We have the following configuration:
interface Dialer0
ip nat outside
ip access-group 101 in
exit
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip access-group 104 out
exit
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
192.168.2.15 is a www server that our customers can reach from outside. The problem is that there is no Internet access going out from inside the network. Requests come in, and the router can ping the outside world. There is just no Internet from within the network.

Is there a way to let a specific number of machines access the Internet, i.e.:
ip nat external source static tcp 192.168.2.5 interface Dialer0 80
ip nat outside source static tcp 192.168.2.10 interface Dialer0 80

UPDATE

Below is the complete configuration:
write erase
reload
!
enable
!
conf t
!
ntp server 192.168.2.15
ip name-server 192.168.2.5
ip name-server 8.8.8.8
!
hostname rymax
ip domain-name example.com
no ip domain lookup
! no logging console
!
! crypto key generate rsa
! username root priv 15 secret <password>
! aaa new-model
service password-encryption
enable secret 0 <password>
line vty 0 4
transport input ssh
exit
line con 0
password <password>
exit
line aux 0
password <password>
exit
!
access-list 10 permit 192.168.2.100 log
line vty 0 4
access-class 10 in
exit
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip tcp adjust-mss 1452
ip flow ingress
ip route-cache policy
encapsulation ppp
ppp authentication pap callin
ppp pap sent-username <username> password 0 <password>
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
ip nat outside
ip access-group 101 in
!ip access-group 102 out
dialer pool 1
dialer-group 1
no cdp enable
no shut
exit
!
interface GigabitEthernet0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
no shut
no ip redirects
exit
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
! ip access-group 103 in
ip access-group 104 out
no cdp enable
no ip redirects
no shut
exit
!
do clear ip nat trans *
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip nat service sip udp port 5060
no ip nat service sip udp port 5080
!
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static udp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 587 interface Dialer0 587
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.2.20 5080 interface Dialer0 5080
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
ip access-list extended 101
deny icmp any any echo
deny icmp any any redirect
deny icmp any any timestamp-request
deny icmp any any information-request
deny icmp any any mask-request
permit ip any any
exit
!
ip access-list extended 102
permit ip any any
exit
!
ip access-list extended 103
permit ip any any
exit
!
ip access-list extended 104
permit tcp any host 192.168.2.5 eq 53
permit udp any host 192.168.2.5 eq 53
permit tcp any host 192.168.2.10 eq 25
permit tcp any host 192.168.2.10 eq 587
permit tcp any host 192.168.2.10 eq 993
permit tcp any host 192.168.2.10 eq 995
permit tcp any host 192.168.2.15 eq 80
permit tcp any host 192.168.2.15 eq 443
permit udp host 205.205.22.186 host 192.168.2.5 eq 5060
permit udp host 205.205.74.186 host 192.168.2.5 eq 5060
permit udp host 70.83.45.11 host 192.168.2.5 eq 5060
permit udp any host 192.168.2.20 eq 5080
permit udp any host 192.168.2.5 range 8000 65535
permit tcp any eq 25 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.15 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.20 range 1024 65535 established
permit udp any eq 53 host 192.168.2.5 range 1024 65535
permit udp any eq 53 host 192.168.2.10 range 1024 65535
permit udp any eq 53 host 192.168.2.15 range 1024 65535
permit udp any eq 53 host 192.168.2.20 range 1024 65535
permit tcp any eq 80 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.15 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.20 range 1024 65535 established
deny ip any host 192.168.2.5 log
deny ip any host 192.168.2.10 log
deny ip any host 192.168.2.15 log
deny ip any host 192.168.2.20 log
permit ip any any
exit
! Stops pinging but needed for RTP relay
ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp extendable
!
! dialer-list 1 protocol ip permit
! route-map voip-rtp permit 1
! match ip address 104
! exit
!
!
! QOS
class-map voice
match protocol rtp audio
exit
!
policy-map wan-qos
class voice
bandwidth percent 60
exit
exit
!
policy-map parent
class class-default
shape average 10000000
service-policy wan-qos
exit
exit
!
interface GigabitEthernet0/0
bandwidth 10000
service-policy output wan-qos
exit
!
!
! Securing Cisco
ip tcp synwait-time 30
ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp
no service dhcp
no ip bootp server
no service finger
no ip http server
no ip http secure-server
no snmp-server
no service config
no ip gratuitous-arps
no ip source-route
ip options drop
!
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
!
do write mem
The configuration works as expected (i.e. permits and blocks). But there are some parts:

i) These two lines don't really do anything. Do I really need them?
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp extendable

ii) More importantly, I am trying to remove the dynamic routing:
ip nat inside source list 1 interface Dialer0 overload
I suspect the dynamic routing is the reason the router crashes, but if I remove this line the servers still provide service in both directions (i.e. SMTP, HTTP, SIP), yet the other computers in the network have no Internet.

I have tried many ways to exclude the dynamic route map, and all of them failed.

Thanks in advance,
Nick.
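A quick way to audit what ACL 104 (applied `out` on GigabitEthernet0/1, i.e. toward the LAN) actually lets through is to replay candidate flows against it top-down, exactly as IOS does. The matcher below is an added example, not part of the original post or of Cisco IOS; the ACL excerpt is copied from the question, the flows are constructed, and only the syntax forms ACL 104 uses (`any`/`host`, `eq`/`range`, `established`, `log`) are handled.

```python
"""Top-down matcher for the IOS extended ACL syntax used by ACL 104 in the post.
Added example, not from the original post or from Cisco IOS; it handles only the
forms ACL 104 uses: any / host A, eq P / range A B, established and log."""
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport ack")  # ack: TCP ACK/RST bit set

# Excerpt of ACL 104 as written in the question (applied `out` on Gi0/1)
ACL_104 = """\
permit tcp any host 192.168.2.15 eq 80
permit tcp any host 192.168.2.15 eq 443
permit tcp any eq 80 host 192.168.2.15 range 1024 65535 established
deny ip any host 192.168.2.15 log
permit ip any any
"""

def _addr(tok):                      # `any` -> None (wildcard), `host A` -> "A"
    t = tok.pop(0)
    return None if t == "any" else tok.pop(0)

def _ports(tok):                     # optional `eq P` / `range LO HI`
    if tok and tok[0] in ("eq", "range"):
        kw = tok.pop(0)
        lo = int(tok.pop(0))
        return lo, (int(tok.pop(0)) if kw == "range" else lo)
    return 0, 65535                  # no qualifier: any port

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr(rest), _ports(rest)
        dst, dport = _addr(rest), _ports(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, f):
    """Return (action, 1-based rule number); rule 0 is the implicit deny at the end."""
    for i, (action, proto, src, sport, dst, dport, est) in enumerate(rules, 1):
        if (proto in ("ip", f.proto) and src in (None, f.src) and dst in (None, f.dst)
                and sport[0] <= f.sport <= sport[1] and dport[0] <= f.dport <= dport[1]
                and (not est or (f.proto == "tcp" and f.ack))):
            return action, i
    return "deny", 0

RULES = parse_acl(ACL_104)
# Constructed: reply from an Internet HTTPS server to a LAN PC's own outbound connection
PC_REPLY = Flow("tcp", "203.0.113.10", 443, "192.168.2.100", 51000, True)
```

Replaying the same reply toward the web server itself (192.168.2.15) shows it falling through to the `deny ip any host 192.168.2.15 log` line, because the `established` permits for that host only cover source port 80; the LAN PC's reply reaches the final `permit ip any any`.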