学员提问:
我正在配置一台思科路由器,目前上网没有问题,但把单位的 Web 服务器和 FTP 服务器做端口映射后,单位网站还是打不开。下面是路由器的配置清单,其中 Web 服务器是 192.168.0.4(80),FTP 服务器是 192.168.0.4(21),麻烦高手看看,在线等。
!This is the running config of the router: 192.168.0.30
!----------------------------------------------------------------------------
!version 12.4
! NOTE(review): a posted running-config is sensitive. The 'enable secret' hash,
! the type-7 'enable password' string and the VPN group key below should be
! redacted before sharing, and the VPN group key rotated since it is now public.
service timestamps debug datetime msec
service timestamps log datetime msec
! Cleartext 'password' lines stay readable in 'show run'. Type-7 strings are
! reversible, so 'enable password 7' below adds no protection; because
! 'enable secret' is also configured it is redundant and can be removed.
no service password-encryption
!
hostname administrator
!
boot-start-marker
boot-end-marker
!
! Login hardening: lock/log after 3 consecutive failures, enforce minimum
! password length. Console logging limited to critical to avoid flooding.
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$IMYN$V.YcWe2XLYpFJUVJMLMpB/
enable password 7 1447465A5F537C7D74716460
!
! The '*' on the following lines is presumably the forum masking the keyword
! 'aaa' (aaa new-model, aaa authentication login ..., aaa authorization ...);
! confirm against the device. Login and exec authorization use the local
! user database; the sdm_vpn_* lists are used by the crypto map further down.
* new-model
!
!
* authentication login default local
* authentication login sdm_vpn_xauth_ml_1 local
* authentication login sdm_vpn_xauth_ml_2 local
* authorization exec default local
* authorization network sdm_vpn_group_ml_1 local
* authorization network sdm_vpn_group_ml_2 local
!
* session-id common
clock timezone Beijing 8
ip cef
!
!
! DHCP: .0-.24, .30 and .81-.254 are excluded, so leases come from .25-.80
! (minus .30). The server 192.168.0.4 and the VPN pool .100-.110 both sit in
! the excluded ranges, so DHCP cannot hand them out.
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.30
ip dhcp excluded-address 192.168.0.0 192.168.0.24
ip dhcp excluded-address 192.168.0.81 192.168.0.254
!
ip dhcp pool dhcp-ser
network 192.168.0.0 255.255.255.0
default-router 192.168.0.30
dns-server 219.150.32.132
!
!
ip name-server 219.150.32.132
! CBAC inspection rule SDM_LOW. It is applied *outbound* on FastEthernet0/1
! (see the interface below), so it only opens return paths for sessions that
! were initiated from the LAN. Connections arriving from the Internet to the
! port-mapped server are decided solely by access-list 101.
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
! Two privilege-15 local accounts. 'aministrator' looks like a typo of
! 'administrator' left behind as a second full-admin account; remove it if it
! was not created on purpose. (Passwords are masked as *** in this listing.)
username administrator privilege 15 password 0 ***
username aministrator privilege 15 password 0 ***
!
!
!
!
! Remote-access IPsec VPN (Easy VPN server style) generated by SDM.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! The group pre-shared key is stored and shown in cleartext here ('key ...');
! treat it as compromised now that the config has been posted and rotate it.
crypto isakmp client configuration group sinocapacity
key 7660975
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
! LAN side: NAT inside, access-list 100 filters traffic entering from the LAN.
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$$ES_LAN$
ip address 192.168.0.30 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! WAN side: access-list 101 filters everything arriving from the Internet,
! strict uRPF drops spoofed sources, NAT outside, CBAC inspection outbound
! only, and the VPN crypto map. The real address is masked ('59.45.*.*');
! the static NAT and ACL 101 entries below assume it is 59.45.148.24 -- confirm.
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 59.45.*.* 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.0.100 192.168.0.110
ip route 0.0.0.0 0.0.0.0 59.45.*.1
!
!
! Management over plain HTTP is enabled (used by SDM) and HTTPS is off.
