Я настраиваю cisco 881 (это мое первое устройство на ios)
У меня все работает так, как я хочу, кроме переадресации портов
Я пытаюсь перенаправить весь входящий трафик порта 80 на 10.10.10.60, и я не вижу этой опции нигде в профессионале по настройке cisco. поэтому я предполагаю, что мне нужно добавить его стиль командной строки
Пожалуйста, не стесняйтесь указывать на любые другие проблемы, которые, по вашему мнению, могут вызвать у меня проблемы. (пароль был изменен для защиты невиновных)
Using 16191 out of 262136 bytes ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname MARKONHQ ! boot-start-marker boot-end-marker ! logging message-counter syslog logging buffered 51200 warnings enable secret 5 #password was here# ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local ! --More-- ! aaa session-id common clock timezone PCTime -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! crypto pki trustpoint TP-self-signed-3499699271 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3499699271 revocation-check none rsakeypair TP-self-signed-3499699271 ! ! crypto pki certificate chain TP-self-signed-3499699271 certificate self-signed 01 nvram:IOS-Self-Sig#D.cer ip source-route ip dhcp excluded-address 10.10.10.1 10.10.10.74 ! ip dhcp pool ccp-pool import all network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 dns-server #dns servers were here# lease infinite --More-- ! ! ip cef ip domain name markonsolutions.com ip name-server ip name-server ip port-map user-protocol--2 port udp 53322 ip port-map user-protocol--3 port udp 80 ip port-map user-protocol--1 port tcp 53322 ! ! parameter-map type regex ccp-regex-nonascii pattern [^\x00-\x80] parameter-map type protocol-info msn-servers server name messenger.hotmail.com server name gateway.messenger.hotmail.com server name webmessenger.msn.com parameter-map type protocol-info aol-servers server name login.oscar.aol.com server name toc.oscar.aol.com server name oam-d09a.blue.aol.com --More-- parameter-map type protocol-info yahoo-servers server name scs.msg.yahoo.com server name scsa.msg.yahoo.com server name scsb.msg.yahoo.com server name scsc.msg.yahoo.com server name scsd.msg.yahoo.com server name cs16.msg.dcn.yahoo.com server name cs19.msg.dcn.yahoo.com server name cs42.msg.dcn.yahoo.com server name cs53.msg.dcn.yahoo.com server name cs54.msg.dcn.yahoo.com server name ads1.vip.scd.yahoo.com server name radio1.launch.vip.dal.yahoo.com server name in1.msg.vip.re2.yahoo.com server name data1.my.vip.sc5.yahoo.com server name address1.pim.vip.mud.yahoo.com server name edit.messenger.yahoo.com server name messenger.yahoo.com server name http.pager.yahoo.com server name privacy.yahoo.com server name csa.yahoo.com server name csb.yahoo.com --More-- server name csc.yahoo.com ! ! username admin privilege 15 secret 5 #password was here# username xxxx privilege 15 secret 5 #password was here# ! ! ! archive log config hidekeys ! ! ! class-map type inspect match-all sdm-nat-http-4 match access-group 112 match protocol http class-map type inspect match-all sdm-nat-user-protocol--2-4 match access-group 114 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-user-protocol--2-5 match access-group 116 --More-- match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-5 match access-group 117 match protocol http class-map type inspect match-all sdm-nat-user-protocol--1-5 match access-group 115 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--1-4 match access-group 113 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--3-1 match access-group 107 match protocol user-protocol--3 class-map type inspect match-all sdm-nat-user-protocol--1-3 match access-group 108 match protocol user-protocol--1 class-map type inspect imap match-any ccp-app-imap match invalid-command class-map type inspect match-all sdm-nat-user-protocol--2-1 match access-group 103 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-1 match access-group 102 --More-- match protocol http class-map type inspect match-all sdm-nat-user-protocol--1-2 match access-group 104 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--1-1 match access-group 101 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--2-2 match access-group 106 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-2 match access-group 105 match protocol http class-map type inspect match-all sdm-nat-user-protocol--3-2 match access-group 111 match protocol user-protocol--3 class-map type inspect match-all sdm-nat-user-protocol--2-3 match access-group 110 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-3 match access-group 109 match protocol http class-map type inspect match-any CCP-Voice-permit --More-- match protocol h323 match protocol skinny match protocol sip class-map type inspect match-any ccp-cls-insp-traffic match protocol cuseeme match protocol dns match protocol ftp match protocol h323 match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol smtp extended match protocol sql-net match protocol streamworks match protocol tftp match protocol vdolive match protocol tcp match protocol udp --More-- class-map type inspect match-all ccp-insp-traffic match class-map ccp-cls-insp-traffic class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices match service any class-map type inspect msnmsgr match-any ccp-app-msn-otherservices match service any class-map type inspect match-any ccp-cls-icmp-access match protocol icmp match protocol tcp match protocol udp class-map type inspect match-any ccp-cls-protocol-im match protocol ymsgr yahoo-servers match protocol msnmsgr