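Lock-and-key
Topology:
A security policy is applied when the external network accesses the internal network: access is allowed only after authentication.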
R1:
Router>en
Router#conf t
Router(config)#host R1
R1(config)#no ip do lo
R1(config)#line cons 0
R1(config-line)#no exec-t
R1(config-line)#logg sync
R1(config-line)#exi
R1(config)#int fa0/0
R1(config-if)#ip add 10.2.2.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int lo 0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#ip add 3.3.3.3 255.255.255.0 s
R1(config-if)#no sh
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 fa 0/0
R1(config)#end
R2:
Router>en
Router#conf t
Router(config)#host R2
R2(config)#no ip do lo
R2(config)#line cons 0
R2(config-line)#no exec-t
R2(config-line)#logg sync
R2(config-line)#exi
R2(config)#int fa0/0
R2(config-if)#ip add 10.2.2.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int lo 0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exi
R2(config)#ip route 0.0.0.0 0.0.0.0 fa0/0
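Configure lock-and-key:
R2(config)#username ccxx password passccie (create the username and password)
R2(config)#access-list 100 per tcp any any eq 23 (permit only telnet)
R2(config)#access-list 100 dynamic ccxx per ip any any
R2(config)#line vty 0 4 (enter the vty lines)
R2(config-line)#login local (apply local authentication)
R2(config-line)#autocommand access-enable host (host allows access only from the host that passed authentication; without this parameter, once one host authenticates, all other hosts can access as well)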
R2(config-line)#exi
R2(config)#int fa0/0
R2(config-if)#ip access-group 100 in (apply the ACL on the interface)
R2(config-if)#exi
Verification:
R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
U.U. (not authenticated, destination unreachable)
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
User Access Verification
Username: ccxx (authenticate)
Password:
[Connection to 2.2.2.2 closed by foreign host]
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Checking on R2 shows that a dynamic permit entry has been created:
R2#sh access-lists
Extended IP access list 100
10 permit tcp any any eq telnet (81 matches)
20 Dynamic ccxx permit ip any any
permit ip host 10.2.2.1 any (30 matches)
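The dynamic entry shown above has no timer, because neither the ACL template nor access-enable was given a timeout. A variant of the R2 configuration with both timeouts set follows, as an added example that is not part of the original lab; the timeout values (30 and 5 minutes) and the split of the vty lines are assumptions chosen for illustration.

```cisco
! Added example, not from the original lab. Timeout values are assumed.
! Without any timeout, the dynamic entry stays in ACL 100 until it is
! removed by hand (clear access-template) or the router reloads.
!
username ccxx password passccie
!
access-list 100 permit tcp any any eq 23
! Absolute timeout: the dynamic entry is deleted 30 minutes after it
! is created, whether or not traffic is still matching it.
access-list 100 dynamic ccxx timeout 30 permit ip any any
!
! vty 0-2 are used for lock-and-key authentication only.
line vty 0 2
 login local
 ! Idle timeout: the entry is removed after 5 minutes without matching
 ! traffic. It should be shorter than the absolute timeout.
 autocommand access-enable host timeout 5
!
! vty 3-4 have no autocommand, so a session on them is not closed
! right after login and the router can still be managed remotely.
! rotary 1 makes these lines answer on TCP port 3001. ACL 100 does not
! permit port 3001, so they are reachable only through interfaces
! where ACL 100 is not applied.
line vty 3 4
 login local
 rotary 1
!
interface FastEthernet0/0
 ip access-group 100 in
```

Telnet carries the username and password in cleartext, so the credentials that open the dynamic entry are visible to anyone on the path between the client and R2.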