1. "Cisco: access from outside to a web server behind NAT (cisco nat)"
Message from Mavrichev Roman on 14-Jun-05, 14:29
!many-to-one address translation + port (80) forwarding to a web server inside.
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXX
!
enable secret 5 XXX
!
ip subnet-zero
no ip rcmd domain-lookup
no ip finger
ip name-server 212.44.131.6
ip name-server 212.44.130.6
ip accounting-threshold 4294967295
clock timezone SPb 3
clock summer-time SPb recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
controller E1 0
framing NO-CRC4
channel-group 0 timeslots 1-31
description E1-1-31-Sovintel
!
!
interface Ethernet0
ip address 192.168.1.33 255.255.255.0 secondary
ip address 192.168.0.33 255.255.255.0
ip access-group 110 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip route-cache flow
media-type 10BaseT
no cdp enable
!
interface Ethernet1
ip address 192.168.2.33 255.255.255.0
ip access-group 120 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip route-cache flow
media-type 10BaseT
no cdp enable
!
interface Serial0
bandwidth 128
ip address X.X.X.X 255.255.255.252
ip access-group 101 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ip nat outside
encapsulation ppp
no ip mroute-cache
no fair-queue
no cdp enable
!
interface Serial0:0
no ip address
no ip directed-broadcast
no cdp enable
!
ip nat pool REAL-IP 195.195.195.1 195.195.195.1 netmask 255.255.255.252
ip nat inside source list 2 pool REAL-IP overload
ip nat inside source static tcp 192.168.0.90 80 195.195.195.1 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip flow-export destination 192.168.0.201 9991
!
access-list 2 permit 192.168.1.90
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 99 permit 192.168.0.201
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 101 deny udp any eq netbios-dgm any
access-list 101 deny udp any eq netbios-ns any
access-list 101 deny udp any eq netbios-ss any
access-list 101 deny tcp any eq 137 any
access-list 101 deny tcp any eq 138 any
access-list 101 deny tcp any eq 139 any
access-list 101 permit ip any any
access-list 110 permit ip host 192.168.0.201 any
access-list 110 permit ip host 192.168.1.90 any
access-list 110 permit tcp host 192.168.0.25 any eq ftp
access-list 110 deny tcp 192.168.0.0 0.0.0.255 any eq www
access-list 110 deny tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 deny tcp 192.168.2.0 0.0.0.255 any eq www
access-list 120 deny tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip host 192.168.0.201 any
no cdp run
snmp-server community public RO
snmp-server host 192.168.0.201 traps version 2c public
banner motd ^C No unautorized acess allowed.^C
!
line con 0
password cisco
login local
transport input none
stopbits 1
line aux 0
line vty 0 4
access-class 99 in
exec-timeout 0 0
timeout login response 0
password cisco
login
!
ntp clock-period 17180012
ntp server 194.137.39.67
end
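Added example, not part of the original post and not Cisco's tooling: a small Python checker for the port-forward pattern shown in the config above. It parses a constructed IOS-style excerpt that mirrors the post (the placeholder public address 195.195.195.1 is the post's own; the Serial0 address 203.0.113.2 and the probe sources 198.51.100.7 / 192.168.5.5 are invented documentation addresses), locates the `ip nat inside source static` entry, and verifies two things a reviewer checks by hand: that the inside local address sits on an interface marked `ip nat inside`, and that the ACL applied inbound on the `ip nat outside` interface admits a TCP/80 packet addressed to the global address. The second check matters because, on IOS, an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so it sees the global (public) destination, not the inside 192.168.x.x address. The ACE grammar supported is only the subset the post uses (`permit|deny ip|tcp|udp <src> [eq p] <dst> [eq p]`, with `any`, `host`, and contiguous wildcards); standard numbered lists (1-99) are skipped.

```python
"""Static check of an IOS NAT port-forward against the outside inbound ACL.
Added example; supports only the ACE grammar used in the post above."""
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}

# Constructed excerpt mirroring the post's config (addresses as described in the lead-in).
CONFIG = """\
interface Ethernet0
 ip address 192.168.1.33 255.255.255.0 secondary
 ip address 192.168.0.33 255.255.255.0
 ip access-group 110 in
 ip nat inside
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip nat outside
ip nat pool REAL-IP 195.195.195.1 195.195.195.1 netmask 255.255.255.252
ip nat inside source list 2 pool REAL-IP overload
ip nat inside source static tcp 192.168.0.90 80 195.195.195.1 80 extendable
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 101 deny tcp any eq 137 any
access-list 101 permit ip any any
"""


def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD' (contiguous wildcard assumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' qualifier; returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), tokens[2:]
    return None, tokens


def parse_ace(tokens):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' into a dict."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, _ = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def parse_config(text):
    """Return (interfaces, extended ACLs, static port forwards) from an IOS-style config."""
    interfaces, acls, forwards, cur = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            cur = line.split()[1]
            interfaces[cur] = {"nets": [], "nat": None, "acl_in": None}
            continue
        if not raw.startswith(" "):      # unindented line ends the interface block
            cur = None
        p = line.split()
        if cur is not None:
            if line.startswith("ip address "):
                interfaces[cur]["nets"].append(ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False))
            elif line.startswith("ip nat "):
                interfaces[cur]["nat"] = p[2]
            elif line.startswith("ip access-group ") and p[-1] == "in":
                interfaces[cur]["acl_in"] = p[2]
        elif line.startswith("ip nat inside source static "):
            forwards.append({"proto": p[5], "local": p[6], "lport": int(p[7]),
                             "global": p[8], "gport": int(p[9])})
        elif line.startswith("access-list ") and 100 <= int(p[1]) <= 199:
            acls.setdefault(p[1], []).append(parse_ace(p[2:]))
    return interfaces, acls, forwards


def acl_permits(aces, proto, src, dst, dport, sport=None):
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


def check_forwards(text, probe_src="198.51.100.7"):
    """For each static forward: is the local host on a NAT-inside interface, and does
    the outside inbound ACL admit the probe to the GLOBAL address (ACL runs before NAT)?"""
    interfaces, acls, forwards = parse_config(text)
    inside = [i for i in interfaces.values() if i["nat"] == "inside"]
    outside = [i for i in interfaces.values() if i["nat"] == "outside" and i["acl_in"]]
    results = []
    for fw in forwards:
        local = ipaddress.ip_address(fw["local"])
        results.append({
            "forward": f'{fw["proto"]}/{fw["gport"]} -> {fw["local"]}:{fw["lport"]}',
            "local_on_inside_if": any(local in n for i in inside for n in i["nets"]),
            "admitted_by_outside_acl": all(
                acl_permits(acls.get(i["acl_in"], []), fw["proto"], probe_src, fw["global"], fw["gport"])
                for i in outside),
        })
    return results


if __name__ == "__main__":
    for r in check_forwards(CONFIG):
        print(r)
```

Running it against the excerpt reports the forward as reachable and correctly homed; calling `acl_permits` with a source inside 192.168.0.0/16 shows the anti-spoofing denies at the top of list 101 doing their job, and a probe to a port other than 80 falls through to the final `permit ip any any`, which is why a forward's exposure is really decided by that last line rather than by the static NAT entry itself.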