Demonstrating again with telnet:
Telnet from R3 to R1:
r3#telnet 192.168.12.1
Trying 192.168.12.1 ...
% Destination unreachable; gateway or host down
R3's attempt fails because its inbound SYN matches no reflexive entry, so line 30 of EXTERNAL (deny ip any any) drops it, and R2 reports the deny back to R3 as an ICMP unreachable. Now telnet from R1 to R3:
r1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
User Access Verification
Password:
r3>
Looking at the ACLs on R2 shows that RACL_tcp now contains a temporary entry. It is the mirror image of R1's connection (source R3 port telnet, destination R1's ephemeral port 28109) and carries an inactivity timer, shown as "time left", that is refreshed by matching traffic:
r2#sh access-list
Extended IP access list EXTERNAL
10 evaluate RACL_icmp
20 evaluate RACL_tcp
30 deny ip any any (37 matches)
Extended IP access list INTERNAL
10 permit icmp any any reflect RACL_icmp (31 matches)
20 permit tcp any any reflect RACL_tcp (141 matches)
30 deny ip any any
Reflexive IP access list RACL_icmp
permit icmp host 192.168.23.3 host 192.168.12.1 (19 matches) (time left 277)
Reflexive IP access list RACL_tcp
permit tcp host 192.168.23.3 eq telnet host 192.168.12.1 eq 28109 (51 matches) (time left 297)
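The behaviour of the two telnet attempts, modelled in Python as an added example. This is illustration code, not IOS and not from the original article: a `permit ... reflect` hit installs the reverse 5-tuple in the named reflexive list, `evaluate` permits only an exact match and refreshes its timer, and an idle entry ages out. The source port 40000 for R3's attempt, the port 28110 probe and the 300 s timeout (the IOS default for ip reflexive-list timeout) are assumptions; the addresses and port 28109 are those in the output above.

```python
"""Stateful evaluation of a Cisco reflexive ACL pair, modelled in Python.

Added illustration of the INTERNAL (reflect) / EXTERNAL (evaluate) pair
shown above; not IOS code. Timers are modelled as seconds left."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0    # ICMP carries no ports; both stay 0
    dport: int = 0


class ReflexiveList:
    """A named reflexive list (RACL_icmp / RACL_tcp) holding temporary entries."""

    def __init__(self, name, timeout=300):   # 300 s: assumed IOS default timeout
        self.name = name
        self.timeout = timeout
        self.entries = {}    # mirrored Packet -> seconds left

    def reflect(self, pkt):
        """`permit ... reflect NAME` matched pkt: install the reverse 5-tuple."""
        mirror = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[mirror] = self.timeout

    def evaluate(self, pkt):
        """`evaluate NAME`: permit only an exact reverse match and refresh its timer."""
        if pkt in self.entries:
            self.entries[pkt] = self.timeout
            return True
        return False

    def age(self, seconds):
        """Advance the clock; an entry whose timer reaches zero is removed."""
        for entry in list(self.entries):
            left = self.entries[entry] - seconds
            if left <= 0:
                del self.entries[entry]
            else:
                self.entries[entry] = left

    def show(self):
        """Render the entries the way `show access-list` prints a reflexive list."""
        lines = [f"Reflexive IP access list {self.name}"]
        for e, left in self.entries.items():
            if e.proto == "tcp":
                lines.append(f"permit tcp host {e.src} eq {e.sport} host {e.dst} "
                             f"eq {e.dport} (time left {left})")
            else:
                lines.append(f"permit icmp host {e.src} host {e.dst} (time left {left})")
        return lines


class R2:
    """INTERNAL is applied to traffic going out to R3, EXTERNAL to traffic coming back."""

    def __init__(self):
        self.racl_icmp = ReflexiveList("RACL_icmp")
        self.racl_tcp = ReflexiveList("RACL_tcp")

    def outbound(self, pkt):
        # INTERNAL: 10 permit icmp any any reflect RACL_icmp
        #           20 permit tcp any any reflect RACL_tcp
        #           30 deny ip any any
        if pkt.proto == "icmp":
            self.racl_icmp.reflect(pkt)
            return True
        if pkt.proto == "tcp":
            self.racl_tcp.reflect(pkt)
            return True
        return False

    def inbound(self, pkt):
        # EXTERNAL: 10 evaluate RACL_icmp
        #           20 evaluate RACL_tcp
        #           30 deny ip any any
        return self.racl_icmp.evaluate(pkt) or self.racl_tcp.evaluate(pkt)


def telnet_demo():
    """Replay the telnet test; returns the verdict on each inbound packet."""
    r2 = R2()
    # R3 opens a connection first: no mirrored entry exists, so EXTERNAL denies it.
    r3_first = r2.inbound(Packet("tcp", "192.168.23.3", "192.168.12.1", 40000, 23))
    # R1 telnets R3 from ephemeral port 28109; INTERNAL reflects the flow.
    r2.outbound(Packet("tcp", "192.168.12.1", "192.168.23.3", 28109, 23))
    reply = Packet("tcp", "192.168.23.3", "192.168.12.1", 23, 28109)
    reply_ok = r2.inbound(reply)
    # The opening is exact: R3 talking to any other port on R1 is still denied.
    other_port = r2.inbound(Packet("tcp", "192.168.23.3", "192.168.12.1", 23, 28110))
    # 300 s without traffic: the entry ages out and even the reply is denied again.
    r2.racl_tcp.age(300)
    after_timeout = r2.inbound(reply)
    return r3_first, reply_ok, other_port, after_timeout
```

The model leaves out one IOS detail: for TCP, the router also removes the temporary entry a few seconds after it sees FIN or RST, so a closed session does not keep a hole open until the timer runs out.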
CBAC configuration:
The initial configuration is the same as for the reflexive ACL above.
Now configure CBAC on R2. EXTERNAL denies everything arriving from the outside; the inspect rules are what will open temporary holes in it for sessions initiated from inside:
ip access-list extended EXTERNAL
deny icmp any any
deny tcp any any
deny ip any any
exit
ip inspect name CBAC icmp
ip inspect name CBAC tcp
Activate CBAC on R2's external interface s1/1. The ACL is applied inbound and inspection outbound, so a session leaving through s1/1 creates a dynamic entry that is checked before EXTERNAL's denies when the return traffic arrives:
interface s1/1
ip access-group EXTERNAL in
ip inspect CBAC out
exit
Looking at the CBAC state table at this point shows nothing, because no session has been initiated from the inside yet:
r2#sh ip inspect sessions
r2#
Ping R1 from R3 (each U is an ICMP unreachable that R2 returns for the ACL deny):
r3#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Now ping R3 from R1:
r1#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/119/300 ms
Now look at the CBAC state table again: the echo flow appears as an ICMP session (the 8 is the ICMP type, echo request):
r2#sh ip inspect sessions
Established Sessions
Session 65F31950 (192.168.12.1:8)=>(192.168.23.3:0) icmp SIS_OPEN
r2#
Likewise, R1 can telnet to R3:
r1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
User Access Verification
Password:
r3>
But R3 cannot telnet to R1:
r3#telnet 192.168.12.1
Trying 192.168.12.1 ...
% Destination unreachable; gateway or host down
Look at the CBAC state table: only the session R1 initiated toward R3's telnet port exists, and nothing permits a connection initiated by R3:
r2#sh ip inspect sessions
Established Sessions
Session 65F31690 (192.168.12.1:39966)=>(192.168.23.3:23) tcp SIS_OPEN
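Both mechanisms keep the same per-flow state; they only display it differently (`show ip inspect sessions` prints the flow as initiator=>responder, while a reflexive list prints the already-mirrored return entry). As an added example, not from the original article and not IOS code, the following Python parses the two displays shown on this page into one record and lists the return traffic each one currently lets in, which is the check to run when auditing what temporary holes a router has open. The regular expressions and the port-name table are assumptions derived from the output formats shown here; the sample text is copied from the page, and the two captures come from different telnet sessions (ephemeral ports 39966 and 28109).

```python
"""Parse IOS stateful-inspection displays (CBAC sessions and reflexive ACL
entries) into one record. Added illustration; regexes and port names are
assumptions based on the output formats shown in the article."""
import re
from typing import List, NamedTuple, Set, Tuple

# IOS prints well-known ports by name in ACL output ("eq telnet"); map the
# common ones back to numbers. Extend the table for other services.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
              "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

# Session 65F31690 (192.168.12.1:39966)=>(192.168.23.3:23) tcp SIS_OPEN
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)"
    r"\s+(?P<proto>\w+)\s+(?P<state>\S+)")

# permit tcp host 192.168.23.3 eq telnet host 192.168.12.1 eq 28109 (51 matches) (time left 297)
REFLEX_RE = re.compile(
    r"permit (?P<proto>tcp|udp|icmp) host (?P<src>[\d.]+)(?: eq (?P<sport>\S+))?"
    r" host (?P<dst>[\d.]+)(?: eq (?P<dport>\S+))?.*?\(time left (?P<left>\d+)\)")


class Session(NamedTuple):
    mechanism: str   # "cbac" or "reflexive"
    proto: str
    initiator: str   # inside host that opened the flow
    iport: int       # its port (ICMP: type number in CBAC output, 0 in reflexive output)
    responder: str   # outside host
    rport: int
    detail: str      # CBAC state, or reflexive list name and seconds left


def port(tok):
    """Turn an IOS port token ("23", "telnet", or absent) into a number."""
    if tok is None:
        return 0
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_inspect_sessions(text: str) -> List[Session]:
    """Parse `show ip inspect sessions`; src/dst there are already initiator/responder."""
    return [Session("cbac", m["proto"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"]), m["state"])
            for m in SESSION_RE.finditer(text)]


def parse_reflexive(text: str) -> List[Session]:
    """Parse the reflexive lists in `show access-list`. Each entry describes the
    permitted return packet, so swap it back into initiator/responder form."""
    sessions, name = [], None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"Reflexive IP access list (\S+)", line)
        if head:
            name = head[1]
            continue
        m = REFLEX_RE.match(line)
        if m and name:
            sessions.append(Session("reflexive", m["proto"],
                                    m["dst"], port(m["dport"]),
                                    m["src"], port(m["sport"]),
                                    f"{name} time left {m['left']}s"))
    return sessions


def inbound_openings(sessions) -> Set[Tuple[str, str, int, str, int]]:
    """What the outside may currently send in, as
    (proto, outside_src, outside_port, inside_dst, inside_port)."""
    return {(s.proto, s.responder, s.rport, s.initiator, s.iport) for s in sessions}


# Sample input copied from the router output shown in this article.
INSPECT_OUTPUT = """Established Sessions
Session 65F31950 (192.168.12.1:8)=>(192.168.23.3:0) icmp SIS_OPEN
Session 65F31690 (192.168.12.1:39966)=>(192.168.23.3:23) tcp SIS_OPEN
"""
RACL_OUTPUT = """Reflexive IP access list RACL_icmp
    permit icmp host 192.168.23.3 host 192.168.12.1 (19 matches) (time left 277)
Reflexive IP access list RACL_tcp
    permit tcp host 192.168.23.3 eq telnet host 192.168.12.1 eq 28109 (51 matches) (time left 297)
"""

if __name__ == "__main__":
    for s in parse_inspect_sessions(INSPECT_OUTPUT) + parse_reflexive(RACL_OUTPUT):
        print(f"{s.mechanism:9} {s.proto:4} {s.initiator}:{s.iport} -> "
              f"{s.responder}:{s.rport}  [{s.detail}]")
```

Run it against a fresh capture of both commands and compare `inbound_openings()` against what you expect to be open; any entry for a responder port you did not initiate traffic to is worth a look.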
Editor: 小草