msn-servers match protocol aol aol-servers class-map type inspect aol match-any ccp-app-aol-otherservices match service any class-map type inspect match-all ccp-protocol-pop3 match protocol pop3 class-map type inspect pop3 match-any ccp-app-pop3 match invalid-command class-map type inspect msnmsgr match-any ccp-app-msn match service text-chat class-map type inspect ymsgr match-any ccp-app-yahoo --More-- match service text-chat class-map type inspect match-all ccp-protocol-im match class-map ccp-cls-protocol-im class-map type inspect match-all ccp-icmp-access match class-map ccp-cls-icmp-access class-map type inspect match-all ccp-invalid-src match access-group 100 class-map type inspect http match-any ccp-app-httpmethods match request method bcopy match request method bdelete match request method bmove match request method bpropfind match request method bproppatch match request method connect match request method copy match request method delete match request method edit match request method getattribute match request method getattributenames match request method getproperties match request method index match request method lock match request method mkcol --More-- match request method mkdir match request method move match request method notify match request method options match request method poll match request method propfind match request method proppatch match request method put match request method revadd match request method revlabel match request method revlog match request method revnum match request method save match request method search match request method setattribute match request method startrev match request method stoprev match request method subscribe match request method trace match request method unedit match request method unlock match request method unsubscribe class-map type inspect http match-any ccp-http-blockparam --More-- match request port-misuse im match request port-misuse p2p match request port-misuse tunneling match req-resp protocol-violation class-map type inspect match-all ccp-protocol-imap match protocol imap class-map type inspect aol match-any ccp-app-aol match service text-chat class-map type inspect match-all ccp-protocol-http match protocol http class-map type inspect http match-any ccp-http-allowparam match request port-misuse tunneling ! ! policy-map type inspect ccp-permit-icmpreply class type inspect ccp-icmp-access class class-default pass policy-map type inspect sdm-pol-NATOutsideToInside-1 class type inspect sdm-nat-user-protocol--1-1 inspect class type inspect sdm-nat-http-1 inspect --More-- class type inspect sdm-nat-user-protocol--2-1 inspect class type inspect sdm-nat-user-protocol--1-2 inspect class type inspect sdm-nat-http-2 inspect class type inspect sdm-nat-user-protocol--2-2 inspect class type inspect sdm-nat-user-protocol--3-1 inspect class type inspect sdm-nat-user-protocol--1-3 inspect class type inspect sdm-nat-http-3 inspect class type inspect sdm-nat-user-protocol--2-3 inspect class type inspect sdm-nat-user-protocol--3-2 inspect class type inspect sdm-nat-http-4 inspect class type inspect sdm-nat-user-protocol--1-4 inspect class type inspect sdm-nat-user-protocol--2-4 --More-- inspect class type inspect sdm-nat-user-protocol--1-5 inspect class type inspect sdm-nat-user-protocol--2-5 inspect class type inspect sdm-nat-http-5 inspect class class-default drop policy-map type inspect im ccp-action-app-im class type inspect aol ccp-app-aol log allow class type inspect msnmsgr ccp-app-msn log allow class type inspect ymsgr ccp-app-yahoo log allow class type inspect aol ccp-app-aol-otherservices log reset class type inspect msnmsgr ccp-app-msn-otherservices --More-- log reset class type inspect ymsgr ccp-app-yahoo-otherservices log reset policy-map type inspect http ccp-action-app-http class type inspect http ccp-http-blockparam log reset class type inspect http ccp-app-httpmethods log reset class type inspect http ccp-http-allowparam log allow policy-map type inspect imap ccp-action-imap class type inspect imap ccp-app-imap log policy-map type inspect pop3 ccp-action-pop3 class type inspect pop3 ccp-app-pop3 log policy-map type inspect ccp-inspect class type inspect ccp-invalid-src --More-- drop log class type inspect ccp-protocol-http inspect service-policy http ccp-action-app-http class type inspect ccp-protocol-imap inspect service-policy imap ccp-action-imap class type inspect ccp-protocol-pop3 inspect service-policy pop3 ccp-action-pop3 class type inspect ccp-protocol-im inspect service-policy im ccp-action-app-im class type inspect ccp-insp-traffic inspect class type inspect CCP-Voice-permit inspect class class-default pass policy-map type inspect ccp-permit class class-default drop ! --More-- zone security out-zone zone security in-zone zone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreply zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone service-policy type inspect sdm-pol-NATOutsideToInside-1 zone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspect zone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permit ! ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 --More-- description $ETH-WAN$$ES_WAN$$FW_OUTSIDE$ ip address #external IP was here# 255.255.255.224 ip nat outside ip virtual-reassembly zone-member security out-zone duplex auto speed auto ! interface wlan-ap0 description Service module interface to manage the embedded AP ip unnumbered Vlan1 arp timeout 0 ! interface Wlan-GigabitEthernet0 description Internal switch interface connecting to the embedded AP ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$ ip address 10.10.10.