Cisco static NAT with a DHCP outside interface

Network Engineering · dhcp · cisco-ios-12
2022-02-27 18:46:41

I am using a Cisco 2800 and trying to NAT the inside RFC1918 network to the WAN. The WAN (ISP) address comes from DHCP. I have never used NAT on a Cisco before. Cisco's technical pages also list some commands that do not exist on the 2800. See the `sh run` output below. Hopefully someone can see what I am missing. I can ping from each interface to its connected network, but not through the router.

```
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.11.27 21:00:50 =~=~=~=~=~=~=~=~=~=~=~=

Cisco_Edge#sh run
Building configuration...

Current configuration : 2888 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_Edge
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip domain name [redacted]
ip ssh version 2
!
crypto pki certificate chain
  [redacted]
!
interface FastEthernet0/0
 description WAN - Outside - Untrusted
 ip dhcp client client-id FastEthernet0/0
 ip dhcp client class-id Cisco
 ip dhcp client hostname Cisco-Edge
 ip dhcp client lease 3 0 0
 ip address dhcp
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN - Inside - Trusted
 ip address 172.16.16.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 speed auto
 full-duplex
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login local
!
end

Cisco_Edge#  sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.1.245      YES DHCP   up                    up
FastEthernet0/1            172.16.16.1     YES manual up                    up
NVI0                       unassigned      YES unset  up                    up
Cisco_Edge#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.16.0 is directly connected, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.0.1.1
Cisco_Edge#ping 10.0.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Cisco_Edge#ping 10.0.1.1 source fa0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.16.1
.....
Success rate is 0 percent (0/5)
Cisco_Edge#exit
```
1 Answer

First, I strongly recommend that you put a firewall in at the router, which you can do the NAT on. You describe the interfaces as "trusted" and "untrusted", but those are firewall terms. Without a firewall, nothing should be considered trusted.

If you are willing to risk your network without a firewall, something like this should work (you did not specify the IOS version, so you may need to adjust for differences in the commands):

```
interface FastEthernet0/0
 description WAN - Outside
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no shutdown
!
interface FastEthernet0/1
 description LAN - Inside
 ip address 172.16.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no shutdown
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 172.16.16.0 0.0.0.255
!
```
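As an added example (not part of the question or the answer), the following Python linter checks a running config for the two things that separate the question's config from the answer's: a missing `ip nat inside source ... overload` rule, and `ip nat enable` (NVI) mixed with classic inside/outside NAT. It also verifies that the rule's ACL actually covers every inside subnet, which is why the answer's ACL needs the 172.16.16.0 0.0.0.255 entry. The config strings are constructed, trimmed copies of the ones on this page; the function and variable names are my own.

```python
import ipaddress
import re
# Constructed, trimmed copy of the question's config: inside/outside plus NVI, no translation rule.
BROKEN = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip address 172.16.16.1 255.255.255.0
 ip nat inside
 ip nat enable
"""
# Same config with the answer's fix: PAT on the DHCP interface, hosts selected by ACL 10.
FIXED = BROKEN.replace(" ip nat enable\n", "") + (
    "ip nat inside source list 10 interface FastEthernet0/0 overload\n"
    "access-list 10 permit 172.16.16.0 0.0.0.255\n")

def interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            blocks[(cur := line.split(None, 1)[1])] = []
        elif line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
    return blocks

def wildcard_to_network(addr, wildcard):
    # An ACL wildcard is the inverted netmask; ip_network accepts "addr/netmask".
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_nat(config):
    """Return findings explaining why inside->outside NAT would not work."""
    out, ifs = [], interfaces(config)
    inside = {n for n, l in ifs.items() if "ip nat inside" in l}
    for n, l in sorted(ifs.items()):
        if "ip nat enable" in l and ("ip nat inside" in l or "ip nat outside" in l):
            out.append(f"{n}: 'ip nat enable' (NVI) mixed with classic NAT")
    rules = re.findall(r"^ip nat inside source list (\S+) interface \S+ overload$", config, re.M)
    if not rules:
        out.append("no 'ip nat inside source ... overload' rule: nothing is translated")
    for acl in rules:  # every inside subnet must be matched by the rule's ACL
        nets = [wildcard_to_network(a, w) for a, w in
                re.findall(rf"^access-list {acl} permit (\S+) (\S+)$", config, re.M)]
        for n in inside:
            for a, m in re.findall(r"^ip address (\S+) (\S+)$", "\n".join(ifs[n]), re.M):
                lan = ipaddress.ip_network(f"{a}/{m}", strict=False)
                if not any(lan.subnet_of(p) for p in nets):
                    out.append(f"ACL {acl} does not cover {lan} on {n}")
    return out
```

Running `audit_nat(BROKEN)` reports the NVI mix and the missing translation rule; `audit_nat(FIXED)` returns no findings.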