2620路由器加2950交换机代替防火墙

jeremy1028

公司用的是ip350fw防火墙，老板不肯买备用的，只好用2620路由器加2950交换机代替实现地址翻译功能，以防坏了影响业务(安全性就暂时不考虑了)，防火墙有3个以太口，地址分别是：61.129.123.3(外网) 10.100.100.12(内网) 172.29.0.12(内网),因为2620路由器只有一个以太口，所以需要配合2950交换机，划分3个vlan来实现地址翻译，以下是配置

cisco2620

interface FastEthernet0/0
no ip address
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 2
ip address 61.129.123.3 255.255.255.0
ip nat outside
!
interface FastEthernet0/0.2
encapsulation dot1Q 3
ip address 10.100.100.12 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.3
encapsulation dot1Q 4
ip address 172.29.0.12 255.255.255.0
ip nat inside
!
interface Serial0/0
bandwidth 2000
ip address 197.100.5.214 255.255.255.252
encapsulation ppp
no ip mroute-cache
shutdown
!
ip nat inside source static 10.100.100.11 61.129.123.51
ip nat inside source static 172.29.0.8 61.129.123.11
ip nat inside source static 10.100.100.1 61.129.123.31
ip nat inside source static 10.100.100.2 61.129.123.32
ip nat inside source static 10.100.100.3 61.129.123.33
ip nat inside source static 10.100.100.4 61.129.123.34
ip nat inside source static 10.100.100.9 61.129.123.49
ip nat inside source static 172.29.0.16 61.129.123.232
ip nat inside source static 10.100.100.13 61.129.123.53
ip nat inside source static 10.100.100.15 61.129.123.55
ip nat inside source static 172.29.0.50 61.129.123.5
ip nat inside source static 172.29.0.51 61.129.123.7
ip nat inside source static 172.29.0.52 61.129.123.17
ip nat inside source static 172.29.0.56 61.129.123.21
ip nat inside source static 172.29.0.53 61.129.123.18
ip nat inside source static 172.29.0.54 61.129.123.19
ip nat inside source static 172.29.0.20 61.129.123.10
ip classless
ip route 0.0.0.0 0.0.0.0 197.100.5.213
no ip http server

cisco2950

interface FastEthernet0/1
switchport mode trunk
no ip address
speed 100
!
interface FastEthernet0/2
no ip address
speed 100
!
interface FastEthernet0/3
no ip address
speed 100
!
interface FastEthernet0/4
no ip address
!
interface FastEthernet0/5
no ip address
!
interface FastEthernet0/6
no ip address
!
interface FastEthernet0/7
no ip address
!
interface FastEthernet0/8
no ip address
!
interface FastEthernet0/9
no ip address
!
interface FastEthernet0/10
no ip address
!
interface FastEthernet0/11
no ip address
!
interface FastEthernet0/12
no ip address
!
interface FastEthernet0/13
switchport access vlan 2
no ip address
!
interface FastEthernet0/14
switchport access vlan 2
no ip address
!
interface FastEthernet0/15
switchport access vlan 2
no ip address
!
interface FastEthernet0/16
switchport access vlan 2
no ip address
!
interface FastEthernet0/17
switchport access vlan 2
no ip address
!
interface FastEthernet0/18
switchport access vlan 2
no ip address
!
interface FastEthernet0/19
switchport access vlan 3
!
interface FastEthernet0/20
switchport access vlan 3
no ip address
!
interface FastEthernet0/21
switchport access vlan 3
no ip address
!
interface FastEthernet0/22
switchport access vlan 3
no ip address
!
interface FastEthernet0/23
switchport access vlan 3
no ip address
!
interface FastEthernet0/24
switchport access vlan 3
no ip address
!
interface Vlan1
ip address 61.129.123.254 255.255.255.0

我分别用1台pc接入e15(vlan2)和e22(vlan3),可以互ping到网关10.100.100.12 172.29.0.12和主机；
用1台pc取vlan2里的地址10.100.100.11，因为有翻译所以可以ping通vlan1的网关61.129.123.3；
但把1台pc接到vlan1，随便取个没用到的地址61.129.123.128，用vlan2里10.100.100.11的去ping61.129.123.128不通，为什么啊；
用61.129.123.128的pc ping61.129.123.3不通，为什么啊？；
用2台pc接到vlan1里随便设2个没用到的地址61.129.123.128和61.129.123.66可互ping。

小阿飞

整防火墙,不就是为了让内网和外网不能通信吗?你怎么想整通呀?都能通了,还分内外干吗

jeremy1028

内网和外网不能通信，防火墙还要来干吗？防火墙是通过地址翻译功能+安全策略来实现内外网通信的设备，我是想用路由器来实现防火墙的地址翻译功能。

nononhm

功能上实现了但是性能一定不如防火墙

jeremy1028

能ping通了，原来是我把vlan号对应错了，以下上一配置：

interface FastEthernet0/0.1
encapsulation dot1Q 2
ip address 61.129.123.3 255.255.255.0
ip access-group 103 in
ip nat outside
!
interface FastEthernet0/0.2
encapsulation dot1Q 3
ip address 10.100.100.12 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.3
encapsulation dot1Q 4
ip address 172.29.0.12 255.255.255.0
ip nat inside

ip nat inside source list 10 interface FastEthernet0/0.1 overload-----pnat用到
ip nat inside source static 172.29.0.20 61.129.123.10------静态nat用到
ip nat inside source static 172.29.0.54 61.129.123.19
ip nat inside source static 172.29.0.53 61.129.123.18
ip nat inside source static 172.29.0.56 61.129.123.21
ip nat inside source static 172.29.0.52 61.129.123.17
ip nat inside source static 172.29.0.51 61.129.123.7
ip nat inside source static 172.29.0.50 61.129.123.5
ip nat inside source static 10.100.100.15 61.129.123.55
ip nat inside source static 10.100.100.13 61.129.123.53
ip nat inside source static 172.29.0.16 61.129.123.232
ip nat inside source static 10.100.100.9 61.129.123.49
ip nat inside source static 10.100.100.4 61.129.123.34
ip nat inside source static 10.100.100.3 61.129.123.33
ip nat inside source static 10.100.100.2 61.129.123.32
ip nat inside source static 10.100.100.1 61.129.123.31
ip nat inside source static 172.29.0.8 61.129.123.11
ip nat inside source static 10.100.100.11 61.129.123.51

access-list 10 permit 10.100.100.0 0.0.0.63------64个地址除了静态用到的外全部用pnat
access-list 103 deny   ip any 172.29.0.0 0.0.0.255--------拒绝外部访问内网地址
access-list 103 deny   ip any 10.100.100.0 0.0.0.255--------拒绝外部访问内网地址
access-list 103 permit ip any any--------允许经过翻译的内网地址出去后回来

现在有个问题：我想实现10.100.100.0网段除了静态和pnat外的地址禁止从f0/0.1出去（也就是未经过翻译的不允许出去）该加什么accest-list,我试过加access-list 104 permit ip 10.100.100.64 0.0.0.63 结果10.100.100.120出去了，但以前翻译的出不去了，感觉10和104有冲突，有何好的解决办法？