在Cisco1700系列上实现PPPOE+NAT

合集下载

在CISCO路由器上配置NAT功能（1）

在CISCO路由器上配置NA T功能随着internet的网络迅速发展，IP地址短缺已成为一个十分突出的问题。

为了解决这个问题，出现了多种解决方案。

下面几绍一种在目前网络环境中比较有效的方法即地址转换(NA T)功能。

一、NA T简介NA T(Network Address Translation)的功能，就是指在一个网络内部，根据需要可以随意自定义的IP地址，而不需要经过申请。

在网络内部，各计算机间通过内部的IP地址进行通讯。

而当内部的计算机要与外部internet网络进行通讯时，具有NA T功能的设备（比如：路由器）负责将其内部的IP地址转换为合法的I P地址（即经过申请的IP地址）进行通信。

二、NA T的应用环境情况1：一个企业不想让外部网络用户知道自己的网络内部结构，可以通过NA T将内部网络与外部Internet隔离开，则外部用户根本不知道通过NA T设置的内部I P地址。

情况2：一个企业申请的合法Internet IP地址很少，而内部网络用户很多。

可以通过NA T功能实现多个用户同时公用一个合法IP与外部Internet 进行通信。

三、设置NA T所需路由器的硬件配置和软件配置：设置NA T功能的路由器至少要有一个内部端口（Inside），一个外部端口（Outside）。

内部端口连接的网络用户使用的是内部IP地址。

一般来说内、外部端口可以为任意指定。

设置NA T功能的路由器的IOS应支持NA T功能(本文示例所用路由器为Ｃisco2811)。

四、关于NA T的几个概念：内部本地地址（Inside local address）：分配给内部网络中的计算机的内部IP地址。

内部合法地址（Inside global address）：对外进入IP通信时，代表一个或多个内部本地地址的合法IP地址。

需要申请才可取得的IP地址。

五、CISC O路由器NA T的设置方法：CISCO各种型号路由器NA T设置方法及命令基本相同。

Cisco系列路由器NAT配置详解-电脑资料

Cisco系列路由器NAT配置详解-电脑资料INTERNET共享资源的方式越来越多，就大多数而言，DDN专线以其性能稳定、扩充性好的优势成为普遍采用的方式，DDN方式的连接在硬件的需求上是简单的，仅需要一台路由器（router）、代理服务器(proxyserver)即可，但在系统的配置上对许多的网络管理人员来讲是一个比较棘手的问题，。

下面以CISCO路由器为例，笔者就几种比较成功的配置方法作以介绍，以供同行借鉴：一、直接通过路由器访问INTERNET资源的配置1.总体思路和设备连接方法一般情况下，单位内部的局域网都使用INTERNET上的保留地址：10.0.0.0/8：10.0.0.0～10.255.255.255172.16.0.0/12：172.16.0.0～172.31.255.255192.168.0.0/16：192.168.0.0～192.168.255.255在常规情况下，单位内部的工作站在直接利用路由对外访问时，会因工作站使用的是互联网上的保留地址，而被路由器过滤掉，从而导致无法访问互联网资源。

解决这一问题的办法是利用路由操作系统提供的NAT （Network AddressTranslation）地址转换功能，将内部网的私有地址转换成互联网上的合法地址，使得不具有合法IP地址的用户可以通过NAT访问到外部Internet。

这样做的好处是无需配备代理服务器，减少投资，还可以节约合法IP地址，并提高了内部网络的安全性。

NAT有两种类型：Single模式和global模式。

使用NAT的single模式，就像它的名字一样，可以将众多的本地局域网主机映射为一个Internet地址，电脑资料《Cisco系列路由器NAT配置详解》(https://www.)。

局域网内的所有主机对外部Internet网络而言，都被看做一个Internet用户。

本地局域网内的主机继续使用本地地址。

使用NAT的global模式，路由器的接口将众多的本地局域网主机映射为一定的Internet地址范围（IP地址池）。

CiscoPPPoE配置实例

CiscoPPPoE配置实例实验配置：1、ADSL PPPoE Client 配置第一种方法：用PC上创建PPPOE客户端。

第二种方法：用CISCO路由器的以太口进行PPPOE拨号：非固定IP配置模板：enconfit tvpdn enablevpdn-group pppoerequest-dialinprotocol pppoeexitexitinterface ethernet 0/0no ip addresspppoe enablepppoe-client dial-pool-number 1no shutdown //把接口打开exitinterface Dialer1ip address negotiatedip mtu 1492encapsulation pppppp pap sent-username walkbird password walkbird dialer pool 1ip router 0.0.0.0 0.0.0.0 dialer12、用cisco路由器做PPPoE Server端配置enconf thostname Adsl_walkbirdusername walkbird password walkbird vpdn enablevpdn-group pppoeaccept-dialinprotocol pppoevirtual-template 1exitexitinterface ethernet 0/0pppoe enableno shutdowninterface virtual-template 1mtu 1492 //PPP头部最大传输单元ip unnumbered loopback //借用地址peer default ip address pool pppoe_ip_pool encapsulation pppppp authentication papexitip local pool pppoe_ip_pool 11.11.11.10 11.11.11.100 interface lookback0ip address 1.1.1.1 255.255.255.0no shutdownexit三、实验测试sh ip routesh ip int briefdebug pppoe eventsh ip int dialer 1Cisco1841路由器连接ADSL modem的PPPoE配置案例一vpdn enableno vpdn logging!!interface Ethernet0/0ip address 192.168.0.1 255.255.255.0ip nat insideno ip mroute-cache!!!!interface Ethernet0/1no ip addresspppoe enablepppoe-client dial-pool-number 1!interface Dialer1ip address negotiatedip nat outsideip mtu 1492encapsulation pppno ip mroute-cachedialer pool 1dialer-group 1ppp authentication papppp pap sent-username *****************passwordxxxxxxxx!ip classlessno ip http server!dialer-list 1 protocol ip permitip nat inside source list 1 interface Dialer1 overloadip route 0.0.0.0 0.0.0.0 dialer1access-list 1 permit 192.168.0.0 0.0.0.255!line con 0exec-timeout 0 0transport input noneline vty 0 4login!end案例二经典思科1841ADSL的成功设置+DHCP的问题~！急~~！路由器下面的客户端全是XP。

思科路由器PPPOE+NAT设置

电信最近力推的 ADSL 是一种性能价格比较好的 Internet 接入方式，适用于只需访问 Internet，不需要对外提供服务(如 WWW, Mail 等)的场合。
ADSL 最常见的应用方式是用一台安装了 PPPoE 客户端软件的 PC 来拔号作代理服务器，让多台主机同时访问 Internet。有的时候该 PC 的任务也可以用路由器来完成，最低档的 2514 路由器就能胜任，只要路由器有两个以太端网口即可。当然，还需要有适当的 IOS 软件，同时支持 PPPoE Client 和 NAT 两个特性、需求最低的 IOS 是“REMOTE ACCESS SERVER”特性集。以 2621 为例,运行该 IOS 只需 32M 内存、8M Flash，文件名为：c2600-c-mz.122-4.T1.bin ，这就是下面配置的运行环境。
no cdp enable ppp authentication pap callin ppp pap sent-username abc123@163 password 7 ********** ! ip nat inside source list 1 interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 permanent no ip http server ip pim bidir-enable ! access-list 1 permit any dialer-list 1 protocol ip permit ! line con 0 line aux 0 line vty 0 4 password ***** login ! end 在下行速度为 2M 的 ADSL 线路上，F0/0 上接只一台 PC，用蚂蚁下载测试时，峰值速度竟超过 300K，不知道是不是蚂蚁有点夸大了。:-) 值得注意的是有的地区需要用 chap 认证方式，这时相应的指令为：

