ACL on an Internet-facing interface

network-engineering cisco router acl access-control
2021-07-14 22:02:31

I have to set up and design a network as shown in the diagram:

[image: network diagram]

I need to configure ACLs on the inside and outside interfaces. However, when I apply the access lists, traffic is affected: the Internet connection is unavailable and external users cannot reach the published services.

Could you please review the configured ACLs and give me a clue about this problem?

! This ACL gets applied to the interface which is connected to my LAN

ip access-list extended INSIDE_ACL_IN
permit ip 20.20.20.0 0.0.0.15 any
deny ip any any 


==========================================================================================
==========================================================================================

! This ACL gets applied to the Outside interface which is connected to my Internet provider


ip access-list extended OUTSIDE_ACL_IN

deny ip 127.0.0.0 0.255.255.255 any 
deny ip 255.0.0.0 0.255.255.255 any 
deny ip 224.0.0.0 31.255.255.255 any 
deny ip host 0.0.0.0 any 
deny ip 10.0.0.0 0.255.255.255 any 
deny ip 172.16.0.0 0.15.255.255 any 
deny ip 192.0.2.0 0.0.0.255 any 
deny ip 192.168.0.0 0.0.255.255 any 
deny ip 14.0.0.0 0.255.255.255 any 
deny ip 169.254.0.0 0.0.255.255 any 
deny ip 198.18.0.0 0.0.255.255 any 
deny ip 66.238.29.0 0.0.0.31 any 
deny ip 240.0.0.0 15.255.255.255 any
deny ip 162.16.0.0 0.15.255.255 any
deny 53 any any
deny 55 any any
deny 77 any any
deny pim any any
deny tcp any any eq bgp 
deny tcp any eq bgp any 
deny ipinip any any
deny gre any any
deny pim any any
deny 90 any any
deny ospf any any 
deny eigrp any any 
deny udp any eq rip any 
deny udp any any eq rip 
deny tcp any any eq 0 -input
deny udp any any eq 0 -input
deny tcp any any range 135 139
deny udp any any range 135 netbios-ss
deny udp any any eq snmp
deny udp any any eq snmptrap
deny tcp any any eq 445
deny udp any any eq 445
deny tcp any any eq 901
deny udp any any eq 901
deny tcp any any eq 1080
deny udp any any eq 1080
deny tcp any any range 1433 1434
deny udp any any range 1433 1434
deny tcp any any eq 1900
deny udp any any eq 1900
deny tcp any any eq 3389
deny udp any any eq 3389
deny tcp any any eq 5000
deny udp any any eq 5000
permit icmp any 10.1.1.0 0.0.0.255 echo-reply
permit icmp any 10.1.1.0 0.0.0.255 unreachable
permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
permit icmp any 10.1.1.0 0.0.0.255 source-quench
permit icmp any 10.1.1.0 0.0.0.255 packet-too-big
permit icmp any 10.1.2.0 0.0.0.255 echo-reply
permit icmp any 10.1.2.0 0.0.0.255 unreachable
permit icmp any 10.1.2.0 0.0.0.255 time-exceeded
permit icmp any 10.1.2.0 0.0.0.255 source-quench
permit icmp any 10.1.2.0 0.0.0.255 packet-too-big
permit icmp any 10.1.3.0 0.0.0.7 echo-reply
permit icmp any 10.1.3.0 0.0.0.7 unreachable
permit icmp any 10.1.3.0 0.0.0.7 time-exceeded
permit icmp any 10.1.3.0 0.0.0.7 source-quench
permit icmp any 10.1.3.0 0.0.0.7 packet-too-big
permit icmp any 172.16.0 0.0.0.7 echo-reply
permit icmp any 172.16.0 0.0.0.7 unreachable
permit icmp any 172.16.0 0.0.0.7 time-exceeded
permit icmp any 172.16.0 0.0.0.7 source-quench
permit icmp any 172.16.0 0.0.0.7 packet-too-big
deny icmp any any fragments
deny icmp any any redirect
deny icmp any any
deny tcp any 192.168.1.0 0.0.0.255 eq 22 
deny tcp any 192.168.1.0 0.0.0.255 eq telnet 
deny tcp any 192.168.1.0 0.0.0.255 eq www 
deny tcp any 192.168.1.0 0.0.0.255 eq 443 
deny tcp any 192.168.1.0 0.0.0.255 eq 22 
deny tcp any 192.168.1.0 0.0.0.255 eq telnet 
deny tcp any 192.168.1.0 0.0.0.255 eq www 
deny tcp any 192.168.1.0 0.0.0.255 eq 443 
deny tcp any host 20.20.20.2  eq 22 
deny tcp any host 20.20.20.2  eq telnet 
deny tcp any host 20.20.20.2  eq www 
deny tcp any host 20.20.20.2  eq 443 
deny tcp any host 20.20.20.2  eq 22 
deny tcp any host 20.20.20.2  eq telnet 
deny tcp any host 20.20.20.2  eq www 
deny tcp any host 20.20.20.2  eq 443 
permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 
permit icmp 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit icmp 172.16.0 0.0.0.7 172.16.0 0.0.0.7
deny tcp any 66.238.29.0 0.0.0.31  fragments
deny udp any 66.238.29.0 0.0.0.31  fragments
deny icmp any 66.238.29.0 0.0.0.31  fragments
deny udp any any eq snmp
deny udp any any eq snmptrap
deny ip 192.0.2.0 0.0.0.255 any  
deny ip 4.0.0.0 0.255.255.255 any  
deny ip 69.254.0.0 0.0.255.255 any   
permit ip any 10.1.0.0 0.0.255.255
permit ip any 172.16.0 0.0.0.7 
deny ip any any log
2 answers

You did not include the whole router configuration (you really should), but it appears you have confused the in and out keywords in your configuration for INSIDE_ACL_IN. The in and out keywords are from the perspective of the router, so applying permit ip 20.20.20.0 0.0.0.15 any (which should be 20.20.20.0 0.0.0.3) in an ACL inbound to the router from an interface on the 10.10.0.0/29 network does not really make sense. It looks like you are trying to permit anything inbound from the 10.10.0.0/29 network that has a source address in the 20.20.20.0/28 network, but deny everything else from that interface, which would deny traffic from the network interface on the 10.10.0.0/29 network to the router.

You are using extended access lists, so you want to apply them as close to the source as possible.

Is there a reason you are blocking DNS port 53? If you are going to access websites by name, where is DNS being resolved? Without more information, that is where I would start. From there, use your basic commands, like ping and traceroute, to see what is being blocked and where. You are denying a lot. Don't forget that at the end of every ACL there is a deny all, even if you do not add it.
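Added example, not part of the question or either answer: a small first-match evaluator for IOS-style extended ACL entries, so you can check offline which entry a given packet hits before applying a list to a live interface. It takes the poster's INSIDE_ACL_IN as written plus a subset of OUTSIDE_ACL_IN in original order, and runs constructed sample packets through them: a LAN host on 10.10.0.0/29 (the addressing the first answer mentions) is dropped by INSIDE_ACL_IN because only 20.20.20.0/28 sources are permitted, and the implicit deny is shown by evaluating the list with its explicit deny removed. The evaluator also models the fact that in extended ACL syntax the field after permit/deny is the IP protocol, so "deny 53 any any" matches IP protocol 53 and not TCP/UDP port 53; a UDP reply from source port 53 to 10.1.1.10 falls through to "permit ip any 10.1.0.0 0.0.255.255". Sample addresses 198.51.100.53 and 203.0.113.5 are constructed; icmp type keywords, fragments, established and log are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the original post): minimal first-match evaluator for
# Cisco IOS-style extended ACL entries. Modeled: protocol (ip/icmp/tcp/udp or an
# IP protocol number), wildcard masks, host/any, eq/range ports, implicit deny.
# Not modeled: icmp type keywords, 'fragments', 'established', 'log' (ignored).

PORT_NAMES = {"bgp": 179, "rip": 520, "www": 80, "telnet": 23, "snmp": 161,
              "snmptrap": 162, "netbios-ss": 139, "domain": 53}
IMPLICIT_DENY = "<implicit deny ip any any>"


@dataclass
class Packet:
    proto: str          # "icmp", "tcp", "udp", or an IP protocol number as a string
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    sport: Optional[Tuple[int, int]]
    dst: str
    dport: Optional[Tuple[int, int]]
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _take_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (spec, next)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2


def _take_ports(t, i):
    """Optional 'eq P' or 'range A B' following an address spec."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _take_addr(t, 2)
    sport, i = _take_ports(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_ports(t, i)      # anything after this (e.g. 'log') is ignored
    return Ace(t[0], t[1], src, sport, dst, dport, line.strip())


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = 0xFFFFFFFF ^ wild
    return (a & care) == (net & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:   # 'ip' matches every protocol
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if ace.sport and not ace.sport[0] <= pkt.sport <= ace.sport[1]:
        return False
    if ace.dport and not ace.dport[0] <= pkt.dport <= ace.dport[1]:
        return False
    return True


def evaluate(acl_lines, pkt: Packet):
    """Return (action, entry text); first match wins, implicit deny if nothing matches."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", IMPLICIT_DENY


INSIDE_ACL_IN = ["permit ip 20.20.20.0 0.0.0.15 any", "deny ip any any"]

# Subset of the poster's OUTSIDE_ACL_IN, kept in original order.
OUTSIDE_ACL_IN = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny 53 any any",
    "deny tcp any eq bgp any",
    "deny tcp any any range 135 139",
    "deny udp any any eq snmp",
    "permit ip any 10.1.0.0 0.0.255.255",
    "deny ip any any log",
]

if __name__ == "__main__":
    # Constructed packets: a LAN host on 10.10.0.0/29 and a DNS reply from a resolver.
    for acl, pkt in [(INSIDE_ACL_IN, Packet("udp", "10.10.0.2", "198.51.100.53", 40000, 53)),
                     (INSIDE_ACL_IN[:1], Packet("udp", "10.10.0.2", "198.51.100.53", 40000, 53)),
                     (OUTSIDE_ACL_IN, Packet("udp", "198.51.100.53", "10.1.1.10", 53, 40000))]:
        print(pkt, "->", evaluate(acl, pkt))
```

Running the script shows the LAN host hitting "deny ip any any" on the inside list, the implicit deny once that line is removed, and the DNS reply being permitted on the outside list; swapping the packet's protocol to "53" shows which traffic "deny 53 any any" actually drops.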