To protect the security of the Intranet, you can only allow Intranet access to the Internet and not allow Internet access to the Intranet. Here, we use the self-reverse ACL of the cisco router.
You need to configure the routing protocol. The following configurations are for RIP Version1. You can also configure other configurations, such as VPN or OSPF.
Self-reverse ACL for Intranet access to the Internet
R1> en
R1 # conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1 (config) # ACL created by ip access-list extended aclout
R1 (config-ext-nacl) # permit tcp any reflect tcp sets this entry to self-inverse, and its name is tcp
Self-reverse ACL for Internet access to the Intranet
R1 (config) # ip access-list extended aclin
R1 (config-ext-nacl) # evaluate tcp generates an auto-inverse list (the first step is to generate an auto-inverse ACL named tcp, so the corresponding name is tcp)
R1 (config-ext-nacl) # permit udp any
Apply the self-countermeasure C to the corresponding interface
R1 (config) # int fa0/1 Internet interface
R1 (config-if) # ip access-group aclout out
R1 (config-if) # ip access-group aclin in
Then, you can only ping the Internet on the PC, but not the Intranet.
- Use the access control list to implement one-way network access