思科如何设置PPPOE

思科如何设置PPPOE思科如何设置PPPOEcisco公司制造的路由器、交换机和其他设备承载了全球80%的互联网通信，成为硅谷中新经济的传奇，那么你知道思科如何设置PPPOE吗?下面是店铺整理的一些关于思科如何设置PPPOE的相关资料，供你参考。

思科设置PPPOE的方法XXX#show runBuilding configuration…Current configuration : 6200 bytes!! Last configuration change at 15:13:00 UTC Tue Jan 21 2014 by anchnetversion 15.2service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname XXXX!boot-start-markerboot-end-marker!!logging buffered 51200 warnings!no aaa new-model!crypto pki trustpoint TP-self-signed-1543760446enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-1543760446 revocation-check nonersakeypair TP-self-signed-1543760446!ip cef!!!!!ip dhcp excluded-address 192.168.20.1!ip dhcp pool ccp-poolimport allnetwork 192.168.20.0 255.255.255.0default-router 192.168.20.1dns-server 8.8.8.8 4.4.4.4lease 0 2!!!no ip domain lookupip domain name no ipv6 cef!!!!!multilink bundle-name authenticated!!!!!!license udi pid CISCO891-K9 sn FGL172624VJ!!username XXX privilege 15 secret 4 XXXusername XXX privilege 15 secret 4 XXX!redundancy!!!!!!!!crypto ipsec transform-set ccie esp-3des esp-sha-hmac mode tunnel!!!crypto map 121 1 ipsec-isakmp! Incomplete!!!!!interface FastEthernet0 no ip address!interface FastEthernet1 no ip address!interface FastEthernet2 no ip address!interface FastEthernet3 no ip address!interface FastEthernet4 no ip address!interface FastEthernet5 no ip address!interface FastEthernet6 no ip address!interface FastEthernet7 no ip address!interface FastEthernet8 no ip addressduplex autospeed auto!interface GigabitEthernet0 description To_Linkno ip addressip nat outsideip virtual-reassembly induplex autospeed autopppoe enablepppoe-client dial-pool-number 1 crypto map 121!interface Vlan1description $ETH_LAN$ip address 192.168.20.1 255.255.255.0 ip nat insideip virtual-reassembly inip tcp adjust-mss 1452!interface Async1no ip addressencapsulation slip!interface Dialer1ip address negotiatedip mtu 1492ip nat outsideip virtual-reassembly inencapsulation pppdialer pool 1ppp pap sent-username XXX password 0 XXXno cdp enablecrypto map 121!ip forward-protocol ndip http serverip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000!!ip nat inside source list 101 interface Dialer1 overloadip route 0.0.0.0 0.0.0.0 Dialer1!ip sla auto discoveryaccess-list 100 permit ip 192.168.20.0 0.0.0.255 10.8.8.0 0.0.0.255access-list 101 deny ip 192.168.20.0 0.0.0.255 10.8.8.0 0.0.0.255access-list 101 permit ip 192.168.20.0 0.0.0.255 anyno cdp run!!!control-plane!!!!mgcp profile default!!!!!!line con 0login localline 1modem InOutspeed 115200 flowcontrol hardware line aux 0line vty 0 4privilege level 15login localtransport input telnet ssh line vty 5 15privilege level 15login localtransport input telnet ssh !!end。

双线路Cisco路由器配置pppoe拨号上网

环境描述：
公司原有的20M城域网光纤不能满足现在的需求了，公司决定购买中国电信的ADSL 100M光纤线路，所以路由器变成了，双线连接互联，有某些业务需要使用20M线路固定公网IP，公司内部员工默认使用100M光纤上网。
此配置适合两条ADSL线路上网，只需要把固定IP的换成ADSL配置
ip nat inside
exit
#固定IP地址
interface GigabitEthernet0/1
ip address 113.106.x.x 255.255.255.240 secondary
ip address 113.106.x.y 255.255.255.240 secondary
match interface g0/1
exit
#NAT上网（PAT配置）
ip nat inside source route-map LANTo100Nat int dia 1 overload
ip nat inside source route-map LANTo20Nat int g0/1 overload
route-map lantointernetacl permit 10
match ip address lanto100adsl-acl
set ip next-hop verify-availability #因为不是固定IP，所以用这个参数
exit
route-map lantointernetacl permit 20
match ip add adsl100-nat-acl
match interface dia 1
exit
no route-map LANTo20Nat permit 20

如何在cisco路由器上设置pppoe

一、配置VPDNRouter(config)#vpdn enable 启用路由器的虚拟专用拨号网络VPDNRouter(config)#vpdn-group {自定义组名} 建立一个VPDN组Router(config-vpdn)#request-dialin 定义呼叫Router(config-vpdn-req-in)#protocol L2TP 设置拨号协议为L2TP二、配置路由器连接ADSL Modem的接口Router(config)#interface fa0/1Router(config-if)#pppoe enable 允许以太接口运行PPPOE三、配置逻辑拨号接口Router(config)#interface dialer 1 建立一个虚拟拨号端口Router(config-if)#ip address negotiated 从ADSL服务商动态协商得到IP 地址Router(config-if)#ip nat outside 为该接口启用NAT转换Router(config-if)#encapsulation ppp 为该接口封装PPP协议Router(config-if)#dialer pool 1 为该接口使用1号拨号池进行拨号Router(config-if)#ppp authentication pap 启用PPP的PAP验证方式Router(config-if)#ppp pap sent-username XXX password YYY 使用已经申请的用户名和密码（ADSL帐号）四、配置内部网络接口Router(config)#interface fa0/0Router(config-if)#ip address 192.168.1.1 255.255.255.0Router(config-if)#ip nat inside 为该接口启用NAT转换五、配置路由器为内部网络主机提供DHCP服务Router(config)#ip dhcp pool {自定义池名} 创建DHCP地址池Router(dhcp-config)#dns-server A.B.C.D 指定DNS服务器或者Router(dhcp-config)#import all 或者从运营商获取DNS等信息Router(dhcp-config)#network 192.168.1.0 255.255.255.0Router(dhcp-config)#default-router 192.168.1.1六、配置NATRouter(config)#access-list 10 permit 192.168.1.0 0.0.0.255设置访问控制列表供NAT转换时过滤Router(config)#ip nat inside source list 10 interface dialer 1 overload 设置了NAT的转换方式七、配置缺省路由Router(config)#ip route 0.0.0.0 0.0.0.0 dialer 1。

