Cisco2600路由器的ACL和NAT配置

Cisco2600路由器的ACL和NAT配置共享网络技术 2008-06-28 10:04:36 阅读40 评论0 字号：大中小订阅

1、配置接口：

Cisco2600>enable
Cisco2600#configure terminal
Cisco2600(config)#interface fastEthernet 0/0
Cisco2600(config-if)#ip address 192.168.1.254 255.255.255.0
Cisco2600(config-if)#ip nat inside
Cisco2600(config-if)#no shutdown
Cisco2600(config-if)#exit
Cisco2600(config)#interface fastEthernet 0/1
Cisco2600(config-if)#ip address 60.10.5.1 255.255.255.240
Cisco2600(config-if)#ip nat outside
Cisco2600(config-if)#no shutdown
Cisco2600(config-if)#exit

2、配置正向静态NAT：
Cisco2600(config)#ip nat inside source static 192.168.0.254 60.10.5.1

3、配置正向动态NAT：

Cisco2600(config)#ip nat pool net 60.10.5.3 60.10.5.14 netmask 255.255.255.240 （外网地址pool: net）
Cisco2600(config)#access-list 1 permit 192.168.1.0 0.0.0.255 （内部允许的访问地址列表access-list 1）
Cisco2600(config)#ip nat inside source list 1 pool net （NAT：多对多）
或Cisco2600(config)#ip nat inside source list 1 interface FastEthernet0/1 overload（NAT：多对一PAT）

4、配置反向端口映射NAT：

Cisco2600(config)#ip nat inside source static tcp 192.168.1.1 25 60.10.5.3 25
Cisco2600(config)#ip nat inside source static tcp 192.168.1.1 110 60.10.5.4 110
Cisco2600(config)#ip nat inside source static tcp 192.168.1.1 1000 60.10.5.5 1000
Cisco2600(config)#ip nat inside source static tcp 192.168.1.1 3000 60.10.5.6 3000
Cisco2600(config)#ip nat inside source static tcp 192.168.1.2 21 60.10.5.7 21
Cisco2600(config)#ip nat inside source static tcp 192.168.1.2 20 60.10.5.8 20
Cisco2600(config)#ip nat inside source static tcp 192.168.1.2 3389 60.10.5.9 3389

5、配置ACL：
Cisco2600(config)#interface fastEthernet 0/0
Cisco2600(config-if)#ip access-group 114 in
Cisco2600(config-if)#exit
Cisco2600(config)#access-list 114 permit ip host 192.168.1.2 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.90 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.56 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.236 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.131 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.114 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.144 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.48 any
Cisco2600(config)#access-list 114 permit ip host 192.168.1.194 any
Cisco2600(config)#access-list 114 permit tcp any any eq 1012
Cisco2600(config)#access-list 114 permit tcp any any eq 1013
Cisco2600(config)#access-list 114 permit tcp any any eq 1140
Cisco2600(config)#access-list 114 permit tcp any any eq 8080
Cisco2600(config)#access-list 114 permit udp any any eq 53
Cisco2600(config)#access-list 114 permit tcp any any eq 80
Cisco2600(config)#access-list 114 permit tcp any any eq 443
Cisco2600(config)#access-list 114 permit tcp any any eq 21
C

isco2600(config)#access-list 114 permit tcp any any eq 20
Cisco2600(config)#access-list 114 permit tcp any any eq 22
Cisco2600(config)#access-list 114 permit tcp any any eq 23
Cisco2600(config)#access-list 114 permit tcp any any eq 25
Cisco2600(config)#access-list 114 permit tcp any any eq 110
Cisco2600(config)#access-list 114 permit tcp any any eq 3389
Cisco2600(config)#access-list 114 permit icmp any any
Cisco2600(config)#access-list 114 deny ip any any

6、配置默认路由：
ip route 0.0.0.0 0.0.0.0 60.10.5.2

7、DHCP和单臂路由
单臂路由（主接口不配地址并no shutdown，子接口配地址）

ip dhcp pool dz8
network 192.168.8.0 255.255.255.0
default-router 192.168.8.1
dns-server 202.106.196.115 202.106.0.20

ip dhcp pool dz3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 202.106.196.115 202.106.0.20

interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.8
encapsulation dot1Q 8
ip address 192.168.8.1 255.255.255.0
ip nat inside

ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 8 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 60.10.5.2
ip http server

access-list 3 permit 192.168.3.0 0.0.0.255
access-list 8 permit 192.168.8.0 0.0.0.255

注：
有了ip dhcp snooping只要用ip arp inspection就可以禁止手动配置IP不能上网.