! Prefer 'ip http secure-server' and restrict access with 'ip http access-class'.
ip http server
no ip http secure-server
! Outbound PAT for the LAN (list 1 and route-map SDM_RMAP_1/ACL 100 -- the
! route-map form is what SDM uses to keep VPN-pool traffic out of NAT), plus
! static port maps publishing 192.168.0.4:21 and :80 on 59.45.148.24.
! NOTE(review): with classic inside/outside NAT a LAN host cannot reach the
! server through the public address (no hairpin); if the website was tested
! from inside the LAN, that alone explains "still cannot open" -- test from
! outside, or use the private address internally.
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.4 21 59.45.148.24 21 extendable
ip nat inside source static tcp 192.168.0.4 80 59.45.148.24 80 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
! ACL 10 is not referenced anywhere in this listing.
access-list 10 remark SDM_ACL Category=16
access-list 10 permit any
! ACL 100 (inbound on the LAN interface): anti-spoofing of the public block,
! broadcast and loopback sources, block LAN hosts from talking directly to
! the VPN client pool addresses, permit everything else.
access-list 100 remark SDM_ACL Category=3
access-list 100 deny ip 59.45.148.0 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any host 192.168.0.100
access-list 100 deny ip any host 192.168.0.101
access-list 100 deny ip any host 192.168.0.102
access-list 100 deny ip any host 192.168.0.103
access-list 100 deny ip any host 192.168.0.104
access-list 100 deny ip any host 192.168.0.105
access-list 100 deny ip any host 192.168.0.106
access-list 100 deny ip any host 192.168.0.107
access-list 100 deny ip any host 192.168.0.108
access-list 100 deny ip any host 192.168.0.109
access-list 100 deny ip any host 192.168.0.110
access-list 100 permit ip any any
! ACL 101 (inbound on the WAN interface) is the Internet-facing firewall.
! Port 80 to 59.45.148.24 is permitted, so the web mapping should work from
! outside; there is NO entry for ftp (21), so inbound FTP falls through to the
! final 'deny ip any any log' -- the buffered log should show those denials.
! To publish FTP, add 'access-list 101 permit tcp any host 59.45.148.24 eq ftp'
! ahead of the final deny (numbered ACLs append, so re-create the list or edit
! it via 'ip access-list extended 101'). FTP data connections from outside
! would additionally need FTP inspection on the inbound path, which the current
! outbound-only 'ip inspect SDM_LOW out' does not provide.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=0
access-list 101 permit tcp any host 59.45.148.24 eq www
access-list 101 permit ahp any host 59.45.148.24
access-list 101 permit esp any host 59.45.148.24
access-list 101 permit udp any host 59.45.148.24 eq isakmp
access-list 101 permit udp any host 59.45.148.24 eq non500-isakmp
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 59.45.148.24 echo-reply
access-list 101 permit icmp any host 59.45.148.24 time-exceeded
access-list 101 permit icmp any host 59.45.148.24 unreachable
! Bogon / private-source filtering, then log everything else that is dropped.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
! ACLs 102-105 and route-maps SDM_RMAP_2..5 are SDM NAT-exemption artifacts
! (server -> VPN pool excluded, then server ftp/www/any permitted). None of
! them is referenced by a NAT statement in this listing -- only SDM_RMAP_1
! (ACL 100) is -- so as posted they have no effect and are dead config.