cisco+pppoe拨号配置教程

CISCO上配置 PPPOE拨号r1(config)#vpdn enable 开启虚拟拨号VPDNr1(config)#vpdn-group pppoe 定义组名(pppoe)r1(config-vpdn)#request-dialin 这里是请求拨入r1(config-vpdn-req-in)#protocol pppoe 设置拨号协议为PPPOEr1(config)#in ethernet 0 进入E0端口r1(config-if)#half-duplex 半双工r1(config-if)#pppoe enable 使用PPPOEr1(config-if)#pppoe-client dial-pool-number 1 把该物理端口加入到拨号池1中r1(config-if)#bandwidth 640 宽带640r1(config-if)#no cdp enable 关闭CDP协议r1(config-if)#no shr1(config)#interface dialer 1 建立一个虚拟拨号端口r1(config-if)#bandwidth 640 宽带640r1(config-if)#ip address negotiated 由于局端提供动态地址r1(config-if)#ip mtu 1492 修改MTU值适用于ADSL网络，默认为1500，我们要修改为1452 r1(config-if)#ip tcp adjust-mss 1452 IP 的TCP调整r1(config-if)#ip nat outside 启用NAT转换，设置外网端口为外部网r1(config-if)#dialer pool 1 使用拨号池，因为ETH0加入到拨号池，实际使用ETH0 r1(config-if)#dialer idle-timeout 0 拨号闲置-超时0（保持连接）r1(config-if)#dialer hold-queue 100 断线了可以保持100个封包r1(config-if)#dialer persistent 拨号持久（上不了网就连线）r1(config-if)#dialer-group 1r1(config-if)#encapsulation PPp 使用PPP的帧格式r1(config-if)#PPp authentication pap chap callin 设置拨号的验证方式为PAP 和CHAPr1(config-if)#ppp pap sent-username sz123@163gd password 123 用户帐号和密码r1(config-if)#no cdp enable 不走CDPr1(config-if)#no ip mroute-cache 是关闭快速交换。

思科PPPOE方式上网怎么配置

思科PPPOE方式上网怎么配置cisco思科公司制造的路由器、交换机和其他设备承载了全球80%的互联网通信，成为了网络应用的成功实践者之一,那么你知道思科PPPOE方式上网怎么配置吗?下面是店铺整理的一些关于思科PPPOE 方式上网怎么配置的相关资料，供你参考。

思科PPPOE方式上网配置的方法现有客户需要使用思科的2600路由器上网，用户为10M光纤，申请了16个固定IP，ip为61.161.xxx.2-61.161.xxx.14,默认网关是61.161.xxx.1.内网ip段192.168.1.0,客户要实现192.168.1.50-192.168.1.60之间的ip可以上网，其余的不可以。

路由器e0/0接口为外网接口，e0/1为内网接口interface e0/0ip address 61.161.xxx.2 255.255.255.240 //这里可以使用61.161.xxx.2-14个地址中的任意一个，这里就用2ip nat outsidefull-duplexinterface e0/1ip address 192.168.1.1 255.255.255.0ip nat insidefull-duplexaccess-list 1 permit host 192.168.1.50access-list 1 permit host 192.168.1.51access-list 1 permit host 192.168.1.52access-list 1 permit host 192.168.1.53access-list 1 permit host 192.168.1.54access-list 1 permit host 192.168.1.55access-list 1 permit host 192.168.1.56access-list 1 permit host 192.168.1.57access-list 1 permit host 192.168.1.58access-list 1 permit host 192.168.1.59access-list 1 permit host 192.168.1.60ip nat pool intoout 61.161.xxx.2 61.161.xxx.2 netmask 255.255.255.240 //这里复用61.161.xxx.2的地址，也可以这样写：ip nat pool intoout 61.161.xxx.2 61.161.xxx.14 netmask 255.255.255.252 这样写之后，从地址池里选择任意可用的外网ip 转换。

CISCO 1700 系列说明书

·适应客户长期网络发展需要的安全的数据访问解决方案 ·支持 VPN 和宽带访问服务等数据应用 ·支持广泛的广域网服务，包括帧中继、专线、ADSL、G.SHDSL、ISDN BRI、
X.25、SMDS 等 ·以全 T1/E1 速度进行的硬件辅助 3DES VPN 加密 ·IEEE 802.1Q VLAN 支持
上海上海市淮海中路222号力宝广场32～33层邮编：200021 电话：(8621)33104777 传真：(8621)53966750
广州广州市天河北路233号中信广场43楼邮编：510620 电话：(8620)87007000 传真：(8620)38770077
成都成都市顺城大街308号冠城广场23层邮编：610017 电话：(8628)86758000 传真：(8628)86528999
·以全 T1/E1 速度进行的硬件辅助 3DES VPN 加密
Cisco 1711 Cisco 1712
·在利用宽带调制解调器连接到互联网时，将先进的路由和安全功能集成到一个设备中
·宽带连接的 ISDN 或模拟调制解调器备份 ·以全 T1/E1 速度进行的硬件辅助 3DES VPN 加密
Cisco 1721
特性
Cisco 1701
Cisco1710
Cisco1711
固定 LAN 端口（连接）
1 端口自检测 10/100Mbps
以太网
1 端口自检测 10/100Mbps
以太网
4 端口 10/100BaseT
交换机
固定 WAN
ADSL over POTS 端口
1 个用于宽带调制解调器的
10Base-T
32MB(缺省 / 最大）（缺省）：64MB（最大）

配置cisco1700路由器简易步骤

今天帮客户配置了一款cisco1700系列的路由器, 尽管路由器的档次比较低,但基本的配置与cisco2600cisco3600等差不多,只是它的处理能力比较弱,该路由器准备为70台电脑服务,并且外端没有任何像硬件防火墙的设备，客户还要求在路由器上做了NAT、DHCP、ACL等功能，我想这台路由器恐怕承受不了多久。

不过，我还是帮客户先做了，如果后期出现死机等问题，再想法解决。

下面我把我写的配置列出来，大家一块看一下：一、配置外网端口（100M）：（该口直接与一100M交换机相连）router(config)#int fa0router(config-if)#ip address X.X.X.X 255.255.255.224router(config-if)#no shutrouter(config-if)#exit二、配置内网端口(10M)：router(config)#int e0router(config-if)#ip address 192.168.1.1 255.255.255.0router(config-if)#no shutrouter(config-if)#exit三、配置默认路由:router(config)#ip route 0.0.0.0 0.0.0.0 X.X.X.X四、配置NAT：router(config)#ip nat pool NATP X.X.X.X X.X.X.X netmask 255.255.255.224router(config)#ip nat inside source list 7 pool NATP overloadrouter(config)#access-list 7 permit anyrouter(config)#int fa0router(config-if)#ip nat outsiderouter(config-if)#int e0router(config-if)#ip nat inside五、配置ACL:router(config)#access-list 103 deny tcp any any eq 6667router(config)#access-list 103 deny tcp any any eq 1434router(config)#access-list 103 deny tcp any any eq 135router(config)#access-list 103 deny udp any any eq 135router(config)#access-list 103 deny udp any any eq netbios-nsrouter(config)#access-list 103 deny udp any any eq netbios-dgmrouter(config)#access-list 103 deny tcp any any eq 139router(config)#access-list 103 deny udp any any eq netbios-ssrouter(config)#access-list 103 deny tcp any any eq 445router(config)#access-list 103 deny tcp any any eq 593router(config)#access-list 103 deny tcp any any eq 4444router(config)#access-list 103 deny tcp any any eq 707router(config)#access-list 103 deny 255 any anyrouter(config)#int fa0router(config-if)#ip access-group 103 inrouter(config-if)#exit六、配置DHCP：ip dhcp pool DHNnetwork 192.168.1.0 255.255.255.0 dns-server X.X.X.X X.X.X.Xdefault-router 192.168.1.1七、安全信息：router(config)#line vtp 0 4router(config-line)#loginrouter(config-line)#password ******** router(config-line)#exitrouter(config)#line console 0router(config-line)#loginrouter(config-line)#password ******** router(config-line)#exit大体上配置了这些吧，网络正常运行。

