Notes: this is an NA lab, worked through together with Coolking.
Requirements:
1. PC3 (192.168.10.192) and PC0 (192.168.10.210) must not be able to reach the outside.
2. Apart from the Server, PC3 and PC0, every host gets its IP from DHCP and can reach the WWW.
3. Only PC3 (192.168.10.192) may Telnet to Ro_A.
4. To reach the WWW, typing tw.yahoo.com must work; opening the web page by IP address must not.
5. Because the Internet is simulated, Ro_ISP has no routing configured; Ro_A and Ro_B must be configured with PAT.
6. Ro_A and Ro_B build a GRE tunnel between them; the tunnel IPs are chosen freely.
Ro_A Show Run:
Building configuration...
Current configuration : 1173 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Ro_A
!
Interface settings
!
interface Tunnel10
ip address 100.100.100.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 10.0.1.2
!
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.20.0
ip access-group 100 in
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.0.0.2 255.255.255.0
ip nat outside
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
PAT settings
ip nat inside source list 2 interface Serial0/0/0 overload
ip classless
Routing settings
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 192.168.20.0 255.255.255.0 100.100.100.2
!
!
ACL settings
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 100 permit tcp host 192.168.10.192 any eq telnet
access-list 100 deny ip 192.168.10.192 0.0.0.18 any
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
Line 1: allow .192 to Telnet to Ro_A.
Line 2: deny .192 and .210 access to the outside.
Line 3: prevent the other PCs from Telnetting.
Line 4: permit all remaining traffic; every ACL ends with an implicit deny any any.
An ACL is evaluated top-down, first match wins, so the order of the lines matters!
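As an added example (not part of the original lab post), the following Python evaluates Ro_A's ACL 100 the way IOS does: top-down, first match wins, implicit deny at the end. It also expands the wildcard in line 2, which shows that 192.168.10.192 0.0.0.18 matches four hosts (.192, .194, .208 and .210), not only the two named in the requirement, because the wildcard bits 2 and 16 are both "don't care". The sample packets are constructed; the destination 192.168.10.254 is Ro_A's Fa0/0 from the show run.

```python
# Added example (not from the lab post): evaluate the lab's ACL 100 with IOS semantics.
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def wildcard_hosts(base, wildcard):
    """Expand base/wildcard into every address it matches (small wildcards only)."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    free_bits = [i for i in range(32) if (w >> i) & 1]
    hosts = []
    for combo in range(1 << len(free_bits)):
        value = b & ~w
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                value |= 1 << bit
        hosts.append(str(IPv4Address(value)))
    return sorted(hosts, key=lambda h: int(IPv4Address(h)))


ANY = ("0.0.0.0", "255.255.255.255")

# ACL 100 transcribed from Ro_A: (action, protocol, src, src_wc, dst, dst_wc, dst_port)
ACL_100 = [
    ("permit", "tcp", "192.168.10.192", "0.0.0.0", *ANY, 23),   # line 1
    ("deny",   "ip",  "192.168.10.192", "0.0.0.18", *ANY, None), # line 2
    ("deny",   "tcp", *ANY, *ANY, 23),                           # line 3
    ("permit", "ip",  *ANY, *ANY, None),                         # line 4
]


def evaluate(acl, src, dst, proto, dport=None):
    """Return (action, line_number); line 0 is the implicit 'deny ip any any'."""
    for n, (action, p, s, sw, d, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:          # 'ip' entries match every protocol
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", 0


def swapped_order():
    """Same four entries, but line 3 placed before line 1: PC3's Telnet is now denied."""
    acl = [ACL_100[2], ACL_100[0], ACL_100[1], ACL_100[3]]
    return evaluate(acl, "192.168.10.192", "192.168.10.254", "tcp", 23)


if __name__ == "__main__":
    # Constructed sample packets against Ro_A's Fa0/0 (192.168.10.254) and an outside host.
    print(wildcard_hosts("192.168.10.192", "0.0.0.18"))
    print(evaluate(ACL_100, "192.168.10.192", "192.168.10.254", "tcp", 23))  # PC3 telnet: permit, 1
    print(evaluate(ACL_100, "192.168.10.210", "203.0.113.10", "tcp", 80))    # PC0 web: deny, 2
    print(evaluate(ACL_100, "192.168.10.100", "192.168.10.254", "tcp", 23))  # other PC telnet: deny, 3
    print(evaluate(ACL_100, "192.168.10.100", "203.0.113.10", "tcp", 80))    # other PC web: permit, 4
    print(swapped_order())                                                   # deny, 1
```

The expansion of line 2 is the check worth running before applying a wildcard that is not a contiguous block of ones: a DHCP client that happens to receive .194 or .208 would also be cut off from the outside.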
!
end
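The PAT line on Ro_A, ip nat inside source list 2 interface Serial0/0/0 overload, translates only sources permitted by ACL 2 (192.168.10.0/24) and lets every inside host share the Serial0/0/0 address 10.0.0.2, telling the flows apart by translated source port. The following Python is an added illustration of that behaviour, not code from the lab; the inside hosts, ports and the starting global port 1024 are constructed values, and the outside address and ACL 2 come from the Ro_A show run.

```python
# Added example (not from the lab post): a minimal model of Ro_A's PAT ("overload") behaviour.
from ipaddress import IPv4Address

OUTSIDE_IP = "10.0.0.2"               # Ro_A Serial0/0/0 address from the show run
ACL_2 = ("192.168.10.0", "0.0.0.255")  # access-list 2 permit 192.168.10.0 0.0.0.255


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


class PatTable:
    """Keeps the inside<->global port mappings for one overloaded outside address."""

    def __init__(self, outside_ip, first_port=1024):   # first_port is a constructed value
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.inside_to_global = {}   # (inside_ip, inside_port) -> global port
        self.global_to_inside = {}   # global port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate an inside->outside packet; None means ACL 2 did not match, so no NAT."""
        if not wildcard_match(src_ip, *ACL_2):
            return None
        key = (src_ip, src_port)
        if key not in self.inside_to_global:       # allocate a new global port on first use
            port = self.next_port
            self.next_port += 1
            self.inside_to_global[key] = port
            self.global_to_inside[port] = key
        return self.outside_ip, self.inside_to_global[key]

    def inbound(self, dst_port):
        """Reverse translation for a returning packet; None means no entry, packet is dropped."""
        return self.global_to_inside.get(dst_port)


def demo():
    """Two inside hosts using the same source port get distinct global ports."""
    table = PatTable(OUTSIDE_IP)
    a = table.outbound("192.168.10.100", 40000)   # constructed DHCP client
    b = table.outbound("192.168.10.101", 40000)   # another constructed client, same port
    again = table.outbound("192.168.10.100", 40000)  # existing entry is reused
    not_nat = table.outbound("192.168.20.10", 40000)  # Ro_B's LAN: not in ACL 2
    return a, b, again, not_nat, table.inbound(a[1]), table.inbound(9999)


if __name__ == "__main__":
    print(demo())
```

The ACL 2 miss for a 192.168.20.x source is why Ro_B carries its own PAT statement: hosts behind Ro_B reach the WWW through Ro_B's Serial0/0/0, and the GRE tunnel is only used for the private 192.168.10.0/24 and 192.168.20.0/24 routes.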
Ro_B Show Run:
Building configuration...
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Ro_B
!
Interface section
interface Tunnel10
ip address 100.100.100.2 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 10.0.0.2
!
interface FastEthernet0/0
ip address 192.168.20.254 255.255.255.0
ip helper-address 192.168.10.252
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.1.2 255.255.255.0
ip nat outside
!
PAT section
ip nat inside source list 2 interface Serial0/0/0 overload
ip classless
!
Routing section
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 192.168.10.0 255.255.255.0 100.100.100.1
!
ACL section
access-list 2 permit 192.168.20.0 0.0.0.255
!
End
Ro_ISP Show Run:
Building configuration...
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Ro_ISP
!
Interface section
interface FastEthernet0/0
ip address 192.168.30.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
clock rate 128000
!
interface Serial0/0/1
ip address 10.0.1.1 255.255.255.0
ip nat outside
clock rate 128000
!
End