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip host 192.168.0.4 host 192.168.0.110
access-list 102 deny ip host 192.168.0.4 host 192.168.0.109
access-list 102 deny ip host 192.168.0.4 host 192.168.0.108
access-list 102 deny ip host 192.168.0.4 host 192.168.0.107
access-list 102 deny ip host 192.168.0.4 host 192.168.0.106
access-list 102 deny ip host 192.168.0.4 host 192.168.0.105
access-list 102 deny ip host 192.168.0.4 host 192.168.0.104
access-list 102 deny ip host 192.168.0.4 host 192.168.0.103
access-list 102 deny ip host 192.168.0.4 host 192.168.0.102
access-list 102 deny ip host 192.168.0.4 host 192.168.0.101
access-list 102 deny ip host 192.168.0.4 host 192.168.0.100
access-list 102 permit tcp host 192.168.0.4 eq ftp any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip host 192.168.0.4 host 192.168.0.110
access-list 103 deny ip host 192.168.0.4 host 192.168.0.109
access-list 103 deny ip host 192.168.0.4 host 192.168.0.108
access-list 103 deny ip host 192.168.0.4 host 192.168.0.107
access-list 103 deny ip host 192.168.0.4 host 192.168.0.106
access-list 103 deny ip host 192.168.0.4 host 192.168.0.105
access-list 103 deny ip host 192.168.0.4 host 192.168.0.104
access-list 103 deny ip host 192.168.0.4 host 192.168.0.103
access-list 103 deny ip host 192.168.0.4 host 192.168.0.102
access-list 103 deny ip host 192.168.0.4 host 192.168.0.101
access-list 103 deny ip host 192.168.0.4 host 192.168.0.100
access-list 103 permit ip host 192.168.0.4 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip host 192.168.0.4 host 192.168.0.110
access-list 104 deny ip host 192.168.0.4 host 192.168.0.109
access-list 104 deny ip host 192.168.0.4 host 192.168.0.108
access-list 104 deny ip host 192.168.0.4 host 192.168.0.107
access-list 104 deny ip host 192.168.0.4 host 192.168.0.106
access-list 104 deny ip host 192.168.0.4 host 192.168.0.105
access-list 104 deny ip host 192.168.0.4 host 192.168.0.104
access-list 104 deny ip host 192.168.0.4 host 192.168.0.103
access-list 104 deny ip host 192.168.0.4 host 192.168.0.102
access-list 104 deny ip host 192.168.0.4 host 192.168.0.101
access-list 104 deny ip host 192.168.0.4 host 192.168.0.100
access-list 104 permit tcp host 192.168.0.4 eq www any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip host 192.168.0.4 host 192.168.0.110
access-list 105 deny ip host 192.168.0.4 host 192.168.0.109
access-list 105 deny ip host 192.168.0.4 host 192.168.0.108
access-list 105 deny ip host 192.168.0.4 host 192.168.0.107
access-list 105 deny ip host 192.168.0.4 host 192.168.0.106
access-list 105 deny ip host 192.168.0.4 host 192.168.0.105
access-list 105 deny ip host 192.168.0.4 host 192.168.0.104
access-list 105 deny ip host 192.168.0.4 host 192.168.0.103
access-list 105 deny ip host 192.168.0.4 host 192.168.0.102
access-list 105 deny ip host 192.168.0.4 host 192.168.0.101
access-list 105 deny ip host 192.168.0.4 host 192.168.0.100
access-list 105 permit tcp host 192.168.0.4 eq ftp any
!
route-map SDM_RMAP_4 permit 1
match ip address 104
!
route-map SDM_RMAP_5 permit 1
match ip address 105
!
! SDM_RMAP_1 is the only route-map actually used (by the overload NAT rule).
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_3 permit 1
match ip address 103
!
!
!
!
control-plane
!
!
!
! Terminal lines: authentication comes from the aaa default list (local users),
! but no 'access-class' restricts where vty sessions may originate from and no
! 'transport input' limits the protocol; consider 'access-class <acl> in' and
! 'transport input ssh' on 'line vty 0 4'.
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
捷盈讲师及学员解答:
从你的配置看,外网接口入方向的 access-list 101 只放行了 www(80),没有放行 FTP(21),所以 FTP 的端口映射不通;理论上 WWW 的流量应该可以通过。路由器的配置都是由 SDM 生成的,看起来比较费劲。
首先建议检查一下 Web 服务器那台机器访问内外网的情况。如果没有问题,再尝试先去掉 Outside 接口上的 IOS 防火墙(ip inspect)和访问列表的配置,然后重新测试。