网工必知：（1）Cisco路由器PPPOE拨号配置与NAT简单上网配置

⽹⼯必知：（1）Cisco路由器PPPOE拨号配置与NAT简单上⽹配置1 实验拓扑与⽬标在⼯作中，很有可能遇到的外⽹接⼊⽅式就是ADSL拨号了，虽然看着简单，但是这⾥讲讲Cisco路由器上⾯的⼀些注意事项与配置。

2 配置与思路1、接⼝下调⽤PPPOE-clientRouter-pppoe_client(config)#interface e0/0//接外⽹接⼝Router-pppoe_client(config-if)#pppoe-client dial-pool-number 1Router-pppoe_client(config-if)#no shutdown2、PPPOE-client接⼝的配置1 Router-pppoe_client(config)#interface dialer 12 Router-pppoe_client(config-if)#encapsulation ppp3 Router-pppoe_client(config-if)#ip address negotiated在实际环境中，不清楚运营商那边使⽤的是PAP还是CHAP认证，如果只配置了⼀种可能导致拨号失败，这⾥给出⼀种⽅法，可以完美解决这个问题。

1 Router-pppoe_client(config-if)#ppp pap sent-username pppoe password 2 Router-pppoe_client(config-if)#ppp chap hostname pppoe3 Router-pppoe_client(config-if)#ppp chap password 然后输⼊pap跟chap两种⽅式，这样⽆论运营商是哪种都可以成功。

1 Router-pppoe_client(config-if)#ip mtu 14922 Router-pppoe_client(config-if)#ip tcp adjust-mss 14203 Router-pppoe_client(config-if)#dialer pool 1【跟接⼝输⼊的nmuber号⼀致】⾄此，ADSL的配置完毕了，如果帐号密码与接⼝没错的话，就可以获取到IP了。

NAT详解及CISCO路由器上的实现方法

NAT详解及CISCO路由器上的实现方法NAT（Network Address Translation）是一种网络协议，用于将私有IP地址转换为公共IP地址，以实现内部网络与外部网络的互联。

NAT的原理是通过在路由器或防火墙中进行IP地址转换，将内部网络的私有IP地址与公共IP地址进行映射。

这样，内部网络的用户可以通过公共IP地址访问互联网，而对外部网络来说，只能看到路由器的公共IP地址，无法直接访问内部网络的私有IP地址，从而提高了网络的安全性。

在CISCO路由器上，可以通过以下步骤实现NAT：1.确定内部网络和外部网络的接口：在CISCO路由器上，需要为内部和外部网络分配两个不同的接口。

内部网络通常是一个局域网，外部网络通常是连接到互联网的广域网接口。

2. 创建ACL（Access Control List）：创建一个ACL，用于定义需要进行NAT转换的内部网络地址范围。

3.创建NAT池：创建一个NAT池，用于分配公共IP地址给内部网络的私有IP地址。

4.创建NAT转换规则：设置NAT转换规则，将内部网络的私有IP地址映射到NAT池中的公共IP地址。

5.将ACL与NAT转换规则绑定：将ACL与NAT转换规则进行绑定，以确保只有满足ACL条件的数据包才会进行NAT转换。

6.应用配置：最后，将配置应用到路由器上，使其生效。

下面是一个详细的例子，展示如何在CISCO路由器上配置NAT：```interface GigabitEthernet0/0ip address 192.168.10.1 255.255.255.0ip nat insideinterface GigabitEthernet0/1ip address 203.0.113.1 255.255.255.0ip nat outsideaccess-list 1 permit 192.168.10.0 0.0.0.255ip nat pool NATPOOL 203.0.113.5 203.0.113.10 netmask255.255.255.0ip nat inside source list 1 pool NATPOOL overload```在上述配置中，GigabitEthernet0/0接口为内部网络接口，GigabitEthernet0/1接口为外部网络接口。

Cisco Aironet 1700 系列接入点

产品手册Cisco Aironet 1700 系列接入点产品概述如果您运营的是小型或中型企业网络，您可以以极具吸引力的价格部署 Cisco ® Aironet ® 1700 接入点，享受最新的 802.11ac Wi-Fi 技术。

通过提供比 802.11n 更出色的性能和关键射频管理功能以提高无线体验，Aironet 1700 系列可满足无线网络日益增多的要求。

1700 系列支持 802.11ac Wave 1 标准功能。

这包括理论上高达 867 Mbps 的连接速度。

增加的吞吐量可让您始终领先于各种不断增长的带宽要求，自如应对以下趋势：● 有更多无线客户端与网络关联 ● 用户开始使用带宽密集型多媒体应用 ●移动员工使用多个 Wi-Fi 设备的情况越来越多功能和优势1700 系列接入点继承了 Cisco Aironet 一贯的出色射频性能，将专门设计的创新芯片集与业内最佳的射频架构集于一身。

