Cisco: Some NAT and firewall rules fail to load after reboot


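I'm still fairly new to Cisco routers, but I've managed to configure most things successfully. However, there is one problem I just can't find a solution for. I have set up a VDSL connection on the Dialer0 interface and configured some basic forwarding and firewall rules. These rules are not reloaded at boot, and I have to re-enable them manually every time: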

ip nat source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat source static tcp 192.168.0.2 587 interface Dialer0 587
ip nat source static tcp 192.168.0.2 993 interface Dialer0 993

ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp

ip access-list extended FIREWALL
permit tcp any any eq 587
permit tcp any any eq 993
permit tcp any any eq 25

Full configuration:

ip dhcp excluded-address 192.168.0.1
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1 
dns-server 192.168.0.1 

controller VDSL 0
operating mode auto
sra

interface Dialer0
no shut
ip address negotiated
ip nat enable
no ip redirects
ip inspect INSPECT_OUT out
ip access-group FIREWALL in
ip mtu 1492
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
dialer idle-timeout 0
dialer persistent
encapsulation ppp
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password xxx
ppp pap sent-username xxx password xxx
ppp ipcp dns request
ppp ipcp route default

interface Ethernet0
no ip address
no shut
pppoe enable group global
pppoe-client dial-pool-number 1

interface ATM0
no ip address
no shut
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1

interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat enable
no ip redirects

access-list 1 permit 192.168.0.0 0.0.0.255
ip nat source list 1 interface Dialer0 overload

ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp

ip access-list extended FIREWALL
permit tcp any any eq 587
permit tcp any any eq 993
permit tcp any any eq 25

ip nat source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat source static tcp 192.168.0.2 587 interface Dialer0 587
ip nat source static tcp 192.168.0.2 993 interface Dialer0 993

What exactly am I doing wrong?