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone ip tcp adjust-mss 1452 --More-- ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 FastEthernet4 ip http server ip http access-class 23 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip nat pool websrv 10.10.10.60 10.10.10.60 netmask 255.255.255.0 ip nat inside source list 1 interface FastEthernet4 overload ip nat inside source static tcp 10.10.10.40 53322 interface FastEthernet4 53322 ip nat inside source static udp 10.10.10.40 53322 interface FastEthernet4 53322 ip nat inside source static tcp 10.10.10.60 80 interface FastEthernet4 80 ip nat inside source static tcp #external IP was here# 80 10.10.10.60 80 extendable ! ip access-list extended web remark webservr remark CCP_ACL Category=2 permit ip any host 10.10.10.60 ! access-list 1 remark INSIDE_IF=Vlan1 --More-- access-list 1 remark CCP_ACL Category=2 access-list 1 permit 10.10.10.0 0.0.0.255 access-list 23 permit 10.10.10.0 0.0.0.7 access-list 100 remark CCP_ACL Category=128 access-list 100 permit ip host 255.255.255.255 any access-list 100 permit ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip 0.0.0.31 any access-list 101 remark CCP_ACL Category=0 access-list 101 permit ip any host 10.10.10.40 access-list 102 remark CCP_ACL Category=0 access-list 102 permit ip any host 10.10.10.60 access-list 103 remark CCP_ACL Category=0 access-list 103 permit ip any host 10.10.10.40 access-list 104 remark CCP_ACL Category=0 access-list 104 permit ip any host 10.10.10.40 access-list 105 remark CCP_ACL Category=0 access-list 105 permit ip any host 10.10.10.60 access-list 106 remark CCP_ACL Category=0 access-list 106 permit ip any host 10.10.10.40 access-list 107 remark CCP_ACL Category=0 access-list 107 permit ip any host 10.10.10.60 access-list 108 remark CCP_ACL Category=0 access-list 108 permit ip any host 10.10.10.40 --More-- access-list 109 remark CCP_ACL Category=0 access-list 109 permit ip any host 10.10.10.60 access-list 110 remark CCP_ACL Category=0 access-list 110 permit ip any host 10.10.10.40 access-list 111 remark CCP_ACL Category=0 access-list 111 permit ip any host 10.10.10.60 access-list 112 remark CCP_ACL Category=0 access-list 112 permit ip any host 10.10.10.60 access-list 113 remark CCP_ACL Category=0 access-list 113 permit ip any host 10.10.10.40 access-list 114 remark CCP_ACL Category=0 access-list 114 permit ip any host 10.10.10.40 access-list 115 remark CCP_ACL Category=0 access-list 115 permit ip any host 10.10.10.40 access-list 116 remark CCP_ACL Category=0 access-list 116 permit ip any host 10.10.10.40 access-list 117 remark CCP_ACL Category=0 access-list 117 permit ip any host 10.10.10.60 no cdp run ! ! ! --More-- ! control-plane ! banner exec ^C % Password expiration warning. ----------------------------------------------------------------------- Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session. It is strongly suggested that you create a new username with a privilege level of 15 using the following command. username privilege 15 secret 0 Replace and with the username and password you want to use. ----------------------------------------------------------------------- --More-- ^C banner login ^C Any use of the MARKONHQ consents to monitorring and logging by MARKON IT Administrators. YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN CREDENTIALS IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF. For more information about Cisco CP please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp ----------------------------------------------------------------------- ^C ! line con 0 no modem enable line aux 0 line 2 --More-- no activation-character no exec transport preferred none transport input all line vty 0 4 access-class 23 in transport input telnet ssh ! scheduler max-task-time 5000 end
Во-первых, похоже, вы не знаете, как настроить конфигурацию tftp. Я бы предложил сделать резервную копию вашей конфигурации с помощью Tftp-сервер Solar Windws (бесплатно, как в пиве).
Во-вторых, похоже, что вы оставили много информации в своем файле конфигурации. Я удалил пароли, внешние IP-адреса и еще несколько бит.
Выполните на своем маршрутизаторе следующую команду:
скопировать рабочую конфигурацию tftp
Теперь остановите tftp-сервер на вашем компьютере.
Подробнее о конфигурациях tftp и ios.
Кроме того, поскольку вы только начинаете. Обязательно взгляните на Руководства по настройке маршрутизатора NSA. Они также бесплатны (как и налоги) и помогут вам безопасно настроить маршрутизатор.
Я не совсем уверен, что вы хотите, но если вы просто хотите сопоставить порт 80 внешнего IP-адреса с внутренним IP-портом 80. Я думаю, что он у вас в значительной степени есть, но я думаю, вам просто нужно изменить:
ip nat inside source static tcp 80 10.10.10.60 80 extendable
к
ip nat inside source static tcp 98.123.123.94 80 10.10.10.60 80 extendable
Но помимо этого, если это продакшн, как только вы заставите его работать так, как вы думаете, что хотите. Возможно, вы захотите заплатить консультанту, чтобы тот пришел и проверил вашу работу, это не намного важнее, чем маршрутизатор.
У вас уже есть правильный оператор для перенаправления TCP-порта 80, а именно:
ip nat inside source static tcp 10.10.10.60 80 interface FastEthernet4 80
Возможно, вас заблокируют правила брандмауэра. Я не знаком с безопасностью зоны (я использую списки доступа), но вы можете попробовать использовать внешний IP-адрес вместо внутреннего IP-адреса в ACL, связанных с входящим http.