1700 系列是思科支持 802.11ac 的 Aironet 系列旗舰接入点中的一员，该系列能提供强大的移动体验。

表 1 列出了一些 1700 AP 的功能和优势。

表 1.主要功能，以及对您有何好处产品规格表 2 列出了 Cisco Aironet 1700 系列无线接入点的规格。

表 2.产品规格1 MCS 指数：调制和编码方案 (MCS) 指数确定空间流的数量、调制、编码率以及数据速率值。

2 GI：信号之间的保护间隔 (GI) 帮助接收器克服多路径延迟的影响。

3 MCS 指数：调制和编码方案 (MCS) 指数确定空间流的数量、调制、编码率以及数据速率值。

4 GI：信号之间的保护间隔 (GI) 帮助接收器克服多路径延迟的影响。

5 MCS 指数：调制和编码方案 (MCS) 指数确定空间流的数量、调制、编码率以及数据速率值。

有限终身硬件保修Cisco Aironet 1700 系列接入点享受有限终身保修，只要最初的终端用户一直拥有或使用本产品，即可享受全方位的硬件保修服务。

cisco路由器nat配置

NAT配置NA T配置在讨论NAT配置之前,来看一看目前我们介入Internet所遇到的地址分配问题.由于Internet 用户数目迅速膨胀,因此,地址分配越来越紧张,绝大多数需要接入Internet的企业网络往往会遇到这种情况:只申请到十几个或几十个合法IP地址,但是他们的网络用户却有几百个.为了解决Internet IP地址紧张的问题,出现了几种解决办法,NAT(Network Address Translation)即地址转换是其中的一种解决办法,而且已经被广泛使用.所谓的NAT是首先在RFC 1631中定义的,根据某种策略改变IP数据包报头及应用数据流中的源地址或目的地址的一种技术.一.采用NAT的好处•可以实现私用地址(即为进行过登记的IP地址)和合法IP地址之间的转换,不需要大量的合法IP地址•可以实现地址复用,即多个地址转换为同一个地址•通过NAT技术可以屏蔽网络内部的IP地址,增加网络的安全性二.NAT 应用NAT 有以下几种主要的应用1.连接公用IP网络,如Internet,通过NAT可以将转发到公用网络的IP数据包的本地私用IP源地址转换为合法的IP源地址,并且可以通过地址复用节省大量合法IP地址同时屏蔽私用网络2.在进行网络改造时,为了避免改变原有的IP地址分配,采用NAT技术,减少工作量3.通过一个全局IP地址与多个本地地址的对应,采用NAT 技术,实现TCP负载均衡三.关于Cisco 路由器上NAT的几个术语NAT内部端口(Inside Interface)连接内部网络的路由器物理或逻辑的启用了IP协议栈端口NAT外部端口(Outside Interface)连接外部网络,通常为公用IP网络如Internet,路由器的物理或逻辑的启用了IP协议栈端口内部本地地址(Inside local address)内部网络分配给特定用户计算机的内部私用IP地址,该地址很可能为没有在ISP或Internet 管理部门的IP地址.内部全局地址(Inside global address)在Internet管理部门或ISP登记的合法IP地址,该地址代表一个或多个内部本地地址,对于外部连接到同一个IP公用网络的用户来说,他们只能访问到该合法IP地址,即内部全局地址.外部本地地址(Outside local address)在内部网络用户看来的进入到内部网络的外部网络用户的IP 地址.该地址不必为合法IP 地址外部全局地址(Outside global address)在Internet 或ISP 公用网络上所看到的外部网络用户的IP 地址这里我们举例来说明这几个术语这里,路由器的e0端口连接内部网络,为内部端口;S0连接外部的Internet,为外部端口.PC1为内部网络的一台计算机,它的内部本地地址为1.1.1.10,没有在Internet 管理部门登记,PC1与内部网络其他计算机进行通信时,使用10.1.1.10.在Internet 上有一个计算机PC2,它的IP 地址为合法IP 地址,即已经在Internet 管理部门登记了的IP 地址,该地址在内部网络用户PC1看来为PC2的外部全局地址.如果不采用NAT 技术,PC1如何与外界通信呢?通信是建立不起来的,一般情况下,PC1可以将数据包发往外部网络,但是,外部网络无法将数据包发送回1.1.1.10,因为,PC1采用非法IP 地址,外部网络将数据包发送到了合法的拥有1.1.1.10的计算机上,(如果它开机的话).这里,采用NAT 技术,当PC1与外部网络进行数据通信时,路由器R1将用合法IP 地址192.1.1.10替换数据包中的源地址1.1.1.10,然后将数据包转发出去,而外部网络只能看到192.1.1.10为PC1的合法IP 地址.这里192.1.1.10为PC1的内部全局地址.我们再看一下PC2如何与PC1通信,如果不采用NAT 技术,他们根本无法通信,因为,一般情况下,由于PC1的内部本地地址与PC2的外部全局地址在同一网段,因此,PC1不会将数据包转发到路由器R1上,因此,在路由器R1上采用NAT 技术,将进入到内部网的数据包的PC2的外部全局地址转换为10.1.1.100,则10.1.1.100为PC2的外部本地地址,由PC1返回到PC2的数据经过路由器R1时,R1会将10.1.1.100转换回1.1.1.100,再转发出去.四.以上例子向我们提出了一个问题,即地址冲突问题,原则上,内部网络可以用IP 协议中规定的任何有效的IP 地址,但是采用与合法IP 地址重复的IP 地址,将增加很多不必要的麻烦,因此,建议采用以下网段进行内部网络地址分配,这些网段已经在RFC 1981规定,在Internet 上无人使用的IP 网段A 类 10.0.0.0-10.255.255.255B 类172.16.0.0-172.31.255.255C类192.168.0.0-192.168.255.255 五.Cisco路由器NAT所支持的应用类型:六.支持NAT的IOS及Cisco产品情况七.NAT 的主要配置方法:1 静态地址转换将指定好的内部或外部本地地址与内部或外部全局地址进行一对一的明确转换.该种方法主要用在内部网络有对外提供服务的服务器,如邮件服务器.但是该种办法不会节省合法IP地址空间,如果某个合法IP地址已经被NAT静态地址转换定义,即使该地址没有被使用,也不能被用作其他的地址转换2 动态地址转换将内部本地地址动态地转换为在一段地址池的某一个未被用过的内部全局地址,该地址为由未被使用的地址组成的地址池中在定义时排在最前面的一个,在数据传输完毕,路由器将把使用完的内部全局地址放回地址池中,以供其他内部本地地址进行转换,但在该地址在使用时,不能使用该地址进行再一次转换3 端口地址转换(PAT)所谓的端口地址转换,从功能上说通过它可以实现多个不同本地地址或具有相同本地地址但具有不同应用端口号的通信进程同时使用一个地址进行转换进行同时通信.Cisco 路由器可以实现大约同时4000个PAT转换4 基于路由图(ROUTE-MAP)的NAT配置八.NAT具体配置步骤1 在端口配置状态下,定义内部端口ip nat inside2 在端口配置状态下,定义外部端口ip nat outside3 定义NAT策略哪些内部本地地址需要转换转换成哪些内部全局地址哪些外部全局地址需要转换转换成哪些外部本地地址所有NAT配置方法都有相同的步骤1和2,只有在定义NAT策略时不同.下面分别举例介绍几种NAT的配置方法:1 静态NAT地址转换配置如下图,其中在R3上有2个loopback端口,地址分别为loopback0:10.1.2.1/32,loopback1:10.1.2.2/32R2作为外部网络的路由器,R1的E0连接内部网络,要求将地址10.1.1.10静态转换为192.1.1.10,10.1.1.212静态转换为192.1.1.212,10.1.2.1静态转换为192.1.3.1,10.1.2.2静态转换为1.1静态地址转换策略定义步骤在全局配置状态下ip nat inside source static 内部本地地址内部全局地址ip nat 关键字inside 关键字,表示对内部地址进行转换source 关键字,表示对源地址进行转换static 关键字,表示进行静态转换1.2 R1具体配置version 11.3!hostname R1ip nat inside source static 10.1.2.2 192.1.3.2!定义将10.1.2.2静态转换为192.1.3.2ip nat inside source static 10.1.2.1 192.1.3.1!定义将10.1.2.1静态转换为192.1.3.1ip nat inside source static 10.1.1.10 192.1.1.100!定义将10.1.1.10静态转换为192.1.1.100ip nat inside source static 10.1.1.212 192.1.1.212!定义将10.1.1.212静态转换为192.1.1.212interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!定义该端口为内部端口interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outside!定义该端口为外部端口clockrate 2000000!ip classlessip route 10.1.2.0 255.255.255.0 10.1.1.10!定义指向10.1.2.0网段的静态路由ip route 192.1.0.0 255.255.0.0 192.1.1.2!定义指向192.1.0.0网段的静态路由,该路由为聚合路由R3的具体配置version 11.3!hostname R3!interface Loopback0ip address 10.1.2.1 255.255.255.255!