, which means that 3 routers have passed (TTL: time to live, every time a data packet passes through a router, the TTL will be reduced by 1, TTL generally has 3 values: 64, 128, 255)
To sum up: We feel that one-to-one is not very meaningful, so we will use the following one-to-many which is of great significance.
2. One-to-many (dynamic):
One-to-many has an alias called: PAT Port Address Translation
What is done above is to transfer a local private IP address to a public IP address, and now do one-to-many: convert multiple private IP addresses For the same public IP address, rely on the port number in the data packet to distinguish.
For example, when these private network IPs go to visit Baidu, the data packets it sends will carry the port number to the border router. For example, the following correspondences:
Private network IP and its port | After conversion (public network IP and its port) |
---|---|
192.168.1.1:1111 192.168.1.2:2222 192.168.1.3:3333 |
12.1.1.1:1111 12.1.1.1:2222 12.1.1.1:3333 |
In this way, one-to-many access is realized. Now the problem comes. Since the port is used, it is inevitable to encounter the situation that the ports of the data packets sent by the two IPs will be the same, and NAT is solved in this way:
When a port conflict occurs, NAT will change a port number, and the changed port will be recorded in a table. When the external global IP sends a message, according to This table forwards the packet to the original IP.
Here comes the problem again. As mentioned above, when the port conflict is converted to another port being idle, it is fine, so when all 65535 ports are occupied, will it not be possible to send out?
That’s right, the defect of one-to-many is here. When there are too many users, the delay will be very large. When the released port is less than the amount of data packet forwarding, there will be a delay. 65535 in a single point of time After the packet goes out, it must come back, the port is released, and then the next one. In short, it is stuck until it explodes, and no matter how high the bandwidth is, it is useless. Therefore, this kind of one-to-many is only suitable for occasions such as small and medium-sized enterprises. To solve this problem, we need to talk about many-to-many next.
Usage method: first use ACL to define the traffic of interest, which private IP addresses are translated, and then define NAT.
Clear the NAT from the previous step:
R2(config)#no ip nat inside source static 192.168.1.2 12.1.1.1 </code>
The one-to-many configuration is as follows:
R2(config)#access-list 1 permit 192.168.1.0 0.0.0.255 R2(config)#access-list 1 permit 192.168.2.0 0.0.0.255 R2(config)#access-list 1 permit 192.168.3.0 0.0.0.255 R2(config)#ip nat inside source list 1 interface f1/0 overload Note: list 1: local list 1, interface f1/0 means local global, overload load
Since we have defined the direction of the interface before, the following ones do not need to be typed, but it is normal to type.
R2(config)#int f1/0
R2(config-if)#ip nat outside
R2(config-if)#int f0/0
R2(config-if)#ip nat inside
R2(config-if)#int f0/1
R2(config-if)#ip nat inside
Use the command: show ip nat translations to view the corresponding relationship
Let me add here that one-to-many can be used in conjunction with one-to-two, so that when the external network accesses the local server, it can directly correspond to it. If you don’t have money to buy two IPs, you can also achieve one-to-one effect. Use the port forwarding function.
3. Port mapping:
We can map the fixed port of the public IP on the border router (for example, 80) to the server in the intranet (192.168.1.100), so that when accessing 12.1.1.1 through the outside and the port is 80, the target IP address
R2(config)#ip nat inside source static tcp 192.168.1.100 80 12.1.1.1 80 </code>
If you set up another http server:
We can then browse the interface and enter the server IP and port http://12.1.1.1:8080 to access another server.
R2(config)#ip nat inside source static tcp 192.168.1.200 80 12.1.1.1 8080 When 12.1.1.2 is accessed externally and the target port is 8080, the target IP address must be converted to 192.168.1.200, and the port number is 8080 </code>
4. Many-to-many (static or dynamic):
Many-to-many is to convert multiple IPs into multiple IPs
How to use: use ACL first, then use NAT
R2(config)#access-list 2 permit 192.168.0.0 0.0.255.255 (define the local address range) R2(config)#ip nat pool xxx 12.1.1.3 12.1.1.10 netmask 255.255.255.0 (define the internal global address) R2(config)#ip nat inside source list 2 pool xxx overload (configure many-to-many NAT) </code>
When configuring many-to-many NAT, whether carries overload will determine static or dynamic many-to-many, and if it does not carry overload, it will be static many-to-many
No overload-static many-to-many: The first nine private IP addresses on the border router form one-to-one with the nine public IP addresses. When the 10th person wants to visit, it needs to be unused by the first 9 people and can be used after a certain period of time after release.
Carrying overload-dynamic many-to-many: cyclically occupying each public IP address for PAT (each single point can bear 65535x the number of public IPs data packets)