BDCOM Configuration
Common BDCOM router configuration (using the 2621 as an example)
--------------------------------------------------------------------------------
Router_config#show run
Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
enable password 0 123456789 level 15 // sets the router login password
!
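interface FastEthernet0/0 // WAN port, usually a fixed fiber connection with a static IP
ip address 1.1.1.1 255.255.255.252 // sets the WAN port IP address
no ip directed-broadcast
ip nat outside // sets this port's role in NAT translation
ip nat local-service icmp enable // enables the router's ICMP service under NAT
ip nat local-service udp enable // enables the router's UDP service under NAT
ip nat local-service tcp enable // enables the router's TCP service under NAT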
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0 // sets the LAN port address (the LAN gateway)
no ip directed-broadcast
ip access-group firewall in // applies the software firewall
ip nat inside // sets this port's role in NAT translation
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route default 1.1.1.2 // default route, pointing to the carrier's (China Telecom) gateway
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
!
ip access-list standard NAT // defines the access list
permit 192.168.1.0 255.255.255.0 // the LAN range allowed to reach the Internet through NAT
!
!
ip access-list extended firewall // defines the software firewall
deny tcp any any eq 135 // blocks ports commonly attacked by viruses
deny tcp any any eq 139 // same as above
deny tcp any any eq 445
deny tcp any any eq 3333
deny tcp any any eq 593
deny udp any any eq 135
deny udp any any eq tftp
deny udp any any eq 4444
deny udp any any eq 137
deny udp any any eq 138
permit ip any any // normal traffic is allowed through
!
!
ivr-cfg
!
ip nat translation max-links all 300 // improves the router's resilience to attacks and virus traffic
ip nat inside source list NAT interface FastEthernet0/0 // performs NAT translation to the public address
===========================================================================
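Configuration notes:
1. enable password 0 123456789 level 15 only prompts for a password;
to be prompted for both a username and a password, configure the following at the config# prompt:
username bdcom password 0 bdcom // choose your own name and password
aaa authentication login default local ena // AAA authentication
2. The icmp, tcp and udp services on the ip nat outside port are optional. If you do not want ICMP, TCP and UDP connections from outside to come in, you can leave out the three commands above.
3. The software firewall generally only needs to be applied on the LAN port; if necessary it can also be applied on the WAN port. You can add more ports to the firewall list yourself to guard against more viruses.
4. ip nat translation max-links all 300 strengthens the router's resistance to viruses. Small and medium-sized Internet cafes generally configure 200/300; larger Internet cafes can consider raising it to 500.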
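
The settings discussed in notes 1 to 3 can be checked mechanically. The Python script below is an added example, not part of the original page or of any BDCOM tooling: it scans a running-config for cleartext password settings and for router services left reachable on the NAT outside interface. The sample config is a constructed, trimmed copy of the one shown above, the category names are hypothetical, and reading "password 0" as a cleartext password is an assumption based on Cisco-style syntax.

```python
import re

# Constructed sample: a trimmed copy of the running-config shown on this page.
SAMPLE = """\
no service password-encryption
enable password 0 123456789 level 15
!
interface FastEthernet0/0
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/1
 ip access-group firewall in
 ip nat inside
"""

def audit(config):
    """Return (category, detail) findings for a BDCOM-style running-config."""
    findings, iface, blocks = [], None, {}
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()   # drop the page's // annotations
        if line.startswith("interface "):
            iface = line.split()[1]
            blocks[iface] = []
        elif line == "!":
            iface = None                    # "!" closes the interface block
        elif iface:
            blocks[iface].append(line)
        if line == "no service password-encryption":
            findings.append(("cleartext", line))
        # Assumption: type 0 marks an unencrypted password (Cisco-style syntax).
        m = re.match(r"(enable password|username \S+ password) 0 ", line)
        if m:
            findings.append(("cleartext", m.group(1)))
    for name, body in blocks.items():
        if "ip nat outside" not in body:
            continue                        # only the WAN side is checked
        for entry in body:
            m = re.match(r"ip nat local-service (\w+) enable", entry)
            if m:
                findings.append(("wan-service", f"{name} {m.group(1)}"))
        if not any(e.startswith("ip access-group ") for e in body):
            findings.append(("wan-no-acl", name))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
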
===========================================================================
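Configuration notes 2:
If the router's WAN port connects through ADSL, the configuration should be as follows.
Change the WAN port to:
interface Dialer0 // creates the dialer port
ip address negotiated // the IP address is negotiated automatically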
ip mtu 1492
no ip directed-broadcast
ppp pap sent-username 1111111 22222 // sets the PPPoE/ADSL username and password
ip nat outside
ip nat mss // automatically adjusts the size of PPPoE packets
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
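pppoe-client Dialer 0 // the physical port uses the virtual dialer port's configuration
Correspondingly, the NAT command changes to:
ip nat inside source list NAT interface Dialer0
The default route command changes to:
ip route default Dialer0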
===========================================================================
Static port mapping and special NAT:
Router_config#show run
Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface Dialer0
ip address negotiated
ip mtu 1492
no ip directed-broadcast
ppp pap sent-username 1111111 22222
ip nat outside
ip nat mss
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
pppoe-client Dialer 0
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip access-group firewall in
ip nat inside
!
interface Async0/0
no ip address
no ip directed-broadcast
!
!
ip route default Dialer0
!
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
!
ip access-list standard NAT
permit 192.168.1.0 255.255.255.0
!
ip access-list extended firewall
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any eq 3333
deny tcp any any eq 593
deny udp any any eq 135
deny udp any any eq tftp
deny udp any any eq 4444
deny udp any any eq 137
deny udp any any eq 138
permit ip any any
!
!
!
!
!
ivr-cfg
!
!
!
!
!
ip nat service privateservice // enable switch for special NAT
ip nat translation max-links all 300
ip nat outside destination static interface Dialer0 192.168.1.100
// enables the special NAT service for one PC/IP address on the LAN
ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.100 20 interface Dialer0 20
