Cisco
Port forwarding with Cisco SR520 IOS
I've been tasked with setting up port forwarding so that Remote Desktop on a server can be reached from outside. I'm having a hard time getting it to work.
Server IP 192.168.1.20, port 3389
The router is a Cisco SR520. It sits behind our ISP's modem, whose IP is 192.168.5.1. Their modem's NAT is supposed to send incoming connections to 192.168.5.100 (which is the router's IP on that interface, FastEthernet4).
We do have a few VLANs; the server is on VLAN 1.
I'm not a network expert, just dabbling. I believe NAT is configured to forward the port correctly, and I added an access-list rule to allow it. There's also some zone security, but I'm not sure about that. Does this look right? What am I missing?
ip source-route
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
ip dhcp excluded-address 192.168.1.1 192.168.1.64
ip dhcp excluded-address 192.168.10.1 192.168.10.64
ip dhcp excluded-address 192.168.20.1 192.168.20.64
!
ip dhcp pool inside
 import all
 network 192.168.75.0 255.255.255.0
 default-router 192.168.75.1
!
ip dhcp pool dpool1
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name midwaybc.org
 dns-server 38.65.70.4 38.65.70.5
!
ip dhcp pool dpool10
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 domain-name midwaybc.org
 dns-server 38.65.70.4 38.65.70.5
!
ip dhcp pool dpool20
 import all
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 domain-name midwaybc.org
 dns-server 38.65.70.4 38.65.70.5
!
ip cef
no ip domain lookup
ip domain name Midwaybc.org
ip name-server 38.65.70.4
ip name-server 38.65.70.5
!
no ipv6 cef
multilink bundle-name authenticated
!
username cisco privilege 15 secret 5 {REMOVED}
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-cls-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  pass
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit
  pass
 class class-default
  drop
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
!
interface Loopback0
 ip address 10.108.1.1 255.255.255.0
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$
 ip address 192.168.5.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan10
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 description $FW_INSIDE$
 ip address 192.168.20.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan75
 description $FW_INSIDE$
 ip address 192.168.75.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.10.0
 network 192.168.20.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route 192.168.1.0 255.255.255.0 172.17.14.1
ip route 192.168.10.0 255.255.255.0 172.17.14.1
ip route 192.168.20.0 255.255.255.0 172.17.14.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.10.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.10.2 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.20 3389 38.65.74.164 3389 extendable
ip nat inside source static tcp 192.168.1.20 3389 192.168.5.100 3389 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 permit udp any host 192.168.1.20 eq 3389
access-list 100 permit tcp any host 192.168.1.20 eq 3389
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 130 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip any any
!
control-plane
!
banner login ^C{REMOVED}^C
!
line con 0
 password 7 {REMOVED}
 no modem enable
line aux 0
line vty 0 4
 password 7 {REMOVED}
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 132.163.4.101 prefer
end
I figured it out; the problem was the zone-based firewall.
All I needed was the NAT rule, plus a change to the firewall to allow the specific incoming port.
I found this article very helpful; it explains everything needed for port forwarding with a zone-based firewall.
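The firewall change the answer refers to, as an added example (this is not the poster's configuration or the linked article's, and the names below are assumptions: access-list 101 and class-map cm-rdp-in are assumed unused on the router, and 203.0.113.0/24 is a placeholder for the remote network that should be allowed to reach the desktop). In the config as posted, the two 3389 permit lines were added to access-list 100, which is the list that class-map sdm-invalid-src matches and policy-map sdm-inspect drops and logs, so they open nothing; meanwhile the out-zone to in-zone zone-pair sdm-zp-out-in carries policy-map sdm-inspect-voip-in, whose class-default drops, which is why the static NAT entry alone was not enough. The example keeps the NAT line the poster already has for 192.168.5.100 and adds an inspect class to that existing policy-map:

```ios
! Added example, not the poster's running config.
! Goal: let inbound RDP from out-zone reach 192.168.1.20:3389 through ZBF.
!
! 1. Static NAT, as already present in the posted config (the ISP modem
!    forwards to 192.168.5.100 on FastEthernet4).
ip nat inside source static tcp 192.168.1.20 3389 192.168.5.100 3389 extendable
!
! 2. A dedicated ACL for the forwarded port. Do not reuse access-list 100:
!    it feeds class-map sdm-invalid-src, which sdm-inspect drops and logs.
!    The ACL matches the inside address 192.168.1.20 because the out-in
!    zone-pair policy is evaluated after static NAT has rewritten the
!    destination. 203.0.113.0/24 is a placeholder; replace it with the
!    source range that should be allowed (or "any" if it truly must be open).
access-list 101 remark RDP to server (added example)
access-list 101 permit tcp 203.0.113.0 0.0.0.255 host 192.168.1.20 eq 3389
!
! 3. Class-map (name cm-rdp-in is an assumption) tying the ACL to TCP.
class-map type inspect match-all cm-rdp-in
 match access-group 101
 match protocol tcp
!
! 4. Add the class to the policy-map already bound to zone-pair
!    sdm-zp-out-in. class-default stays last and keeps dropping everything
!    else; only the RDP flow is stateful-inspected and gets return traffic.
policy-map type inspect sdm-inspect-voip-in
 class type inspect cm-rdp-in
  inspect
!
! 5. Verification after a test connection (standard IOS show commands):
!    show policy-map type inspect zone-pair sdm-zp-out-in sessions
!    show ip nat translations | include 3389
```

Using `inspect` rather than `pass` matters: `inspect` creates a session entry so the server's replies are allowed back through sdm-zp-in-out without a second rule, while `pass` would only let the inbound packets through unconditionally. Narrowing the ACL source to the range that actually needs RDP is what keeps the forwarded port from being reachable from the whole internet, and the session view from `show policy-map type inspect zone-pair ... sessions` is the quickest way to confirm which class is matching when the connection still fails.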