定义该端口,主要是模拟一台IP地址为10.1.2.1的计算机interface Loopback1ip address 10.1.2.2 255.255.255.255!interface Ethernet0ip address 10.1.1.10 255.255.255.0ip classlessip route 0.0.0.0 0.0.0.0 10.1.1.1!定义缺省路由,将所有去到其他网段的数据包均转发给10.1.1.1R2的具体配置version 11.3hostname R2!interface Loopback0ip address 192.1.2.1 255.255.255.0!interface Serial0ip address 192.1.1.2 255.255.255.0ip classlessip route 192.1.3.0 255.255.255.0 192.1.1.1!定义指向192.1.3.0网段的静态路由,指向192.1.1.1即R1,在定义NAT时,需要有指向NAT转换后!的地址的路由1.3检查手段:1 我们首先可以采用show命令进行检查是否NAT定义正确采用show ip nat translations verbose可以看到当前正在进行的NAT的具体情况R1#show ip nat translations verbosePro Inside global Inside local Outside local Outside global (内部全局地址) (内部本地地址) (外部本地地址) (外部全局地址) --- 192.1.1.100 10.1.1.10 --- ---(表示没有转换)create 00:42:43, use 00:01:53, flags: static表示建立了多长时间,已经累计用了多长时间,flag后为转换类型,此处表示为静态转换--- 192.1.1.212 10.1.1.212 --- --- create 00:42:43, use 00:42:43, flags: static--- 192.1.3.1 10.1.2.1 --- --- create 00:31:47, use 00:31:47, flags: static--- 192.1.3.2 10.1.2.2 --- --- create 00:31:29, use 00:31:29, flags: static采用show ip nat statistics可以检查NAT运行情况R1#show ip nat statisticsTotal active translations: 4 (4 static, 0 dynamic; 0 extended)!表示共有4个激活的地址转换,4个静态转换,0个动态转换,0个扩展的转换Outside interfaces:Serial0!表示外部端口为Serial0Inside interfaces:Ethernet0!表示内部端口为Ethernet0Hits: 264 Misses: 0!表示共有264次转换成功,0次失败Expired translations: 0Dynamic mappings:2 我们也可以采用debug命令实时监控NAT工作情况R1#debug ip nat detailedIP NAT detailed debugging is on我们在R3上采用扩展的PING,从10.1.2.1 PING 192.1.1.1R3#pingProtocol [ip]:Target IP address: 192.1.1.1Repeat count [5]: 100000Datagram size [100]: 1000Timeout in seconds [2]:Extended commands [n]: ySource address or interface: 10.1.2.1R1#debug ip nat detailed04:32:47: NAT: i: icmp (10.1.2.1, 14883) -> (192.1.1.1, 14883) [13036]!R1在Ethernet 0端口接收从10.1.1.10转发过来的IP数据包,源地址为10.1.2.1,目的地址!为192.1.1.1,数据包为ICMP类型,PING由ICMP ECHO 及ECHO-REPLY 类型实现04:32:47: NAT: o: icmp (192.1.1.1, 14883) -> (192.1.3.1, 14883) [13036]!R1将10.1.2.1静态转换为192.1.3.1,因此,192.1.1.1发送的ECHO-REPLY数据包的目的地址!为192.1.3.11.4 这里,我们在R1,R2,R3上采用静态路由,也可以采用动态路由,但是需要注意一个问题:因为采用了NAT地址转换,内部本地地址对外部网络来说是不可见的,在绝大多数情况下,内部本地地址为非法地址,因此,内部本地地址不能广播到外部网络中,因此需要采用路由过滤.如上面的配置改成动态路由,不只是静态NAT,所有NAT转换都会碰到这个问题.采用NAT的路由器的路由广播基于以下原则,对于需要转换的内部本地地址,禁止广播出去,对于不需要转换的地址且这些地址需要与外部网络进行通信,外部网络需要知道到达这些地址的路由,即如果用动态路由,需要将这些地址网段广播出去.R1的配置如下version 11.3hostname R1!ip nat inside source static 10.1.2.2 192.1.3.2ip nat inside source static 10.1.2.1 192.1.3.1ip nat inside source static 10.1.1.10 192.1.1.100ip nat inside source static 10.1.1.212 192.1.1.212!interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outsideclockrate 2000000!router ripredistribute static!将ip route 192.1.3.0 255.255.255.0 Null0定义的静态路由重定向到RIP中并由RIP广播出去,!由于RIP只把从其他路由器学到的路由及正常工作的物理及逻辑端口的IP网段广播出去,RIP不会!把没有端口的192.1.3.0这个网段加到路由表中广播出去,因此,采用重定向技术,将静态路由加!入到RIP路由表中network 10.0.0.0network 192.1.1.0distribute-list 1 out!引用包过滤规则1,对于目的地址网段符合包过滤规则1的路由,将禁止广播出去distribute-list 1 in! 引用包过滤规则1,对于接收道德目的地址网段符合包过滤规则1的路由,将删掉ip classlessip route 192.1.3.0 255.255.255.0 Null0!该静态路由将下一跳地址指向Null0端口,表示对于发往192.1.3.0网段的数据包,本路由器将丢掉!其实,该路由并无实际路由作用,它只是指明有192.1.3.0这个网段,以供RIP广播出去.该路由器!接收到去192.1.3.0网段的数据包,首先要进行NAT转换,然后才进行路由查找.access-list 1 deny 10.0.0.0access-list 1 permit any!定义包过滤表1,表示10.0.0.0网段将丢掉,其他网段允许通过,该过滤表供RIP过滤使用1.5 静态地址转换适用环境●当与IP公用网进行连接时,有需要对外部网络提供服务的计算机,而且该计算机放在内部网络中,必须采用静态地址转换●需要针对于IP地址进行记费2 动态地址转换具体配置具体配置步骤地址转换策略配置步骤2.1 在全局配置状态下,定义标准包过滤,包过滤表中包含有允许进行地址转换的内部本地地址access-list 包过滤序号[permit|deny] 内部本地地址集合2.2 在全局配置状态下,定义内部全局地址所组成的地址池ip nat pool 地址池名字字符串起始IP地址终止IP地址netmask 子网掩码ip nat pool 关键字netmask 关键字2.3 在全局配置状态下,将包过滤定义的内部本地地址与由内部全局地址组成的地址池相关连,表示按照定义的先后顺序将内部本地地址依次与内部本地地址进行一一映射,进行地址转换ip nat inside source list 由2.1.1步骤定义的包过滤序号pool 由2.1.2定义的地址池名字字符串ip nat inside source list 关键字pool 关键字我们仍然采用静态地址例子的拓扑结构,并且要求将内部本地地址10.1.2.1/24,10.1.2.2/24采用动态一对一地址转换方法转换到192.1.3.1/24,这样做,主要为了观察该种NAT转换的特点具体配置实例R1的具体配置version 11.3!hostname R1!ip nat pool test 192.1.3.1 192.1.3.1 netmask 255.255.255.0!定义内部全局地址池从192.1.3.1到192.1.3.1,子网掩码为24位,地址池的名字位testip nat inside source list 2 pool test!