Cisco

Port forwarding with Cisco SR520 IOS

  • June 17, 2015

My task is to set up port forwarding so that Remote Desktop on a server can be reached. I'm having a hard time getting it to work.

Server IP 192.168.1.20, port 3389

The router is a Cisco SR520. It sits behind our ISP's modem, whose IP is 192.168.5.1. Their modem's NAT should send incoming connections to 192.168.5.100 (which is the router's IP on that interface, FastEthernet4).

We do have several VLANs; the server is on VLAN 1.

I'm not a network expert, just dabbling. I believe NAT is configured to forward the port correctly, and I added access-list rules to allow it. There's also some zone security, but I'm not sure about that. Does this look right? What am I missing?

ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
ip dhcp excluded-address 192.168.1.1 192.168.1.64
ip dhcp excluded-address 192.168.10.1 192.168.10.64
ip dhcp excluded-address 192.168.20.1 192.168.20.64
!
ip dhcp pool inside
  import all
  network 192.168.75.0 255.255.255.0
  default-router 192.168.75.1
!
ip dhcp pool dpool1
  import all
  network 192.168.1.0 255.255.255.0
  default-router 192.168.1.1
  domain-name midwaybc.org
  dns-server 38.65.70.4 38.65.70.5
!
ip dhcp pool dpool10
  import all
  network 192.168.10.0 255.255.255.0
  default-router 192.168.10.1
  domain-name midwaybc.org
  dns-server 38.65.70.4 38.65.70.5
!
ip dhcp pool dpool20
  import all
  network 192.168.20.0 255.255.255.0
  default-router 192.168.20.1
  domain-name midwaybc.org
  dns-server 38.65.70.4 38.65.70.5
!
!
ip cef
no ip domain lookup
ip domain name Midwaybc.org
ip name-server 38.65.70.4
ip name-server 38.65.70.5
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 {REMOVED}
!
!
!
archive
log config
 logging enable
 logging size 600
 hidekeys
!
!
!
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-cls-icmp-access
 inspect
class class-default
 pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
 drop log
class type inspect sdm-cls-insp-traffic
 inspect
class type inspect sdm-protocol-http
 inspect
class type inspect SDM-Voice-permit
 pass
class class-default
 pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
 pass
class class-default
 drop
policy-map type inspect sdm-permit
class class-default
 drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
!
!
!
interface Loopback0
ip address 10.108.1.1 255.255.255.0
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 192.168.5.100 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
ip access-group 130 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
router rip
version 2
network 192.168.1.0
network 192.168.10.0
network 192.168.20.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route 192.168.1.0 255.255.255.0 172.17.14.1
ip route 192.168.10.0 255.255.255.0 172.17.14.1
ip route 192.168.20.0 255.255.255.0 172.17.14.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.10.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.10.2 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.20 3389 38.65.74.164 3389 extendable
ip nat inside source static tcp 192.168.1.20 3389 192.168.5.100 3389 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 permit udp any host 192.168.1.20 eq 3389
access-list 100 permit tcp any host 192.168.1.20 eq 3389
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 130 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip any any
!
!
!
!
!
control-plane
!
banner login ^C{REMOVED}^C
!
line con 0
password 7 {REMOVED}
no modem enable
line aux 0
line vty 0 4
password 7 {REMOVED}
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 132.163.4.101 prefer
end

I figured it out; the problem was the zone-based firewall.

All I needed was the NAT rule, plus modifying the firewall to allow the specific incoming port.

I found this article very useful; it explains everything needed for port forwarding with a zone-based firewall.

Quoted from: https://serverfault.com/questions/698029
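One way to open the forwarded port in the zone-based firewall, added here as an example and not the poster's own fix (the post does not show the exact lines that were used). It reuses the zone-pair, policy-map and server address from the config above; the ACL name RDP-INBOUND and class-map name RDP-IN-CLASS are invented. Two things in the posted config explain why the NAT rule alone was not enough: access-list 100 is referenced only by class-map sdm-invalid-src, which the sdm-inspect policy drops and logs on the in-zone to out-zone pair, so the 3389 permits added there do nothing for inbound traffic; and the out-zone to in-zone pair (sdm-zp-out-in) runs sdm-inspect-voip-in, whose class-default drops everything except the voice classes. Of the two static NAT entries for 3389, only the one translating to 192.168.5.100 matches an address the router actually holds on FastEthernet4.

```cisco
! Named ACL matching RDP to the server's inside address. For the
! out-zone -> in-zone direction the zone-based firewall evaluates the
! packet after static NAT, so match the inside host 192.168.1.20 rather
! than the FastEthernet4 address. (ACL name is an assumption.)
ip access-list extended RDP-INBOUND
 permit tcp any host 192.168.1.20 eq 3389
!
! Class that is hit only by TCP traffic matching the ACL above.
! (Class-map name is an assumption.)
class-map type inspect match-all RDP-IN-CLASS
 match access-group name RDP-INBOUND
 match protocol tcp
!
! Add the class to the policy already bound to zone-pair sdm-zp-out-in.
! IOS keeps class-default last, so everything else from out-zone is
! still dropped; only RDP to this one host is opened and stateful
! inspection returns the reply traffic.
policy-map type inspect sdm-inspect-voip-in
 class type inspect RDP-IN-CLASS
  inspect
```

After applying it, a connection attempt from outside should appear in `show ip nat translations` as a 192.168.5.100:3389 to 192.168.1.20:3389 entry and in `show policy-map type inspect zone-pair sdm-zp-out-in sessions` as an inspected session under RDP-IN-CLASS; if the NAT entry exists but no session does, the traffic is still being dropped by the zone-pair rather than by NAT.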