Re: [cisco-ttl] Priority

From: Serhat Uslay (serhat.uslay_at_zurich.com.au)
Date: Sun Dec 26 2004 - 19:46:39 GMT


    - Is an IP address that is not in the NAT source list routed to the
    other interface? No, it is not...
    - And if a packet arriving at NAT outside has a NAT session it passes,
    but if there is no session is it dropped, or is it still routed
    normally? If this packet is a candidate for NAT and there was no session
    before, a NAT table entry is created for it and it is routed. If it is
    not a candidate, it is dropped.
    - Finally, is the definition in access-list 3 sufficient for anti-IP
    spoofing? Yes, acl 3 can be used for anti-spoofing..

    Serhat

    Please respond to cisco-ttl_at_yahoogroups.com

    To: cisco-ttl_at_yahoogroups.com
    cc:
    Subject: Re: [cisco-ttl] Priority

    Serhat, yes, both ended up as f0, you are right :) and thanks for your
    interest.
    The main point that is not understood here:
    - Is an IP address that is not in the NAT source list routed to the
    other interface?
    - And if a packet arriving at NAT outside has a NAT session it passes,
    but if there is no session is it dropped, or is it still routed
    normally?
    - Finally, is the definition in access-list 3 sufficient for anti-IP
    spoofing?

    --- Serhat Uslay <serhat.uslay_at_zurich.com.au> wrote:

    >
    > Right now both of them show up as Fasteth0. Presumably the
    > interface with 172.30.40.50 should be Fasteth1.
    >
    > Some corrections can be made to this output.
    >
    > 1) Only 3 hosts can send traffic to Fasteth1: 172.30.40.1,
    > 172.172.30.40.2 and 172.30.40.10 (access list 2). But of these, only
    > 172.30.40.1 and 172.30.40.2 can have their addresses changed and
    > take the address 192.168.30.50. Although 172.30.40.3 is in the NAT
    > list, it can be deleted because it is not in access list 2.
    > That is:
    > access-list 1 permit 172.30.40.1
    > access-list 1 permit 172.30.40.2
    > access-list 1 permit 172.30.40.3 (delete this and make it
    > 172.30.40.10 if you want it to send traffic.)
    > After NAT the route is looked up; as the default route, everything
    > is sent to 192.168.30.201.
    >
    > Traffic coming from outside (that is, to Fasteth0 192.168.30.40) is
    > tested with acl 3. It looks like everything will pass except
    > 172.30.40.0. But 172.30.40.0 is on the other side anyway, so ACL 3
    > is a bit much...
    >
    > Serhat
    >
    >
    >
    >
    >
    > Please respond to cisco-ttl_at_yahoogroups.com
    >
    > To: cisco-ttl_at_yahoogroups.com
    > cc:
    > Subject: [cisco-ttl] Priority
    >
    >
    >
    >
    > Hello,
    > In the sample config below, what are your thoughts on the order in
    > which a packet arriving at the NAT inside and/or outside side will
    > pass, or fail to pass, through the access lists?
    >
    > !
    > interface FastEthernet0
    > ip address 192.168.30.40 255.255.255.0
    > ip nat outside
    > ip access-group 3 in
    > half-duplex
    > !
    > interface FastEthernet0
    > ip address 172.30.40.50 255.255.255.0
    > ip nat inside
    > ip access-group 2 in
    > speed auto
    > half-duplex
    > !
    > ip nat pool pool 192.168.30.50 192.168.30.50 prefix-length 24
    > ip nat inside source list 1 pool pool overload
    > ip classless
    > !
    > ip route 0.0.0.0 0.0.0.0 192.168.30.201
    > !
    > access-list 1 permit 172.30.40.1
    > access-list 1 permit 172.30.40.2
    > access-list 1 permit 172.30.40.3
    > !
    > access-list 2 permit 172.30.40.1
    > access-list 2 permit 172.30.40.2
    > access-list 2 permit 172.30.40.10
    > !
    > access-list 101 permit 172.30.40.1 0.0.0.255 any
    > !
    > access-list 102 permit 172.10.10.10 0.0.0.255 any
    > !
    > access-list 3 deny 172.30.40.0
    > access-list 3 permit any
    > !



    This archive was generated by hypermail 2.1.5 : Sun Dec 26 2004 - 23:47:23 GMT
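
Added example, not part of the original thread and not any participant's code: a small evaluator for the standard access lists in the posted config, run against the host addresses the thread discusses. It assumes IOS standard ACL semantics (first match wins, implicit deny at the end, an omitted wildcard means 0.0.0.0); list 30 is a constructed variant of list 3 that carries a 0.0.0.255 wildcard, added only for comparison.

```python
import ipaddress

# Standard ACL lines copied from the config posted in the thread.
CONFIG = """\
access-list 1 permit 172.30.40.1
access-list 1 permit 172.30.40.2
access-list 1 permit 172.30.40.3
access-list 2 permit 172.30.40.1
access-list 2 permit 172.30.40.2
access-list 2 permit 172.30.40.10
access-list 3 deny 172.30.40.0
access-list 3 permit any
"""
# Constructed variant of list 3 (not from the thread), numbered 30 here:
# the same deny, but with a wildcard that covers the whole inside /24.
ACL3_VARIANT = "access-list 30 deny 172.30.40.0 0.0.0.255\naccess-list 30 permit any\n"

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acls(text):
    """Return {number: [(action, address, wildcard), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, src = int(tok[1]), tok[2], tok[3]
        # Assumed IOS behaviour: a missing wildcard means 0.0.0.0 (one host).
        wild = ip(tok[4]) if len(tok) > 4 else 0
        entry = (action, 0, 0xFFFFFFFF) if src == "any" else (action, ip(src), wild)
        acls.setdefault(num, []).append(entry)
    return acls

def evaluate(entries, source):
    """First match wins; wildcard bits are "don't care"; no match is the implicit deny."""
    src = ip(source)
    for action, addr, wild in entries:
        if (src ^ addr) & ~wild & 0xFFFFFFFF == 0:
            return action
    return "deny"

def report(source):
    """Verdict per list for one source address (list 30 is the constructed variant)."""
    acls = parse_standard_acls(CONFIG + ACL3_VARIANT)
    return {num: evaluate(entries, source) for num, entries in acls.items()}

if __name__ == "__main__":
    for host in ("172.30.40.1", "172.30.40.3", "172.30.40.10", "172.30.40.0"):
        print(host, report(host))
```

In the output, list 2 is the inbound filter on the inside interface, list 1 is the NAT source list, and list 3 is the inbound filter on the outside interface; comparing the list 3 and list 30 columns for an inside-range source shows what the wildcard changes.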