interface Loopback0
ip address 20.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat outside
!
router rip
version 2
passive-interface Loopback0
network 12.0.0.0
network 20.0.0.0
!
ip nat outside source static udp 12.1.1.1 520 224.0.0.0 520 extendable
r2#sh ip route
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Loopback0
R 10.0.0.0/8 [120/1] via 12.1.1.1, 00:00:16, Ethernet0/0
12.0.0.0/24 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Ethernet0/0
r2#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
udp --- --- 224.0.0.0:520 12.1.1.1:520
r2#
r2#deb ip nat
IP NAT debugging is on
r2#deb ip rip
RIP protocol debugging is on
r2#
*Mar 1 02:41:50.797: RIP: received v2 update from 12.1.1.1 on Ethernet0/0
*Mar 1 02:41:50.797: 10.0.0.0/8 via 0.0.0.0 in 1 hops
*Mar 1 02:42:04.392: RIP: sending v2 update to 224.0.0.9 via Ethernet0/0 (12.1.1.2)
*Mar 1 02:42:04.392: RIP: build update entries
*Mar 1 02:42:04.392: 20.0.0.0/8 via 0.0.0.0, metric 1, tag 0
r2#
*Mar 1 02:42:20.173: RIP: received v2 update from 12.1.1.1 on Ethernet0/0
*Mar 1 02:42:20.177: 10.0.0.0/8 via 0.0.0.0 in 1 hops
===================================================================
!
hostname r1
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 12.1.1.1 255.255.255.0
!
router rip
version 2
passive-interface Loopback0
network 10.0.0.0
network 12.0.0.0
r1#deb ip rip
RIP protocol debugging is on
r1#deb ip pac
IP packet debugging is on
r1#
*Mar 1 15:33:04.893: RIP: sending v2 update to 224.0.0.9 via Ethernet0/0 (12.1.1.1)
*Mar 1 15:33:04.893: RIP: build update entries
*Mar 1 15:33:04.893: 10.0.0.0/8 via 0.0.0.0, metric 1, tag 0
*Mar 1 15:33:04.893: IP: s=12.1.1.1 (local), d=224.0.0.9 (Ethernet0/0), len 52, sending broad/multicast
*Mar 1 15:33:13.936: IP: s=12.1.1.2 (Ethernet0/0), d=224.0.0.9, len 52, rcvd 2
*Mar 1 15:33:13.936: RIP: received v2 update from 12.1.1.2 on Ethernet0/0
*Mar 1 15:33:13.936: 20.0.0.0/8 via 0.0.0.0 in 1 hops
r1#
*Mar 1 15:33:33.043: RIP: sending v2 update to 224.0.0.9 via Ethernet0/0 (12.1.1.1)
*Mar 1 15:33:33.043: RIP: build update entries
*Mar 1 15:33:33.043: 10.0.0.0/8 via 0.0.0.0, metric 1, tag 0
*Mar 1 15:33:33.043: IP: s=12.1.1.1 (local), d=224.0.0.9 (Ethernet0/0), len 52, sending broad/multicast
*Mar 1 15:33:40.692: IP: s=12.1.1.2 (Ethernet0/0), d=224.0.0.9, len 52, rcvd 2
*Mar 1 15:33:40.692: RIP: received v2 update from 12.1.1.2 on Ethernet0/0
*Mar 1 15:33:40.696: 20.0.0.0/8 via 0.0.0.0 in 1 hops
r1#
r1#
r1#sh ip route
R 20.0.0.0/8 [120/1] via 12.1.1.2, 00:00:20, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
12.0.0.0/24 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Ethernet0/0

2) Reflexive access-list timeouts:
a. For TCP traffic, the temporary access-list entry is deleted only when one of the following three conditions occurs:
a) Two consecutive FIN flags are detected; the entry is deleted 5 seconds later.
Normally, TCP tears down a connection with a four-way handshake:

TCP is a bidirectional protocol: the first two segments of the teardown close the connection from source to destination,
and the last two close the connection from destination to source.
The deletion of the temporary entry is delayed by 5 seconds to give the TCP teardown a buffer period, so that the connection can close gracefully.
b) An RST flag is detected; the entry is deleted immediately.
c) The configured idle timeout expires (default 300 seconds).
b. For UDP there are no such flags, so the temporary access-list entry is deleted only when the configured idle timeout (300 seconds) expires.
The two modes of FTP:
a) standard mode (active mode):

Characteristics of standard mode:
1) The ftp-server uses two well-known ports, 21 and 20: port 21 is the control channel and port 20 is the data channel.
2) The data connection is initiated by the ftp-server.
b) passive mode:

Characteristics of passive mode:
1) The ftp-server uses one well-known port and one random port above 1024, in this example 21 and 1800: port 21 is the control channel and port 1800 is the data channel.
2) The data connection is initiated by the ftp-client.
From the analysis above we find that a reflexive access list works normally with passive-mode FTP (because the data connection is initiated by the ftp-client),
but it does not work with standard-mode FTP
(because the data connection is initiated by the ftp-server from port 20, so when the ftp-server sends data back to the client it does not match the temporary access-list entry).
Example:
Allow HTTP, SMTP and other TCP traffic initiated from the internal network 192.168.10.0/24 to go out, and deny all other traffic.
RA:
!
ip access-list extended OUTBOUND
permit tcp 192.168.10.0 0.0.0.255 any eq www reflect CISCO
permit tcp 192.168.10.0 0.0.0.255 any eq smtp reflect CISCO
permit tcp 192.168.10.0 0.0.0.255 any reflect CISCO
!
!
ip access-list extended INBOUND
permit tcp any eq ftp-data 192.168.10.0 0.0.0.255
evaluate CISCO
!
int s0
ip access-group OUTBOUND out
ip access-group INBOUND in
!
ip reflexive-list timeout 300
! (sets the lifetime of temporary access-list entries; the default is 300 seconds)
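The aging rules described above (two FINs, then delete after 5 seconds; RST, delete at once; idle timeout of 300 seconds; UDP aged out only by the idle timeout), the standard-mode versus passive-mode FTP difference, and the RA OUTBOUND/INBOUND policy can be modelled in a few dozen lines. The following is an added example written for these notes, not IOS code and not part of the original page. The inside network is the one from the example; the hosts, ports, timestamps and flows are constructed. The `udp_idle` case goes beyond the page's TCP-only OUTBOUND list and also reflects UDP, purely so the UDP idle-timeout rule can be shown. The `permit_ftp_data` switch corresponds to the `permit tcp any eq ftp-data 192.168.10.0 0.0.0.255` line of INBOUND, which is what lets a standard-mode server-initiated data connection from port 20 through even though no reflexive entry matches it.

```python
# Added example (not from the original notes): a model of reflexive-ACL entry
# creation, matching and aging. Hosts, ports, timestamps and flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("192.168.10.0/24")   # the internal network of the RA example


@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float                         # arrival time in seconds (constructed clock)
    flags: frozenset = frozenset()   # e.g. {"FIN"} or {"RST"}; empty for data segments


@dataclass
class Entry:
    last_seen: float
    fin_count: int = 0
    close_at: Optional[float] = None  # set once two FINs have been seen


class ReflexiveACL:
    """Models 'reflect CISCO' on OUTBOUND and 'evaluate CISCO' on INBOUND."""

    def __init__(self, reflect_protos=("tcp",), permit_ftp_data=True,
                 idle_timeout=300.0, fin_delay=5.0):
        self.reflect_protos = set(reflect_protos)
        self.permit_ftp_data = permit_ftp_data   # the 'permit tcp any eq ftp-data ...' line
        self.idle_timeout = idle_timeout         # 'ip reflexive-list timeout 300'
        self.fin_delay = fin_delay               # 5-second grace after the second FIN
        self.entries = {}  # (proto, inside_ip, inside_port, outside_ip, outside_port) -> Entry

    def _expire(self, now):
        """Drop entries whose FIN grace period or idle timeout has run out."""
        for key, e in list(self.entries.items()):
            if (e.close_at is not None and now >= e.close_at) or now - e.last_seen >= self.idle_timeout:
                del self.entries[key]

    def _track_flags(self, key, pkt):
        """RST removes the entry immediately; the second FIN schedules removal."""
        e = self.entries[key]
        if "RST" in pkt.flags:
            del self.entries[key]
        elif "FIN" in pkt.flags:
            e.fin_count += 1
            if e.fin_count >= 2 and e.close_at is None:
                e.close_at = pkt.t + self.fin_delay

    def outbound(self, pkt):
        """OUTBOUND applied 'out' on s0: permit reflected protocols from the inside network only."""
        self._expire(pkt.t)
        if pkt.proto not in self.reflect_protos or ip_address(pkt.src) not in INSIDE:
            return "deny"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.entries.setdefault(key, Entry(last_seen=pkt.t))
        entry.last_seen = pkt.t
        if pkt.proto == "tcp":
            self._track_flags(key, pkt)
        return "permit"

    def inbound(self, pkt):
        """INBOUND applied 'in' on s0: static ftp-data permit, then evaluate, then implicit deny."""
        self._expire(pkt.t)
        if self.permit_ftp_data and pkt.proto == "tcp" and pkt.sport == 20 and ip_address(pkt.dst) in INSIDE:
            return "permit"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # mirror of the outbound 5-tuple
        entry = self.entries.get(key)
        if entry is None:
            return "deny"
        entry.last_seen = pkt.t
        if pkt.proto == "tcp":
            self._track_flags(key, pkt)
        return "permit"


def http_teardown():
    """Two FINs: the entry lingers for 5 s, then the return path is closed."""
    acl = ReflexiveACL()
    out = lambda t, f=(): acl.outbound(Packet("tcp", "192.168.10.5", 40000, "203.0.113.80", 80, t, frozenset(f)))
    inn = lambda t, f=(): acl.inbound(Packet("tcp", "203.0.113.80", 80, "192.168.10.5", 40000, t, frozenset(f)))
    return [out(0.0), inn(1.0), out(10.0, ("FIN",)), inn(11.0, ("FIN",)), inn(15.9), inn(16.0)]


def reset():
    """RST: the reply carrying it is allowed, the entry is gone right after."""
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", "192.168.10.5", 40001, "203.0.113.25", 25, 0.0))
    r1 = acl.inbound(Packet("tcp", "203.0.113.25", 25, "192.168.10.5", 40001, 1.0, frozenset({"RST"})))
    r2 = acl.inbound(Packet("tcp", "203.0.113.25", 25, "192.168.10.5", 40001, 1.1))
    return r1, r2


def udp_idle():
    """UDP has no flags, so only the 300 s idle timeout removes the entry (policy extended to udp)."""
    acl = ReflexiveACL(reflect_protos=("tcp", "udp"))
    acl.outbound(Packet("udp", "192.168.10.5", 50000, "203.0.113.53", 53, 0.0))
    r1 = acl.inbound(Packet("udp", "203.0.113.53", 53, "192.168.10.5", 50000, 299.0))
    r2 = acl.inbound(Packet("udp", "203.0.113.53", 53, "192.168.10.5", 50000, 599.0))
    return r1, r2


def ftp_modes():
    """Passive data matches the reflexive entry; standard-mode data from port 20 needs the static line."""
    results = {}
    for permit_ftp_data in (True, False):
        acl = ReflexiveACL(permit_ftp_data=permit_ftp_data)
        acl.outbound(Packet("tcp", "192.168.10.5", 41000, "203.0.113.21", 21, 0.0))    # control channel
        acl.outbound(Packet("tcp", "192.168.10.5", 41001, "203.0.113.21", 1800, 1.0))  # passive: client opens data
        passive = acl.inbound(Packet("tcp", "203.0.113.21", 1800, "192.168.10.5", 41001, 1.5))
        active = acl.inbound(Packet("tcp", "203.0.113.21", 20, "192.168.10.5", 41002, 2.0))  # server opens data
        results[permit_ftp_data] = (passive, active)
    return results


if __name__ == "__main__":
    print(http_teardown(), reset(), udp_idle(), ftp_modes())
```

The `ftp_modes` result is the point of the INBOUND list: with `permit_ftp_data=False` the server-initiated standard-mode data connection is denied because no outbound packet ever created a mirrored entry for it, while the passive-mode data channel is permitted in both cases because the client opened it.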
