Configuration of router R1:
#
sysname R1
#
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.254 255.255.255.0
ip address 192.168.2.254 255.255.255.0 sub
#
interface GigabitEthernet0/0/2
ip address 172.16.1.254 255.255.255.0
Configuration of router R2:
#
sysname R2
#
interface GigabitEthernet0/0/0
ip address 200.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
#
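Requirements:
1. Deny the internal 192.168.1.0/24 subnet access to the public address 200.1.1.2
2. Deny the internal 192.168.1.0/24 subnet access to the FTP server 172.16.1.1
3. Deny the internal 192.168.2.0/24 subnet access to the web server 172.16.1.2
4. All other access is permitted by default; for example, the 192.168.1.0/24 subnet can access the web server 172.16.1.2, and the 192.168.2.0/24 subnet can access the FTP server 172.16.1.1
Router R1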
acl number 2000
rule 5 deny source 192.168.1.0 0.0.0.255
rule 10 permit
#
interface GigabitEthernet0/0/0
traffic-filter outbound acl 2000
acl number 3000
rule 1 deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.1.1 0 destination-port range ftp-data ftp
rule 2 deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.1.2 0 destination-port eq www
rule 5 permit ip
#
interface GigabitEthernet0/0/2
traffic-filter outbound acl 3000
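An added example, not part of the original notes: a small Python model of ACL 3000 that evaluates one flow per requirement using first-match rule order and wildcard-mask comparison. The host addresses ending in .10 and all function names are assumptions made for this check.

```python
import ipaddress

# Constructed model of the page's ACL 3000. Fields: rule id, action, protocol,
# source, source wildcard, destination, destination wildcard, port range.
# The page's wildcard "0" is 0.0.0.0 (exact host); ftp-data=20, ftp=21, www=80.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_3000 = [
    (1, "deny", "tcp", "192.168.1.0", "0.0.0.255", "172.16.1.1", "0.0.0.0", (20, 21)),
    (2, "deny", "tcp", "192.168.2.0", "0.0.0.255", "172.16.1.2", "0.0.0.0", (80, 80)),
    (5, "permit", "ip", *ANY, *ANY, None),
]

def wildcard_match(addr, base, wildcard):
    """Compare two addresses, ignoring the bits set to 1 in the wildcard mask."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, rule id) of the first matching rule, lowest rule id first."""
    for rid, action, r_proto, s, sw, d, dw, ports in sorted(acl, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action, rid
    return "no-match", None  # not reached here: rule 5 matches everything

# Constructed test flows (host addresses .10 are hypothetical), one per requirement.
FLOWS = {
    "req2 192.168.1.x -> ftp": ("tcp", "192.168.1.10", "172.16.1.1", 21),
    "req3 192.168.2.x -> web": ("tcp", "192.168.2.10", "172.16.1.2", 80),
    "req4 192.168.1.x -> web": ("tcp", "192.168.1.10", "172.16.1.2", 80),
    "req4 192.168.2.x -> ftp": ("tcp", "192.168.2.10", "172.16.1.1", 21),
}

def check_requirements():
    """Evaluate every constructed flow against ACL 3000."""
    return {name: evaluate(ACL_3000, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, result in check_requirements().items():
        print(name, result)
```

Rule 1 covers only TCP ports 20 and 21 and rule 2 only TCP port 80, so any other protocol or port between the same hosts falls through to rule 5 and is permitted.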
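Requirements:
4. The internal 192.168.1.0/24 subnet uses NAT to access the public address 200.1.1.2 (static, dynamic, Easy IP)
5. From the public router R2, ping the internal server 192.168.1.1/24 (using NAT, NAT Server)
6. From the public router R2, access the internal server 172.16.1.1/24 over FTP (using NAT, NAT Server)
Static NAT: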
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
nat static global 200.1.1.3 inside 192.168.1.1
nat static global 200.1.1.4 inside 192.168.1.2
#
Disable static NAT
interface GigabitEthernet0/0/0
#undo nat static global 200.1.1.3 inside 192.168.1.1
#undo nat static global 200.1.1.4 inside 192.168.1.2
Dynamic NAT:
Configuration of router R1
acl number 2001
rule 5 permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 200.1.1.3 200.1.1.5
interface GigabitEthernet0/0/0
nat outbound 2001 address-group 1 no-pat
#undo nat outbound 2001 address-group 1 no-pat
Easy IP:
Configuration of router R1
interface GigabitEthernet0/0/0
nat outbound 2001
#undo nat outbound 2001
NAT Server:
Configuration of router R1
interface GigabitEthernet0/0/0
nat server global 200.1.1.3 inside 192.168.1.1
#undo nat server global 200.1.1.3 inside 192.168.1.1
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
nat server protocol tcp global 200.1.1.5 ftp inside 172.16.1.1 ftp
#
#undo nat server protocol tcp global 200.1.1.5 ftp inside 172.16.1.1 ftp