Cisco router port forwarding works from an external network but not from the local network

I have a Cisco Professional Express router. This is its current configuration:

#show run
Building configuration...

Current configuration : 6550 bytes
!
! Last configuration change at 10:56:18 PCTime Wed Jan 15 2020 by admin
!
version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname <private>
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone PCTime 2 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-<private>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<private>
 revocation-check none
 rsakeypair TP-self-signed-<private>
!
!
crypto pki certificate chain TP-self-signed-<private>
 certificate self-signed 01
<private>
        quit
license udi pid <private> sn <private>
!
!
username <private>
username <private>
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description <private>
 ip address 1.1.1.221 255.255.255.254
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 2.2.2.1 255.255.255.0 secondary
 ip address 3.3.3.1 255.255.224.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router bgp 65008
 bgp log-neighbor-changes
 network 2.2.2.96 mask 255.255.255.224
 timers bgp 30 90
 neighbor 1.1.1.220 remote-as 5408
 neighbor 1.1.1.220 send-community
 neighbor 1.1.1.220 remove-private-as
 neighbor 1.1.1.220 soft-reconfiguration inbound
 neighbor 1.1.1.220 route-map bgp-grnet-in in
 neighbor 1.1.1.220 route-map bgp-grnet-out out
!
ip forward-protocol nd
!
ip bgp-community new-format
ip as-path access-list 3 permit ^$
ip as-path access-list 4 permit ^5408.* 3333$
ip as-path access-list 4 permit ^5408$
ip as-path access-list 4 permit ^5408 2546$
ip as-path access-list 4 permit ^5408 3268$
ip as-path access-list 4 permit ^5408 3323.*
ip as-path access-list 4 permit ^5408 5470$
ip as-path access-list 4 permit ^5408 5489$
ip as-path access-list 4 permit ^5408 6744$
ip as-path access-list 4 permit ^5408 6867$
ip as-path access-list 4 permit ^5408 8248$
ip as-path access-list 4 permit ^5408 8253$
ip as-path access-list 4 permit ^5408 8278$
ip as-path access-list 4 permit ^5408 8522$
ip as-path access-list 4 permit ^5408 8530$
ip as-path access-list 4 permit ^5408 8581$
ip as-path access-list 4 permit ^5408 8611.*
ip as-path access-list 4 permit ^5408 8617$
ip as-path access-list 4 permit ^5408 8618$
ip as-path access-list 4 permit ^5408 8643.*
ip as-path access-list 4 permit ^5408 8700$
ip as-path access-list 4 permit ^5408 8762$
ip as-path access-list 4 permit ^5408 8991$
ip as-path access-list 4 permit ^5408 9069$
ip as-path access-list 4 permit ^5408 12364$
ip as-path access-list 4 permit ^5408 12402$
ip as-path access-list 4 permit ^5408 1241$
ip as-path access-list 4 permit ^5408 2686$
ip as-path access-list 4 permit ^5408 3329$
ip as-path access-list 4 permit ^5408 6844$
ip as-path access-list 4 permit ^5408 6799$
ip as-path access-list 4 permit ^5408 8212$
ip as-path access-list 4 permit ^5408 8313$
ip as-path access-list 4 permit ^5408 8335$
ip as-path access-list 4 permit ^5408 8951$
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool NAT-POOL 2.2.2.97 2.2.2.125 netmask 255.255.255.224
ip nat inside source static tcp 3.3.3.1 80 interface GigabitEthernet0/0 1970
ip nat inside source route-map nat pool NAT-POOL overload
ip nat inside source static 3.3.3.15 2.2.2.110
ip default-network 2.2.2.0
ip route 2.2.2.96 255.255.255.224 Null0 254
!
!
route-map bgp-grnet-in permit 10
 match as-path 4
 set local-preference 120
!
route-map bgp-grnet-out permit 10
 match as-path 3
 set community 5408:120
!
route-map nat permit 10
 match ip address 101
!
!
access-list 1 permit 4.4.4.112
access-list 1 permit 5.5.5.4
access-list 1 permit 2.2.2.14
access-list 1 permit 6.6.6.0 0.0.0.255
access-list 101 remark === PAT ===
access-list 101 permit ip 3.3.3.0 0.0.255.255 any
access-list 101 permit ip 6.6.6.0 0.0.0.255 any
!
control-plane
!
!
banner motd ^CCC
<private>
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

I have replaced all IPs with dummy ones. I am running an NGINX server on the local network at 3.3.3.1, listening on port 80. I set up a port forwarding rule, as shown in the configuration:

ip nat inside source static tcp 3.3.3.1 80 interface GigabitEthernet0/0 1970

When I enter 1.1.1.221:1970 from my smartphone over a 4G connection, it works and I can see the NGINX "It works!" page. If I enter it from the local network, it does not work. In Chrome it shows ERR_CONNECTION_REFUSED. Is there something wrong in the configuration?

Answer 1

You are trying to create a loopback connection, like this:

local -> router -> internet -> router -> local

The router implements a request-reply algorithm but was not designed to handle the case where the reply is actually another request. That is, it implements "request-reply" rather than "request-request-reply-reply".
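To make the "request-request-reply-reply" point concrete, here is a small Python model of the static NAT rule from the posted configuration. It is an added example, not code from the question or the answer. The WAN address 1.1.1.221, the inside interface address 3.3.3.1 and the forwarded port 1970 are the placeholder values from the config; the web server address 3.3.3.10, the inside client 3.3.3.20 and the outside client 203.0.113.5 are constructed for the model (the server gets its own address so it is distinguishable from the router's inside interface). The three hairpin modes are hypothetical switches of the model, not IOS commands: "none" reproduces what the question describes, "dnat-only" shows why a single translation is not enough, and "full" shows why the loopback needs two translations in each direction.

```python
from dataclasses import dataclass, replace

# Placeholder addresses taken from the posted configuration.
WAN_IP = "1.1.1.221"       # GigabitEthernet0/0, 'ip nat outside'
ROUTER_LAN_IP = "3.3.3.1"  # GigabitEthernet0/1, 'ip nat inside'
FWD_PORT = 1970            # port forwarded on the WAN address
# Constructed for the model: the web server gets its own inside address so it
# is distinguishable from the router's inside interface.
SERVER_IP, SERVER_PORT = "3.3.3.10", 80
# Models: ip nat inside source static tcp <server> 80 interface Gi0/0 1970
STATIC_MAP = {(WAN_IP, FWD_PORT): (SERVER_IP, SERVER_PORT)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Static 'inside source' NAT with a hypothetical hairpin switch.

    hairpin="none"      behaviour described in the question: the static mapping
                        is consulted only for packets entering on 'outside'.
    hairpin="dnat-only" destination is rewritten for inside clients too, but the
                        source is left alone (one translation only).
    hairpin="full"      destination AND source are rewritten, so the server's
                        reply is forced back through the router (two translations).
    """

    def __init__(self, hairpin="none"):
        self.hairpin = hairpin
        self.sessions = {}  # reverse-lookup key -> (original packet, ingress)

    def forward(self, pkt, ingress):
        """Return (translated packet, egress interface), or (None, None) when
        the packet is addressed to the router itself and nothing translates it."""
        key = (pkt.dst, pkt.dport)
        if key in STATIC_MAP and (ingress == "outside" or self.hairpin != "none"):
            sdst, sdport = STATIC_MAP[key]
            out = replace(pkt, dst=sdst, dport=sdport)          # translation 1
            if ingress == "inside" and self.hairpin == "full":
                out = replace(out, src=ROUTER_LAN_IP)            # translation 2
            self.sessions[(out.dst, out.dport, out.src, out.sport)] = (pkt, ingress)
            return out, "inside"
        sess = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if sess is not None:  # server reply: undo whatever was rewritten
            orig, orig_ingress = sess
            back = Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
            return back, orig_ingress
        # Addressed to the router itself (no listener on 1970) or out of scope.
        return None, None


def simulate(client_ip, client_side, hairpin="none"):
    """Send one TCP SYN from the client to WAN_IP:FWD_PORT and classify the result:
    'ok'      reply comes back from the address the client connected to
    'refused' SYN terminated on the router (matches ERR_CONNECTION_REFUSED)
    'reset'   reply arrives from an unexpected source, so the client's stack
              has no matching connection and resets it."""
    router = Router(hairpin)
    syn = Packet(src=client_ip, sport=40000, dst=WAN_IP, dport=FWD_PORT)
    to_server, _ = router.forward(syn, client_side)
    if to_server is None:
        return "refused"
    # The server answers whatever source address the packet carried.
    synack = Packet(src=to_server.dst, sport=to_server.dport,
                    dst=to_server.src, dport=to_server.sport)
    if client_side == "inside" and synack.dst != ROUTER_LAN_IP:
        delivered = synack  # same LAN segment: the reply bypasses the router
    else:
        delivered, _ = router.forward(synack, "inside")
    if delivered is None:
        return "refused"
    expected = (WAN_IP, FWD_PORT)
    return "ok" if (delivered.src, delivered.sport) == expected else "reset"


if __name__ == "__main__":
    print("outside client, no hairpin :", simulate("203.0.113.5", "outside"))
    print("inside client,  no hairpin :", simulate("3.3.3.20", "inside"))
    print("inside client,  dnat-only  :", simulate("3.3.3.20", "inside", "dnat-only"))
    print("inside client,  full       :", simulate("3.3.3.20", "inside", "full"))
```

The "dnat-only" case is the interesting one: rewriting only the destination lets the SYN reach the server, but the server then answers the client directly on the LAN with its real address, so the client sees a reply from 3.3.3.10:80 for a connection it opened to 1.1.1.221:1970 and drops it. Only when the router also rewrites the source (so the reply must come back through it) can it undo both translations, which is the second "request/reply" pair the answer refers to. The practical alternatives are the same as for any hairpin problem: have inside clients resolve the name to the inside address (split DNS), or enable a hairpin/NAT-on-a-stick configuration if the platform supports it.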
