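A few days ago our internet cafe added several machines and we did not have enough real IPs, so I asked a friend to set up NAT.
The router is a CISCO4700.
The configuration is as follows: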
4700#sh run
Building configuration...
Current configuration : 1553 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 4700
!
enable secret 5 $1$t1t0$672BXatdmOV56OfGuBHBu5
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 172.30.50.106 255.255.255.240
ip access-group deny out
ip accounting output-packets
ip nat outside
ip route-cache same-interface
no ip mroute-cache
no keepalive
media-type 10BaseT
no cdp enable
!
interface Ethernet1
ip address 192.168.0.1 255.255.255.0 secondary
ip address 219.227.55.129 255.255.255.128
ip access-group deny in
ip nat inside
media-type 10BaseT
no cdp enable
!
ip nat pool scnz 219.227.55.243 219.227.55.245 netmask 255.255.255.0
ip nat inside source list 1 pool gogo
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.50.97
no ip http server
!
!
ip access-list extended deny
permit icmp 219.227.55.0 0.0.0.255 host 219.227.55.129
permit icmp host 172.30.50.106 host 172.30.50.97
permit icmp host 172.30.50.97 host 172.30.50.106
deny icmp any any
deny tcp any eq 135 any
deny tcp any eq 137 any
deny tcp any eq 445 any
deny tcp any eq 4444 any
deny udp any eq 445 any
deny udp any any eq 29851
deny udp any any eq 1434
deny tcp any any eq 1434
deny udp any any eq 1433
deny tcp any eq 1433 any
deny udp any any eq 15584
deny tcp any eq 139 any
deny tcp any any eq 7626
permit ip any any
permit icmp 192.168.0.0 0.0.0.255 host 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password tianli
login
!
end
4700#
----------------
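The problem:
219.227.55.243 219.227.55.245 are the legitimate IPs used for NAT
219.227.55.129 is the legitimate gateway
192.168.0.1 is used as the NAT gateway
Currently:
The IPs 192.168.0.2-5 get online normally.
Later ones such as 192.168.0.10 cannot get online, but they can TELNET to the router.
For example, machine No. 11 originally has the IP 192.168.0.12 and cannot browse the web or use QQ;
if it is changed to 192.168.0.2 or another of the first few IPs, it gets online immediately.
Could an expert please point out where the configuration has gone wrong?
How should it be configured so that all IPs in the virtual IP range 192.168.0.2-254 can get online normally?
Feel free to contact me or reply.
QQ:12341504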
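An added example, not part of the original post: a small Python check run over the NAT lines of the configuration above. It flags an `ip nat inside source` rule whose pool name has no matching `ip nat pool` definition, and a rule without `overload` whose pool holds fewer addresses than its access list permits. The function name `audit_nat` and the finding tuples are assumptions of this example.

```python
import ipaddress
import re

# NAT-related lines copied from the running configuration in the post.
CONFIG = """\
ip nat pool scnz 219.227.55.243 219.227.55.245 netmask 255.255.255.0
ip nat inside source list 1 pool gogo
access-list 1 permit 192.168.0.0 0.0.0.255
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) \S+", re.M)
RULE_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)( overload)?\s*$", re.M)
# Only the numbered "permit <network> <wildcard>" form is handled here.
ACL_RE = re.compile(r"^access-list (\d+) permit (\d\S*) (\d\S*)\s*$", re.M)


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def audit_nat(config):
    """Return findings (tuples) for dynamic inside-source NAT rules."""
    pools = {name: _as_int(last) - _as_int(first) + 1
             for name, first, last in POOL_RE.findall(config)}
    # A contiguous wildcard mask of value w covers w + 1 addresses.
    acl_size = {}
    for num, _net, wildcard in ACL_RE.findall(config):
        acl_size[num] = acl_size.get(num, 0) + _as_int(wildcard) + 1
    findings = []
    for acl, pool, overload in RULE_RE.findall(config):
        if pool not in pools:
            findings.append(("undefined-pool", acl, pool))
        elif not overload and acl_size.get(acl, 0) > pools[pool]:
            # Without overload (PAT) each inside host holds one pool address.
            findings.append(("pool-exhaustion", acl, pool, pools[pool], acl_size[acl]))
    return findings


if __name__ == "__main__":
    for finding in audit_nat(CONFIG):
        print(finding)
```

On the posted lines the check reports the `gogo` reference as undefined; with the rule pointed at `scnz` it reports a 3-address pool serving a 256-address list, and the finding clears once the rule carries `overload`.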