Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption   // passwords stay in cleartext in the running config
!
enable password 0 123456789 level 15   // router login password
!
!
interface FastEthernet0/0   // WAN port; normally a fixed fibre connection with a static IP
 ip address 1.1.1.1 255.255.255.252   // WAN port IP address
 no ip directed-broadcast
 ip nat outside   // role of this port in NAT
 ip nat local-service icmp enable   // allow the router's own ICMP service through NAT
 ip nat local-service udp enable    // allow the router's own UDP service through NAT
 ip nat local-service tcp enable    // allow the router's own TCP service through NAT
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0   // LAN port address (LAN gateway)
 no ip directed-broadcast
 ip access-group firewall in   // apply the software firewall
 ip nat inside   // role of this port in NAT
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route default 1.1.1.2   // default route, pointing at the ISP's gateway
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list standard NAT   // define the access list
 permit 192.168.1.0 255.255.255.0   // LAN range allowed to reach the Internet through NAT
!
!
ip access-list extended firewall   // define the software firewall
 deny tcp any any eq 135   // block the ports commonly attacked by worms
 deny tcp any any eq 139   // same
 deny tcp any any eq 445
 deny tcp any any eq 3333
 deny tcp any any eq 593
 deny udp any any eq 135
 deny udp any any eq tftp
 deny udp any any eq 4444
 deny udp any any eq 137
 deny udp any any eq 138
 permit ip any any   // normal traffic is allowed through
!
!
ivr-cfg
!
ip nat translation max-links all 300   // improves the router's resilience to attacks and worm floods
ip nat inside source list NAT interface FastEthernet0/0   // perform NAT to the public address
!
4. ip nat translation max-links all 300 strengthens the router's resistance to worms; for a typical small or medium-sized internet café 200/300 is enough, and larger cafés can consider raising it to 500!!
lexon
2005-07-18, 19:10
Configuration note 2: if the router's WAN port is an ADSL connection, the configuration should be as follows. The WAN port becomes:

interface Dialer0   // create the dialer port
 ip address negotiated   // IP address negotiated automatically
 ip mtu 1492
 no ip directed-broadcast
 ppp pap sent-username 1111111 22222   // PPPoE/ADSL username and password
 ip nat outside
 ip nat mss   // adjust the size of PPPoE packets automatically
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 0   // bind the virtual dialer port to the physical port
Correspondingly, the NAT command changes to: ip nat inside source list NAT interface Dialer0
The default route command changes to: ip route default Dialer0
lexon
2005-07-18, 19:11
Static port mapping and special NAT:

Router_config#show run
Building configuration...
Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 no ip directed-broadcast
 ppp pap sent-username 1111111 22222
 ip nat outside
 ip nat mss
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 0
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip access-group firewall in
 ip nat inside
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route default Dialer0
!
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list standard NAT
 permit 192.168.1.0 255.255.255.0
!
ip access-list extended firewall
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 3333
 deny tcp any any eq 593
 deny udp any any eq 135
 deny udp any any eq tftp
 deny udp any any eq 4444
 deny udp any any eq 137
 deny udp any any eq 138
 permit ip any any
!
!
ivr-cfg
!
!
ip nat service privateservice   // enable switch for special NAT
ip nat translation max-links all 300
ip nat outside destination static interface Dialer0 192.168.1.100   // enable the special NAT service for one PC/IP in the LAN
ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.100 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.100 21 interface Dialer0 21   // map ports 80/20/21 of one LAN PC to the public address
ip nat inside source list NAT interface Dialer0   // with ADSL the NAT rule must reference Dialer0 (the post's line still said FastEthernet0/0, which carries no IP in this setup)
!
!

Notes:

1. If a host on the public Internet wants to connect (via the public IP / the router's WAN IP) to a private IP in the LAN, you only need to add static port mapping on top of the normal NAT! For example, to open an HTTP service:

ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80

2. If a LAN PC/IP wants to reach a server/IP inside the LAN through the public IP address, the router has to enable the special NAT function: turn on ip nat service privateservice and ip nat outside destination static in turn; see the configuration example above!!

3. Special NAT has good application prospects in many internet cafés!

4. Special NAT needs a special software version, or the version has to be upgraded to 131Q full!
lexon
2005-07-18, 19:11
If the café has two external lines (an extra Ethernet module is needed), policy routing can be used! Below is an example with two fixed-IP connections:

Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/1   // second WAN port (the post repeated the name FastEthernet0/0; corrected to match the NAT2 rule below)
 ip address 2.2.2.1 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet1/1   // the extra Ethernet port, used as the LAN port
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip access-group firewall in
 ip policy route-map celue   // enable policy routing on the router's LAN port
 ip nat inside
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list standard NAT1   // the two NAT access lists are identical, but there must be two of them
 permit 192.168.1.0 255.255.255.0
!
ip access-list standard NAT2   // the two NAT access lists are identical, but there must be two of them
 permit 192.168.1.0 255.255.255.0
!
ip access-list standard CL1   // split the LAN into two groups: group 1
 permit 192.168.1.0 255.255.255.128
!
ip access-list standard CL2   // split the LAN into two groups: group 2
 permit 192.168.1.128 255.255.255.128
!
ip access-list extended firewall
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 3333
 deny tcp any any eq 593
 deny udp any any eq 135
 deny udp any any eq tftp
 deny udp any any eq 4444
 deny udp any any eq 137
 deny udp any any eq 138
 permit ip any any
!
!
route-map celue 1 permit   // define policy entry 1
 match ip address CL1   // match the first subnet
 set ip next-hop 1.1.1.2 2.2.2.2   // next-hop gateways; the second is a backup for the first
!
route-map celue 2 permit   // define policy entry 2 (the post repeated sequence number 1; each entry needs its own sequence number)
 match ip address CL2   // match the second subnet
 set ip next-hop 2.2.2.2 1.1.1.2   // next-hop gateways; the second is a backup for the first
!
ivr-cfg
!
!
ip nat translation max-links all 300
ip nat inside source list NAT1 interface FastEthernet0/0
ip nat inside source list NAT2 interface FastEthernet0/1
Here is one more example with two ADSL lines (dynamic IPs); no comments this time:

Current configuration:
!
!version 1.3.1S
service timestamps log date
service timestamps debug date
no service password-encryption
!
username AD0000690628 password 0 123456
username AD0751115075 password 0 654321
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 no ip directed-broadcast
 ppp chap hostname AD0000690628
 ppp chap password 123456
 ip nat outside
 ip nat mss
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable   // the post's line was cut off here; completed to match the Dialer1 block
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 no ip directed-broadcast
 ppp chap hostname AD0751115075
 ppp chap password 654321
 ip nat outside
 ip nat mss
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 0
!
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 1
!
interface Ethernet1/0
 ip address 192.168.0.251 255.255.255.0
 no ip directed-broadcast
 duplex full
 ip policy route-map celue
 ip nat inside
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Serial0/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route default Dialer1
ip route default Dialer0
!
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
ip access-list standard cl1
 permit 192.168.0.0 255.255.255.128
!
ip access-list standard cl2
 permit 192.168.0.128 255.255.255.128
!
ip access-list standard nat0
 permit 192.168.0.0 255.255.255.0
!
ip access-list standard nat1
 permit 192.168.0.0 255.255.255.0
!
!
route-map celue 1 permit
 match ip address cl1
 set default interface Dialer0 Dialer1
!
route-map celue 2 permit
 match ip address cl2
 set default interface Dialer1 Dialer0
!
!
ivr-cfg
!
ip nat translation max-links all 300
ip nat inside source list nat0 interface Dialer0
ip nat inside source list nat1 interface Dialer1
!
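An added example, not from the thread or from BDCOM: a small Python audit that reads a running-config text of the kind pasted above and reports the slips a reviewer would want caught before such a config goes on a café gateway. It checks for an interface stanza defined twice, a NAT rule bound to an interface that never appears, a route-map sequence number reused, passwords stored as `password 0` with encryption switched off, and a missing `max-links` cap. The sample config is a constructed, trimmed copy of the dual-WAN policy-routing example; `audit` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the dual-WAN policy-routing config in the post,
# keeping the two slips it contains (interface stanza repeated, route-map sequence reused).
SAMPLE = """\
no service password-encryption
username bdcom password 0 bdcom
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.252
interface FastEthernet1/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
route-map celue 1 permit
 match ip address CL1
route-map celue 1 permit
 match ip address CL2
ip nat translation max-links all 300
ip nat inside source list NAT1 interface FastEthernet0/0
ip nat inside source list NAT2 interface FastEthernet0/1
"""

def audit(config):
    """Return a list of findings for a BDCOM/Cisco-style running-config text (hypothetical helper)."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    findings = []
    # Interface stanzas: the same name twice means the second WAN link overwrote the first.
    ifaces = [m.group(1) for l in lines if (m := re.match(r"interface (\S+)", l))]
    findings += [f"interface {n} defined {c} times" for n, c in Counter(ifaces).items() if c > 1]
    # Every NAT rule must point at an interface that actually exists in this config.
    for l in lines:
        m = re.match(r"ip nat inside source (?:list|static) .* interface (\S+)", l)
        if m and m.group(1) not in ifaces:
            findings.append(f"NAT rule references undefined interface {m.group(1)}")
    # A reused route-map sequence number: the second entry never gets its own match/set clauses.
    seqs = [m.group(1) for l in lines if (m := re.match(r"route-map (\S+ \d+)", l))]
    findings += [f"route-map entry '{s}' repeated {c} times" for s, c in Counter(seqs).items() if c > 1]
    # 'password 0' with encryption switched off leaves every credential readable in 'show run'.
    if "no service password-encryption" in lines and any(" password 0 " in l for l in lines):
        findings.append("credentials stored in cleartext")
    # The posts rely on a session cap for worm-flood resilience; flag its absence.
    if not any(l.startswith("ip nat translation max-links") for l in lines):
        findings.append("no ip nat translation max-links cap configured")
    return findings
```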