Cisco router: how to let internal hosts reach an internal server via its public IP address

2016-01-04 11:39:50 +08:00
 trying
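Model: Cisco 2800 router

Current situation: there is a server mapped to public IP 120.*.*.14, port 86; its local IP is 10.37.10.14.

With the mapping in place, hosts outside can reach the server directly via the public IP 120.*.*.14:86, but hosts on the internal network can only reach it via the local IP 10.37.10.14:86.

How should I configure things so that internal users can access it directly via the public IP instead of the local IP?

In other words: 10.37.15.100 can reach 10.37.10.14:86 directly, but 10.37.15.100 cannot reach 120.*.*.14:86.

The current router configuration is as follows: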

2821-Router#show run
Building configuration...

Current configuration : 5021 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2821-Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$Chf0$4khQCf6Pxpd9WP2RNFiKf1
!
no aaa new-model
clock timezone bjt 8
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.37.15.253
ip dhcp excluded-address 10.37.15.254
!
ip dhcp pool septwolves
network 10.37.15.0 255.255.255.0
dns-server 218.85.157.99
default-router 10.37.15.253
!
!
no ip bootp server
no ip domain lookup
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
username chinaado privilege 15 secret 5 $1$aOkE$SkAsmmuE7Gx7yG.ijLdV/1
username vpn privilege 7 password 7 051D19017D554002
!
!
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key septwolves666 address 59.61.84.254
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set 100 esp-3des esp-md5-hmac
!
crypto map toxiamen 100 ipsec-isakmp
! Incomplete
set peer 59.61.84.254
set transform-set 100
match address 101
!
!
!
interface GigabitEthernet0/0
description Link Lan$FW_INSIDE$
ip address 10.37.10.254 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Link Internet$FW_OUTSIDE$
ip address 120.*.*.10 255.255.255.248 secondary
ip address 120.*.*.2 255.255.255.248
no ip redirects
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
crypto map toxiamen
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
peer default ip address pool vpnpool
keepalive 1800
ppp encrypt mppe auto
ppp authentication chap ms-chap
!
ip local pool vpnpool 172.16.100.2 172.16.100.200
ip route 0.0.0.0 0.0.0.0 120.*.*.1
ip route 10.37.0.0 255.255.0.0 10.37.10.253
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.37.10.14 86 120.*.*.14 86 extendable
!
ip access-list extended internet
deny ip 10.37.0.0 0.0.255.255 10.7.0.0 0.0.255.255
permit ip 10.37.0.0 0.0.255.255 any
!
access-list 120 deny ip 10.37.0.0 0.0.255.255 10.7.0.0 0.0.255.255
access-list 120 permit ip 10.37.0.0 0.0.255.255 any
route-map nonat permit 10
!
!
!
control-plane
!
!
!
line con 0
password 7 151B1F1F557A79760832512D5D04190E
line aux 0
line vty 0 4
password 7 030D4F18575F731A1E081D0A56110401
logging synchronous
login local
!
scheduler allocate 20000 1000
ntp clock-period 17179763
ntp server 192.5.41.41
!
end

2821-Router#
5 replies
jasontse
2016-01-04 11:42:29 +08:00
NAT Loopback
trying
2016-01-04 11:59:14 +08:00
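Yes, I had also concluded earlier that it was NAT loopback (hairpinning), but how should the commands be written? I've already tried many approaches...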
smallfount
2016-01-04 12:11:51 +08:00
trying
2016-01-04 12:59:04 +08:00
@smallfount I've looked at this one, but after applying it, it still doesn't work, and it caused internal hosts to drop offline...
wdom
2018-05-08 22:28:47 +08:00
The configuration seems a bit complicated. I found an open-source tool online, Holer, and only had to configure an AccessKey to get it working.

https://github.com/Wisdom-Projects/holer
