Access list, SOURCE NAT and DEST NAT
LABEL is a symbolic name that identifies the access-list
NUM is the order number of the access-list entry, and it determines the order of evaluation
ACTION is the action to execute, and it can be:
o deny
o deny-log
o permit
o permit-log
PROTOCOL is the protocol to be matched, and it can be:
o TCP
o UDP
o ICMP
o GRE
o OSPF
o L2TPV3
o ANY
ADDRESS can be a network prefix (10.10.10.0/24), the keyword any (to match any
address) or the keyword this (to match any address of the router itself)
PORT is a numeric value that identifies the UDP or TCP port, a string that identifies the
service (Telnet, SSH, SNMP, ...) or the keyword any.
Once the access-list is defined, the command:
set apply-acl LABEL in-interface INTF out-interface INTF
specifies the network interfaces to which the access-list has to be applied.
For example, suppose a router where atm0 is the interface to the public network and eth0
the interface to the internal one. To allow TCP traffic from the external subnet 10.10.0.0/16 towards the
internal subnet 192.168.1.0 and block everything else:
set access-list secacc 10 permit protocol tcp from 10.10.0.0/16 to 192.168.1.0/24
set access-list secacc 20 deny protocol tcp from any to any
set apply-acl secacc in-interface atm0 out-interface eth0
To allow the host 88.1.1.1 to access the router only through Telnet:
set access-list telnet 10 permit protocol tcp from 10.10.0.0/16 source-port any to 192.168.1.0/24
set access-list secacc 20 deny protocol tcp from any to any
set apply-acl secacc in-interface atm0 out-interface eth0
To remove a specific access-list entry:
set no-access-list LABEL NUM
To remove all the access-list entries associated with a LABEL:
set no-access-list LABEL
SOURCE NAT
The command