Packets are filtered based on addresses and other params. Rules allow packets to be either permitted or denied.
Packets can also be filtered to manipulate behavior and actions: params and forwarding behavior can be altered as a result.
Each rule has one action: deny or permit. Then we have the source address and the wildcard mask.
In the wildcard mask each bit has one of 2 values: 0 means "must match", 1 means "we don't care".
For example, if we have the IP 192.168.1.1, can we match 192.168.1.0 0.0.0.255? Yes, because the first 24 bits of 0.0.0.255 are 0, meaning they must match (192.168.1), and the last 8 bits (255) are all 1, meaning we don't care about the host part.

acl 2000
rule 5 deny source 192.168.1.0 0.0.0.255
  if no match, continue with the next rule. Numbering starts at 5 and the step is 5 by default, because sometimes we want to insert other rules into the ACL later (we can still configure a rule 6 between 5 and 10).
rule 10 deny source 192.168.2.0 0.0.0.255
  if no match, continue
rule 15 deny source 172.16.0.0 0.0.0.255
  if no match, continue
rule 20 permit source any
  any IP address can match this rule; a packet that did not match any of the previous deny rules reaches it and is permitted.
[RT]>acl 2000
[RT-acl-basic-2000]>rule deny source 192.168.1.0 0.0.0.255
[RT-acl-basic-2000]>rule permit source 192.168.2.0 0.0.0.255
[RT]>interface GigabitEthernet 0/0/0
[RT-GigabitEthernet0/0/0]>traffic-filter outbound acl 2000
  means: on this interface, if the outbound traffic matches ACL 2000, the matching rule's action is applied to it
Config VALIDATION
[Host]>ping 200.10.10.1
[RT]>display acl 2000
  the rules and matching order can be verified for each ACL
Basic ACL rules are matched based on the source IP address only.
[RT]>acl 3000
[RT-acl-adv-3000]>rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0.0.0.0 destination-port eq 21
[RT-acl-adv-3000]>rule deny ip source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0
[RT]>interface GigabitEthernet 0/0/1
[RT-GigabitEthernet0/0/1]>traffic-filter inbound acl 3000
  means: on this interface, if the inbound traffic matches ACL 3000, the matching rule's action is applied to it
Configuration VALIDATION
[RT]>display acl 3000
Advanced ACL rules, defined in the range 3000-3999, add complexity through the number of params used for filtering (protocol, source, destination, destination port).
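Added example (not from these notes and not Huawei code): a small Python evaluator for the wildcard-mask and first-match logic described above, fed with ACL 2000 and ACL 3000 exactly as the notes write them. The Rule/Acl class names and the (rule number, action) return value are my own choice; an ACL with no matching rule returns None so that "no match" stays distinct from "deny", which is what the display acl output also lets you tell apart.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: evaluator for Huawei-style basic (source only) and advanced ACL rules.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 0 bit in the mask means 'must match',
    a 1 bit means 'don't care' (the opposite of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"               # "source any" == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    protocol: Optional[str] = None     # advanced ACLs only: "ip", "tcp", "udp", ...
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None     # advanced ACLs only: "destination-port eq N"

    def matches(self, src: str, dst: str, protocol: str, dst_port: Optional[int]) -> bool:
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if self.protocol is None:      # basic ACL: the source address is the only criterion
            return True
        if self.protocol != "ip" and self.protocol != protocol:   # "ip" covers every protocol
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == dst_port


class Acl:
    """Rules are tried in ascending rule number; the first hit decides."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: List[Rule] = []

    def next_number(self) -> int:
        # Default numbering: first rule is 5, then the next multiple of the step above
        # the highest existing number, which leaves gaps (6, 7, ...) for later inserts.
        if not self.rules:
            return self.step
        return (max(r.number for r in self.rules) // self.step + 1) * self.step

    def rule(self, action: str, number: Optional[int] = None, **fields) -> Rule:
        r = Rule(self.next_number() if number is None else number, action, **fields)
        self.rules.append(r)
        self.rules.sort(key=lambda x: x.number)
        return r

    def evaluate(self, src: str, dst: str = "0.0.0.0", protocol: str = "ip",
                 dst_port: Optional[int] = None) -> Optional[Tuple[int, str]]:
        """Return (rule number, action) of the first matching rule, or None if nothing matched."""
        for r in self.rules:
            if r.matches(src, dst, protocol, dst_port):
                return (r.number, r.action)
        return None


# ACL 2000 and ACL 3000 as written in the notes above (rule numbers assigned automatically).
acl2000 = Acl(2000)
acl2000.rule("deny", src="192.168.1.0", src_wc="0.0.0.255")
acl2000.rule("deny", src="192.168.2.0", src_wc="0.0.0.255")
acl2000.rule("deny", src="172.16.0.0", src_wc="0.0.0.255")
acl2000.rule("permit")                                           # rule 20 permit source any

acl3000 = Acl(3000)
acl3000.rule("deny", protocol="tcp", src="192.168.1.0", src_wc="0.0.0.255",
             dst="172.16.10.1", dst_wc="0.0.0.0", dst_port=21)
acl3000.rule("deny", protocol="ip", src="192.168.2.0", src_wc="0.0.0.255",
             dst="172.16.10.2", dst_wc="0.0.0.0")

if __name__ == "__main__":
    print(acl2000.evaluate("192.168.1.1"))                           # (5, 'deny')
    print(acl2000.evaluate("172.16.1.9"))                            # (20, 'permit'): 0.0.0.255 only covers 172.16.0.x
    print(acl3000.evaluate("192.168.1.5", "172.16.10.1", "tcp", 21))  # (5, 'deny')
    print(acl3000.evaluate("192.168.1.5", "172.16.10.1", "tcp", 80))  # None: no rule matched
```

Note the 172.16.1.9 case: rule 15 uses the wildcard 0.0.0.255, so only 172.16.0.x is denied and the rest of 172.16.0.0/16 falls through to rule 20. Mismatched wildcard masks are a common source of ACLs that look stricter than they are.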
[RT]>nat address-group 1 202.110.10.8 202.110.10.15
[RT]>nat address-group 2 202.110.60.1 202.110.60.30
[RT]>acl 2000
[RT-acl-basic-2000]>rule permit source 192.168.1.0 0.0.0.255
[RT]>acl 2001
[RT-acl-basic-2001]>rule permit source 192.168.2.0 0.0.0.255
[RT]>interface GigabitEthernet 0/0/0
[RT-GigabitEthernet0/0/0]>nat outbound 2000 address-group 1
[RT-GigabitEthernet0/0/0]>nat outbound 2001 address-group 2
  on that interface we configure 2 NAT entries: the 1st outbound translation applies to traffic matching ACL 2000 (address group 1), the 2nd to traffic matching ACL 2001 (address group 2)
Configuration VALIDATION - enables confirmation of Tunnel status and params
[RT]>display interface Tunnel 0/0/1
For authorization we can configure groups: Device Groups > Private (Admin) / Public (Admin) / Public (Staff). Different servers are put into different groups of hosts/users, and users are put into different user groups based on conditions like privilege level and access time.
For authentication we 1st need a NAS (Network Access Server): a Router on which we configure usernames and passwords for the users (hosts). When an auth request comes in, the NAS checks its database; if the credentials match, access is granted.
User access is managed based on an authentication scheme.
Authentication modes: None / Local (users are authenticated locally; the Router stores the credentials) / RADIUS mode (a remote server stores the credentials).
To help us manage the servers and destination networks more easily we can configure domains: different users in different domains with different privilege levels and different authorizations to access the destination networks. Different schemes can be applied to users in different domains.
[RT]>aaa
[RT-aaa]>local-user userName password cipher passwd
[RT-aaa]>authentication-scheme auth1
[RT-aaa-authen-auth1]>authentication-mode local
[RT-aaa-authen-auth1]>quit
[RT-aaa]>authorization-scheme auth2
[RT-aaa-authorization-auth2]>authorization-mode local
[RT-aaa-authorization-auth2]>quit
[RT-aaa]>domain domainName
[RT-aaa-domain-domainName]>authentication-scheme auth1
[RT-aaa-domain-domainName]>authorization-scheme auth2
CHECK
[RT]>display domain name domainName
Local AAA schemes are associated with individual domains.
The AR does not support a local accounting scheme, so it is left at the default; for accounting we must deploy a remote server or the Huawei TACACS server.
NAT is a measure taken against the rapid depletion of IP addresses. The gateway operates as the private/public address boundary: we deploy NAT on the Router connecting us to the Internet, which translates private addresses to public and public to private.
The WAN interface address is used as the single public address for all internal users, with port numbers used to distinguish sessions.
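Added example (not from the notes): a Python model of the session table behind that sentence. The Napt class and all addresses (200.10.10.1 as the WAN address, 192.168.1.0/24 inside, 8.8.8.8 as a remote host) are constructed for the example; it shows why two inside hosts using the same source port still get distinct public ports, and why an inbound packet with no matching session entry has nowhere to go.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Added example: toy NAPT table where the WAN interface address is the only public
# address and the translated port tells sessions apart.


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, inside_prefix: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside_prefix)
        self.next_port = first_port
        self.outbound: Dict[Flow, int] = {}     # private flow -> translated public port
        self.sessions: Dict[int, Flow] = {}     # translated public port -> private flow

    def translate_outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside: rewrite the source to the WAN address plus a per-session port.
        Returns None when the packet is not subject to translation (source not inside)."""
        if ipaddress.ip_address(f.src_ip) not in self.inside:
            return None
        if f not in self.outbound:               # first packet of the session: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound[f] = port
            self.sessions[port] = f
        return Flow(self.public_ip, self.outbound[f], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: only packets belonging to a session opened from inside are
        mapped back. Unsolicited packets, or packets from a different remote endpoint than
        the one the session was opened to, get None (no mapping, so they are dropped)."""
        session = self.sessions.get(f.dst_port)
        if f.dst_ip != self.public_ip or session is None:
            return None
        if (f.src_ip, f.src_port) != (session.dst_ip, session.dst_port):
            return None
        return Flow(f.src_ip, f.src_port, session.src_ip, session.src_port)


if __name__ == "__main__":
    nat = Napt("200.10.10.1", "192.168.1.0/24")     # constructed addresses
    print(nat.translate_outbound(Flow("192.168.1.10", 40000, "8.8.8.8", 53)))   # public port 1024
    print(nat.translate_outbound(Flow("192.168.1.11", 40000, "8.8.8.8", 53)))   # public port 1025
    print(nat.translate_inbound(Flow("8.8.8.8", 53, "200.10.10.1", 1025)))      # back to 192.168.1.11:40000
    print(nat.translate_inbound(Flow("1.2.3.4", 9999, "200.10.10.1", 2000)))    # None: no session
```

The remote-endpoint check in translate_inbound is the part that matters for security: a mapping created by an outbound DNS query to 8.8.8.8 must not be usable by some other host on the Internet that happens to guess the public port.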
Authentication (hash) algorithms: MD5 / SHA-1 / SHA-2
Encryption algorithms: DES / 3DES / AES
SA params: Local Address / Remote Address / SPI (Security Parameter Index) inbound / SPI outbound / Key / Transform (Proposal)
Local Address should be the router itself (RTA); Remote Address should be RTB.
SPI (Security Parameter Index) inbound should equal the outbound SPI of RTB; SPI outbound should equal the inbound SPI of RTB.
Key and Transform (Proposal) must be the same as on RTB. The same holds, mirrored, for RTB.
If these params are consistent on both sides, the IPSec Tunnel will be set up.
Traffic reaching an interface with an IPSec policy has three possible outcomes:
matches a permit rule of the ACL: encrypted and forwarded into the Tunnel
matches a deny rule of the ACL: dropped (Discarded)
matches no ACL rule at all: forwarded normally outside the tunnel (Normally forwarded)
Ensure reachability
[RT]>ip route-static 10.1.2.8 24 20.1.1.2
Identify interesting traffic
[RT]>acl number 3001
[RT-acl-adv-3001]>rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
Establish IPSec Proposal
[RT]>ipsec proposal tran1
[RT-ipsec-proposal-tran1]>esp authentication-algorithm sha1
IPSec VPN Proposal Verification
[RT]>display ipsec proposal
  displays the params of an IPSec proposal; proposal params must match on both peering interfaces
[RT]>ipsec policy P1 10 manual
  binds the interesting traffic and the proposal
[RT-ipsec-policy-manual-P1-10]>security acl 3001
[RT-ipsec-policy-manual-P1-10]>proposal tran1
SA configuration
[RT-ipsec-policy-manual-P1-10]>tunnel remote 20.1.1.2
[RT-ipsec-policy-manual-P1-10]>tunnel local 10.1.1.1
  the SPI (security parameter index) must be matched by the other side: our outbound SPI is its inbound SPI and vice versa
[RT-ipsec-policy-manual-P1-10]>sa spi outbound esp 54321
[RT-ipsec-policy-manual-P1-10]>sa spi inbound esp 12345
[RT-ipsec-policy-manual-P1-10]>sa string-key outbound esp simple Keyname
[RT-ipsec-policy-manual-P1-10]>sa string-key inbound esp simple Keyname
[RT]>interface GigabitEthernet 0/0/1
[RT-GigabitEthernet0/0/1]>ipsec policy P1
[RT-GigabitEthernet0/0/1]>quit
[RT]>display ipsec policy
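Added example (not from the notes): Python checks for two things in the manual IPSec section above, the mirror relationship between RTA's and RTB's SA parameters, and the three fates of a packet (encrypt, discard, forward in clear) decided by the security ACL. RTA uses the values configured in the notes (10.1.1.1, 20.1.1.2, SPIs 54321/12345, key Keyname, ESP with sha1); RTB, the miscopied RTB_COPIED variant, the extra deny rule in ACL_3001 and all function and class names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example: peer-consistency check for manually keyed IPSec SAs, plus the
# permit / deny / no-match disposition of traffic against the security ACL.


@dataclass
class ManualSa:
    """One side of an 'ipsec policy ... manual' entry (field names follow the sub-commands)."""
    name: str
    tunnel_local: str
    tunnel_remote: str
    spi_outbound: int
    spi_inbound: int
    key_outbound: str
    key_inbound: str
    proposal: Tuple[str, str]     # (transform, authentication algorithm), e.g. ("esp", "sha1")


def check_peers(a: ManualSa, b: ManualSa) -> List[str]:
    """Return the mismatches between two peers; an empty list means the SAs mirror each other."""
    pairs = [
        ("tunnel remote/local", a.tunnel_remote, b.tunnel_local),
        ("tunnel local/remote", a.tunnel_local, b.tunnel_remote),
        ("SPI outbound/inbound", a.spi_outbound, b.spi_inbound),   # my outbound is your inbound
        ("SPI inbound/outbound", a.spi_inbound, b.spi_outbound),
        ("key outbound/inbound", a.key_outbound, b.key_inbound),
        ("key inbound/outbound", a.key_inbound, b.key_outbound),
        ("proposal", a.proposal, b.proposal),                      # must be identical
    ]
    return [f"{what}: {a.name}={mine} vs {b.name}={theirs}"
            for what, mine, theirs in pairs if mine != theirs]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bit in the wildcard = must match, 1 bit = don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def ipsec_disposition(security_acl, src: str, dst: str) -> str:
    """security_acl: list of (action, src, src_wc, dst, dst_wc) tuples in rule order.
    permit hit -> encrypted into the tunnel; deny hit -> discarded; no hit -> sent in clear."""
    for action, rs, rsw, rd, rdw in security_acl:
        if wildcard_match(src, rs, rsw) and wildcard_match(dst, rd, rdw):
            return "encrypt-into-tunnel" if action == "permit" else "discard"
    return "forward-in-clear"


# RTA as configured in the notes; RTB is the constructed mirror image.
RTA = ManualSa("RTA", "10.1.1.1", "20.1.1.2", 54321, 12345, "Keyname", "Keyname", ("esp", "sha1"))
RTB = ManualSa("RTB", "20.1.1.2", "10.1.1.1", 12345, 54321, "Keyname", "Keyname", ("esp", "sha1"))

# A common mistake (constructed): copying RTA's SPIs to RTB instead of swapping them.
RTB_COPIED = ManualSa("RTB", "20.1.1.2", "10.1.1.1", 54321, 12345, "Keyname", "Keyname", ("esp", "sha1"))

# Rule 5 of ACL 3001 from the notes, with one constructed deny rule in front of it.
ACL_3001 = [
    ("deny",   "10.1.1.0", "0.0.0.255", "10.1.2.100", "0.0.0.0"),    # constructed
    ("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0",   "0.0.0.255"),  # rule 5 from the notes
]

if __name__ == "__main__":
    print(check_peers(RTA, RTB))                                    # []
    print(check_peers(RTA, RTB_COPIED))                             # two SPI mismatches
    print(ipsec_disposition(ACL_3001, "10.1.1.5", "10.1.2.8"))      # encrypt-into-tunnel
    print(ipsec_disposition(ACL_3001, "10.1.1.5", "10.1.2.100"))    # discard
    print(ipsec_disposition(ACL_3001, "10.1.1.5", "8.8.8.8"))       # forward-in-clear
```

The last case is the one to watch when auditing a site-to-site VPN: traffic that simply falls outside the security ACL is not blocked, it leaves the interface unencrypted, so a typo in the ACL's destination range silently turns protected traffic into cleartext.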