Astranet Posted March 14, 2007

Hello! I configured the following access lists on a Cisco:

interface FastEthernet0/0
 .............................
 ip access-group 122 out
 .............................
access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
access-list 122 deny ip 62.33.28.0 0.0.0.255 host 62.33.28.46
access-list 122 permit ip any any

It is clear from them that only certain IPs have access to host 62.33.28.46, but the host's statistics say something quite different... that is, IPs that are not in the allowed list do reach host 62.33.28.46... What did I do wrong?

zander Posted March 14, 2007 (edited)

Well, that's right, the last line permits everyone who isn't listed before it. It should be like this:

access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
access-list 122 deny ip any any

Edited March 14, 2007 by zander

Astranet (Author) Posted March 14, 2007

If I apply the config you suggested, then on the Cisco only the IPs listed above will have access to host 62.33.28.46... and the remaining IPs won't have access anywhere...

DRiVen Posted March 14, 2007 (edited)

> If I apply the config you suggested, then on the Cisco only the IPs listed above will have access to host 62.33.28.46... and the remaining IPs won't have access anywhere...

Then you started writing the ACL wrong from the very beginning. Invert the list: deny the hosts from 62.33.28.0/24 that have no right to reach 62.33.28.46, and everything else will fall under permit any any.

Edited March 14, 2007 by DRiVen
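
Added example, not part of the thread and not any poster's code: a small Python model of how an IOS extended ACL is evaluated (lines are checked top to bottom, the first match decides, wildcard bits set to 1 are ignored, and an implicit deny ends every list), run over the three list shapes discussed above. The two permitted hosts are a constructed subset of the sixteen in the thread; 62.33.28.50, 192.0.2.10 and 198.51.100.7 are constructed probe addresses.

```python
from ipaddress import IPv4Address

def _spec(tokens):  # consume one address spec, return (base, wildcard)
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(head)), int(IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[3] == "ip":
            rest = tok[4:]
            rules.append((tok[2], _spec(rest), _spec(rest)))
    return rules

def _match(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, src, dst):
    """First matching line decides; no match falls to the implicit deny."""
    for n, (action, s, d) in enumerate(rules, 1):
        if _match(src, s) and _match(dst, d):
            return action, n
    return "deny", None

# Constructed: two of the thread's sixteen permitted hosts; .50 is a made-up unlisted host.
ALLOWED = ("access-list 122 permit ip host 62.33.28.96 host 62.33.28.46\n"
           "access-list 122 permit ip host 62.33.28.141 host 62.33.28.46\n")
ORIGINAL = parse_acl(ALLOWED +
    "access-list 122 deny ip 62.33.28.0 0.0.0.255 host 62.33.28.46\n"
    "access-list 122 permit ip any any\n")
DENY_ALL = parse_acl(ALLOWED + "access-list 122 deny ip any any\n")
INVERTED = parse_acl("access-list 122 deny ip host 62.33.28.50 host 62.33.28.46\n"
                     "access-list 122 permit ip any any\n")
# Constructed probes: listed host; unlisted host to .46 and elsewhere; outside source.
PROBES = [("62.33.28.96", "62.33.28.46"), ("62.33.28.50", "62.33.28.46"),
          ("62.33.28.50", "192.0.2.10"), ("198.51.100.7", "62.33.28.46")]

def verdicts(rules):
    return [evaluate(rules, s, d)[0] for s, d in PROBES]

for name, acl in (("original", ORIGINAL), ("deny any any", DENY_ALL), ("inverted", INVERTED)):
    print(f"{name:13}", verdicts(acl))
```

The model covers only packets the router actually forwards out of the interface the list is applied to.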