The OpenNET Project / Index page





access lists on cisco 2610xm, tigran_astranet, 14-Mar-07, 17:47
Hello!

I configured the following access lists on the cisco:
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46

From these you can see that only specific IPs have access to host 62.33.28.46, but the host's statistics say something completely different... that is, IPs that are not in the permitted list are getting through to host 62.33.28.46... what did I do wrong?

  • access lists on cisco 2610xm, vit5, 18:08, 14-Mar-07 (1)
    • access lists on cisco 2610xm, tigran_astranet, 19:52, 14-Mar-07 (2)
      >
      >show the actual interface you are binding the ACL to
      >how are you looking at the statistics for the IPs not in the permitted list
      >are the addresses from this network or from another one
      >
      >try
      >also doing this
      >access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
      >access-list 122 deny   ip any any log - although it
      >should be on by default
      >
      >and turn on terminal monitor
      >something will get dumped into the log on the deny
      >if so, the ACL is working
      >but which direction it works in is for you to decide
      >ip access group 122 in or out
      >
      Following your advice, I changed the config:

      interface FastEthernet0/0

      .............................

      ip access-group 122 out

      .............................

      access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
      access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
      access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46
      access-list 122 permit ip any any

      but the situation is the same... the cisco still lets other IPs through to this host...


      • access lists on cisco 2610xm, vit5, 08:30, 15-Mar-07 (3)
        • access lists on cisco 2610xm, tigran_astranet, 10:30, 15-Mar-07 (4)
          >show the config!

          Here it is:

          Current configuration : 4198 bytes
          !
          version 12.3
          service timestamps debug datetime msec
          service timestamps log datetime msec
          service password-encryption
          !
          hostname gw.astra-net.ru
          !
          boot-start-marker
          boot system flash:c2600-ipbase-mz.123-14.T7.bin
          boot-end-marker
          !
          enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
          enable password xxxxxxxxxxxxxxxxxx
          !
          aaa new-model
          !
          !
          aaa authentication login default local
          aaa authentication ppp default group radius
          aaa authorization exec default local
          aaa authorization network default group radius
          aaa accounting delay-start
          aaa accounting update newinfo periodic 2
          aaa accounting network default start-stop group radius
          !
          aaa session-id common
          !
          resource policy
          !
          clock timezone pdt 3
          clock summer-time pdt recurring
          no network-clock-participate slot 1
          no network-clock-participate wic 0
          ip subnet-zero
          ip cef
          !
          !
          no ip dhcp use vrf connected
          !
          !
          ip name-server 212.48.192.8
          ip name-server 195.161.15.19
          vpdn enable
          vpdn ip udp ignore checksum
          !
          vpdn-group 1
          ! Default PPTP VPDN group
          accept-dialin
            protocol pptp
            virtual-template 1
          source-ip 10.0.0.1
          !
          no ftp-server write-enable
          async-bootp dns-server 212.48.192.8 195.161.15.19
          !
          username admin password xxxxxxxxxxxxxxxxxxxx
          !
          !
          !
          interface FastEthernet0/0
          ip address 10.0.0.1 255.255.255.0 secondary
          ip address 62.33.28.97 255.255.255.224 secondary
          ip address 62.33.28.65 255.255.255.224 secondary
          ip address 10.0.1.1 255.255.255.0 secondary
          ip address 62.33.28.9 255.255.255.248 secondary
          ip address 62.33.28.17 255.255.255.240 secondary
          ip address 62.33.28.33 255.255.255.224 secondary
          ip address 10.0.20.1 255.255.255.0 secondary
          ip address 62.33.28.6 255.255.255.252
          ip route-cache flow
          speed auto
          half-duplex
          ntp broadcast
          no mop enabled
          !
          interface FastEthernet0/0.1
          encapsulation dot1Q 100
          ip address 10.0.10.1 255.255.255.0 secondary
          ip address 62.33.28.129 255.255.255.128
          no snmp trap link-status
          !
          interface Virtual-Template1
          ip unnumbered FastEthernet0/0
          ip access-group 122 out
          ip route-cache flow
          ip mroute-cache
          no peer default ip address
          ppp authentication pap
          !
          interface Group-Async1
          ip unnumbered FastEthernet0/0
          encapsulation ppp
          dialer in-band
          dialer idle-timeout 1000000
          dialer-group 1
          async mode interactive
          peer default ip address pool DialUpLp
          ppp authentication pap
          group-range 33 40
          !
          ip local pool DialUpLp 62.33.28.98 62.33.28.105
          ip classless
          ip route 0.0.0.0 0.0.0.0 62.33.28.5
          ip flow-export source FastEthernet0/0
          ip flow-export version 5
          ip flow-export destination 62.33.28.94 9991
          ip flow-export destination 62.33.28.5 9996
          !
          no ip http server
          !
          access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.144 host 62.33.28.46
          access-list 122 permit ip host 62.33.28.221 host 62.33.28.46
          access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
          access-list 122 permit ip any any
          snmp-server community astra-net.ru RO
          snmp-server enable traps tty
          radius-server host 62.33.28.94 auth-port 1812 acct-port 1813 key xxxxxxxxxxxxxx
          E
          !
          control-plane
          !
          !
          line con 0
          line 33 40
          script modem-off-hook offhook
          modem InOut
          transport input all
          autoselect ppp
          flowcontrol software
          line aux 0
          line vty 0 4
          password xxxxxxxxxxxxxxxxxxxx
          !
          ntp clock-period 17208555
          ntp server 147.45.0.4
          ntp server 147.45.15.34
          !
          end
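As an added example (not from the thread and not IOS code), a small Python checker for exactly this situation: it walks the `ip` entries of a numbered ACL the way IOS evaluates them (first match wins, implicit deny at the end) and lists the interface and direction pairs the config binds the ACL to; the ACL and interface excerpts inside it are constructed from the thread. Note that in the running config above the only binding is `ip access-group 122 out` under Virtual-Template1, so the FastEthernet0/0 stanza in the excerpt carries none.

```python
import ipaddress
# Constructed excerpts of ACL 122 and of two interface stanzas from the thread (not the full config).
ACL_122 = """
access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
access-list 122 permit ip any any
"""
CONFIG = """
interface FastEthernet0/0
 ip address 62.33.28.6 255.255.255.252
interface Virtual-Template1
 ip access-group 122 out
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care (the inverse of a netmask).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text, number):
    """Return the `ip` entries of numbered ACL `number` as (action, src_net, dst_net, log), in order."""
    rules = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[3] != "ip":
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        rules.append((t[2], src, dst, "log" in rest))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; an ACL ends with an implicit deny of everything else."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, _log in rules:
        if s in src and d in dst:
            return action
    return "deny"

def acl_bindings(config, number):
    """List (interface, direction) pairs where `ip access-group <number>` is applied."""
    bindings, iface = [], None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["interface"]:
            iface = t[1]
        elif t[:3] == ["ip", "access-group", str(number)]:
            bindings.append((iface, t[3]))
    return bindings
```

Run `evaluate(parse_acl(ACL_122, 122), "62.33.28.50", "62.33.28.46")` against a source that is not in the permit list and the ACL itself says "deny"; `acl_bindings(CONFIG, 122)` then shows that the only place the ACL could act is outbound towards a PPTP client.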



