Day 9: NAT / ACL
* The content of this post is a write-up of what was taught in class and must not be misused.
The techniques posted here are well known, so any misuse would be detected easily;
never misuse them.
-------------------------------------------------------------------------------------------
Each server and each team was placed in its own VLAN,
and NAT and ACLs were configured on R1.
For NAT:
ip access-list standard PRIVATE
permit 10.10.0.0 0.0.255.255
ip nat inside source list PRIVATE int fa0/1 overload
An ACL named PRIVATE selects the 10.10.0.0/16 range, and because there is only one public IP,
the translation is done as PAT (overload) on the interface address.
For the ACL, the other branch offices need to reach the HQ DB, so only the branch is permitted on that port and all other users are denied on the DB port.
Static PAT was also applied, because the WEB and DB servers must be reachable by connections initiated from outside (including the branch offices):
ip nat inside source static tcp 10.10.10.100 80 192.168.0.140 80
ip nat inside source static tcp 10.10.50.2 18888 192.168.0.140 18888
That is how it was set up.
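As an added example (not code from the original post), the following Python evaluator checks the ACL lines quoted above before they are pushed to R1: it applies IOS first-match semantics with the implicit deny at the end, understands the `host`, `any` and wildcard address forms, and can be run against sample packets to confirm that only the branch host reaches the DB port and that the PRIVATE list selects the right inside sources. The function names and the sample addresses other than those on the page are constructed for this example.

```python
import ipaddress
# Constructed evaluator for the IOS-style ACL lines in this post: first-match
# semantics, the implicit "deny any" at the end, and host/any/wildcard specs.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _addr_spec(tokens):
    """Consume 'any' | 'host X' | 'X WILDCARD'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda ip, h=tokens[1]: ip == h), tokens[2:]
    base, wc = tokens[0], tokens[1]
    return (lambda ip: wildcard_match(ip, base, wc)), tokens[2:]

def parse_extended_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (the subset used on this page)."""
    tokens = line.split()
    src, rest = _addr_spec(tokens[2:])
    dst, rest = _addr_spec(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """Walk the ACEs in order; first match wins; no match means implicit deny."""
    for ace in map(parse_extended_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):  # an 'ip' entry matches every protocol
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["src"](src_ip) and ace["dst"](dst_ip):
            return ace["action"]
    return "deny"

def private_acl(src_ip):
    """The standard list PRIVATE that selects which inside sources are PAT'd."""
    return "permit" if wildcard_match(src_ip, "10.10.0.0", "0.0.255.255") else "deny"

# acl-in exactly as applied inbound on fa0/1 in the post
ACL_IN = [
    "permit tcp host 192.168.0.149 host 192.168.0.140 eq 18888",
    "deny tcp any host 192.168.0.140 eq 18888",
    "permit ip any any",
]
```

Swapping the first two acl-in entries (or dropping the first) shows why order matters: the branch host is then caught by the `deny` before its own `permit` is reached.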
Below are the complete commands for the topology.
-----------------------------------------------------------------------------------
!Sales
conf t
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
login
line console 0
exec-timeout 0 0
logging synchronous
int f0/0
ip add 10.10.10.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.10.254
!Management
conf t
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
login
line console 0
exec-timeout 0 0
logging synchronous
int f0/0
ip add 10.10.20.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.20.254
!Manufacturing
conf t
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
login
line console 0
exec-timeout 0 0
logging synchronous
int f0/0
ip add 10.10.30.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.30.254
!Development
conf t
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
login
line console 0
exec-timeout 0 0
logging synchronous
int f0/0
ip add 10.10.40.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.40.254
!ESW1
conf t
enable sec cisco
line con 0
logg s
exec-t 0 0
exit
line vty 0 4
login local
exit
user admin pass cisco
int ran f1/0 - 15
sh
exit
vlan 10
name VLAN10
exit
int f1/15
sw mo access
sw access vlan 10
no shut
int f1/1
sw mo access
sw access vlan 10
no shut
!ESW2
conf t
enable sec cisco
line con 0
logg s
exec-t 0 0
exit
line vty 0 4
login local
exit
user admin pass cisco
int ran f1/0 - 15
sh
exit
vlan 20
name VLAN20
exit
int f1/15
sw mo access
sw access vlan 20
no shut
int f1/2
sw mo access
sw access vlan 20
no shut
!ESW3
conf t
enable sec cisco
line con 0
logg s
exec-t 0 0
exit
line vty 0 4
login local
exit
user admin pass cisco
int ran f1/0 - 15
sh
exit
vlan 30
name VLAN30
exit
int f1/15
sw mo access
sw access vlan 30
no shut
int f1/3
sw mo access
sw access vlan 30
no shut
!ESW4
conf t
enable sec cisco
line con 0
logg s
exec-t 0 0
exit
line vty 0 4
login local
exit
user admin pass cisco
int ran f1/0 - 15
sh
exit
vlan 40
name VLAN40
exit
int f1/15
sw mo access
sw access vlan 40
no shut
int f1/4
sw mo access
sw access vlan 40
no shut
!ESW5
conf t
enable sec cisco
line con 0
logg s
exec-t 0 0
exit
line vty 0 4
login local
exit
user admin pass cisco
int ran f1/0 - 15
sh
exit
vlan 10
name VLAN10
exit
vlan 20
name VLAN20
exit
vlan 30
name VLAN30
exit
vlan 40
name VLAN40
exit
vlan 50
name VLAN50
exit
int fa1/1
sw mo access
sw access vlan 10
no shut
int fa1/2
sw mo access
sw access vlan 20
no shut
int fa1/3
sw mo access
sw access vlan 30
no shut
int fa1/4
sw mo access
sw access vlan 40
no shut
int fa1/5
sw mo access
sw access vlan 50
no shut
int fa1/15
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 99
switchport trunk allowed vlan 1,10,20,30,40,50,1002-1005
no sh
!ESW6
conf t
enable sec cisco
line con 0
logg s
exec-t 0 0
exit
line vty 0 4
login local
exit
user admin pass cisco
int ran f1/0 - 15
sh
exit
vlan 50
name VLAN50
int fa1/2
sw mod ac
sw acc vlan 50
no shut
int fa1/5
sw mod ac
sw acc vlan 50
no shut
!R1
conf t
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
login
line console 0
exec-timeout 0 0
logging synchronous
int f0/0
no sh
int f0/0.10
encapsulation dot1q 10
ip add 10.10.10.254 255.255.255.0
ip nat inside
int f0/0.20
encapsulation dot1q 20
ip add 10.10.20.254 255.255.255.0
ip nat inside
int f0/0.30
encapsulation dot1q 30
ip add 10.10.30.254 255.255.255.0
ip nat inside
int f0/0.40
encapsulation dot1q 40
ip add 10.10.40.254 255.255.255.0
ip nat inside
int f0/0.50
encapsulation dot1q 50
ip add 10.10.50.254 255.255.255.0
ip nat inside
int f0/1
ip add 192.168.0.140 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.0.1
! Dynamic PAT: inside sources matched by PRIVATE are translated to the fa0/1 address
ip access-list standard PRIVATE
permit 10.10.0.0 0.0.255.255
ip nat inside source list PRIVATE int fa0/1 overload
int fa0/1
ip nat outside
! acl-in (inbound on fa0/1): only the branch host 192.168.0.149 may reach the DB port 18888
! on the public address; any other source is denied on that port, everything else is permitted
ip access-list extended acl-in
permit tcp host 192.168.0.149 host 192.168.0.140 eq 18888
deny tcp any host 192.168.0.140 eq 18888
permit ip any any
! acl-out (outbound on fa0/1): inside hosts may open port 18888 only toward the branch host
ip access-list extended acl-out
permit tcp host 192.168.0.140 host 192.168.0.149 eq 18888
deny tcp host 192.168.0.140 any eq 18888
permit ip any any
int fa0/1
ip access-group acl-in in
ip access-group acl-out out
! Static PAT: publish the WEB server (80) and the DB server (18888) on the fa0/1 address
ip nat inside source static tcp 10.10.50.1 80 192.168.0.140 80
ip nat inside source static tcp 10.10.50.2 18888 192.168.0.140 18888
----------------------------------------------------------------------------------
Things to improve:
block ping from outside,
DMZ