ACL，NAT和DHCP的使用和配置

ACL，NAT和DHCP的使用和配置

实验目的：熟练掌握ACL，NAT和DHCP的原理以及在CISCO IOS上对它们进行配置的方法
实验内容：ACL的配置

NAT的配置
DHCP的配置
实验条件：2600系列路由器两台，2900交换机一台，PC两台

一．ACL的配置
（一）标准ACL

Step 1 在路由器上配置主机名和密码

Step 2 配置以太网段上的PC

a. PC 1

IP address 192.168.14.2

Subnet mask 255.255.255.0

Default gateway 192.168.14.1

b. PC 2

IP address 192.168.14.3

Subnet mask 255.255.255.0

Default gateway 192.168.14.1

Step 3 保存配置

GAD#copy running-config startup-config

Step 4 通过ping命令测试两台PC到缺省网关的连接性

Step 5 阻止PC访问路由器的以太口

GAD(config)#access-list 1 deny 192.168.14.0 0.0.0.255

GAD(config)#access-list 1 permit any

Step 6 从路由器ping两台PC

Step 7 把ACL应用到接口上

GAD(config-if)#ip access-group 1 in

Step 8 从两台PC ping路由器

Step 9 创建新的ACL

access-list 2 permit 192.168.14.1 0.0.0.254

Step 10 把ACL应用的接口上

ip access-group 2 in

Step 11 从两台PC ping路由器

GAD#show running-config

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname GAD

!

ip subnet-zero

!

ip audit notify log

ip audit po max-events 100

!

interface FastEthernet0/0

ip address 192.168.14.1 255.255.255.0

ip access-group 2 in

no ip directed-broadcast

!

interface Serial0/0

no ip address

no ip directed-broadcast

no ip mroute-cache

shutdown

no fair-queue

!

interface Serial0/1

no ip address

no ip directed-broadcast

shutdown

!

ip classless

no ip http server

!

access-list 1 deny 192.168.14.0 0.0.0.255

access-list 1 permit any

access-list 2 permit 192.168.14.1 0.0.0.254

!

line con 0

transport input none

line aux 0

line vty 0 4

!

end
（二）扩展ACL

Step 1 配置路由器GAD的主机名和密码

Step 2 配置以太网段上的PC

a. PC 1

IP address 192.168.14.2

Subnet mask 255.255.255.0

Default gateway 192.168.14.1

b. PC 2

IP address 192.168.14.3

Subnet mask 255.255.255.0

Default gateway 192.168.14.1

Step 3 保存配置

GAD#copy running-config startup-config

Step 4 通过ping命令测试两台PC到缺省网关的连接性

Step 5 用Web浏览器连接路由器

Step 6 防止通过以太网接入80端口

GAD(config)#access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80

GAD(config)#access-list 101 permit ip any any

Step 7 应用ACL到接口

GAD(config-if)#ip access-group 101 in

Step 8 从PC Ping路由器

Step 9 用Web浏览器连接路由器

Step 10 从PC接入路由器

GAD#show running-config

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname GAD

!

!

memory-size iomem 10

ip subnet-zero

no ip domain-lookup

!

ip audit notify log

ip audit po max-events 100

!

process-max-time 200

!

interface FastEthernet0/0

ip address 192.168.14.1 255.255.255.0

ip access-group 101 in

no ip directed-broadcast

!

interface Serial0/0

ip address 192.168.2.1 255.255.255.0

no ip directed-broadcast

!

interface Serial0/1

no ip address

no ip directed-broadcast

shutdown

!

ip classless

ip http server

!

access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq www

access-list 101 permit ip any any

!

line con 0

password cisco

login

transport input none

line aux 0

line vty 0 4

password cisco

login

!

no scheduler allocate

end

（三）命名ACL

Step 1 配置路由器的主机名和密码

Step 2 配置以太网段上的PC

a. PC 1

IP address 192.168.14.2

Subnet mask 255.255.255.0

Default gateway 192.168.14.1

b. PC 2

IP address 192.168.14.3

Subnet mask 255.255.255.0

Default gateway 192.168.14.1

Step 3 保存配置

GAD#copy running-config startup-config

Step 4 通过ping命令测试两台PC到缺省网关的连接性

Step 5 阻止主机访问以太口

GAD(config)#ip access-list standard no_access

GAD(config-std-nacl)#deny 192.168.14.0 0.0.0.255

GAD(config-std-nacl)#permit any

Step 6 从PC Ping路由器

Step 7 应用ACL到接口上

GAD(config-if)#ip access-group no_access in

Step 8 从PC Ping路由器

GAD#show running-config

Building configuration...

Current configuration : 638 bytes

!

version 12.2

!

hostname GAD

!

enable secret 5 $1$rzr7$l9H/aXmOyxeCAiPAUoGLq.

!

ip subnet-zero

!

interface FastEthernet0/0

ip address 192.168.14.1 255.255.255.0

ip access-group no_access in

!

interface Serial0/0

no ip address

shutdown

no fair-queue

!

interface Serial0/1

no ip address

shutdown

!

ip classless

no ip http server

!

!

ip access-list standard no_access

deny 192.168.14.0 0.0.0.255

permit any

!

line con 0

password cisco

login

line aux 0

password cisco

login

line vty 0 4

password cisco

login

!

end

GAD#show ip access-lists

Standard IP access list no_access

deny 192.168.14.0, wildcard bits 0.0.0.255 (18 matches)

permit any

一．NAT的配置
（一）静态和动态NAT

Step 1 配置路由器

346 - 489 CCNA 4: WAN Technologies v 3.1 - Lab 1.1.4c Copyright 粕 2003, Cisco Systems, Inc.

