Common configurations for a modular router (2621 as the example)  2007-02-14 17:32

Common configurations for a modular router in an internet cafe (2621 as the example)

Router_config#show run
Building configuration.
Current configuration:
!
version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
enable password 0 123456789 level 15  / defines the router login password
!
!
interface FastEthernet0/0  / WAN port, usually a fixed fiber line with a static IP
 ip address 52  / sets the WAN port IP address
 no ip directed-broadcast
 ip nat outside  / marks this port's role in NAT translation
 ip nat local-service icmp enable  / enables the router's ICMP service under NAT
 ip nat local-service udp enable  / enables the router's UDP service under NAT
 ip nat local-service tcp enable  / enables the router's TCP service under NAT
!
interface FastEthernet0/1
 ip address  / sets the LAN port address (the LAN gateway)
 no ip directed-broadcast
 ip access-group firewall in  / applies the software firewall
 ip nat inside  / marks this port's role in NAT translation
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route default  / default route, pointing at the China Telecom gateway
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
ip access-list standard NAT  / defines the access list
 permit  / the LAN range allowed to reach the Internet through NAT
!
ip access-list extended firewall  / defines the software firewall
 deny tcp any any eq 135  / blocks the ports commonly used by virus attacks
 deny tcp any any eq 139  / same as above
 deny tcp any any eq 445
 deny tcp any any eq 3333
 deny tcp any any eq 593
 deny udp any any eq 135
 deny udp any any eq tftp
 deny udp any any eq 4444
 deny udp any any eq 137
 deny udp any any eq 138
 permit ip any any  / normal traffic is allowed through
!
ivr-cfg
!
ip nat translation max-links all 300  / improves the router's resistance to attacks and virus floods
ip nat inside source list NAT interface FastEthernet0/0  / performs NAT to the public address
!

-lexon 2005-07-18, 19:10

Configuration notes:
1. enable password 0 123456789 level 15 only prompts for a password. To prompt for a username and a password, configure under config#:
   username bdcom password 0 bdcom  / name and password of your choosing
   aaa authentication login default local ena  / aaa authentication
2. The icmp, tcp and udp services on the ip nat outside port are optional; if you do not want outside icmp, tcp and udp connections coming in, the three commands above can be left out.
3. The software firewall is normally applied on the LAN port; it can also be applied on the WAN port if needed. You can add ports to the firewall list yourself to guard against more viruses.
4. ip nat translation max-links all 300 strengthens the router's anti-virus capability; 200/300 is enough for a small or medium internet cafe, larger cafes can consider raising it to 500.

-lexon 2005-07-18, 19:10

Configuration notes 2:
If the router's WAN port is connected over ADSL, the configuration should be as follows. The WAN port becomes:

interface Dialer0  / creates the dial-up port
 ip address negotiated  / IP address negotiated automatically
 ip mtu 1492
 no ip directed-broadcast
 ppp pap sent-username 1111111 22222  / sets the PPPoE/ADSL username and password
 ip nat outside
 ip nat mss  / automatically adjusts the size of PPPoE packets
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 0  / binds the virtual dial-up port configuration to the physical port
!
Correspondingly, the NAT command changes to:
ip nat inside source list NAT interface Dialer0
and the default route command changes to:
ip route default Dialer0

-lexon 2005-07-18, 19:11

Static port mapping and special NAT:

Router_config#show run
Building configuration.
Current configuration:
!
version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 no ip directed-broadcast
 ppp pap sent-username 1111111 22222
 ip nat outside
 ip nat mss
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 0
!
interface FastEthernet0/1
 ip address
 no ip directed-broadcast
 ip access-group firewall in
 ip nat inside
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route default Dialer0
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
ip access-list standard NAT
 permit
!
ip access-list extended firewall
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 3333
 deny tcp any any eq 593
 deny udp any any eq 135
 deny udp any any eq tftp
 deny udp any any eq 4444
 deny udp any any eq 137
 deny udp any any eq 138
 permit ip any any
!
ivr-cfg
!
ip nat service privateservice  / switch that enables special NAT
ip nat translation max-links all 300
ip nat outside destination static interface Dialer0 00  / enables the special NAT service for one PC/IP address in the LAN
ip nat inside source static tcp 00 80 interface Dialer0 80
ip nat inside source static tcp 00 20 interface Dialer0 20
ip nat inside source static tcp 00 21 interface Dialer0 21  / maps ports 80/20/21 of a LAN PC to the public side
!
ip nat inside source list NAT interface Dialer0  / NAT to the Dialer0 public address (the source listing names FastEthernet0/0 here, which carries no address in this setup)
!

Notes:
1. If a public IP wants to reach a private LAN IP (via the public IP / the router's WAN port IP), just add static port mapping on top of the normal NAT!
For example, exposing an http service is: ip nat inside source static tcp 00 80 interface Dialer0 80
2. If a PC/IP in the LAN wants to reach an internal server/IP through the public IP address, the router has to enable the special NAT feature: turn on ip nat service privateservice and ip nat outside destina* in turn; see the example configuration above!
3. Special NAT has very promising uses in many internet cafes!
4. Special NAT needs a special firmware version, or the firmware has to be upgraded to 131Q full!

-lexon 2005-07-18, 19:11

If the cafe has two external lines (an extra Ethernet port module is required), policy routing can be used. Below is an example with two fixed-IP connections:

Current configuration:
!
version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface FastEthernet0/0
 ip address 52
 no ip directed-broadcast
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/1  / second WAN port (the source listing repeats FastEthernet0/0 here; NAT2 below is bound to 0/1)
 ip address 52
 no ip directed-broadcast
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet1/1  / the extra Ethernet port, used as the LAN port
 ip address
 no ip directed-broadcast
 ip access-group firewall in
 ip policy route-map celue  / enables policy routing on the LAN port
 ip nat inside
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
ip access-list standard NAT1  / the two NAT access lists are identical, but there must be two of them
 permit
!
ip access-list standard NAT2  / the two NAT access lists are identical, but there must be two of them
 permit
!
ip access-list standard CL1  / splits the LAN into two groups, group 1
 permit 28
!
ip access-list standard CL2  / splits the LAN into two groups, group 2
 permit 28 28
!
ip access-list extended firewall
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 3333
 deny tcp any any eq 593
 deny udp any any eq 135
 deny udp any any eq tftp
 deny udp any any eq 4444
 deny udp any any eq 137
 deny udp any any eq 138
 permit ip any any
!
route-map celue 1 permit  / defines the policy entry
 match ip address CL1  / matches the first subnet
 set ip next-hop  / next-hop gateways; the second acts as backup for the first
!
route-map celue 2 permit  / second policy entry (the source listing repeats sequence 1)
 match ip address CL2  / matches the second subnet
 set ip next-hop  / next-hop gateways; the second acts as backup for the first
!
ivr-cfg
!
ip nat translation max-links all 300
ip nat inside source list NAT1 interface FastEthernet0/0
ip nat inside source list NAT2 interface FastEthernet0/1

Explanation: once configured, the first and second LAN subnets prefer the first and second external line respectively; when one line fails, the other is brought into use automatically as a backup!

Here is one more example, with two ADSL lines (no fixed IP); comments are omitted:

Current configuration:
!
!
version 1.3.1S
service timestamps log date
service timestamps debug date
no service password-encryption
!
username AD0000690628 password 0 123456
username AD0751115075 password 0 654321
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 no ip directed-broadcast
 ppp chap hostname AD0000690628
 ppp chap password 123456
 ip nat outside
 ip nat mss
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 no ip directed-broadcast
 ppp chap hostname AD0751115075
 ppp chap password 654321
 ip nat outside
 ip nat mss
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 0
!
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 pppoe-client Dialer 1
!
interface Ethernet1/0
 ip address 51
 no ip directed-broadcast
 duplex full
 ip policy route-map celue
 ip nat inside
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Serial0/3
 no ip
(the listing is cut off here in the source)
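To see how the firewall list above behaves once applied, here is an added example (not code from the post) that evaluates the page's ACL with first-match semantics; the packets checked against it are constructed. It also reports entries sitting below permit ip any any, which is where note 3's advice to add more ports would otherwise leave them unreachable.

```python
"""Added example (not the post's code): first-match evaluator for the 'firewall' ACL above."""
import re
FIREWALL_ACL = """\
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any eq 3333
deny tcp any any eq 593
deny udp any any eq 135
deny udp any any eq tftp
deny udp any any eq 4444
deny udp any any eq 137
deny udp any any eq 138
permit ip any any
"""
RULE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\S+))?$")

def parse_acl(text):
    """Return (action, proto, dport) tuples in listing order; dport None means any port."""
    rules = []
    for line in text.splitlines():
        line = line.split("/")[0].strip()  # drop the author's '/ comment' suffixes
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, port = m.groups()
        if port is not None:
            port = 69 if port == "tftp" else int(port)  # 'tftp' is the only keyword used
        rules.append((action, proto, port))
    return rules

def evaluate(rules, proto, dport):
    """The first matching entry decides; no match falls into the implicit deny."""
    for action, rproto, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

def unreachable_rules(rules):
    """Entries after 'permit ip any any' can never match: new denies must go above it."""
    for i, (_, proto, port) in enumerate(rules):
        if proto == "ip" and port is None:
            return rules[i + 1:]
    return []
```

Note that the list blocks TCP 445 but not UDP 445: the deny entries are per protocol, so each port has to be listed for every protocol it should be blocked on.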
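The notes above treat the clear-text passwords and the ip nat local-service commands as configuration choices; the following added example (not the post's code, run over an excerpt constructed from lines of the first listing) turns those points into audit findings so a listing can be checked before it is deployed.

```python
"""Added example (not the post's code): hardening checks over a 'show run' excerpt."""
import re

# Constructed excerpt assembled from lines of the first listing above.
SAMPLE_CONFIG = """\
no service password-encryption
enable password 0 123456789 level 15
username bdcom password 0 bdcom
interface FastEthernet0/0
 ip nat outside
 ip nat local-service icmp enable
 ip nat local-service udp enable
 ip nat local-service tcp enable
interface FastEthernet0/1
 ip access-group firewall in
 ip nat inside
"""

def parse_interfaces(text):
    """Map each interface name to its indented sub-commands."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
    return ifaces

def audit(text):
    """Return (severity, message) findings for the weaknesses the post's notes touch on."""
    findings = []
    if "no service password-encryption" in text.splitlines():
        findings.append(("medium", "passwords are stored and displayed in clear text"))
    for m in re.finditer(r"^(enable password|username \S+ password) 0 \S+", text, re.M):
        findings.append(("high", f"clear-text credential in config: {m.group(0)}"))
    for name, cmds in parse_interfaces(text).items():
        if "ip nat outside" not in cmds:
            continue
        # Note 2 above: the local-service lines let outside hosts reach the router itself.
        exposed = [c.split()[3] for c in cmds if c.startswith("ip nat local-service")]
        if exposed:
            findings.append(("medium", f"{name}: router reachable from WAN via {', '.join(exposed)}"))
        if not any(c.startswith("ip access-group") for c in cmds):
            findings.append(("low", f"{name}: WAN port has no inbound access-group"))
    return findings
```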
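The policy-routing behaviour described for the dual-line example, as an added model (not the post's code): the CL1/CL2 ranges and the gateway addresses are constructed placeholders, since the page elides them, and the link state is passed in explicitly.

```python
"""Added example (not the post's code): model of the 'celue' route-map from the dual-line example."""
import ipaddress

# Constructed placeholders: the page elides the CL1/CL2 ranges and next-hop addresses.
LAN_GROUPS = {
    "CL1": ipaddress.ip_network("192.168.0.0/25"),    # first half of the LAN
    "CL2": ipaddress.ip_network("192.168.0.128/25"),  # second half of the LAN
}
WAN1, WAN2 = "203.0.113.1", "198.51.100.1"  # gateways of line 1 and line 2
# route-map celue: (match list, next-hops in order; later ones back up earlier ones)
ROUTE_MAP = [("CL1", [WAN1, WAN2]), ("CL2", [WAN2, WAN1])]

def select_next_hop(src_ip, link_up):
    """Gateway chosen for a packet from src_ip, or None to fall back to the routing table.

    link_up maps gateway -> whether that external line is usable. The first route-map
    entry whose ACL matches the source wins, and the first usable next-hop of that entry
    is used, so line 2 only carries CL1 traffic while line 1 is down (and vice versa).
    """
    src = ipaddress.ip_address(src_ip)
    for acl_name, next_hops in ROUTE_MAP:
        if src not in LAN_GROUPS[acl_name]:
            continue
        for hop in next_hops:
            if link_up.get(hop, False):
                return hop
        return None
    return None

def traffic_split(src_ips, link_up):
    """Count how many sources land on each gateway; shows the shift during a failover."""
    counts = {WAN1: 0, WAN2: 0, None: 0}
    for ip in src_ips:
        counts[select_next_hop(ip, link_up)] += 1
    return counts
```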
