In the lab below, how can ACLs be used so that, apart from PC3, the PCs on the intranet cannot reach the headquarters Server over the intranet but can still reach the server over the external network, and the external network can only reach port 80 on the server? Could someone help analyze how this access list should be configured?
What I did:
External network can only access port 80:
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.130 80 193.168.10.10 8080
ip classless
Problem: I'm not sure how to verify this.
Configuration to stop the intranet PCs from accessing the server:
access-list 2 permit 192.168.10.128 0.0.0.127
ip access-list extended gfh
deny ip 192.168.10.0 0.0.0.127 host 192.168.10.130
permit ip any any
and applied inbound on R3's s0/0/0, s0/0/1 and fa0/1.
Problem: I don't think this achieves "nobody except PC3 can access"; it seems any PC connected at Shanghai can still reach the server.
interface FastEthernet0/0
ip address 193.168.10.9 255.255.255.248
ip access-group gfh in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.10.254 255.255.255.128
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.168.10.1 255.255.255.252
ip access-group gfh in
!
interface Serial0/0/1
ip address 192.168.10.5 255.255.255.252
ip access-group gfh in
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 192.168.10.128 0.0.0.127 area 0
network 192.168.10.0 0.0.0.3 area 0
network 192.168.10.4 0.0.0.3 area 0
network 193.168.10.8 0.0.0.7 area 0
!
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.130 80 193.168.10.10 8080
ip classless
ip route 0.0.0.0 0.0.0.0 193.168.10.10
!
!
access-list 2 permit 192.168.10.128 0.0.0.127
ip access-list extended gfh
deny ip 192.168.10.0 0.0.0.127 host 192.168.10.130
permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
Indeed, every host on the Shanghai segment can reach the server; just permit the single host instead.
Putting the above together, can separate ACLs be written for PC3, Guangzhou and Fuzhou? Would an extended ACL be more convenient?
access-list 110 permit ip host 192.168.10.129 host 192.168.10.130
access-list 110 permit tcp host 192.168.10.130 host 192.168.10.130 eq 80
access-list 110 deny ip 192.168.10.64 0.0.0.63 host 192.168.10.130
interface FastEthernet0/1
ip access-group 110 out
Applying it outbound on R3's fa0/1 is also wrong; actually the best place is the outbound direction of fa0/2 on the Layer 3 switch above R3.
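As an added example (not code from either post), here is a small Python model of Cisco wildcard-mask matching and first-match ACL evaluation, run against the `gfh` list from the question and `access-list 110` from the reply. The only addresses taken from the thread are the server (192.168.10.130) and PC3, which is assumed to be 192.168.10.129 because that is the host the reply's ACL 110 permits; the other sample sources are constructed to fall in 192.168.10.0/26, 192.168.10.64/26 and the server's own 192.168.10.128/25.

```python
# Added example (not from the thread): a toy evaluator for Cisco-style IPv4
# access lists, used to check what the two ACLs posted above actually match.
# Sample packets below are constructed; every host address other than the
# server (192.168.10.130) and PC3 (assumed 192.168.10.129) is an assumption.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # "any" == 0.0.0.0 255.255.255.255
HOST = "0.0.0.0"                        # "host x" == x 0.0.0.0


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'.

    Match when the bits the mask cares about (its 0 bits) agree.
    192.168.10.0 0.0.0.127 therefore covers .0-.127 only; .128-.255
    differ in bit 7, which the mask cares about.
    """
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One entry: '<action> <proto> <src> <wc> <dst> <wc> [eq <port>]'."""
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches every protocol, else exact
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port for 'eq', None = any


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matched_index): first match wins, implicit deny last."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None  # implicit 'deny ip any any'


SERVER = "192.168.10.130"
PC3 = "192.168.10.129"  # assumption: the host permitted by ACL 110

# 'ip access-list extended gfh' from the question.
GFH = [
    Ace("deny", "ip", "192.168.10.0", "0.0.0.127", SERVER, HOST),
    Ace("permit", "ip", *ANY, *ANY),
]

# 'access-list 110' from the reply, exactly as posted (its second line has
# the server as both source and destination, so it matches no normal traffic).
ACL110 = [
    Ace("permit", "ip", PC3, HOST, SERVER, HOST),
    Ace("permit", "tcp", SERVER, HOST, SERVER, HOST, 80),
    Ace("deny", "ip", "192.168.10.64", "0.0.0.63", SERVER, HOST),
]

# Constructed sample sources: one host in each /26 below the server's /25,
# a second Shanghai host on the server's own segment, and PC3.
SAMPLES = {
    "remote host in 192.168.10.0/26": "192.168.10.10",
    "remote host in 192.168.10.64/26": "192.168.10.70",
    "another Shanghai host": "192.168.10.140",
    "PC3": PC3,
}


def summarize(acl, proto="tcp", dport=80):
    """Action each sample source gets for a web request to the server."""
    return {name: evaluate(acl, proto, ip, SERVER, dport)[0]
            for name, ip in SAMPLES.items()}


if __name__ == "__main__":
    for name, acl in (("gfh", GFH), ("110", ACL110)):
        print(name, summarize(acl))
```

Running it reproduces the question's observation: `gfh` denies the two remote-site sources but permits the second Shanghai host, because 192.168.10.140 lies outside the range `192.168.10.0 0.0.0.127` covers. With `110`, only PC3 is permitted and everything else falls through to the implicit deny. Two caveats the model cannot show: traffic between hosts on the server's own /25 never crosses an R3 interface, so, as the reply says, the filter has to sit on the switch port facing the server; and an inbound ACL on the `ip nat outside` interface is evaluated before the static translation, so an "outside may only reach port 80" rule must match the global address and port given on the `ip nat inside source static` line, not the inside address. `show access-lists` (per-entry match counters) and `show ip nat translations` are the usual way to verify both on the router.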