URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 13076

Original message
"access lists on cisco 2610xm"

Posted by tigran_astranet, 14-Mar-07 17:47
Hello!

I configured the following access lists on the cisco:
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46

From these it is clear that only certain IPs have access to host 62.33.28.46, but the host's statistics say something completely different... that is, IPs that are not in the permitted list are reaching host 62.33.28.46... what did I do wrong????


Contents

Messages in this discussion
"access lists on cisco 2610xm"
Posted by vit5, 14-Mar-07 18:08

show the interface itself that you bind the acl to
how are you looking at the statistics for IPs not in the permitted list
are the addresses from this network or from another one

try
doing it like this as well
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
access-list 122 deny   ip any any log - although that one should be in by default

and turn on terminal monitor
something should start dropping into the log on a deny
if it does, the acl is working
and which direction it works in is for you to decide
ip access group 122 in or out




"access lists on cisco 2610xm"
Posted by tigran_astranet, 14-Mar-07 19:52
>
>show the interface itself that you bind the acl to
>how are you looking at the statistics for IPs not in the permitted list
>are the addresses from this network or from another one
>
>try
>doing it like this as well
>access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
>access-list 122 deny   ip any any log - although that one
>should be in by default
>
>and turn on terminal monitor
>something should start dropping into the log on a deny
>if it does, the acl is working
>and which direction it works in is for you to decide
>ip access group 122 in or out
>
Following your advice I changed the config:

interface FastEthernet0/0

.............................

ip access-group 122 out

.............................

access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46
access-list 122 permit ip any any

but the situation is the same... the cisco still lets other IPs through to this host...



"access lists on cisco 2610xm"
Posted by vit5, 15-Mar-07 08:30
show the config!

"access lists on cisco 2610xm"
Posted by tigran_astranet, 15-Mar-07 10:30
>show the config!

Here it is:

Current configuration : 4198 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gw.astra-net.ru
!
boot-start-marker
boot system flash:c2600-ipbase-mz.123-14.T7.bin
boot-end-marker
!
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
enable password xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update newinfo periodic 2
aaa accounting network default start-stop group radius
!
aaa session-id common
!
resource policy
!
clock timezone pdt 3
clock summer-time pdt recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip name-server 212.48.192.8
ip name-server 195.161.15.19
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
source-ip 10.0.0.1
!
no ftp-server write-enable
async-bootp dns-server 212.48.192.8 195.161.15.19
!
username admin password xxxxxxxxxxxxxxxxxxxx
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0 secondary
ip address 62.33.28.97 255.255.255.224 secondary
ip address 62.33.28.65 255.255.255.224 secondary
ip address 10.0.1.1 255.255.255.0 secondary
ip address 62.33.28.9 255.255.255.248 secondary
ip address 62.33.28.17 255.255.255.240 secondary
ip address 62.33.28.33 255.255.255.224 secondary
ip address 10.0.20.1 255.255.255.0 secondary
ip address 62.33.28.6 255.255.255.252
ip route-cache flow
speed auto
half-duplex
ntp broadcast
no mop enabled
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 10.0.10.1 255.255.255.0 secondary
ip address 62.33.28.129 255.255.255.128
no snmp trap link-status
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
ip access-group 122 out
ip route-cache flow
ip mroute-cache
no peer default ip address
ppp authentication pap
!
interface Group-Async1
ip unnumbered FastEthernet0/0
encapsulation ppp
dialer in-band
dialer idle-timeout 1000000
dialer-group 1
async mode interactive
peer default ip address pool DialUpLp
ppp authentication pap
group-range 33 40
!
ip local pool DialUpLp 62.33.28.98 62.33.28.105
ip classless
ip route 0.0.0.0 0.0.0.0 62.33.28.5
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 62.33.28.94 9991
ip flow-export destination 62.33.28.5 9996
!
no ip http server
!
access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 permit ip host 62.33.28.235 host 62.33.28.46
access-list 122 permit ip host 62.33.28.152 host 62.33.28.46
access-list 122 permit ip host 62.33.28.247 host 62.33.28.46
access-list 122 permit ip host 62.33.28.203 host 62.33.28.46
access-list 122 permit ip host 62.33.28.248 host 62.33.28.46
access-list 122 permit ip host 62.33.28.11 host 62.33.28.46
access-list 122 permit ip host 62.33.28.84 host 62.33.28.46
access-list 122 permit ip host 62.33.28.157 host 62.33.28.46
access-list 122 permit ip host 62.33.28.149 host 62.33.28.46
access-list 122 permit ip host 62.33.28.67 host 62.33.28.46
access-list 122 permit ip host 62.33.28.120 host 62.33.28.46
access-list 122 permit ip host 62.33.28.119 host 62.33.28.46
access-list 122 permit ip host 62.33.28.79 host 62.33.28.46
access-list 122 permit ip host 62.33.28.144 host 62.33.28.46
access-list 122 permit ip host 62.33.28.221 host 62.33.28.46
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
access-list 122 permit ip any any
snmp-server community astra-net.ru RO
snmp-server enable traps tty
radius-server host 62.33.28.94 auth-port 1812 acct-port 1813 key xxxxxxxxxxxxxx
E
!
control-plane
!
!
line con 0
line 33 40
script modem-off-hook offhook
modem InOut
transport input all
autoselect ppp
flowcontrol software
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxxxxxx
!
ntp clock-period 17208555
ntp server 147.45.0.4
ntp server 147.45.15.34
!
end


"access lists on cisco 2610xm"
Posted by vit5, 15-Mar-07 11:02
>interface Virtual-Template1
> ip unnumbered FastEthernet0/0
> ip access-group 122 out

I would suppose the access lists need to be hung not on Virtual-Template1
as you have it, but on the interfaces themselves
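The two points vit5 raises in this thread (first-match evaluation of the list with its implicit deny and the in/out direction; and, in the last reply, the fact that the list is bound only on Virtual-Template1) can be checked without a router. The Python below is an added example written for this page, not code from the thread or from Cisco: it parses the `access-list 122` syntax as posted (`host A`, `any`, `A WILDCARD`, trailing `log`), evaluates it first-match-wins with an implicit deny, and then models the part the posted config actually shows: 62.33.28.46 sits in 62.33.28.32/27, a secondary address on FastEthernet0/0, so a packet for that host leaves through FastEthernet0/0, where no `ip access-group` is configured, and never reaches the `ip access-group 122 out` on Virtual-Template1. The route table is a subset of the connected networks from the config; the /32 host route for a PPTP peer at 62.33.28.250 is an assumption added to illustrate the only path on which the list is consulted.

```python
import ipaddress

# Constructed sample: a shortened copy of access-list 122 as posted in the thread
# (three of the per-host permits, the /24 deny, and the trailing 'permit ip any any'
# that was added in the second message).
ACL_WITH_PERMIT_ANY = """
access-list 122 permit ip host 62.33.28.96 host 62.33.28.46
access-list 122 permit ip host 62.33.28.141 host 62.33.28.46
access-list 122 permit ip host 62.33.28.240 host 62.33.28.46
access-list 122 deny   ip 62.33.28.0 0.0.0.255 host 62.33.28.46 log
access-list 122 permit ip any any
"""
# The same list as it stood in the first message, without the trailing permit.
ACL_IMPLICIT_DENY = "\n".join(ACL_WITH_PERMIT_ANY.strip().splitlines()[:-1])

# Connected networks taken from the posted FastEthernet0/0 and 0/0.1 addresses (subset),
# the posted default route, and one hypothetical /32 host route for a PPTP client
# reached via Virtual-Template1 (62.33.28.250 is an assumption, not from the thread).
ROUTES = [
    ("62.33.28.4/30", "FastEthernet0/0"),
    ("62.33.28.32/27", "FastEthernet0/0"),     # contains 62.33.28.46
    ("62.33.28.64/27", "FastEthernet0/0"),
    ("62.33.28.96/27", "FastEthernet0/0"),
    ("62.33.28.128/25", "FastEthernet0/0.1"),
    ("62.33.28.250/32", "Virtual-Template1"),  # hypothetical dial-in peer
    ("0.0.0.0/0", "FastEthernet0/0"),          # ip route 0.0.0.0 0.0.0.0 62.33.28.5
]
# In the posted config 'ip access-group 122 out' appears only under Virtual-Template1.
OUTBOUND_ACL = {"Virtual-Template1": "122"}


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_match(tokens):
    """Consume one IOS address spec: 'host A', 'any', or 'A WILDCARD'.
    Returns ((base, wildcard), remaining tokens)."""
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]


def matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip_int(addr) & care) == (base & care)


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, rest = parse_match(t[4:])
        dst, rest = parse_match(rest)
        entries.append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                        "log": "log" in rest, "text": " ".join(t)})
    return entries


def evaluate(entries, src, dst):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for e in entries:
        if e["proto"] == "ip" and matches(e["src"], src) and matches(e["dst"], dst):
            return e["action"], e["text"]
    return "deny", "implicit deny"


def egress_interface(dst, routes):
    """Longest-prefix match over the route table."""
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1]


def forward(src, dst, acl_text, routes=ROUTES, outbound_acl=OUTBOUND_ACL):
    """Route the packet, then apply the outbound ACL bound on the egress interface, if any.
    acl_text is the body of list 122, the only list in the posted config."""
    iface = egress_interface(dst, routes)
    number = outbound_acl.get(iface)
    if number is None:
        return "permit", iface, "no outbound access-group on this interface"
    action, why = evaluate(parse_acl(acl_text), src, dst)
    return action, iface, "ACL %s: %s" % (number, why)


if __name__ == "__main__":
    for src in ("62.33.28.141", "62.33.28.50", "10.0.0.5"):
        print(src, "-> 62.33.28.46", forward(src, "62.33.28.46", ACL_WITH_PERMIT_ANY))
    # The list is only consulted for traffic leaving towards the dial-in peer:
    print("62.33.28.50 -> 62.33.28.250", forward("62.33.28.50", "62.33.28.250", ACL_WITH_PERMIT_ANY))
    # The list's own logic, as it would apply if bound on the interface the host sits behind:
    print(evaluate(parse_acl(ACL_WITH_PERMIT_ANY), "62.33.28.50", "62.33.28.46"))
    print(evaluate(parse_acl(ACL_WITH_PERMIT_ANY), "10.0.0.5", "62.33.28.46"))
    print(evaluate(parse_acl(ACL_IMPLICIT_DENY), "10.0.0.5", "62.33.28.46"))
```

Running it shows every source reaching 62.33.28.46 with "no outbound access-group on this interface", which is the symptom from the thread, while the list itself would deny 62.33.28.50 if it were consulted. The 10.0.0.5 case is the caveat worth keeping in mind once the list is moved: the posted deny covers only 62.33.28.0/24, so with the trailing `permit ip any any` from the second message a source on one of the 10.0.x.0/24 secondaries of the same router is permitted, whereas the first version of the list, ending in the implicit deny, blocked it.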