Re: [cisco-ttl] Oncelik

From: ozkan karacayoglu (ozkan_izmir_at_yahoo.com)
Date: Fri Dec 24 2004 - 08:22:57 GMT


       Serhat, yes, there are two f0s, you're right :) and thanks for your
    interest.
    The main thing that isn't understood here:
    - Is an IP address that is not in the NAT source list routed to the
    other interface?
    - And a packet arriving on the NAT outside side: if a NAT session
    exists it passes, but if there is no session is it dropped, or is it
    still routed normally?
    - Finally, is the definition in access-list 3 sufficient for anti-IP
    spoofing?

    --- Serhat Uslay <serhat.uslay_at_zurich.com.au> wrote:

    >
    > Right now both appear as Fasteth0. Presumably the interface with
    > 172.30.40.50 should be Fasteth1.
    >
    > Some corrections can be made to this output.
    >
    > 1) Only 3 hosts can send traffic to Fasteth1: 172.30.40.1,
    > 172.30.40.2 and 172.30.40.10 (access list 2). But of these only
    > 172.30.40.1 and 172.30.40.2 can have their addresses changed and
    > take the address 192.168.30.50. Although 172.30.40.3 is in the nat
    > list, it can be deleted since it is not in access list 2.
    > i.e.
    > access-list 1 permit 172.30.40.1
    > access-list 1 permit 172.30.40.2
    > access-list 1 permit 172.30.40.3 (delete this and make it
    > 172.30.40.10 if you want it to send traffic.)
    > After NAT the route is looked up; by the default route everything
    > is sent to 192.168.30.201.
    >
    > Traffic coming from outside (i.e. to Fasteth0 192.168.30.40) is
    > tested with acl 3. Everything looks like it will pass except
    > 172.30.40.0. But 172.30.40.0 is already on the other side, so ACL 3
    > is a bit superfluous...
    >
    > Serhat
    >
    >
    >
    >
    >
    > Please respond to cisco-ttl_at_yahoogroups.com
    >
    > To: cisco-ttl_at_yahoogroups.com
    > cc:
    > Subject: [cisco-ttl] Oncelik
    >
    >
    >
    >
    > Hello,
    > In the example config below, what are your thoughts on the order in
    > which a packet arriving on the nat inside and/or outside side passes
    > through the access-lists, or fails to pass?
    >
    > !
    > interface FastEthernet0
    > ip address 192.168.30.40 255.255.255.0
    > ip nat outside
    > ip access-group 3 in
    > half-duplex
    > !
    > interface FastEthernet0
    > ip address 172.30.40.50 255.255.255.0
    > ip nat inside
    > ip access-group 2 in
    > speed auto
    > half-duplex
    > !
    > ip nat pool pool 192.168.30.50 192.168.30.50
    > prefix-length 24
    > ip nat inside source list 1 pool pool overload
    > ip classless
    > !
    > ip route 0.0.0.0 0.0.0.0 192.168.30.201
    > !
    > access-list 1 permit 172.30.40.1
    > access-list 1 permit 172.30.40.2
    > access-list 1 permit 172.30.40.3
    > !
    > access-list 2 permit 172.30.40.1
    > access-list 2 permit 172.30.40.2
    > access-list 2 permit 172.30.40.10
    > !
    > access-list 101 permit 172.30.40.1 0.0.0.255 any
    > !
    > access-list 102 permit 172.10.10.10 0.0.0.255 any
    > !
    > access-list 3 deny 172.30.40.0
    > access-list 3 permit any
    > !
    >
    >
    >
    >
    >
    >
    >
    > This list has no affiliation with Cisco Systems.
    >
    > To leave the list, you can send an e-mail to
    > cisco-ttl-unsubscribe_at_yahoogroups.com.
    >

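To make the three questions above concrete, here is an added example (not code from any of the posters): a small Python model of an IOS standard access-list with wildcard masks and of the inside-source NAT list, loaded with the access-lists from the quoted config. It encodes two documented IOS behaviours: an inbound `ip access-group N in` is evaluated before NAT on either interface, and `ip nat inside source list 1 ...` rewrites only packets whose source matches list 1, forwarding everything else untranslated. The function names and the spoofed source 172.30.40.7 are this example's own assumptions; the no-session outside-to-inside case (question 2) is deliberately not modelled.

```python
"""Order-of-operations model for the config posted in the thread.

Added example for illustration; it is not code from either poster.
It encodes two pieces of IOS behaviour: an inbound "ip access-group N in"
is evaluated before NAT on either interface, and "ip nat inside source
list 1 ..." rewrites only packets whose source matches list 1 (others are
forwarded untranslated).  Function names, and the spoofed source
172.30.40.7 used below, are this example's own constructions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    network: int     # address from the ACL line, as a 32-bit int
    wildcard: int    # IOS wildcard mask; an omitted mask means 0.0.0.0 (one host)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def entry(action: str, addr: str, wildcard: str = "0.0.0.0") -> Entry:
    """Build one standard-ACL line; use entry_any() for 'permit any'."""
    return Entry(action, _ip(addr), _ip(wildcard))


def entry_any(action: str) -> Entry:
    return Entry(action, 0, 0xFFFFFFFF)


def acl_match(acl: list[Entry], src: str) -> str:
    """Standard ACL lookup: first matching line wins, implicit deny at the end."""
    s = _ip(src)
    for e in acl:
        care = 0xFFFFFFFF ^ e.wildcard      # bits the wildcard says to compare
        if (s & care) == (e.network & care):
            return e.action
    return "deny"


# --- the lists exactly as posted -------------------------------------------
ACL1_NAT_SOURCE = [entry("permit", "172.30.40.1"),
                   entry("permit", "172.30.40.2"),
                   entry("permit", "172.30.40.3")]
ACL2_INSIDE_IN = [entry("permit", "172.30.40.1"),
                  entry("permit", "172.30.40.2"),
                  entry("permit", "172.30.40.10")]
# "access-list 3 deny 172.30.40.0" has no wildcard, so it matches only the
# single address 172.30.40.0, not the 172.30.40.0/24 subnet.
ACL3_AS_POSTED = [entry("deny", "172.30.40.0"), entry_any("permit")]
# What an anti-spoofing entry for the whole inside subnet would look like.
ACL3_WHOLE_SUBNET = [entry("deny", "172.30.40.0", "0.0.0.255"), entry_any("permit")]

NAT_POOL_ADDRESS = "192.168.30.50"


def inside_to_outside(src: str) -> tuple[str, str]:
    """Packet entering the 'ip nat inside' interface (access-group 2 in).

    Returns (what happened, source address the packet leaves with).
    """
    if acl_match(ACL2_INSIDE_IN, src) != "permit":
        return ("dropped by access-list 2", src)
    if acl_match(ACL1_NAT_SOURCE, src) == "permit":
        return ("translated", NAT_POOL_ADDRESS)
    return ("forwarded untranslated", src)


def outside_inbound_acl(src: str, acl: list[Entry]) -> str:
    """Inbound ACL verdict on the 'ip nat outside' interface for a source.

    The ACL runs before outside-to-inside NAT, so it sees the addresses as
    they arrive on the wire.  Whether an untranslated packet is then dropped
    or routed (question 2 in the thread) is not modelled here.
    """
    return acl_match(acl, src)


if __name__ == "__main__":
    for host in ("172.30.40.1", "172.30.40.3", "172.30.40.10"):
        print(host, "->", inside_to_outside(host))
    for name, acl in (("as posted", ACL3_AS_POSTED),
                      ("with 0.0.0.255 wildcard", ACL3_WHOLE_SUBNET)):
        print("spoofed 172.30.40.7 arriving on outside, ACL 3", name + ":",
              outside_inbound_acl("172.30.40.7", acl))
```

Running it shows 172.30.40.10 leaving untranslated (it passes access-list 2 but is not in list 1), 172.30.40.3 being dropped by access-list 2 before NAT is ever consulted, and ACL 3 as posted permitting a spoofed source of 172.30.40.7 on the outside interface, because a standard-ACL line written without a wildcard mask matches exactly one host.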




    This archive was generated by hypermail 2.1.5 : Fri Dec 24 2004 - 19:33:57 GMT