BDCOM Configuration


Published 2023-07-04 (author: )

Common BDCOM router configuration (using the 2621 as the example)

--------------------------------------------------------------------------------

Router_config#show run

Current configuration:

!

!version 1.3.1Q

service timestamps log date

service timestamps debug date

no service password-encryption

!

enable password 0 123456789 level 15 // sets the router login password

!

interface FastEthernet0/0 // WAN port, usually a leased fibre line with a fixed IP

ip address 1.1.1.1 255.255.255.252 // WAN port IP address

no ip directed-broadcast

ip nat outside // marks this port as the NAT outside interface

ip nat local-service icmp enable // enable the router's own ICMP service on the NAT interface

ip nat local-service udp enable // enable the router's own UDP service on the NAT interface

ip nat local-service tcp enable // enable the router's own TCP service on the NAT interface

!

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0 // LAN port address (the LAN gateway)

no ip directed-broadcast

ip access-group firewall in // apply the software firewall

ip nat inside // marks this port as the NAT inside interface

!

interface Async0/0

no ip address

no ip directed-broadcast

!

ip route default 1.1.1.2 // default route, pointing at the ISP's gateway

!

gateway-cfg

Gateway keepAlive 60

shutdown

!

!

ip access-list standard NAT // define the access list

permit 192.168.1.0 255.255.255.0 // the LAN range allowed to reach the Internet through NAT

!

!

ip access-list extended firewall // define the software firewall

deny tcp any any eq 135 // block ports commonly attacked by worms

deny tcp any any eq 139 // same as above

deny tcp any any eq 445

deny tcp any any eq 3333

deny tcp any any eq 593

deny udp any any eq 135

deny udp any any eq tftp

deny udp any any eq 4444

deny udp any any eq 137

deny udp any any eq 138

permit ip any any // normal traffic is allowed through

!

!

ivr-cfg

!

ip nat translation max-links all 300 // improves the router's resilience against attacks and worm floods

ip nat inside source list NAT interface FastEthernet0/0 // perform NAT to the public address

===========================================================================

Configuration notes:

1. enable password 0 123456789 level 15 only prompts for a password;

if you want to be prompted for both a username and a password, configure the following in config# mode:

username bdcom password 0 bdcom // username and password are your own choice

aaa authentication login default local ena // AAA authentication

2. The ICMP, TCP and UDP services on the ip nat outside port are optional; if you do not want external ICMP, TCP or UDP connections to reach the router, the three commands above can be left out.

3. The software firewall is normally applied on the LAN port; it can also be applied on the WAN port if necessary. You can add more ports to the firewall list to block further worms.

4. ip nat translation max-links all 300 strengthens the router's resistance to worm traffic; 200/300 is enough for a small or medium Internet cafe, and larger cafes can raise it to about 500.
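The notes above boil down to a handful of checks a reviewer runs over a BDCOM running-config: are credentials stored in cleartext, does the router answer ICMP/TCP/UDP on the WAN side, where is the firewall ACL applied, is the NAT link cap set, and which static port mappings expose LAN hosts. The script below is an added example, not BDCOM's own tooling; SAMPLE_CONFIG is constructed from the page's first listing (indentation restored), and the check names and messages are this example's own.

```python
# Added example (not BDCOM's own tooling): a small audit script for a
# BDCOM-style running-config like the one above.  SAMPLE_CONFIG is
# constructed for this example from the page's first listing; the check
# names and messages are this example's own.
import re

SAMPLE_CONFIG = """\
no service password-encryption
enable password 0 123456789 level 15
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group firewall in
 ip nat inside
!
ip access-list standard NAT
 permit 192.168.1.0 255.255.255.0
!
ip access-list extended firewall
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny udp any any eq tftp
 permit ip any any
!
ip nat translation max-links all 300
ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet0/0 80
ip nat inside source list NAT interface FastEthernet0/0
"""


def parse_config(text):
    """Split a running-config into global lines plus interface and ACL blocks.
    A block starts at 'interface ...' or 'ip access-list ...' and ends at the
    next '!' or block header; indentation is not required, because the copy
    on this page lost it."""
    cfg = {"global": [], "interfaces": {}, "acls": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = cfg["interfaces"].setdefault(line.split(None, 1)[1], [])
        elif line.startswith("ip access-list "):
            current = cfg["acls"].setdefault(line.split()[-1], [])
        elif current is not None:
            current.append(line)
        else:
            cfg["global"].append(line)
    return cfg


def blocked_ports(cfg, acl_name="firewall"):
    """(protocol, port) pairs an extended ACL denies, e.g. ('tcp', '445')."""
    denied = set()
    for rule in cfg["acls"].get(acl_name, []):
        m = re.match(r"deny (tcp|udp) any any eq (\S+)$", rule)
        if m:
            denied.add((m[1], m[2]))
    return denied


def audit(cfg):
    """Return human-readable findings on the points the page's notes raise:
    cleartext credentials, router services exposed on the WAN side, where the
    firewall ACL is applied, the NAT link cap and static port mappings."""
    findings = []
    g = cfg["global"]
    if "no service password-encryption" in g:
        findings.append("passwords are stored in cleartext (no service password-encryption)")
    for line in g:
        if re.match(r"(enable password|username \S+ password) 0 ", line):
            findings.append(f"type-0 (cleartext) credential in config: {line.split()[0]}")
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", line)
        if m:
            findings.append(f"{m[4]} port {m[5]}/{m[1]} is forwarded to {m[2]}:{m[3]} (reachable from the WAN)")
    if not any(line.startswith("ip nat translation max-links") for line in g):
        findings.append("no per-host NAT link cap (ip nat translation max-links)")
    for name, lines in cfg["interfaces"].items():
        has_acl = any(line.startswith("ip access-group") for line in lines)
        if "ip nat outside" in lines:
            svcs = [line.split()[3] for line in lines
                    if line.startswith("ip nat local-service") and line.endswith("enable")]
            if svcs:
                findings.append(f"{name}: router's own {', '.join(svcs)} services answer on the WAN side")
            if not has_acl:
                findings.append(f"{name}: WAN interface has no ACL applied")
        if "ip nat inside" in lines and not has_acl:
            findings.append(f"{name}: LAN interface has no firewall ACL applied")
    return findings


if __name__ == "__main__":
    for f in audit(parse_config(SAMPLE_CONFIG)):
        print("-", f)
```

Run it against the output of show run pasted into SAMPLE_CONFIG; on the page's first listing it reports the cleartext credentials, the three router services reachable on FastEthernet0/0, the missing WAN-side ACL and the forwarded port 80, while the LAN interface passes because the firewall ACL is applied there.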

===========================================================================

Configuration notes 2:

If the router's WAN port is an ADSL connection, the configuration should be as follows.

The WAN port becomes:

interface Dialer0 // create the dialer port

ip address negotiated // IP address negotiated automatically

ip mtu 1492

no ip directed-broadcast

ppp pap sent-username 1111111 22222 // PPPoE/ADSL username and password

ip nat outside

ip nat mss // automatically adjust the size of PPPoE packets

ip nat local-service icmp enable

ip nat local-service udp enable

ip nat local-service tcp enable

!

interface FastEthernet0/0

no ip address

no ip directed-broadcast

pppoe-client Dialer 0 // invoke the virtual dialer port configuration under the physical port

Correspondingly, the NAT command becomes:

ip nat inside source list NAT interface Dialer0

The default route command becomes:

ip route default Dialer0

===========================================================================

Static port mapping and special NAT:

Router_config#show run

Current configuration:

!

!version 1.3.1Q

service timestamps log date

service timestamps debug date

no service password-encryption

!

username bdcom password 0 bdcom

!

interface Dialer0

ip address negotiated

ip mtu 1492

no ip directed-broadcast

ppp pap sent-username 1111111 22222

ip nat outside

ip nat mss

ip nat local-service icmp enable

ip nat local-service udp enable

ip nat local-service tcp enable

!

interface FastEthernet0/0

no ip address

no ip directed-broadcast

pppoe-client Dialer 0

!

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0

no ip directed-broadcast

ip access-group firewall in

ip nat inside

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

ip route default Dialer0

!

!

gateway-cfg

Gateway keepAlive 60

shutdown

!

!

ip access-list standard NAT

permit 192.168.1.0 255.255.255.0

!

ip access-list extended firewall

deny tcp any any eq 135

deny tcp any any eq 139

deny tcp any any eq 445

deny tcp any any eq 3333

deny tcp any any eq 593

deny udp any any eq 135

deny udp any any eq tftp

deny udp any any eq 4444

deny udp any any eq 137

deny udp any any eq 138

permit ip any any

!

!

!

!

!

ivr-cfg

!

!

!

!

!

ip nat service privateservice // enable switch for special NAT

ip nat translation max-links all 300

ip nat outside destination static interface Dialer0 192.168.1.100 // enable special NAT for this PC/IP on the LAN

ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80

ip nat inside source static tcp 192.168.1.100 20 interface Dialer0 20

ip nat inside source static tcp 192.168.1.100 21 interface Dialer0 21

// map ports 80/20/21 of a LAN PC to the public network

ip nat inside source list NAT interface Dialer0 // with ADSL the NAT command references Dialer0 (see configuration notes 2)

!

!

Notes: 1. If a public IP wants to connect (via the public IP / the router's WAN IP) to a private LAN IP, you only need to add a static port mapping on top of normal NAT. For example, to expose an HTTP service:

ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80

2. If a LAN PC/IP wants to reach an internal server/IP through the public IP address, the router's special NAT function must be turned on: enable ip nat service privateservice and then ip nat outside destina**** in that order; see the configuration example above.

3. Special NAT has many uses in Internet cafes.

4. Special NAT requires a special firmware version, or upgrading the firmware to 131Q full.

===========================================================================

If the cafe has two external lines (this requires an extra Ethernet module), policy routing can be used. Below is an example with two fixed-IP lines:

Current configuration:

!

!version 1.3.1Q

service timestamps log date

service timestamps debug date

no service password-encryption

!

username bdcom password 0 bdcom

!

interface FastEthernet0/0

ip address 1.1.1.1 255.255.255.252

no ip directed-broadcast

ip nat outside

ip nat local-service icmp enable

ip nat local-service udp enable

ip nat local-service tcp enable

!

interface FastEthernet0/1 // second WAN port (the NAT2 rule at the end references FastEthernet0/1)

ip address 2.2.2.1 255.255.255.252

no ip directed-broadcast

ip nat outside

ip nat local-service icmp enable

ip nat local-service udp enable

ip nat local-service tcp enable

!

interface FastEthernet1/1 // the extra Ethernet port, used as the LAN port

ip address 192.168.1.1 255.255.255.0

no ip directed-broadcast

ip access-group firewall in

ip policy route-map celue // enable policy routing on the router's LAN port

ip nat inside

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

gateway-cfg

Gateway keepAlive 60

shutdown

!

!

ip access-list standard NAT1 // the two NAT access lists are identical, but there must be two

permit 192.168.1.0 255.255.255.0

!

ip access-list standard NAT2 // the two NAT access lists are identical, but there must be two

permit 192.168.1.0 255.255.255.0

!

ip access-list standard CL1 // split the LAN into two groups: group 1

permit 192.168.1.0 255.255.255.128

!

ip access-list standard CL2 // split the LAN into two groups: group 2

permit 192.168.1.128 255.255.255.128

!

ip access-list extended firewall

deny tcp any any eq 135

deny tcp any any eq 139

deny tcp any any eq 445

deny tcp any any eq 3333

deny tcp any any eq 593

deny udp any any eq 135

deny udp any any eq tftp

deny udp any any eq 4444

deny udp any any eq 137

deny udp any any eq 138

permit ip any any

!

route-map celue 1 permit // define the policy group, entry 1

match ip address CL1 // match the first subnet

set ip next-hop 1.1.1.2 2.2.2.2 // set the next-hop gateway; the second address is a backup for the first

!

route-map celue 2 permit // define the policy group, entry 2 (the sequence number must differ from entry 1)

match ip address CL2 // match the second subnet

set ip next-hop 2.2.2.2 1.1.1.2 // set the next-hop gateway; the second address is a backup for the first

!

ivr-cfg

!

!

ip nat translation max-links all 300

ip nat inside source list NAT1 interface FastEthernet0/0

ip nat inside source list NAT2 interface FastEthernet0/1

Note: once this is configured, the first and second halves of the LAN prefer the first and second external lines respectively; when one line fails, the other line is used automatically as the backup.

Here is an additional example with two ADSL lines (non-fixed IP):

Comments omitted:
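The behaviour just described can be checked on paper before touching the router. The script below is an added example, not BDCOM's own code: it models the route-map "celue" from the listing above (each entry matches one standard ACL and lists its next hops in preference order), picks the next hop for a given source address under an assumed link state, and verifies that the two ACLs cover the whole LAN exactly once, since any host outside both would silently fall back to the plain default route. ROUTE_MAP is constructed from the page's listing; the reachable-hop set is this example's own assumption.

```python
# Added example (not BDCOM's own code): a model of how the route-map
# "celue" above steers the two LAN halves and fails over between the two
# lines.  ROUTE_MAP is constructed from the page's listing; the link-state
# set passed to select_next_hop is this example's own assumption.
import ipaddress


def mask_to_network(addr, mask):
    """BDCOM standard ACLs are written with a subnet mask
    ('permit 192.168.1.0 255.255.255.128'); turn one into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# Sequence 1 matches CL1 and prefers 1.1.1.2, sequence 2 matches CL2 and
# prefers 2.2.2.2; the second next hop of each entry is its backup.
ROUTE_MAP = [
    {"seq": 1, "match": mask_to_network("192.168.1.0", "255.255.255.128"),
     "next_hops": ["1.1.1.2", "2.2.2.2"]},
    {"seq": 2, "match": mask_to_network("192.168.1.128", "255.255.255.128"),
     "next_hops": ["2.2.2.2", "1.1.1.2"]},
]


def select_next_hop(src_ip, route_map, reachable):
    """Next hop for a packet from src_ip, given the set of next-hop addresses
    currently reachable.  Entries are tried in sequence order and the first
    reachable hop of the first matching entry wins; None means the packet
    falls back to the ordinary routing table (no match, or every hop down)."""
    src = ipaddress.ip_address(src_ip)
    for entry in sorted(route_map, key=lambda e: e["seq"]):
        if src in entry["match"]:
            for hop in entry["next_hops"]:
                if hop in reachable:
                    return hop
            return None
    return None


def check_partition(route_map, lan):
    """Sanity check: every LAN address must fall into exactly one entry.
    Hosts matched by no entry silently use the plain default route, and
    overlapping entries make the lower sequence number win unnoticed."""
    nets = [e["match"] for e in route_map]
    if not all(n.subnet_of(lan) for n in nets):
        return False
    if any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:]):
        return False
    return sum(n.num_addresses for n in nets) == lan.num_addresses


if __name__ == "__main__":
    both = {"1.1.1.2", "2.2.2.2"}
    for host in ("192.168.1.10", "192.168.1.200"):
        print(host, "->", select_next_hop(host, ROUTE_MAP, both),
              "| line 1 down ->", select_next_hop(host, ROUTE_MAP, {"2.2.2.2"}))
    print("LAN fully covered:",
          check_partition(ROUTE_MAP, mask_to_network("192.168.1.0", "255.255.255.0")))
```

With both lines up, 192.168.1.10 leaves via 1.1.1.2 and 192.168.1.200 via 2.2.2.2; with 1.1.1.2 unreachable, both use 2.2.2.2. check_partition returns False as soon as one ACL is dropped or the two masks overlap, which is the kind of mistake that otherwise shows up only as half the cafe using the wrong line.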

Current configuration:

!

!version 1.3.1S

service timestamps log date

service timestamps debug date

no service password-encryption

!

username AD password 0 123456

username AD password 0 654321

!

interface Dialer0

ip address negotiated

ip mtu 1492

no ip directed-broadcast

ppp chap hostname AD

ppp chap password 123456

ip nat outside

ip nat mss

ip nat local-service icmp enable

ip nat local-service udp enable

ip nat local-ser

!

interface Dialer1

ip address negotiated

ip mtu 1492

no ip directed-broadcast

ppp chap hostname AD

ppp chap password 654321

ip nat outside

ip nat mss

ip nat local-service icmp enable

ip nat local-service udp enable

ip nat local-service tcp enable

!

interface FastEthernet0/0

no ip address

no ip directed-broadcast

pppoe-client Dialer 0

!

interface FastEthernet0/1

no ip address

no ip directed-broadcast

pppoe-client Dialer 1

!

interface Ethernet1/0

ip address 192.168.0.251 255.255.255.0

no ip directed-broadcast

duplex full

ip policy route-map celue

ip nat inside

!

interface Serial0/2

no ip address

no ip directed-broadcast

!

interface Serial0/3

no ip address

no ip directed-broadcast

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

ip route default Dialer1

ip route default Dialer0

!

!

gateway-cfg

Gateway keepAlive 60

shutdown

!

ip access-list standard cl1

permit 192.168.0.0 255.255.255.128

!

ip access-list standard cl2

permit 192.168.0.128 255.255.255.128

!

ip access-list standard nat0

permit 192.168.0.0 255.255.255.0

!

ip access-list standard nat1

permit 192.168.0.0 255.255.255.0

!

!

route-map celue 1 permit

match ip address cl1

set default interface Dialer0 Dialer1

!

route-map celue 2 permit

match ip address cl2

set default interface Dialer1 Dialer0

!

!

ivr-cfg

!

ip nat translation max-links all 300

ip nat inside source list nat0 interface Dialer0

ip nat inside source list nat1 interface Dialer1

!

Note: because of the nature of fixed-IP and ADSL access, a mixed policy with one fixed-IP line and one ADSL line cannot yet be implemented effectively.
