Static port forwarding of 1194 to a VPN server behind a Cisco router

Network Engineering  VPN  NAT  port forwarding
2022-02-09 16:43:58

I am trying to set up a VPN server behind my main internet gateway, a Cisco router. I have set it up as shown in the attached diagram. The problem I am observing is that zero packets with destination port 1194 reach the VPN server on the 10.10.10.2 interface, so I am questioning whether my NAT configuration on the Cisco router is correct. I have included the NAT rules I defined in the picture.

If I run an online UDP port scan against my public IP from a remote network, it reports port 1194/UDP as open. Any help would be appreciated.

[Image: network diagram, not included]

Cisco router configuration:

Current configuration : 14472 bytes
!
! Last configuration change at 18:21:59 UTC Sun Mar 29 2020 by <name redacted>
! NVRAM config last updated at 23:15:12 UTC Tue Mar 17 2020 by <name redacted>
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash0:c3900-universalk9-mz.SPA.157-3.M3.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable password 7 <PASSWORD REDACTED>
!
aaa new-model
!
!         
aaa authentication login default group tacacs+ local enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local if-authenticated 
aaa authorization commands 1 default group tacacs+ local if-authenticated 
aaa authorization commands 7 default local 
aaa authorization commands 15 default group tacacs+ local if-authenticated 
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1899486086
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1899486086
 revocation-check none
 rsakeypair TP-self-signed-1899486086
!
crypto pki certificate chain TP-self-signed-1899486086
 certificate self-signed 01
  <KEY REDACTED>
    quit
!
!
no ip domain lookup
ip domain name yourdomain.com
ip multicast-routing 
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
vxml logging-tag
license udi pid C3900-SPE100/K9 sn FOC164450P4
hw-module sm 1
!
username <name redacted> privilege 15 secret 5 <password redacted>
!
redundancy
!
interface Loopback0
 ip address 192.168.1.192 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1374
 ip pim sparse-mode
 no ip route-cache
 ip ospf 1 area 0
!
interface Tunnel55
 ip address 6.78.4.230 255.255.255.252
 shutdown
 tunnel source GigabitEthernet0/1.55
 tunnel destination 6.78.4.226
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description UNUSED PORT
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description connection to 5548
 no ip address
 media-type sfp
!
interface GigabitEthernet0/1.5
 description Test VLAN for VRRP (VLAN 5)
 encapsulation dot1Q 5
 ip address 6.78.2.225 255.255.255.252
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 <KEY REDACTED>
 ip ospf 1 area 0
!
interface GigabitEthernet0/1.9
 description vlan 9 <unused>
 encapsulation dot1Q 9
 ip address 180.180.180.161 255.255.255.224
 shutdown
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.128
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.14
 description Test VLAN interface for VRRP
 encapsulation dot1Q 14
 ip address 6.78.1.225 255.255.255.252
 ip pim sparse-mode
 shutdown
!
interface GigabitEthernet0/1.55
 description Test VLAN for VRRP to CSR 1000v
 encapsulation dot1Q 55
 ip address 6.78.4.225 255.255.255.252
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 <KEY REDACTED>
 ip ospf 1 area 0
 shutdown
!         
interface GigabitEthernet0/1.200
 description Connection to PFSense VM
 encapsulation dot1Q 200
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 description Connection to the Internet
 mac-address 0005.eb00.2ba0
 ip address aaa.bbb.ccc.158 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
 media-type sfp
!
interface GigabitEthernet0/0/0.305
 description VLAN 5 Uplink for vNIA4
 encapsulation dot1Q 305
 ip address 5.67.1.225 255.255.255.252
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 <KEY REDACTED>
 ip ospf 1 area 0.0.0.1
!
interface GigabitEthernet0/0/0.310
 description VLAN 10 for New Lab
 encapsulation dot1Q 310
 ip address 5.67.1.1 255.255.255.128
!
interface GigabitEthernet0/0/0.340
 description Overlay Transport (TEP)
 encapsulation dot1Q 340
 ip address 5.67.40.1 255.255.255.128
!
interface GigabitEthernet0/0/0.360
 description VLAN Uplink for Edge T0
 encapsulation dot1Q 360
 ip address 5.67.60.1 255.255.255.128
!
interface GigabitEthernet0/0/0.370
 description VLAN Uplink for Edge T0
 encapsulation dot1Q 370
 ip address 5.67.70.1 255.255.255.128
!
interface SM1/0
 no ip address
 shutdown
 !Application: Restarted at Wed Jul 24 21:34:04 2019
!
interface SM1/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
router ospf 1
 router-id 6.78.1.225
 network 5.67.1.0 0.0.0.127 area 0
 network 5.67.40.0 0.0.0.127 area 0
 network 5.67.60.0 0.0.0.127 area 0
 network 5.67.70.0 0.0.0.127 area 0
 network 6.78.1.224 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.127 area 0
 network 192.168.3.224 0.0.0.3 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
router rip
 network 192.168.1.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip pim bsr-candidate Loopback0 24 197
ip pim rp-candidate Loopback0 group-list 2
ip nat inside source list 4 interface GigabitEthernet0/2 overload
ip nat inside source static udp 10.10.10.2 1194 interface GigabitEthernet0/2 1194
ip nat inside source static udp 10.10.10.2 22 interface GigabitEthernet0/2 22
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.157
ip route 10.0.8.0 255.255.255.248 192.168.1.15
ip ssh version 2
!
ipv6 ioam timestamp
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server group network-admin v3 priv 
!
access-list 2 permit 224.9.10.59
access-list 2 permit 224.9.10.58
access-list 2 permit 224.191.107.0 0.0.0.255
access-list 2 permit 224.194.21.0 0.0.0.255
access-list 2 permit 224.193.21.0 0.0.0.255
access-list 2 permit 224.193.25.0 0.0.0.255
access-list 2 permit 224.191.108.0 0.0.0.255
access-list 2 permit 224.191.109.0 0.0.0.255
access-list 2 permit 224.191.110.0 0.0.0.255
access-list 2 permit 224.199.0.0 0.0.255.255
access-list 2 permit 224.192.11.0 0.0.0.255
access-list 2 permit 224.193.24.0 0.0.0.255
access-list 2 permit 224.190.14.0 0.0.0.255
access-list 2 permit 224.1.2.0 0.0.0.255
access-list 2 permit 224.192.14.0 0.0.0.255
access-list 2 permit 224.192.15.0 0.0.0.255
access-list 2 permit 224.192.16.0 0.0.0.255
access-list 2 permit 224.192.17.0 0.0.0.255
access-list 2 permit 224.192.18.0 0.0.0.255
access-list 2 permit 224.192.13.0 0.0.0.255
access-list 2 permit 224.190.12.0 0.0.0.255
access-list 2 permit 239.0.55.0 0.0.0.255
access-list 3 permit 224.191.20.0 0.0.0.255
access-list 3 permit 224.192.20.0 0.0.0.255
access-list 4 permit 192.168.1.111
access-list 4 permit 10.10.10.2
access-list 4 permit 192.168.1.121
access-list 4 permit 192.168.1.120
access-list 4 permit 192.168.1.123
access-list 4 permit 192.168.1.122
access-list 4 permit 192.168.1.125
access-list 4 permit 192.168.1.124
access-list 4 permit 192.168.1.126
access-list 4 permit 192.168.1.79
access-list 4 permit 192.168.1.78
access-list 4 permit 192.168.1.64
access-list 4 permit 192.168.1.68
access-list 4 permit 192.168.1.92
access-list 4 permit 192.168.1.80
access-list 4 permit 192.168.1.57
access-list 4 permit 192.168.1.59
access-list 4 permit 192.168.1.58
access-list 4 permit 192.168.1.61
access-list 4 permit 192.168.1.60
access-list 4 permit 192.168.1.63
access-list 4 permit 192.168.1.62
access-list 4 permit 192.168.1.2
access-list 4 deny   any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
 shutdown
!
 vstack
alias exec c conf t
alias exec w copy system:running-config nvram:startup-config
alias exec sii sho ip int brief
!
banner exec ^C
<BANNER REDACTED>
^C
banner login ^C
<BANNER REDACTED>
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input ssh
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class 1 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 <KEY REDACTED> 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp master 5
ntp update-calendar
!
end

Also, I added a static NAT rule to forward port 22 to the pfSense router, but that does not work either.

I have updated the drawing to give a closer approximation of the actual setup. Obviously, from what you can see in the router configuration above, there is a lot more going on, but I do not believe any of the extra items are related to the problem or its cause.

Since I do not see any traffic on port 1194 being forwarded to the pfSense router, I would like to know whether there is a way to determine if any traffic on that port is even reaching the gi0/2 interface. It appears I cannot set up a SPAN port on the Cisco router.

[Image: updated network diagram, not included]

1 Answer

I found that my configuration was not actually wrong. The problem was that I did not have a clear understanding of how our internet service is provided to us. This is in a lab environment, and internet service is provided to the lab by our company's IT department. I had originally assumed we were connected directly to the internet, because the IP address on the internet-facing port of the Cisco 3925 is not in private IP address space. However, given that the IP address is statically assigned in a /30 subnet, it became clear that IT had purchased a static public IP block and subnetted it further for this purpose. To prove this, I disconnected the Cisco 3925's internet connection and plugged in a Linux laptop (after spoofing the 3925's MAC address so as not to trigger port security). From there I used tcpdump to look at the laptop's inbound traffic.

Here is a better representation of the network: [Image: network diagram, not included]
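The following is an added example, not code from the question or the answer above. It covers both halves of the thread: the question's "is my static NAT rule correct?" and the answer's finding that the "Internet" interface is really one end of a /30 handed off by another router. The script parses the interface blocks, the `ip nat inside source static` rules and the default route out of an IOS running-config and reports rules that cannot work as written (outside interface not `ip nat outside`, inside-local host not behind an `ip nat inside` interface). It then flags the situation from the answer: an outside interface on a /30 or /31 whose only other address is the default next hop, which means a second router has to forward the port too. `SAMPLE_CONFIG` is a constructed excerpt modelled on the question's config; the redacted public addresses are replaced by a 203.0.113.0/24 documentation-range placeholder, and all function names are my own.

```python
"""Added example: sanity-check the static port-forward rules in a Cisco IOS
running-config.  SAMPLE_CONFIG is a constructed excerpt modelled on the
question's config; the public /30 is replaced by a 203.0.113.0/24
documentation-range placeholder."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 203.0.113.158 255.255.255.252
 ip nat outside
!
ip nat inside source list 4 interface GigabitEthernet0/2 overload
ip nat inside source static udp 10.10.10.2 1194 interface GigabitEthernet0/2 1194
ip nat inside source static udp 10.10.10.2 22 interface GigabitEthernet0/2 22
ip route 0.0.0.0 0.0.0.0 203.0.113.157
"""
STATIC_RULE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

def parse_interfaces(config):
    """name -> {'address': IPv4Interface or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"address": None, "nat": None}
        elif line.startswith(" ") and current is not None:
            cmd = line.strip()
            m = re.match(r"^ip address (\S+) (\S+)$", cmd)
            if m:
                interfaces[current]["address"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
            elif cmd in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = cmd.split()[-1]
        else:
            current = None  # '!' or a top-level command ends the interface block
    return interfaces

def parse_static_rules(config):
    """Static port-forward rules as dicts (proto, inside_ip, inside_port, outside_if, outside_port)."""
    rules = []
    for m in filter(None, map(STATIC_RULE.match, config.splitlines())):
        rules.append({"proto": m[1], "inside_ip": ipaddress.IPv4Address(m[2]),
                      "inside_port": int(m[3]), "outside_if": m[4], "outside_port": int(m[5])})
    return rules

def default_next_hop(config):
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)
    return ipaddress.IPv4Address(m[1]) if m else None

def check_static_nat(config):
    """Findings for rules that cannot work as written; empty list == consistent."""
    ifaces, findings = parse_interfaces(config), []
    for r in parse_static_rules(config):
        label = f"{r['proto']}/{r['outside_port']} -> {r['inside_ip']}:{r['inside_port']}"
        out = ifaces.get(r["outside_if"])
        if out is None or out["nat"] != "outside":
            findings.append(f"{label}: {r['outside_if']} is not 'ip nat outside'")
        # the inside-local host must be reached through an 'ip nat inside' interface
        hosting = [n for n, i in ifaces.items()
                   if i["address"] is not None and r["inside_ip"] in i["address"].network]
        if not hosting:
            findings.append(f"{label}: no interface subnet contains {r['inside_ip']}")
        elif all(ifaces[n]["nat"] != "inside" for n in hosting):
            findings.append(f"{label}: {', '.join(hosting)} is not 'ip nat inside'")
    return findings

def upstream_is_another_router(config, outside_if):
    """True when outside_if is on a /30 or /31 whose only other address is the default
    next hop: the 'Internet' side is a point-to-point link to an upstream router, which
    must forward the port as well before any inbound packet can reach this router."""
    addr = parse_interfaces(config).get(outside_if, {}).get("address")
    nh = default_next_hop(config)
    if addr is None or nh is None:
        return False
    return addr.network.prefixlen >= 30 and nh in addr.network and nh != addr.ip

if __name__ == "__main__":
    print("\n".join(check_static_nat(SAMPLE_CONFIG) or ["static NAT rules are consistent"]))
    if upstream_is_another_router(SAMPLE_CONFIG, "GigabitEthernet0/2"):
        print("outside interface is a point-to-point link to another router; "
              "confirm that device forwards udp/1194 before blaming the local NAT rules")
```

To use it on a real box, save the output of `show running-config` to a file and pass its contents to `check_static_nat` and `upstream_is_another_router`. The parser only understands the command forms used in the thread (dotted-mask `ip address`, `ip nat inside`/`outside`, static rules that borrow the outside interface's address); it does not interpret the ACL behind the `overload` rule or static rules with an explicit global address. It is a static check of the configuration, which is exactly what this thread shows is not enough on its own: when the rules pass and nothing arrives, the remaining questions are whether the router ever sees the packets (the answer's tcpdump on the handoff link) and whether the NAT entry is being hit (`show ip nat translations` on the router).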