将由包过滤2定义的内部本地地址池依次与test地址池中的地址进行一一映射,进行转换ip nat inside source static 10.1.1.212 192.1.1.212ip nat inside source static 10.1.1.10 192.1.1.100!interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outsideclockrate 2000000!router ripredistribute staticnetwork 10.0.0.0network 192.1.1.0distribute-list 1 out Serial0distribute-list 1 in Serial0!ip classlessip route 192.1.3.0 255.255.255.0 Null0!access-list 1 deny 10.0.0.0access-list 1 permit anyaccess-list 2 permit 10.1.2.1 0.0.0.0access-list 2 permit host 10.1.2.2!定义包过滤规则2,允许10.1.2.1/24,10.1.2.2地址,其他均拒绝,该过滤规则提供给NAT转换用! access-list 2 permit 10.1.2.1 0.0.0.0完全等效与access-list 2 permit host 10.1.2.1检查手段:首先,采用sho ip nat translations verbose命令R1#sho ip nat translations verbosePro Inside global Inside local Outside local Outside global--- 192.1.1.100 10.1.1.10 --- ---create 00:34:54, use 00:34:54, flags: static--- 192.1.1.212 10.1.1.212 --- ---create 00:34:54, use 00:34:54, flags: static我们发现没有动态的地址转换的列表,因为,该命令只显示当前正在正在转换的地址列表,静态转换定义好后转换就会始终起作用,但是动态转换只有有数据包穿过NAT内外端口且需要转换时才进行转换.我们在R3上同时采用扩展的ping,从10.1.2.1 ping 192.1.1.2,从10.1.2.2 ping 192.1.1.2我们会发现,如果10.1.2.1转换为192.1.3.1,10.1.2.2就无法进行转换,只有在10.1.2.1数据传输完毕一段时间后,R1才释放192.1.3.1,10.1.2.2才能转换到192.1.3.1,反之亦然.因此,这种转换方法内部本地地址与内部全局地址之间是一一映射的,内部本地地址以定义的先后顺序与内部全局地址进行转换,如果所有内部全局地址正在使用,需要进行转换的内部本地地址只有等待有内部全局地址释放出来.路由器如何确定在内部本地地址传输完数据后到释放内部全局地址的时间间隔呢?我们可以通过设置参数进行控制.在全局配置状态下,定义在内部本地地址传输完数据后到释放内部全局地址的时间间隔.R1(config)#ip nat translation timeout 时间间隔参数(单位秒)ip nat translation timeout 关键字,其后可以跟两种参数ip nat translation timeout ?<0-2147483647> Timeout in secondsnever Never timeout如果,采用never参数,则如果一对内部本地地址与内部全局地址转换成功,则该转换永远有效,除非路由器关掉电源或强行删除该地址转换.这个参数很少使用,也不建议使用.现在,我们看一下正在工作的地址转换列表R1#sho ip nat translationsPro Inside global Inside local Outside local Outside global--- 192.1.1.100 10.1.1.10 --- ------ 192.1.1.212 10.1.1.212 --- ------ 192.1.3.1 10.1.2.1 --- ---我们也可以强行删除正在工作的动态生成的地址转换列表在超级权限状态下,删除所有正在工作的动态生成的地址转换列表R1#clear ip nat translation *clear ip nat translation 关键字* 表示所有动态生成的地址转换列表我们再来看一下正在工作的地址转换列表R1#sho ip nat translationsPro Inside global Inside local Outside local Outside global--- 192.1.1.100 10.1.1.10 --- ------ 192.1.1.212 10.1.1.212 --- ---静态地址转换列表无法用clear命令删除,只能通过删除静态地址转换配置删除.我们也可以将关于地址转换的统计数字清零,以便进行重新计数在超级权限状态下, 将关于地址转换的统计数字清零,以便进行重新计数R1#clear ip nat statistics适用环境内部全局地址多于或等于内部本地地址内部全局地址少于内部本地地址,但是,同时访问外部网络的内部本地地址数目在绝大多数情况下少于内部全局地址2.2 PAT地址转换配置PAT(端口地址转换)是一种扩展的地址转换,路由器将通过纪录地址,应用端口等唯一标识一个转换,通过这种转换可以使多个内部本地地址同时与同一个内部全局地址进行转换同时对外部网网络进行访问.PAT有两种配置方法方法一PAT地址转换策略配置1 在全局配置状态下,定义标准包过滤,包过滤表中包含有允许进行地址转换的内部本地地址access-list 包过滤序号[permit|deny] 内部本地地址集合2 在全局配置状态下,定义内部全局地址所组成的地址池ip nat pool 地址池名字字符串起始IP地址终止IP地址netmask 子网掩码ip nat pool 关键字netmask 关键字其中起始IP地址与终止IP地址应为同一个IP地址,终止IP地址也可以大于起始IP地址,但是路由器只使用第一个IP地址进行PAT转换.3 在全局配置状态下,将包过滤定义的内部本地地址与由内部全局地址相关连,进行PAT地址转换ip nat inside source list 由步骤1定义的包过滤序号pool 由步骤2定义的地址池名字字符串overloadip nat inside source list 关键字pool 关键字overload 关键字,表示PAT地址转换.这种PAT地址转换与动态一对一地址转换配置步骤唯一的区别就是这个参数.我们仍然采用静态地址例子的拓扑结构,并且要求将内部本地地址10.1.2.1/24,10.1.2.2/24,10.1.2.3/24采用动态一对多地址转换方法转换到192.1.3.1/24.在R3上添加一个loopback端口,地址为10.1.2.3/32这样做,主要为了观察该种NAT转换的特点具体配置实例version 11.3hostname R1!ip nat translation timeout 10ip nat pool test 192.1.3.1 192.1.3.2 netmask 255.255.255.0!这里起始IP地址与终止IP地址并不是一个,好像可以用两个内部全局地址进行转换,其实路由器只!使用192.1.3.1进行转换,并不使用192.1.3.2,因此,建议两个地址为同一个地址ip nat inside source list 2 pool test overload!将由list 2定义的内部本地地址范围与由test定义的内部全局地址进PAT转换ip nat inside source static 10.1.1.10 192.1.1.100ip nat inside source static 10.1.1.212 192.1.1.212!interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outsideclockrate 2000000!router ripredistribute staticnetwork 10.0.0.0network 192.1.1.0distribute-list 1 out Serial0distribute-list 1 in Serial0!ip classlessip route 192.1.3.0 255.255.255.0 Null0!access-list 1 deny 10.0.0.0access-list 1 permit anyaccess-list 2 permit 10.1.2.1access-list 2 permit 10.1.2.3access-list 2 permit 10.1.2.2检查手段R1#sho ip nat traslationsPro Inside global Inside local Outside local Outside global--- 192.1.1.100 10.1.1.10 --- ------ 192.1.1.212 10.1.1.212 --- ---icmp 192.1.3.1:6631 10.1.2.2:6631 192.1.1.2:6631 192.1.1.2:6631icmp 192.1.3.1:5973 10.1.2.1:5876 192.1.1.2:5876 192.1.1.2:5973icmp 192.1.3.1:8537 10.1.2.3:8537 192.1.1.2:8537 192.1.1.2:8537icmp 192.1.3.1:6630 10.1.2.2:6630 192.1.1.2:6630 192.1.1.2:6630icmp 192.1.3.1:5972 10.1.2.1:5875 192.1.1.2:5875 192.1.1.2:5972这里我们可以看到我们虽然定义了192.1.3.1,192.1.3.2两个内部全局地址,但是路由器只使用192.1.3.1一个地址进行转换. icmp 192.1.3.1:6631,冒号后应用端口号适用环境:NAT内外部端口,均有独立的IP地址,并且有专门的IP地址用来进行PAT转换.NAT内外部端口,均有独立的IP地址,没有专门的IP地址用来进行PAT转换.