URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 17432

Original message
"Problem with NAT"

Posted by Jetkins, 23-Oct-08 12:37
Hi everyone, please help!!! I need to make a computer in the subnet, 10.8.0.77, visible to a customer through port 8080, for example; the external address is 193.138.245.50. Here is the config. I think I wrote it as best I can, but it doesn't work.
Current configuration : 4357 bytes
!
! Last configuration change at 10:22:23 UTC Wed Oct 22 2008 by admin
! NVRAM config last updated at 11:11:00 UTC Tue Oct 21 2008 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Kh-c2620XM
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$UwPd$g8CONFn03ZopccFmI7JG81
!
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.8.0.1 10.8.0.50
!
ip dhcp pool Kharkiv
   network 10.8.0.0 255.255.255.0
   dns-server 192.168.2.10 193.138.244.36
   default-router 10.8.0.1
   domain-name softline.main
   netbios-name-server 192.168.2.10
   option 150 ip 192.168.2.181
!
ip domain name kharkiv.softline.main
ip audit po max-events 100
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host admin 10.3.0.127 root enable
ip rcmd remote-host differ 10.3.0.127 differ enable
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
username cisco secret 5 $1$ZsLe$6Fj/Zej/C0F3i5fsGLh3T0
username admin privilege 15 password 7 0822455D0A16
username konst privilege 15 secret 5 $1$ZMe1$CeaKUwX.F3Th7JaGNaKg7/
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key ufjhbfgjofgjbfgbfgjbffig address 195.245.253.2
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
!
crypto map Kiev 10 ipsec-isakmp
set peer 195.245.253.2
set security-association lifetime seconds 86400
set transform-set avalanche
set pfs group2
match address Kiev_VPN
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Internet
encapsulation dot1Q 10
ip address 193.138.245.50 255.255.255.248
ip access-group Incoming in
ip nat outside
no snmp trap link-status
crypto map Kiev
!
interface FastEthernet0/0.2
description Local Lan
encapsulation dot1Q 1 native
ip address 10.8.0.1 255.255.255.0
ip accounting output-packets
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.7
!
interface FastEthernet0/0.9
!
ip nat inside source list ZZZ interface FastEthernet0/0.1 overload
ip nat inside source static tcp 10.8.0.63 8080 194.187.155.73 8080 extendable
ip nat inside source static tcp 10.8.0.19 25 194.187.155.73 25 extendable
ip nat inside source static tcp 10.8.0.60 3389 194.187.155.73 3389 extendable
ip nat inside source static tcp 10.8.0.77 8080 193.138.245.50 8080 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 193.138.245.49
ip route 193.138.244.0 255.255.252.0 193.138.245.52
!
no ip http server
no ip http secure-server
!
ip access-list standard ssh_access
permit 10.1.8.13
permit 10.3.0.127
permit 195.245.253.111
permit 10.1.8.248
permit 10.8.0.0 0.0.0.255
permit 10.1.0.0 0.0.255.255
ip access-list standard telnet_access
permit 10.3.0.127
!
ip access-list extended Incoming
permit tcp any any established
permit udp any any
permit icmp any any
permit gre any any
permit ip 195.245.253.0 0.0.0.255 194.187.155.64 0.0.0.15
permit ip 10.0.0.0 0.3.255.255 10.8.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 10.8.0.0 0.0.0.255
permit tcp any host 194.187.155.73 eq smtp
permit ip 195.245.253.0 0.0.0.255 193.138.245.48 0.0.0.7
permit ip 10.8.0.0 0.7.255.255 any
ip access-list extended Kiev_VPN
permit ip 10.8.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.8.0.0 0.0.0.255 10.0.0.0 0.7.255.255
permit ip 10.8.0.0 0.0.0.255 10.8.0.0 0.7.255.255
permit ip 10.8.0.0 0.0.0.255 195.245.253.0 0.0.0.7
ip access-list extended ZZZ
deny   ip 10.8.0.0 0.0.0.255 10.0.0.0 0.7.255.255
deny   ip 10.8.0.0 0.0.0.255 10.8.0.0 0.7.255.255
deny   ip 10.8.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
!
access-list 10 deny   10.0.0.0 0.7.255.255
access-list 10 deny   192.168.0.0 0.0.255.255
access-list 10 permit any
access-list 110 deny   ip host 193.138.245.50 host 195.245.253.2
access-list 110 permit ip any any
!
!
snmp-server community cisco-SNMP-pass RO
snmp-server enable traps tty
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class ssh_access in
login local
transport input ssh
line vty 5 7
access-class telnet_access in
login
transport input telnet
!
ntp clock-period 17180216
ntp server 62.149.2.1
!
end



Contents

Messages in this discussion
"Problem with NAT"
Posted by GolDi, 23-Oct-08 13:26
>[overquoting removed]
>!
>interface FastEthernet0/0.7
>!
>interface FastEthernet0/0.9
>!
>ip nat inside source list ZZZ interface FastEthernet0/0.1 overload
>ip nat inside source static tcp 10.8.0.63 8080 194.187.155.73 8080 extendable
>ip nat inside source static tcp 10.8.0.19 25 194.187.155.73 25 extendable
>ip nat inside source static tcp 10.8.0.60 3389 194.187.155.73 3389 extendable
>ip nat inside source static tcp 10.8.0.77 8080 193.138.245.50 8080 extendable

Do the other translations work?
    
>[overquoting removed]
>transport input ssh
>line vty 5 7
>access-class telnet_access in
>login
>transport input telnet
>!
>ntp clock-period 17180216
>ntp server 62.149.2.1
>!
>end


"Problem with NAT"
Posted by Jetkins, 23-Oct-08 13:37
The others don't work; they can be deleted, they are left over from the old provider.

"Problem with NAT"
Posted by GolDi, 23-Oct-08 16:16
>[overquoting removed]
>interface FastEthernet0/0
>no ip address
>duplex auto
>speed auto
>!
>interface FastEthernet0/0.1
>description Internet
>encapsulation dot1Q 10
>ip address 193.138.245.50 255.255.255.248
>ip access-group Incoming in

Try removing this access-group

>[overquoting removed]
>transport input ssh
>line vty 5 7
>access-class telnet_access in
>login
>transport input telnet
>!
>ntp clock-period 17180216
>ntp server 62.149.2.1
>!
>end
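
An added example, not part of the thread or of the poster's config: a first-match evaluator for the posted "Incoming" ACL, run against the global side of the static NAT line for 10.8.0.77, since IOS checks an inbound ACL on the outside interface before the outside-to-inside translation. The function names and the `NARROW` variant (one extra permit entry in place of removing the access-group) are assumptions made for illustration.

```python
from ipaddress import IPv4Address as IP

# "Incoming" ACL and the static NAT line, copied from the config in the thread.
INCOMING = """\
permit tcp any any established
permit udp any any
permit icmp any any
permit gre any any
permit ip 195.245.253.0 0.0.0.255 194.187.155.64 0.0.0.15
permit ip 10.0.0.0 0.3.255.255 10.8.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 10.8.0.0 0.0.0.255
permit tcp any host 194.187.155.73 eq smtp
permit ip 195.245.253.0 0.0.0.255 193.138.245.48 0.0.0.7
permit ip 10.8.0.0 0.7.255.255 any
"""
NAT = "ip nat inside source static tcp 10.8.0.77 8080 193.138.245.50 8080 extendable"
# Assumption (not from the thread): one narrow entry instead of dropping the ACL.
NARROW = "permit tcp any host 193.138.245.50 eq 8080\n" + INCOMING
PORT_NAMES = {"smtp": "25"}  # the only port keyword this ACL uses

def take_addr(tok):
    """Pop one address spec (any | host A | A WILDCARD) as (base, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IP(tok.pop(0))), 0
    return int(IP(t)), int(IP(tok.pop(0)))

def hits(spec, ip):
    base, wild = spec
    return (int(IP(ip)) | wild) == (base | wild)

def first_match(acl, proto, src, dst, dport, established=False):
    """First matching entry; "established" never matches a connection's first SYN."""
    for line in acl.strip().splitlines():
        tok = line.split()
        action, p = tok.pop(0), tok.pop(0)
        s, d = take_addr(tok), take_addr(tok)
        port = tok[tok.index("eq") + 1] if "eq" in tok else str(dport)
        if (p in ("ip", proto) and hits(s, src) and hits(d, dst)
                and PORT_NAMES.get(port, port) == str(dport)
                and ("established" not in tok or established)):
            return action, line
    return "deny", "implicit deny"

def check_published(nat_line, acl, src):
    f = nat_line.split()  # ... static <proto> <local> <lport> <global> <gport>
    return first_match(acl, f[5], src, f[8], int(f[9]))
```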