Priority
CLI Guru - Cisco Training and Consulting Center


  1. #1
    ozkan Guest

    Priority



    Hello,
    In the example config below, what are your thoughts on the order in
    which a packet arriving on the NAT inside and/or outside side passes
    through the access lists, or fails to pass?

    !
    interface FastEthernet0
    ip address 192.168.30.40 255.255.255.0
    ip nat outside
    ip access-group 3 in
    half-duplex
    !
    interface FastEthernet0
    ip address 172.30.40.50 255.255.255.0
    ip nat inside
    ip access-group 2 in
    speed auto
    half-duplex
    !
    ip nat pool pool 192.168.30.50 192.168.30.50 prefix-length 24
    ip nat inside source list 1 pool pool overload
    ip classless
    !
    ip route 0.0.0.0 0.0.0.0 192.168.30.201
    !
    access-list 1 permit 172.30.40.1
    access-list 1 permit 172.30.40.2
    access-list 1 permit 172.30.40.3
    !
    access-list 2 permit 172.30.40.1
    access-list 2 permit 172.30.40.2
    access-list 2 permit 172.30.40.10
    !
    access-list 101 permit 172.30.40.1 0.0.0.255 any
    !
    access-list 102 permit 172.10.10.10 0.0.0.255 any
    !
    access-list 3 deny 172.30.40.0
    access-list 3 permit any
    !







    This list has no affiliation with Cisco Systems.

    To leave the list, you can send an e-mail to [email protected].
    Yahoo! Groups Links

    <*> To visit your group on the web, go to:
    [url]http://groups.yahoo.com/group/cisco-ttl/[/url]

    <*> To unsubscribe from this group, send an email to:
    [email][email protected][/email]

    <*> Your use of Yahoo! Groups is subject to:
    [url]http://docs.yahoo.com/info/terms/[/url]






  2. #2
    ozkan karacayoglu Guest

    Re: Priority


    What is confusing here is that NAT is configured :)
    Do the IPs in the NAT source list go through NAT and the others
    through normal routing, or are the other IPs not allowed
    to pass?
    And under the NAT inside interface, does the router look at the NAT
    access list first, or at the "ip access-group 2 in"
    list?










  3. #3
    Ozgur Guler Guest

    Re: Priority


    hello,

    a packet arriving on the NAT inside interface
    first passes the interface ACL, ACL 2.
    It is routed.
    It passes NAT ACL 1.
    If it matches ACL 1 it is NATed; if not, it passes without being NATed.

    a packet arriving on the NAT outside interface...
    first passes the interface ACL, ACL 3.
    then the NAT table is checked...
    if there is state, it passes and is routed; otherwise it is dropped...
    that is, it does not go through ACL 1.








  4. #4
    ozkan karacayoglu Guest

    Re: Priority


    thanks, ozgur









  5. #5
    Serhat Uslay Guest

    Re: Priority



    Right now both of them show as Fasteth0. The interface with 172.30.40.50
    should presumably be Fasteth1.

    Some corrections can be made to this output.

    1) Only 3 hosts can send traffic to Fasteth1: 172.30.40.1,
    172.30.40.2 and 172.30.40.10 (access list 2). But of these, only
    172.30.40.1 and 172.30.40.2 can have their addresses changed and take
    the address 192.168.30.50. Although 172.30.40.3 is in the NAT list, it
    can be deleted because it is not in access list 2.
    that is
    access-list 1 permit 172.30.40.1
    access-list 1 permit 172.30.40.2
    access-list 1 permit 172.30.40.3 (delete this and make it 172.30.40.10 if
    you want that host to send traffic.)
    After NAT the route is looked up; as the default route, everything is
    sent to 192.168.30.201.

    Traffic coming from outside (that is, to Fasteth0 192.168.30.40) is tested
    against ACL 3. It looks like everything will pass except 172.30.40.0. But
    172.30.40.0 is on the other side anyway, so ACL 3 is a bit superfluous...

    Serhat











  6. #6
    ozkan karacayoglu Guest

    Re: Priority


    Serhat, yes, it ended up as two f0s, you are right :) and thanks for
    your interest.
    The points that are really not understood here:
    - Is an IP address that is not in the NAT source list routed to the
    other interface?
    - And a packet arriving on NAT outside passes if there is a NAT session,
    but if there is no session, is it dropped or is it still
    routed normally?
    - Finally, is the definition in access-list 3 sufficient for
    anti-IP-spoofing?









  7. #7
    Serhat Uslay Guest

    Re: Priority



    - Is an IP address that is not in the NAT source list routed to the
    other interface? No, it is not...
    - And a packet arriving on NAT outside passes if there is a NAT session,
    but if there is no session, is it dropped or is it still
    routed normally? If this packet is a candidate for NAT and there is no
    earlier session, a NAT table entry is created for it and it is routed. If
    it is not a candidate, it is dropped.
    - Finally, is the definition in access-list 3 sufficient for
    anti-IP-spoofing? Yes, ACL 3 can be used for anti-spoofing..

    Serhat
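
The checks discussed in replies #3, #5 and #7, as an added example that is not part of the original thread: a small Python model of IOS standard-ACL matching, run over the access lists from the posted config. It assumes the inside-to-outside order given in reply #3 (interface ACL, routing, NAT list) and that a standard ACL entry written without a wildcard matches a single host; all function names are hypothetical.

```python
import ipaddress

# Standard ACL lines copied from the config posted in the thread.
CONFIG = """
access-list 1 permit 172.30.40.1
access-list 1 permit 172.30.40.2
access-list 1 permit 172.30.40.3
access-list 2 permit 172.30.40.1
access-list 2 permit 172.30.40.2
access-list 2 permit 172.30.40.10
access-list 3 deny 172.30.40.0
access-list 3 permit any
"""


def parse_standard_acls(text):
    """Return {acl_number: [(action, base, wildcard), ...]} for ACLs 1-99."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, source = int(parts[1]), parts[2], parts[3]
        if not 1 <= number <= 99:
            continue  # numbered standard ACLs only
        if source == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif source == "host":
            base, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            base = int(ipaddress.IPv4Address(source))
            # No wildcard on the line means a host match (wildcard 0.0.0.0).
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def acl_permits(acls, number, src):
    """First matching entry wins; no match at all is the implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wildcard in acls[number]:
        care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
        if addr & care == base & care:
            return action == "permit"
    return False


def inside_to_outside(acls, src, iface_acl=2, nat_acl=1, pool="192.168.30.50"):
    """Order from reply #3: inbound interface ACL, routing, then the NAT list."""
    if not acl_permits(acls, iface_acl, src):
        return ("drop", None)       # stopped at the interface, NAT never sees it
    if acl_permits(acls, nat_acl, src):
        return ("forward", pool)    # source rewritten to the overload pool address
    return ("forward", src)         # not in the NAT list: leaves untranslated


def outside_spoof_audit(acls, iface_acl, inside_net):
    """Inside-subnet source addresses the outside inbound ACL would still permit."""
    net = ipaddress.IPv4Network(inside_net)
    return [str(a) for a in net if acl_permits(acls, iface_acl, str(a))]


if __name__ == "__main__":
    acls = parse_standard_acls(CONFIG)
    for host in ("172.30.40.1", "172.30.40.3", "172.30.40.10"):
        print(host, inside_to_outside(acls, host))
    leaks = outside_spoof_audit(acls, 3, "172.30.40.0/24")
    print("inside sources permitted inbound on outside by ACL 3:", len(leaks))
```

With the posted ACL 3, only the single address 172.30.40.0 is denied on the outside interface. Writing the entry as `access-list 3 deny 172.30.40.0 0.0.0.255` covers the whole inside subnet.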








  8. #8
    ozkan karacayoglu Guest

    Re: Priority


    All right Serhat, thanks again.



    --- Serhat Uslay <[email protected]> wrote:

    > - Is an IP address that is not in the NAT source list routed to the
    >   other interface? No, it is not.
    > - And if a packet arrives at NAT outside, it passes if there is a NAT
    >   session, but if there is no session is it dropped, or is it still
    >   routed normally? If the packet is a candidate for NAT and there was
    >   no session before, a NAT table entry is created for it and it is
    >   routed. If it is not a candidate, it is dropped.
    > - Finally, is the definition in access-list 3 sufficient for anti-IP
    >   spoofing? Yes, ACL 3 can be used for anti-spoofing.
    >
    > Serhat
    >
    > Please respond to [email][email protected][/email]
    >
    > To: [email][email protected][/email]
    > cc:
    > Subject: Re: [cisco-ttl] Oncelik
    >
    > Serhat, yes, there are two f0s, you are right :) and thanks for your
    > interest.
    > The point that is really not understood here:
    > - Is an IP address that is not in the NAT source list routed to the
    >   other interface?
    > - And if a packet arrives at NAT outside, it passes if there is a NAT
    >   session, but if there is no session is it dropped, or is it still
    >   routed normally?
    > - Finally, is the definition in access-list 3 sufficient for anti-IP
    >   spoofing?
    >
    > --- Serhat Uslay <[email protected]> wrote:
    >
    > > Right now both of them show as Fasteth0. Presumably the interface
    > > with 172.30.40.50 should be Fasteth1.
    > >
    > > Some corrections can be made to this output.
    > >
    > > 1) Only 3 hosts can send traffic to Fasteth1: 172.30.40.1,
    > > 172.30.40.2 and 172.30.40.10 (access list 2). But of these, only
    > > 172.30.40.1 and 172.30.40.2 can have their addresses changed and take
    > > the address 192.168.30.50. Although 172.30.40.3 is in the NAT list,
    > > it can be deleted because it is not in access list 2.
    > > That is:
    > > access-list 1 permit 172.30.40.1
    > > access-list 1 permit 172.30.40.2
    > > access-list 1 permit 172.30.40.3 (delete this and make it
    > > 172.30.40.10 if you want it to send traffic).
    > > After NAT the route is looked up; as the default route, everything is
    > > sent to 192.168.30.201.
    > >
    > > Traffic coming from outside (that is, to Fasteth0 192.168.30.40) is
    > > tested against ACL 3. It looks like everything will pass except
    > > 172.30.40.0. But 172.30.40.0 is already on the other side, so ACL 3
    > > is a bit excessive...
    > >
    > > Serhat
    > >
    > > Please respond to [email][email protected][/email]
    > >
    > > To: [email][email protected][/email]
    > > cc:
    > > Subject: [cisco-ttl] Oncelik
    > >
    > > Hello,
    > > In the sample configuration below, what are your thoughts on the
    > > order in which a packet arriving at the NAT inside and/or outside
    > > side will or will not pass through the access lists?
    > >
    > > !
    > > interface FastEthernet0
    > > ip address 192.168.30.40 255.255.255.0
    > > ip nat outside
    > > ip access-group 3 in
    > > half-duplex
    > > !
    > > interface FastEthernet0
    > > ip address 172.30.40.50 255.255.255.0
    > > ip nat inside
    > > ip access-group 2 in
    > > speed auto
    > > half-duplex
    > > !
    > > ip nat pool pool 192.168.30.50 192.168.30.50 prefix-length 24
    > > ip nat inside source list 1 pool pool overload
    > > ip classless
    > > !
    > > ip route 0.0.0.0 0.0.0.0 192.168.30.201
    > > !
    > > access-list 1 permit 172.30.40.1
    > > access-list 1 permit 172.30.40.2
    > > access-list 1 permit 172.30.40.3
    > > !
    > > access-list 2 permit 172.30.40.1
    > > access-list 2 permit 172.30.40.2
    > > access-list 2 permit 172.30.40.10
    > > !
    > > access-list 101 permit 172.30.40.1 0.0.0.255 any
    > > !
    > > access-list 102 permit 172.10.10.10 0.0.0.255 any
    > > !
    > > access-list 3 deny 172.30.40.0
    > > access-list 3 permit any
    > > !
    === message truncated ===
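
An added example, not part of the thread and not any poster's code: a small Python model of how IOS evaluates the standard ACLs in the quoted configuration (first match wins, implicit deny at the end, an entry without a wildcard mask matches a single host, and the inbound ACL on the inside interface is checked before NAT). The addresses and ACL entries come from the thread; the function names, result strings and the `ACL3_WITH_WILDCARD` variant are assumptions made for the example.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

# Standard ACLs copied from the configuration quoted in the thread.
# IOS gives an entry written without a wildcard mask the mask 0.0.0.0,
# so it matches exactly one source address.
ACLS = {
    1: [("permit", "172.30.40.1", "0.0.0.0"),
        ("permit", "172.30.40.2", "0.0.0.0"),
        ("permit", "172.30.40.3", "0.0.0.0")],
    2: [("permit", "172.30.40.1", "0.0.0.0"),
        ("permit", "172.30.40.2", "0.0.0.0"),
        ("permit", "172.30.40.10", "0.0.0.0")],
    3: [("deny", "172.30.40.0", "0.0.0.0"),
        ("permit", "0.0.0.0", "255.255.255.255")],   # "permit any"
}
# Constructed variant for comparison (not in the thread): ACL 3 with a /24 wildcard.
ACL3_WITH_WILDCARD = [("deny", "172.30.40.0", "0.0.0.255"),
                      ("permit", "0.0.0.0", "255.255.255.255")]

def acl_permits(entries, src):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, addr, wildcard in entries:
        care = ~ip(wildcard) & 0xFFFFFFFF        # bits that must match
        if (ip(src) & care) == (ip(addr) & care):
            return action == "permit"
    return False

def inside_to_outside(src):
    """Inbound ACL 2 on the inside interface is checked before NAT list 1."""
    if not acl_permits(ACLS[2], src):
        return "dropped by ACL 2"
    if acl_permits(ACLS[1], src):
        return "translated to 192.168.30.50"
    return "not translated (not in NAT list 1)"

def outside_in(src, entries=ACLS[3]):
    """Inbound ACL on the outside interface, keyed on the source address."""
    return "permitted" if acl_permits(entries, src) else "dropped"

if __name__ == "__main__":
    for host in ("172.30.40.1", "172.30.40.3", "172.30.40.10"):
        print("inside ", host, "->", inside_to_outside(host))
    for host in ("172.30.40.0", "172.30.40.1"):
        print("outside", host, "->", outside_in(host),
              "| with 0.0.0.255:", outside_in(host, ACL3_WITH_WILDCARD))
```

With ACL 3 as quoted, a packet arriving on the outside interface with source 172.30.40.1 falls through to `permit any`; only the variant with the 0.0.0.255 wildcard drops the whole 172.30.40.0/24 range.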