ISP

Router#configure terminal

Router(config)#hostname ISP

ISP(config)#enable password cisco

ISP(config)#enable secret class

ISP(config)#line console 0

ISP(config-line)#password cisco

ISP(config-line)#login

ISP(config-line)#exit

ISP(config)#line vty 0 4

ISP(config-line)#password cisco

ISP(config-line)#login

ISP(config-line)#exit

ISP(config)#interface loopback 0

ISP(config-if)#ip address 172.16.1.1 255.255.255.255

ISP(config-if)#exit

ISP(config)#interface serial 0

ISP(config-if)#ip address 200.2.2.17 255.255.255.252

ISP(config-if)#clock rate 64000

ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18

ISP(config)#end

ISP#copy running-config startup-config

Gateway

Router#configure terminal

Router(config)#hostname Gateway

Gateway(config)#enable password cisco

Gateway(config)#enable secret class

Gateway(config)#line console 0

Gateway(config-line)#password cisco

Gateway(config-line)#login

Gateway(config-line)#exit

Gateway(config)#line vty 0 4

Gateway(config-line)#password cisco

Gateway(config-line)#login

Gateway(config-line)#exit

Gateway(config)#interface fastethernet 0

Gateway(config-if)#ip address 10.10.10.1 255.255.255.0

Gateway(config-if)#no shutdown

Gateway(config-if)#exit

Gateway(config)#interface serial 0

Gateway(config-if)#ip address 200.2.2.18 255.255.255.252

Gateway(config-if)#no shutdown

Gateway(config)#ip route 0.0.0.0 0.0.0.0 200.2.2.17

Step 2 保存配置

copy running-config startup-config.

Step 3 为PC配置正确的IP地址，子网掩码和缺省网关

Step 4 测试网络的连通性

Step 5 创建静态路由

ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18

ISP#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS

inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

199.99.9.0/27 is subnetted, 1 subnets

S 199.99.9.32 [1/0] via 200.2.2.18

200.2.2.0/30 is subnetted, 1 subnets

C 200.2.2.16 is directly connected, Serial0/0

172.16.0.0/32 is subnetted, 1 subnets

C 172.16.1.1 is directly connected, Loopback0

Step 6 创建缺省路由

Gateway(config)#ip route 0.0.0.0 0.0.0.0 200.2.2.17

Gateway#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B –

BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS

inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 200.2.2.17 to network 0.0.0.0

200.2.2.0/30 is subnetted, 1 subnets

C 200.2.2.16 is directly connected, Serial0/0

10.0.0.0/24 is subnetted, 1 subnets

C 10.10.10.0 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 [1/0] via 200.2.2.17

Step 7 定义缺省的公有地址池

Gateway(config)#ip nat pool public_access 199.99.9.40 199.99.9.62

netmask 255.255.255.224

Step 8 创建ACL定义内部私有的IP地址

Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255

Step 9 定义内部列表到外部地址池的地址转换

Gateway(config)#ip nat inside source list 1 pool public_access

Step 10 确定接口

Gateway(config)#interface fastethernet 0

Gateway(config-if)#ip nat inside

Gateway(config-if)#interface serial 0

Gateway(config-if)#ip nat outside

Step 11 配置静态映射

Gateway(config)#ip nat inside source static 10.10.10.10 199.99.9.33

Gateway#show ip nat translations

Step 12 测试配置

ISP#ping 10.10.10.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

ISP#ping 199.99.9.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 199.99.9.33, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

ISP#

Gateway#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 199.99.9.33 10.10.10.10 --- ---

汇总：

Gateway NAT Configuration

Gateway#configure terminal

Gateway(config)#ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224

Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255

Gateway(config)#ip nat inside source list 1 pool public_access

Gateway(config)#interface fa0/0

Gateway(config-if)#ip nat inside

Gateway(config-if)#interface serial 0/0

Gateway(config-if)#ip nat outside

Gateway(config-if)#exit

Gateway(config)#ip nat inside source static 10.10.10.10 199.99.9.33

Gateway(config)#exit

（二）超载NAT

Step 1 配置路由器

ISP

Router#configure terminal

Router(config)#hostname ISP

ISP(config)#enable password cisco

ISP(config)#enable secret class

ISP(config)#line console 0

ISP(config-line)#password cisco

ISP(config-line)#login

ISP(config-line)#exit

ISP(config)#line vty 0 4

ISP(config-line)#password cisco

ISP(config-line)#login

ISP(config-line)#exit

ISP(config)#interface loopback 0

ISP(config-if)#ip address 172.16.1.1 255.255.255.255

ISP(config-if)#exit

ISP(config)#interface serial 0

ISP(config-if)#ip address 200.2.2.17 255.255.255.252

ISP(config-if)#no shutdown

ISP(config-if)#clock rate 64000

ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18

ISP(config)#end

ISP#copy running-config startup-config

Gateway

Router#configure terminal

Router(config)#hostname Gateway

Gateway(config)#enable password cisco

Gateway(config)#enable secret class

Gateway(config)#line console 0

Gateway(config-line)#password cisco

Gateway(config-line)#login

Gateway(config-line)#exit

Gateway(config)#line vty 0 4

Gateway(config-line)#password cisco

Gateway(config-line)#login

Gateway(config-line)#exit

Gateway(config)#interface fastethernet 0

Gateway(config-if)#ip address 10.10.10.1 255.255.255.0

Gateway(config-if)#no shutdown

Gateway(config-if)#exit

Gateway(config)#interface serial 0

Gateway(config-if)#ip add