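Student question:
The company acquired a PIX 520 and a Cisco 2621XM from outside; the PIX is currently in use.
We want to put the 2621 to use as well. This is my first time configuring it; I used configuration material found online, but it failed and there is no Internet access.
The setup is as follows:
0/0 is the outside interface, connected to the PIX 520
Static IP: 192.168.88.202 255.255.255.0
Gateway: 192.168.88.1
0/1 is the inside interface, with DHCP enabled
Static IP: 192.168.28.1 255.255.255.0
Gateway: 192.168.28.1
The current situation is that from the PIX 520 I can ping 192.168.88.202 and telnet to it.
However, from the 2621XM's internal network I can ping 192.168.88.202, but cannot ping 192.168.88.1.
I am asking everyone for help in solving this problem. Thank you very much! Please point me in the right direction!
The configuration is as follows:
Code: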
Current configuration : 2559 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hhv
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$KlK4$3l5Lavj6yYY5jD2woDrv50
enable password winipcfg
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip routing
no ip cef
!
!
ip name-server 202.106.196.105
ip dhcp excluded-address 192.168.28.1 192.168.28.10
!
ip dhcp pool inetnet188
network 192.168.28.0 255.255.255.0
dns-server 202.106.196.105
default-router 192.168.28.1
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.88.202 255.255.255.0
ip access-group 101 in
ip access-group 101 out
no ip unreachables
ip nat outside
no ip route-cache
speed auto
half-duplex
!
interface FastEthernet0/1
ip address 192.168.28.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
no ip route-cache
duplex auto
speed auto
!
no ip http server
ip classless
!
!
!
ip access-list extended natip
permit ip 192.168.28.0 0.0.0.255 any
access-list 10 permit 192.168.28.0 0.0.0.255
access-list 101 deny tcp any any eq echo
access-list 101 deny tcp any any eq chargen
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 136
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 389
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 4444
access-list 101 deny tcp any any eq 5554
access-list 101 deny tcp any any eq 9995
access-list 101 deny tcp any any eq 9996
access-list 101 deny tcp any any eq 6666
access-list 101 deny tcp any any eq 593
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 136
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq 389
access-list 101 deny udp any any eq 445
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1068
access-list 101 deny udp any any eq 9995
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 593
access-list 101 permit ip any any
!
line con 0
line aux 0
line vty 0 4
password winipcfg
login
!
!
end
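After modifying it again: I can telnet to the 2621 and it can ping the external network, but the internal network still cannot get online.
Code: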
Building configuration...
Current configuration : 2597 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hhv
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$KlK4$3l5Lavj6yYY5jD2woDrv50
enable password winipcfg
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.28.1 192.168.28.10
!
ip dhcp pool inetnet188
network 192.168.28.0 255.255.255.0
dns-server 202.106.196.105
default-router 192.168.28.1
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.88.202 255.255.255.0
ip access-group 101 in
ip access-group 101 out
no ip unreachables
ip nat outside
speed auto
half-duplex
!
interface FastEthernet0/1
ip address 192.168.28.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
duplex auto
speed auto
!
ip nat pool internet 192.168.88.203 192.168.88.210 netmask 255.255.255.0
ip nat inside source list 1 pool internet overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.88.1
!
!
!
ip access-list extended natip
access-list 10 permit 192.168.28.0 0.0.0.255
access-list 101 deny tcp any any eq echo
access-list 101 deny tcp any any eq chargen
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 136
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 389
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 4444
access-list 101 deny tcp any any eq 5554
access-list 101 deny tcp any any eq 9995
access-list 101 deny tcp any any eq 9996
access-list 101 deny tcp any any eq 6666
access-list 101 deny tcp any any eq 593
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 136
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq 389
access-list 101 deny udp any any eq 445
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1068
access-list 101 deny udp any any eq 9995
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 593
access-list 101 permit ip any any
!
line con 0
line aux 0
line vty 0 4
password winipcfg
login
!
!
end
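Answer from 捷盈 instructors and students:
First: at the beginning you could not ping the IP address 88.1 from the internal network, mainly because the PIX side had no return route for the 28.0 network, so packets could only travel from the internal network to the PIX, and the PIX had no way to send them back. The main cause of that was that NAT on your 2621 was not configured at all, so after you configured it later, ping worked and it was OK.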
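A consistency check for the NAT and routing prerequisites discussed above, added here as an example and not part of the original thread. The function name `audit_nat` and the finding strings are assumptions; the two sample inputs are trimmed excerpts of the configurations posted in the question.

```python
import re

def audit_nat(config):
    """Return findings about the NAT and routing prerequisites in an IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "no ip routing" in lines:
        findings.append("ip routing disabled")
    if not any(ln.startswith("ip route 0.0.0.0 0.0.0.0 ") for ln in lines):
        findings.append("no default route")
    for role in ("inside", "outside"):
        if "ip nat " + role not in lines:
            findings.append("no interface marked ip nat " + role)
    # Collect only access lists that actually contain a permit/deny entry.
    acls, named = set(), None
    for ln in lines:
        if m := re.match(r"access-list (\S+) (?:permit|deny)\b", ln):
            acls.add(m.group(1))
            named = None
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", ln):
            named = m.group(1)
        elif named and re.match(r"(?:permit|deny)\b", ln):
            acls.add(named)
        else:
            named = None
    rules = [m for ln in lines
             if (m := re.match(r"ip nat inside source list (\S+)", ln))]
    if not rules:
        findings.append("no ip nat inside source rule")
    for m in rules:
        if m.group(1) not in acls:
            findings.append("NAT references undefined access list " + m.group(1))
    return findings

# Trimmed excerpts of the two configurations posted in the question.
FIRST = """no ip routing
ip nat outside
ip nat inside
ip access-list extended natip
permit ip 192.168.28.0 0.0.0.255 any
access-list 10 permit 192.168.28.0 0.0.0.255
"""
SECOND = """ip nat outside
ip nat inside
ip nat pool internet 192.168.88.203 192.168.88.210 netmask 255.255.255.0
ip nat inside source list 1 pool internet overload
ip route 0.0.0.0 0.0.0.0 192.168.88.1
ip access-list extended natip
access-list 10 permit 192.168.28.0 0.0.0.255
"""
```

Running `audit_nat` on the first excerpt reports the missing NAT rule, the missing default route and disabled routing; on the second it reports that the NAT rule names list 1 while the only standard list defined is 10.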

