cisco 路由器:如何让内网用公网 IP 地址访问内网服务器

2016-01-04 11:39:50 +08:00
 trying
型号: cisco2800 路由器

目前情况是有台服务器,映射公网 IP 为: 120.*.*.14 端口 86 ,本地 IP : 10.37.10.14

经过映射,外网通过公网 IP : 120.*.*.14:86 直接访问到服务器,但是内网只能通过本地 IP:10.37.10.14:86 访问,

请问要怎么设置才能让内网用户可以直接用公网 IP 去访问,而不是用本地 IP 访问呢??

换句话说: 10.37.15.100 可以直接访问 10.37.10.14:86 ,但 10.37.15.100 无法访问 120.*.*.14:86 。

目前路由配置情况如下:

2821-Router#show run
Building configuration...

Current configuration : 5021 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2821-Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$Chf0$4khQCf6Pxpd9WP2RNFiKf1
!
no aaa new-model
clock timezone bjt 8
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.37.15.253
ip dhcp excluded-address 10.37.15.254
!
ip dhcp pool septwolves
network 10.37.15.0 255.255.255.0
dns-server 218.85.157.99
default-router 10.37.15.253
!
!
no ip bootp server
no ip domain lookup
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
username chinaado privilege 15 secret 5 $1$aOkE$SkAsmmuE7Gx7yG.ijLdV/1
username vpn privilege 7 password 7 051D19017D554002
!
!
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key septwolves666 address 59.61.84.254
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set 100 esp-3des esp-md5-hmac
!
crypto map toxiamen 100 ipsec-isakmp
! Incomplete
set peer 59.61.84.254
set transform-set 100
match address 101
!
!
!
interface GigabitEthernet0/0
description Link Lan$FW_INSIDE$
ip address 10.37.10.254 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Link Internet$FW_OUTSIDE$
ip address 120.*.*.10 255.255.255.248 secondary
ip address 120.*.*.2 255.255.255.248
no ip redirects
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
crypto map toxiamen
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
peer default ip address pool vpnpool
keepalive 1800
ppp encrypt mppe auto
ppp authentication chap ms-chap
!
ip local pool vpnpool 172.16.100.2 172.16.100.200
ip route 0.0.0.0 0.0.0.0 120.*.*.1
ip route 10.37.0.0 255.255.0.0 10.37.10.253
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.37.10.14 86 120.*.*.14 86 extendable
!
ip access-list extended internet
deny ip 10.37.0.0 0.0.255.255 10.7.0.0 0.0.255.255
permit ip 10.37.0.0 0.0.255.255 any
!
access-list 120 deny ip 10.37.0.0 0.0.255.255 10.7.0.0 0.0.255.255
access-list 120 permit ip 10.37.0.0 0.0.255.255 any
route-map nonat permit 10
!
!
!
control-plane
!
!
!
line con 0
password 7 151B1F1F557A79760832512D5D04190E
line aux 0
line vty 0 4
password 7 030D4F18575F731A1E081D0A56110401
logging synchronous
login local
!
scheduler allocate 20000 1000
ntp clock-period 17179763
ntp server 192.5.41.41
!
end

2821-Router#
6392 次点击
所在节点    问与答
5 条回复
jasontse
2016-01-04 11:42:29 +08:00
NAT Loopback
trying
2016-01-04 11:59:14 +08:00
嗯,我之前也是判断为 NAT 回流,但命令如何写呢?已经试过很多种方式了。。。
smallfount
2016-01-04 12:11:51 +08:00
trying
2016-01-04 12:59:04 +08:00
@smallfount 这个看过了,但是设置之后还是不行,导致内部掉线。。
wdom
2018-05-08 22:28:47 +08:00
感觉配置有点复杂,网上找了一个开源的 Holer,只需要配置一个 AccessKey 就搞定了

https://github.com/Wisdom-Projects/holer

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/248134

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX