Using reflexive ACL to control the access to the internal and external network

Conditions:

1. R1 for intranet router

2. R2 for connecting the internal and external network routing

3. R3 for Extranet routing

Networking requirements:

Intranet can access the external network, but the extranet can not access the intranet.

Principle: reflexive ACL

R1:

Configuring Interface IP

Router (config) #int s0/0

Router (config-if) #ip add 10.1.1.1 255.255.255.0

Router (config-if) #no sh

Configuring Static Routes

Router (config) #ip Route 192.168.1.0 255.255.255.0 10.1.1.2

R2:

Configuring Interface IP

Router (config) #int s0/0

Router (config-if) #ip add 10.1.1.2 255.255.255.0

Router (config-if) #no sh

Router (config-if) #int S0/1

Router (config-if) #ip add 192.168.1.1 255.255.255.0

Router (config-if) #no sh

Create a name-based ACL request that allows intranet access to the extranet and generate a reflexive ACL subkey named AA

Router (config) #ip Access-list extended Request

Router (config-ext-nacl) #permit IP any reflect AA

Create a allow answer packet through routing, ACL name reply, reference entry AA

Router (config) #ip Access-list extended reply

Router (config-ext-nacl) #evaluate AA

Apply the request to the interface s0/0

Router (config) #int s0/0

Router (config-if) #ip Access-group request in

Apply the reply to the interface S0/1

Router (config) #int S0/1

Router (config-if) #ip Access-group reply in

R3:

Configuring Interface IP

Router (config) #int S0/1

Router (config-if) #ip add 192.168.1.2 255.255.255.0

Router (config-if) #no sh

Configuring Static Routes

Router (config-if) #ip Route 10.1.1.0 255.255.255.0 192.168.1.1

This article from "Jiangshan Smoke if Liu" blog, please be sure to keep this source http://45642777.blog.51cto.com/2139502/958187