
Configuration of router R1:

#
 sysname R1
#
interface GigabitEthernet0/0/0
 ip address 200.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0 
 ip address 192.168.2.254 255.255.255.0 sub
#
interface GigabitEthernet0/0/2
 ip address 172.16.1.254 255.255.255.0

Configuration of router R2:

#
 sysname R2
#
interface GigabitEthernet0/0/0
 ip address 200.1.1.2 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
#

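Requirements:

1. Deny the internal 192.168.1.0/24 segment access to the public address 200.1.1.2
2. Deny the internal 192.168.1.0/24 segment access to the FTP server 172.16.1.1
3. Deny the internal 192.168.2.0/24 segment access to the web server 172.16.1.2
4. Everything else is permitted by default; for example, the 192.168.1.0/24 segment can access the web server 172.16.1.2, and the 192.168.2.0/24 segment can access the FTP server 172.16.1.1

Router R1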

acl number 2000  
 rule 5 deny source 192.168.1.0 0.0.0.255 
 rule 10 permit 
#

interface GigabitEthernet0/0/0
 traffic-filter outbound acl 2000

acl number 3000  
 rule 1 deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.1.1 0 destination-port range ftp-data ftp 
 rule 2 deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.1.2 0 destination-port eq www 
 rule 5 permit ip 
#

interface GigabitEthernet0/0/2
 traffic-filter outbound acl 3000
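
An added example (not part of the original post): a small Python model of ACL 3000 above that replays one constructed flow per requirement and reports any verdict that differs from what the requirement asks for. It assumes rules are matched in ascending rule-ID order; the host addresses 192.168.1.10 and 192.168.2.10 and all function names are made up for the test.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL 3000 from the page. A destination wildcard of "0" means one host (0.0.0.0).
# Tuple: (rule id, action, protocol, (src, wildcard), (dst, wildcard), dst ports)
ACL_3000 = [
    (1, "deny", "tcp", ("192.168.1.0", "0.0.0.255"), ("172.16.1.1", "0.0.0.0"), range(20, 22)),  # ftp-data..ftp
    (2, "deny", "tcp", ("192.168.2.0", "0.0.0.255"), ("172.16.1.2", "0.0.0.0"), range(80, 81)),  # www
    (5, "permit", "ip", None, None, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, rule id) of the first matching rule, lowest rule id first."""
    for rule_id, action, r_proto, r_src, r_dst, r_ports in sorted(acl, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_src and not wildcard_match(src, *r_src):
            continue
        if r_dst and not wildcard_match(dst, *r_dst):
            continue
        if r_ports is not None and dport not in r_ports:
            continue
        return action, rule_id
    return "no-match", None  # no rule matched; the device default would apply

# Constructed test flows, one per requirement on the page (host addresses are made up).
FLOWS = [
    ("req 2: 192.168.1.0/24 -> FTP server", "tcp", "192.168.1.10", "172.16.1.1", 21, "deny"),
    ("req 3: 192.168.2.0/24 -> web server", "tcp", "192.168.2.10", "172.16.1.2", 80, "deny"),
    ("req 4: 192.168.1.0/24 -> web server", "tcp", "192.168.1.10", "172.16.1.2", 80, "permit"),
    ("req 4: 192.168.2.0/24 -> FTP server", "tcp", "192.168.2.10", "172.16.1.1", 21, "permit"),
]

def check(acl=ACL_3000, flows=FLOWS):
    """Return the flows whose ACL verdict differs from the stated requirement."""
    return [(name, evaluate(acl, p, s, d, port)) for name, p, s, d, port, want in flows
            if evaluate(acl, p, s, d, port)[0] != want]

if __name__ == "__main__":
    for name, p, s, d, port, want in FLOWS:
        print(f"{name}: {evaluate(ACL_3000, p, s, d, port)} (want {want})")
    print("mismatches:", check())
```

Rules 1 and 2 match only the listed TCP ports, so other traffic from the same sources to the two servers (ICMP, for example) falls through to rule 5 and is permitted.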

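Requirements:

4. The internal 192.168.1.0/24 segment uses NAT to access the public address 200.1.1.2 (static NAT, dynamic NAT, Easy IP)
5. From the public router R2, ping the internal server 192.168.1.1/24 (using NAT, NAT Server)
6. From the public router R2, access the internal server 172.16.1.1/24 over FTP (using NAT, NAT Server)

Static NAT: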

interface GigabitEthernet0/0/0
 ip address 200.1.1.1 255.255.255.0 
 nat static global 200.1.1.3 inside 192.168.1.1
 nat static global 200.1.1.4 inside 192.168.1.2
#

Disable static NAT:

interface GigabitEthernet0/0/0
 undo nat static global 200.1.1.3 inside 192.168.1.1
 undo nat static global 200.1.1.4 inside 192.168.1.2

Dynamic NAT:

Configuration of router R1

acl number 2001  
 rule 5 permit source 192.168.1.0 0.0.0.255 
#

nat address-group 1 200.1.1.3 200.1.1.5


interface GigabitEthernet0/0/0
 nat outbound 2001 address-group 1 no-pat

Disable dynamic NAT:

interface GigabitEthernet0/0/0
 undo nat outbound 2001 address-group 1 no-pat

Easy IP:

Configuration of router R1

interface GigabitEthernet0/0/0
 nat outbound 2001

Disable Easy IP:

interface GigabitEthernet0/0/0
 undo nat outbound 2001

NAT-server:

Configuration of router R1

interface GigabitEthernet0/0/0
 nat server global 200.1.1.3 inside 192.168.1.1

Remove this mapping:

interface GigabitEthernet0/0/0
 undo nat server global 200.1.1.3 inside 192.168.1.1

interface GigabitEthernet0/0/0
 ip address 200.1.1.1 255.255.255.0 
 nat server protocol tcp global 200.1.1.5 ftp inside 172.16.1.1 ftp
#


Remove the FTP mapping:

interface GigabitEthernet0/0/0
 undo nat server protocol tcp global 200.1.1.5 ftp inside 172.16.1.1 ftp

Last modified: May 2, 2023