您现在的位置: 天下网吧 >> 网吧焦点 >> 网吧技术 >> 网吧路由 >> 正文

Two-interface Router With NAT

[作者:中国IT实验室收集整… 来源:不详 时间:2012-11-15我来说两句

  
  2514 Router
  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname horton
  !
  enable secret 5 $1$GwRz$YS/82LXSYcgD1d5Nua9Ob1
  enable password ww
  !
  ip subnet-zero
  !
  ip inspect name ethernetin cuseeme timeout 3600
  ip inspect name ethernetin ftp timeout 3600
  ip inspect name ethernetin h323 timeout 3600
  ip inspect name ethernetin http timeout 3600
  ip inspect name ethernetin rcmd timeout 3600
  ip inspect name ethernetin realaudio timeout 3600
  ip inspect name ethernetin smtp timeout 3600
  ip inspect name ethernetin sqlnet timeout 3600
  ip inspect name ethernetin streamworks timeout 3600
  ip inspect name ethernetin tcp timeout 3600
  ip inspect name ethernetin tftp timeout 30
  ip inspect name ethernetin udp timeout 15
  ip inspect name ethernetin vdolive timeout 3600
  
  !
  interface Ethernet0
  ip address 20.20.20.2 255.255.255.0
  ip access-group 101 in
  no ip directed-broadcast
  ip nat inside
  ip inspect ethernetin in
  !
  interface Ethernet1
  no ip address
  no ip directed-broadcast
  shutdown
  !
  interface Serial0
  ip address 150.150.150.1 255.255.255.0
  ip access-group 112 in
  no ip directed-broadcast
  ip nat outside
  clockrate 4000000
  !
  interface Serial1
  no ip address
  no ip directed-broadcast
  shutdown
  !
  ip nat pool serialzero 150.150.150.3 150.150.150.255 netmask 255.255.255.0
  ip nat inside source list 1 pool serialzero
  ip classless
  ip route 0.0.0.0 0.0.0.0 150.150.150.2
  ip route 20.30.30.0 255.255.255.0 20.20.20.1
  !
  access-list 1 permit 20.0.0.0 0.255.255.255
  access-list 101 permit tcp 20.0.0.0 0.255.255.255 any
  access-list 101 permit udp 20.0.0.0 0.255.255.255 any
  access-list 101 permit icmp 20.0.0.0 0.255.255.255 any
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
  access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
  access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
  access-list 112 deny ip 127.0.0.0 0.255.255.255 any
  access-list 112 deny ip any any
  !
  line con 0
  transport input none
  line aux 0
  line vty 0 4
  password ww
  login
  !
  end
  
  
  关于ip inspect name
  if you deny SMTP mail on the external ACL, no external SMTP servers will EVEr be able to make a connection to the internal SMTP server.
  
  CBAC is totally independent of access lists - CBAC is associated with ACLs because one function of CBAC is to ensure return traffic of a
  session is permitted back to the source - however don't confuse CBAC by thinking ACLs are required. If you apply an inspect list to an interface, inspection takes place, no matter what ACLs are or are not in place. HowEVEr, remember that ACLs are processed first, so the ACL must allow through the appropriate traffic to be passed thru to the inspection list.
  
  I'm guessing your config would look something like this:
  
  ! Internal Interface
  Interface e0 ip inspect WEB inbound
  
  ! External Interface
  Interface e1 ip access-group 100 in
  ip inspect SMTP inbound
  
  access-list 100 permit tcp any host x.x.x.x eq smtp
  access-list 100 deny ip any any
  
  ip inspect name WEB http
  ip inspect name WEB ftp
  ip inspect name WEB smtp
  ip inspect name WEB tcp
  ip inspect name WEB udp
  
  ip inspect name SMTP smtp
  
  On your external ACL, you must have an opening to allow SMTP in - there is no way CBAC can automatically do this for you as traffic is first processed by the ACL and must pass. So once the SMTP traffic is allowed
  in, it is passed to the inspection list SMTP, which applys SMTP protocol-based inspection (and opens up any ACLs if necessary - in this
  example this function is not required).
  
  Note that in this example you could place the SMTP inspection list on the internal interface in the outbound direction as well. This is a better placement option if you had say a DMZ interface that was also
  receiving SMTP mail for the internal SMTP server, as you would only require a single inspection point (outbound on the internal interface)
  rather than inbound on the external and DMZ interfaces.
  
  
  
  
我来说两句(请遵守法律法规)
 网吧精品   网络布线   热门专题   推荐配置   网络安全   路由专题   网吧游戏更新   网吧QQ关   网吧注册表   网管初学   网吧优化   网吧无盘优化   网吧系统优化   迅闪2008   网吧三层更新   无盘服务器   MaxDos   Win2008   网吧虚拟磁盘   星际争霸II   锐起无盘   网维大师   网吧游戏菜单   网吧活动   迅闪2009   网吧母盘   万象   网吧真实生活   迅闪2010   信佑2010   Windows8   信佑   迅闪   易游   顺网无盘   连锁网吧   黑网吧   2011网吧新闻   网吧闲聊   网吧游戏   互联网类软件   增值联盟   网吧广告联盟   有道搜索联盟   淘123联盟   网吧广告   深度无盘   信佑无盘   网众无盘   MZD无盘   网吧软件故障解决   网吧硬件故障大全   海蜘蛛   ROS   磁盘缓存   网吧GHOST   快吧无盘   快吧教程   网吧防盗   2011网吧政策   绿色网吧   网吧禁烟   万象2004   雪花病毒   网吧电影   网吧达人   QQ网吧   SuperCache|SuperSpeed   CCDISK   网吧远程控制   2011网吧配置   万象密码   迅闪无盘   网吧系统下载   网吧管理系统   网吧键盘   网吧鼠标   win8,Windows 8教程,Windows 8下载   网吧最新新闻   网吧路由   锐起无盘补丁   WayOs   网吧显示器   液晶   万能包   网吧消防   显卡   SSD   网卡   网吧源码   主板   云海   I8无盘   网卡汇聚   网吧DDOS

更多专题

声明
本文来源地址:http://cisco.chinaitlab.com/List_137.html
声明:本站所发表的文章、评论及图片仅代表作者本人观点,与本站立场无关。若文章侵犯了您的相关权益,请及时与我们联系,我们会及时处理,感谢您对本站的支持!联系邮箱:support@txwb.com.
天下网吧·网吧天下
  • 本周热门
  • 本月热门
  • 阅读排行
网吧,网吧系统,网吧资讯,网吧软件,网吧技术,网吧无盘,网吧经营,网吧管理,网吧联盟。