
ACL, NAT and DHCP: Usage and Configuration

Objective: become proficient in the principles of ACL, NAT and DHCP and in configuring them on Cisco IOS.

Lab content:
ACL configuration
NAT configuration
DHCP configuration

Equipment: two 2600-series routers, one 2900 switch, two PCs

ACL configuration

(1) Standard ACL

Step 1 Configure the hostname and passwords on the router

Step 2 Configure the PCs on the Ethernet segment
a. PC 1
IP address
Subnet mask
Default gateway
b. PC 2
IP address
Subnet mask 2
Default gateway

Step 3 Save the configuration
GAD#copy running-config startup-config

Step 4 Use ping to test connectivity from both PCs to the default gateway

Step 5 Block the PCs from accessing the router's Ethernet interface
GAD(config)#access-list 1 deny 55
GAD(config)#access-list 1 permit any

Step 6 Ping both PCs from the router

Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group 1 in

Step 8 Ping the router from both PCs

Step 9 Create a new ACL
access-list 2 permit 54

Step 10 Apply the ACL to the interface
ip access-group 2 in

Step 11 Ping the router from both PCs

GAD#show running-config
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GAD
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
ip address
ip access-group 2 in
no ip directed-broadcast
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
no ip http server
!
access-list 1 deny 55
access-list 1 permit any
access-list 2 permit 54
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end

(2) Extended ACL

Step 1 Configure the hostname and passwords on router GAD

Step 2 Configure the PCs on the Ethernet segment
a. PC 1
IP address
Subnet mask

Default gateway
b. PC 2
IP address
Subnet mask
Default gateway

Step 3 Save the configuration
GAD#copy running-config startup-config

Step 4 Use ping to test connectivity from both PCs to the default gateway

Step 5 Connect to the router with a web browser

Step 6 Block access to port 80 from the Ethernet segment
GAD(config)#access-list 101 deny tcp 55 any eq 80
GAD(config)#access-list 101 permit ip any any

Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group 101 in

Step 8 Ping the router from the PCs

Step 9 Connect to the router with a web browser

Step 10 Access the router from the PCs

GAD#show running-config
Building configuration.
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GAD
!
memory-size iomem 10
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
process-max-time 200
!
interface FastEthernet0/0
ip address
ip access-group 101 in
no ip directed-broadcast
!
interface Serial0/0
ip address 192.168.2.1
no ip directed-broadcast
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
ip http server
!
access-list 101 deny tcp 55 any eq www
access-list 101 permit ip any any
!
line con 0
password cisco
login
transport input none
line aux 0
line vty 0 4
password cisco
login
!
no scheduler allocate
end

(3) Named ACL

Step 1 Configure the hostname and passwords on the router

Step 2 Configure the PCs on the Ethernet segment
a. PC 1
IP address
Subnet mask
Default gateway
b. PC 2
IP address
Subnet mask
Default gateway

Step 3 Save the configuration
GAD#copy running-config startup-config

Step 4 Use ping to test connectivity from both PCs to the default gateway

Step 5 Block the hosts from accessing the Ethernet interface
GAD(config)#ip access-list standard no_access
GAD(config-std-nacl)#deny 55
GAD(config-std-nacl)#permit any

Step 6 Ping the router from the PCs

Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group no_access in

Step 8 Ping the router from the PCs

GAD#show running-config
Building configuration.
Current configuration : 638 bytes
!
version 12.2
!
hostname GAD
!
enable secret 5 $1$rzr7$l9H/aXmOyxeCAiPAUoGLq.
!
ip subnet-zero
!
interface FastEthernet0/0
ip address
ip access-group no_access in
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
ip classless
no ip http server
!
ip access-list standard no_access
deny 55
permit any
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
password cisco
login
!
end

GAD#show ip access-lists
Standard IP access list no_access
deny , wildcard bits 55 (18 matches)
permit any

NAT configuration

(1) Static and dynamic NAT

Step 1 Configure the routers

346 - 489 CCNA 4: WAN Technologies v 3.1 - Lab 1.1.4c Copyright © 2003, Cisco Systems, Inc.

ISP
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable password cisco
ISP(config)#enable secret class
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#interface loopback 0
ISP(config-if)#ip address 55
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip address 7 52
ISP(config-if)#clock rate 64000
ISP(config)#ip route 2 24 8
ISP(config)#end
ISP#copy running-config startup-config

Gateway
Router#configure terminal
Router(config)#hostname Gateway
Gateway(config)#enable password cisco
Gateway(config)#enable secret class
Gateway(config)#line console 0
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#line vty 0 4
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip address
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config)#interface serial 0
Gateway(config-if)#ip address 8 52
Gateway(config-if)#no shutdown
Gateway(config)#ip route 7

Step 2 Save the configuration
copy running-config startup-config.

Step 3 Configure the correct IP address, subnet mask and default gateway on the PCs

Step 4 Test network connectivity

Step 5 Create a static route
ISP(config)#ip route 2 24 8
ISP#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
/27 is subnetted, 1 subnets
S 2 1/0 via 8
/30 is subnetted, 1 subnets
C 6 is directly connected, Serial0/0
/32 is subnetted, 1 subnets
C is directly connected, Loopback0

Step 6 Create a default route
Gateway(config)#ip route 0.0.0.0 7
Gateway#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 7 to network
/30 is subnetted, 1 subnets
C 6 is directly connected, Serial0/0
/24 is subnetted, 1 subnets
C is directly connected, FastEthernet0/0
S* /0 1/0 via 7

Step 7 Define the default pool of public addresses
Gateway(config)#ip nat pool public_access 0 2 netmask 24

Step 8 Create an ACL that defines the inside private IP addresses
Gateway(config)#access-list 1 permit 55

Step 9 Define the translation from the inside list to the outside address pool
Gateway(config)#ip nat inside source list 1 pool public_access

Step 10 Specify the interfaces
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0
Gateway(config-if)#ip nat outside

Step 11 Configure the static mapping
Gateway(config)#ip nat inside source static 10.10.10.10 3
Gateway#show ip nat translations

Step 12 Test the configuration
ISP#ping 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 0, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
ISP#ping 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 199.99.9.33, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
ISP#
Gateway#show ip nat translations
Pro Inside global Inside local Outside local Outside global
- 3 0 - -

Summary: Gateway NAT Configuration
Gateway#configure terminal
Gateway(config)#ip nat pool public_access 0 2 netmask 24
Gateway(config)#access-list 1 permit 55
Gateway(config)#ip nat inside source list 1 pool public_access
Gateway(config)#interface fa0/0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0/0
Gateway(config-if)#ip nat outside
Gateway(config-if)#exit
Gateway(config)#ip nat inside source static 0 3
Gateway(config)#exit

(2) NAT overload

Step 1 Configure the routers

ISP
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable password cisco
ISP(config)#enable secret class
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#interface loopback 0
ISP(config-if)#ip address 55
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip address 7 52
ISP(config-if)#no shutdown
ISP(config-if)#clock rate 64000
ISP(config)#ip route 2 24 8
ISP(config)#end
ISP#copy running-config startup-config

Gateway
Router#configure terminal
Router(config)#hostname Gateway
Gateway(config)#enable password cisco
Gateway(config)#enable secret class
Gateway(config)#line console 0
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#line vty 0 4
Gateway(config-line)#password cisco
Gateway(config-line)#login
Gateway(config-line)#exit
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip address
Gateway(config-if)#no shutdown
Gateway(config-if)#exit
Gateway(config)#interface serial 0
Gateway(config-if)#ip address 8 52
Gateway(config-if)#no shutdown
Gateway(config)#ip route 200.2.2.17

Step 2 Save the configuration
copy running-config startup-config.

Step 3 Configure the correct IP address, subnet mask and default gateway on the PCs

Step 4 Test network connectivity

Step 5 Create a default route
Gateway(config)#ip route serial 0
Gateway#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 7 to network
/30 is subnetted, 1 subnets
C 6 is directly connected, Serial0/0
/24 is subnetted, 1 subnets
C is directly connected, FastEthernet0/0
S* /0 1/0 via 7

Step 6 Create an ACL that defines the inside private IP addresses
Gateway(config)#access-list 1 permit 55

Step 7 Define the PAT translation from inside list to outside address
Gateway(config)#ip nat inside source list 1 interface serial 0 overload

Step 8 Specify the interfaces
Gateway(config)#interface fastethernet 0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0
Gateway(config-if)#ip nat outside

Step 9 Test the configuration
Gateway#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 8:1086 0:1086 :23 :23
icmp 8:768 0:768 :768 :768

Summary: Gateway PAT configuration
Gateway#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Gateway(config)#access-list 1 permit 55
Gateway(config)#ip nat inside source list 1 interface serial 0/0 overload
Gateway(config)#interface fa0/0
Gateway(config-if)#ip nat inside
Gateway(config-if)#exit
Gateway(config)#interface serial 0/0
Gateway(config-if)#ip nat outside
Gateway(config-if)#exit
Gateway(config)#exit
Gateway#copy running-config startup-config

DHCP configuration

Step 1 Configure the routers

Remote router configuration
Router#configure terminal
Router(config)#hostname remote
remote(config)#enable password cisco
remote(config)#enable secret class
remote(config)#line console 0
remote(config-line)#password cisco
remote(config-line)#login
remote(config-line)#exit
remote(config)#line vty 0 4
remote(config-line)#password cisco
remote(config-line)#login
remote(config-line)#exit
remote(config)#interface fastethernet 0/0
remote(config-if)#ip address

remote(config-if)#no shutdown
remote(config-if)#exit
remote(config)#interface serial 0/0
remote(config-if)#ip address 52
remote(config-if)#no shutdown
remote(config-if)#exit
remote(config)#router ospf 1
remote(config-router)#network 55 area 0
remote(config-router)#network 55 area 0
remote(config-router)#end
remote#copy running-config startup-config

Campus router configuration
Router#configure terminal
Router(config)#hostname campus
campus(config)#enable password cisco
campus(config)#enable secret class
campus(config)#line console 0
campus(config-line)#password cisco
campus(config-line)#login
campus(config-line)#exit
campus(config)#line vty 0 4
campus(config-line)#password cisco
campus(config-line)#login
campus(config-line)#exit
campus(config)#interface fastethernet 0/0
campus(config-if)#ip address
campus(config-if)#no shutdown
campus(config-if)#exit
campus(config)#interface serial 0/0
campus(config-if)#ip address 52
campus(config-if)#clock rate 56000
campus(config-if)#no shutdown
campus(config-if)#exit
campus(config)#router ospf 1
campus(config-router)#network 55 area 0
campus(config-router)#network 55 area 0
campus(config-router)#end
campus#copy running-config startup-config

Step 2 Enable OSPF on router remote
remote(config)#router ospf 1
remote(config-router)#network area 0
remote(config-router)#network area 0

Step 3 Enable OSPF on router campus
campus(config)#router ospf 1
campus(config-router)#network 55 area 0
campus(config-router)#network 55 area 0

remote#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
/16 is variably subnetted, 3 subnets, 2 masks
O /24 110/65 via , 00:00:12, Serial0/0
C /24 is directly connected, FastEthernet0/0
C /30 is directly connected, Serial0/0

campus#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
/16 is variably subnetted, 3 subnets, 2 masks
C /24 is directly connected, FastEthernet0/0
O /24 110/65 via , 00:00:14, Serial0/0
C 172.16.1.4/30 is directly connected, Serial0/0

Step 4 Save the configuration
copy running-config startup-config.

Step 5 Create the campus address pool on router campus
campus(config)#ip dhcp pool campus
campus(dhcp-config)#network
campus(dhcp-config)#default-router
campus(dhcp-config)#dns-server
campus(dhcp-config)#domain-name
campus(dhcp-config)#netbios-name-server 0

Step 6 Create the remote address pool on router campus
campus(dhcp-config)#ip dhcp pool remote
campus(dhcp
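
Added example (not part of the original lab handout): a small model of how the standard ACLs in the ACL section are evaluated, showing wildcard-mask matching, first-match ordering, the implicit deny that an ACL consisting of a single permit line relies on, and a check for entries made unreachable by an earlier entry. The addresses and wildcard masks are constructed sample values, since the handout's own addresses did not survive on this page; the function names are hypothetical.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(line):
    """Parse a standard ACL entry body: 'permit|deny any | host A | A [W]'.
    Returns (action, base, care); care has a 1 on every bit that must match."""
    action, *rest = line.split()
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"not a standard ACL entry: {line!r}")
    if rest == ["any"]:
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wildcard = rest[1], "0.0.0.0"
    else:
        base, wildcard = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
    care = ~_u32(wildcard) & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
    return action, _u32(base) & care, care

def evaluate(acl, src):
    """First matching entry decides; no match falls to the implicit deny.
    Returns (action, index of the matching entry or None)."""
    addr = _u32(src)
    for i, line in enumerate(acl):
        action, base, care = parse_entry(line)
        if addr & care == base:
            return action, i
    return "deny", None

def shadowed(acl):
    """Entries that can never match because an earlier entry already matches
    every address they cover. Returns [(later_index, earlier_index), ...]."""
    parsed = [parse_entry(line) for line in acl]
    hits = []
    for j, (_, base_j, care_j) in enumerate(parsed):
        for i, (_, base_i, care_i) in enumerate(parsed[:j]):
            if care_i & ~care_j == 0 and base_j & care_i == base_i:
                hits.append((j, i))
                break
    return hits

# Constructed sample ACLs (documentation address ranges, not the lab's values).
ACL_DENY_LAN = ["deny 192.0.2.0 0.0.0.255", "permit any"]
ACL_EVEN_ONLY = ["permit 192.0.2.0 0.0.0.254"]   # single permit line
ACL_MISORDERED = ["permit any", "deny 192.0.2.0 0.0.0.255"]

if __name__ == "__main__":
    for src in ("192.0.2.2", "192.0.2.3", "198.51.100.7"):
        print(src, evaluate(ACL_DENY_LAN, src), evaluate(ACL_EVEN_ONLY, src))
    print("unreachable entries:", shadowed(ACL_MISORDERED))
```

The same model explains why the order of the deny and permit any lines in Step 5 matters: with the two lines swapped, the deny entry is reported as unreachable.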
