思科 IP Nat/端口转发

tag-icon tag-icon cisco routing router nat port-forwarding
思科 IP Nat/端口转发

我一直在尝试让端口转发与新安装的思科路由器配合使用。我似乎找不到问题所在,并且已经找了好久。

我的配置的相关部分:

interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.10.250.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
router eigrp 250
 passive-interface FastEthernet0/0
 network 10.10.250.0 0.0.0.255
 no auto-summary
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static udp 10.10.250.201 9987 interface FastEthernet0/0 9987
ip nat inside source static tcp 10.10.250.201 30033 interface FastEthernet0/0 30033
ip nat inside source static tcp 10.10.250.201 10011 interface FastEthernet0/0 10011
ip nat inside source static tcp 10.10.250.201 22 interface FastEthernet0/0 443
ip nat inside source static tcp 10.10.250.201 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
!
!
ip access-list extended NAT
 permit ip any any

我的配置肯定有问题?还是我遗漏了使端口转发正常工作所必需的某些东西?

这是当前的 NAT 表,仅显示我的规则:

cisco2621#show ip nat tran
Pro Inside global         Inside local          Outside local         Outside global
udp x.x.x.x:9987    10.10.250.201:9987    ---                   ---
tcp x.x.x.x:10011   10.10.250.201:10011   ---                   ---
tcp x.x.x.x:80      10.10.250.201:80      ---                   ---
tcp x.x.x.x:443     10.10.250.201:22      ---                   ---
tcp x.x.x.x:30033   10.10.250.201:30033   ---                   ---

答案1

您在端口转发中混淆了源和目标。

ip nat inside source static udp  interface FastEthernet0/0 9987 10.10.250.201 9987 extendable
ip nat inside source static tcp  interface FastEthernet0/0 30033 10.10.250.201 30033 extendable
ip nat inside source static tcp  interface FastEthernet0/0 10011 10.10.250.201 10011 extendable
ip nat inside source static tcp  interface FastEthernet0/0 443 10.10.250.201 22 extendable
ip nat inside source static tcp  interface FastEthernet0/0 80 10.10.250.201 80 extendable

还使用标准访问列表仅允许本地网络通过 NAT。

ip access-list standard NAT
 permit ip 10.10.250.0 0.0.0.255

答案2

我已经很久没有做过 NAT 了,但是在你的“ip nat inside ...”行中,你能在末尾放一个接口吗?我认为它应该是接口的适当 IP 地址。但是,在你的配置中,它可能由于 DHCP 而工作。

尝试以下命令来帮助缩小问题范围:

show ip nat translations
debug ip nat (then try to generate traffic that should hit the NAT and see what hits the console)
show ip nat stat

此外,由于您目前没有过滤任何内容,请尝试不要使用扩展访问列表。应该没有什么区别,但值得花 3 秒钟尝试。

access-list 10 permit any

相关内容