Port forwarding fails on a Cisco 1841 router

Network Engineering, Cisco
2022-02-03 20:03:50

I have configured PNAT on my router. Everything seems fine. I set up static NAT entries for port forwarding to a server behind the NAT router.

I have set up an ACL to open the forwarded ports on the external interface.

But when I run a port scan, only ssh shows as open; all the other ports are closed.

Does anyone know why this happens? Thanks

Config:

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname OME-GW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name *******
ip name-server [x.x.x.x]
ip name-server [x.x.x.x]
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn XXXXXXX

!
redundancy
!
!
ip ssh port 22 rotary 1
!
class-map match-all win_kasp_updates_allow
 match protocol http url "/.geo.kaspersky.com"
 match protocol http url "/.windowsupdate.com"
 match protocol http url "/update.windows.com"
 match protocol http url "/windowsupdate.microsoft.com"
 match protocol http url "/downloads4.kaspersky-labs.com"
 match access-group 10
class-map match-all everything_else
 match any
!
!
policy-map win_kasp_updates_allow_policy
 class win_kasp_updates_allow
   drop
 class everything_else
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.21 255.255.255.0
 ip access-group 103 in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
 service-policy input win_kasp_updates_allow_policy
!
interface FastEthernet0/1
 ip address [Public_IP] 255.255.255.252
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface Serial0/1/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
 !
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
 !
!
ip default-gateway [ISP_P2P_IP]
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export version 5
ip flow-export destination 192.168.1.151 9991
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.20 25 [Public_IP] 25 extendable
ip nat inside source static tcp 192.168.1.20 25 [Public_IP] 26 extendable
ip nat inside source static tcp 192.168.1.20 53 [Public_IP] 53 extendable
ip nat inside source static udp 192.168.1.20 53 [Public_IP] 53 extendable
ip nat inside source static tcp 192.168.1.20 110 [Public_IP] 110 extendable
ip nat inside source static udp 192.168.1.20 1194 [Public_IP] 1194 extendable
ip route 0.0.0.0 0.0.0.0 [ISP_P2P_IP]
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 deny   192.168.1.22
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 1194
access-list 102 permit udp any any
access-list 102 permit tcp any any
access-list 102 permit icmp any [ISP_P2P_IP] 0.0.0.3 echo
access-list 102 permit icmp any [ISP_P2P_IP] 0.0.0.3 echo-reply
access-list 102 deny   ip host 195.154.109.72 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 255.0.0.0 0.255.255.255 any
access-list 102 deny   ip 224.0.0.0 31.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 103 deny   ip host 192.168.1.9 any
access-list 103 deny   ip host 192.168.1.35 any
access-list 103 permit ip any any
access-list 103 permit tcp 192.168.1.0 0.0.0.255 any
access-list 103 permit udp host 192.168.1.26 eq domain any
access-list 103 permit tcp host 192.168.1.26 eq domain any
access-list 103 permit udp 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
snmp-server community secret RO 90
!
!
control-plane
 !
!

!
line con 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 login local
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
end

show ip nat translations

Pro Inside global         Inside local          Outside local         Outside global
udp [Public_IP]:137    192.168.1.16:137      192.168.255.255:137   192.168.255.255:137
udp [Public_IP]:138    192.168.1.16:138      192.168.255.255:138   192.168.255.255:138
tcp [Public_IP]:25     192.168.1.20:25       ---                   ---
tcp [Public_IP]:53     192.168.1.20:53       ---                   ---
udp [Public_IP]:53     192.168.1.20:53       ---                   ---
tcp [Public_IP]:110    192.168.1.20:110      ---                   ---
udp [Public_IP]:1194   192.168.1.20:1194     ---                   ---
tcp [Public_IP]:38682  192.168.1.52:38682    196.0.3.118:80        196.0.3.118:80
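As an added example (not code from the question or the answer), a small Python checker that replays the first-match logic of the inbound ACL on the outside interface against each static NAT entry, to rule the ACL in or out as the cause. The config excerpt is copied from the question; the scanner address 203.0.113.5 and 198.51.100.2 (standing in for [Public_IP]) are constructed.

```python
import ipaddress
import re
# Constructed excerpt of the question's ACL 102 (inbound on FastEthernet0/1) and its static NAT entries.
ACL_102 = """
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq smtp
access-list 102 permit udp any any
access-list 102 permit tcp any any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
"""
STATIC_NAT = """
ip nat inside source static tcp 192.168.1.20 25 [Public_IP] 25 extendable
ip nat inside source static tcp 192.168.1.20 25 [Public_IP] 26 extendable
ip nat inside source static udp 192.168.1.20 53 [Public_IP] 53 extendable
ip nat inside source static tcp 192.168.1.20 110 [Public_IP] 110 extendable
"""
PORT_NAMES = {"smtp": 25, "domain": 53, "pop3": 110}

def _addr(tok, i):
    """Address spec at tok[i]: 'any' (0.0.0.0 with all-ones wildcard) or 'NET WILDCARD'."""
    return (("0.0.0.0", "255.255.255.255"), i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)

def _matches(spec, ip):
    """IOS wildcard match: bits set to 1 in the wildcard are 'don't care'."""
    net, wild = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(ip)) ^ net) & ~wild & 0xFFFFFFFF == 0

def parse_acl(text):
    """Ordered (action, proto, src, dst, dst_port|None) tuples, in IOS evaluation order."""
    rules = []
    for tok in (line.split() for line in text.splitlines() if line.startswith("access-list")):
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = (PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])) if i < len(tok) and tok[i] == "eq" else None
        rules.append((tok[2], tok[3], src, dst, port))
    return rules

def verdict(rules, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, rproto, src, dst, port in rules:
        if rproto in ("ip", proto) and port in (None, dst_port) \
                and _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"

def check_forwards(acl_text, nat_text, src_ip, pub_ip):
    """ACL verdict an outside client at src_ip gets for each forwarded (proto, public port)."""
    rules = parse_acl(acl_text)
    fwd = re.findall(r"ip nat inside source static (tcp|udp) \S+ \d+ \S+ (\d+)", nat_text)
    return {(p, int(port)): verdict(rules, p, src_ip, pub_ip, int(port)) for p, port in fwd}
```

Every forwarded port comes back "permit", so the ACL cannot be what closes them; the same first-match walk shows that the deny for 192.168.0.0/16 near the bottom of ACL 102 never fires for TCP or UDP because the two permit-any lines above it match first.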
1 answer

@Ricky Beam. Man, you nailed it with that question. I couldn't see it, because I assumed that having the host and the gateway on the same LAN was enough. Before I fixed the port-forwarding problem, my mail server was still pointing at the old ISP. Thank you, and anyone else who took the time to look into my problem. I appreciate it. The solution was to point my server at 192.168.1.21 as its gateway. Problem solved.