V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
trying
V2EX  ›  问与答

cisco 路由器:如何让内网用公网 IP 地址访问内网服务器

  •  
  •   trying · 2016-01-04 11:39:50 +08:00 · 6372 次点击
    这是一个创建于 3249 天前的主题,其中的信息可能已经有所发展或是发生改变。
    型号: cisco2800 路由器

    目前情况是有台服务器,映射公网 IP 为: 120.*.*.14 端口 86 ,本地 IP : 10.37.10.14

    经过映射,外网通过公网 IP : 120.*.*.14:86 直接访问到服务器,但是内网只能通过本地 IP:10.37.10.14:86 访问,

    请问要怎么设置才能让内网用户可以直接用公网 IP 去访问,而不是用本地 IP 访问呢??

    换句话说: 10.37.15.100 可以直接访问 10.37.10.14:86 ,但 10.37.15.100 无法访问 120.*.*.14:86 。

    目前路由配置情况如下:

    2821-Router#show run
    Building configuration...

    Current configuration : 5021 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 2821-Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    enable secret 5 $1$Chf0$4khQCf6Pxpd9WP2RNFiKf1
    !
    no aaa new-model
    clock timezone bjt 8
    no ip source-route
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.37.15.253
    ip dhcp excluded-address 10.37.15.254
    !
    ip dhcp pool septwolves
    network 10.37.15.0 255.255.255.0
    dns-server 218.85.157.99
    default-router 10.37.15.253
    !
    !
    no ip bootp server
    no ip domain lookup
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    !
    username chinaado privilege 15 secret 5 $1$aOkE$SkAsmmuE7Gx7yG.ijLdV/1
    username vpn privilege 7 password 7 051D19017D554002
    !
    !
    !
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key septwolves666 address 59.61.84.254
    !
    crypto ipsec security-association idle-time 3600
    !
    crypto ipsec transform-set 100 esp-3des esp-md5-hmac
    !
    crypto map toxiamen 100 ipsec-isakmp
    ! Incomplete
    set peer 59.61.84.254
    set transform-set 100
    match address 101
    !
    !
    !
    interface GigabitEthernet0/0
    description Link Lan$FW_INSIDE$
    ip address 10.37.10.254 255.255.255.0
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1
    description Link Internet$FW_OUTSIDE$
    ip address 120.*.*.10 255.255.255.248 secondary
    ip address 120.*.*.2 255.255.255.248
    no ip redirects
    ip nat outside
    ip nat enable
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map toxiamen
    !
    interface Virtual-Template1
    ip unnumbered GigabitEthernet0/1
    peer default ip address pool vpnpool
    keepalive 1800
    ppp encrypt mppe auto
    ppp authentication chap ms-chap
    !
    ip local pool vpnpool 172.16.100.2 172.16.100.200
    ip route 0.0.0.0 0.0.0.0 120.*.*.1
    ip route 10.37.0.0 255.255.0.0 10.37.10.253
    !
    no ip http server
    no ip http secure-server
    ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
    ip nat inside source static tcp 10.37.10.14 86 120.*.*.14 86 extendable
    !
    ip access-list extended internet
    deny ip 10.37.0.0 0.0.255.255 10.7.0.0 0.0.255.255
    permit ip 10.37.0.0 0.0.255.255 any
    !
    access-list 120 deny ip 10.37.0.0 0.0.255.255 10.7.0.0 0.0.255.255
    access-list 120 permit ip 10.37.0.0 0.0.255.255 any
    route-map nonat permit 10
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    password 7 151B1F1F557A79760832512D5D04190E
    line aux 0
    line vty 0 4
    password 7 030D4F18575F731A1E081D0A56110401
    logging synchronous
    login local
    !
    scheduler allocate 20000 1000
    ntp clock-period 17179763
    ntp server 192.5.41.41
    !
    end

    2821-Router#
    5 条回复    2018-05-08 22:28:47 +08:00
    jasontse
        1
    jasontse  
       2016-01-04 11:42:29 +08:00 via iPad   ❤️ 1
    NAT Loopback
    trying
        2
    trying  
    OP
       2016-01-04 11:59:14 +08:00
    嗯,我之前也是判断为 NAT 回流,但命令如何写呢?已经试过很多种方式了。。。
    smallfount
        3
    smallfount  
       2016-01-04 12:11:51 +08:00   ❤️ 1
    trying
        4
    trying  
    OP
       2016-01-04 12:59:04 +08:00
    @smallfount 这个看过了,但是设置之后还是不行,导致内部掉线。。
    wdom
        5
    wdom  
       2018-05-08 22:28:47 +08:00
    感觉配置有点复杂,网上找了一个开源的 Holer,只需要配置一个 AccessKey 就搞定了

    https://github.com/Wisdom-Projects/holer
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5365 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 40ms · UTC 01:19 · PVG 09:19 · LAX 17:19 · JFK 20:19
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.