所有内部用户需要同时访问外部网络,并且内部本地地址远远多于内部全局地址.方法二:1 在全局配置状态下,定义标准包过滤,包过滤表中包含有允许进行地址转换的内部本地地址access-list 包过滤序号[permit|deny] 内部本地地址集合2 在全局配置状态下,将包过滤定义的内部本地地址与由NAT外部端口相关连,,进行地址转换ip nat inside source list 由步骤1定义的内部本地地址集合interface 端口号overload具体配置实例version 11.3!hostname R1!ip nat inside source list 2 interface Serial0 overload!表示将包过滤规则2定义的内部本地地址集合,转换为Serial0的IP地址,允许多个内部本地地址!同时转换为Serial 0的地址ip nat inside source static 10.1.1.212 192.1.1.212ip nat inside source static 10.1.1.10 192.1.1.100!interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outsideclockrate 2000000!router ripredistribute staticnetwork 10.0.0.0network 192.1.1.0distribute-list 1 out Serial0distribute-list 1 in Serial0!ip classlessip route 192.1.3.0 255.255.255.0 Null0!access-list 1 deny 10.0.0.0access-list 1 permit anyaccess-list 2 permit 10.1.2.1access-list 2 permit 10.1.2.3access-list 2 permit 10.1.2.2检查手段R1#sho ip nat translations verbosePro Inside global Inside local Outside local Outside globalicmp 192.1.1.1:12245 10.1.2.1:12245 192.1.1.2:12245 192.1.1.2:12245 create 00:00:00, use 00:00:00, left 00:00:59, flags: extendedicmp 192.1.1.1:7850 10.1.2.2:7850 192.1.1.2:7850 192.1.1.2:7850 create 00:00:00, use 00:00:00, left 00:00:59, flags: extended这里,我们可以看到PAT转换的详细资料.Flag:extended,表示扩展的NAT转换,所谓的扩展NAT,是指路由器在转换过程中,不但纪录内部本地地址,内部全局地址,外部本地地址,外部全局地址,而且纪录它们相应的应用段口号,以便唯一识别每一个转换.再看下一个例子,如果内部网络有多个出口去到外部网络,我们需要到达某些外部网络的内部本地地址转换为一个端口地址,而到达另外一些外部网络转换为另一个端口地址,我们可以通过配置多个PAT 来解决本例要求,10.1.2.1,10.1.2.2到达192.1.2.0/24网段的数据包,转换为192.1.1.1,通过Serial 0转发出去,而它们到达192.1.3.0/24网段的数据包,转换为192.1.10.1,通过Serial 1转发出去.具体配置实例 version 11.3 !hostname R1 !ip nat translation timeout 240!将NAT 转换保存时间变为240秒,主要为了能够有足够的时间抓取转换列表的内容 ip nat inside source list 102 interface Serial0 overload!符合包过滤102的内部本地地址采用PAT 地址转换为Serial0的IP 地址, 这里采用扩展的包过滤, !只有源地址,目的地址甚至段口号全部符合的内部本地地址才进行转换,而且进行完全扩展转换, !即纪录内部本地地址,内部全局地址,外部本地地址,外部全局地址和相应的端口号 ip nat inside source list 103 interface Serial1 overload!符合包过滤103的内部本地地址采用PAT 地址转换为Serial1的IP 地址 ip nat inside source static 10.1.1.212 192.1.1.212 ip nat inside source static 10.1.1.10 192.1.1.100 !interface Ethernet0ip address 10.1.1.1 255.255.255.0 ip nat inside !interface Serial0ip address 192.1.1.1 255.255.255.0 ip nat outside clockrate 2000000 !interface Serial1ip address 192.1.10.1 255.255.255.0R4 loopback0 192.1.3.1/24R2ip nat outsideclockrate 2000000!router ripnetwork 10.0.0.0network 192.1.1.0network 192.1.10.0distribute-list 1 outdistribute-list 1 in!ip classless!access-list 1 deny 10.0.0.0access-list 1 permit anyaccess-list 102 permit ip host 10.1.2.1 192.1.2.0 0.0.0.255access-list 102 permit ip host 10.1.2.2 192.1.2.0 0.0.0.255!定义扩展的包过滤规则102以供PAT转换使用,允许从10.1.2.1及10.1.2.2到192.1.2.0的数据包,其!他拒绝access-list 103 permit ip host 10.1.2.1 192.1.3.0 0.0.0.255access-list 103 permit ip host 10.1.2.2 192.1.3.0 0.0.0.255!这里必须如果采用标准的包过滤,路由器在转换之前按照扩展包过滤的所有定义的选项,如源地址即内部本地地址,目的地址,即外部本地地址,应用端口号依次搜索转换列表中是否有符合的转换.比!如,如果采用标准的包过滤,从10.1.2.1到192.1.3.1及10.1.2.1到192.1.2.1的数据流无法区分出来!,如果已经有了对于10.1.2.1的转换,由于转换纪录只保存内部本地地址与内部全局地址的映射如!下,这时从10.1.2.1到外部网络不同地点又有数据流,则路由器只检查内部本地地址是否在转换列!表中存在,如果存在依然采用该转换Pro Inside global Inside local Outside local Outside global--- 192.1.3.1 10.1.2.1 --- ---!这里需要说明一点,在动态地址转换中即使采用扩展的包过滤,路由器也只检查源地址即内部本!地地址部分检查手段R1#sho ip nat translations verbosePro Inside global Inside local Outside local Outside globalicmp 192.1.10.1:4724 10.1.2.2:4724 192.1.3.1:4724 192.1.3.1:4724 create 00:00:05, use 00:00:05, left 00:00:54, flags: extendedicmp 192.1.10.1:1250 10.1.2.1:1250 192.1.3.1:1250 192.1.3.1:1250 create 00:00:36, use 00:00:36, left 00:00:23, flags: extendedicmp 192.1.1.1:2603 10.1.2.2:2603 192.1.2.1:2603 192.1.2.1:2603 create 00:00:21, use 00:00:21, left 00:00:38, flags: extendedicmp 192.1.1.1:1245 10.1.2.1:1245 192.1.2.1:1245 192.1.2.1:1245 create 00:00:53, use 00:00:53, left 00:00:06, flags: extended适用环境NAT内外部端口具有独立的IP地址,无额外的内部全局地址供转换所有内部用户需要同时访问外部网络,并且内部本地地址远远多于内部全局地址.4 基于路由图(ROUTE-MAP)的NAT配置我们知道动态的地址转换的缺陷在于他只能使用标准的包过滤检查源地址即内部本地地址以下场合,动态地址转换并不适合使用●内部网络有多个NAT外部端口,而且同一个内部本地地址从不同的NAT外部端口出去,需要转换为不同的内部全局地址●同一个内部本地地址针对于不同的应用, 需要转换为不同的内部全局地址通过采用基于路由图(ROUTE-MAP)的NAT配置可以解决这个问题,因为这种地址转换方法采用的是完全扩展的地址转换.基于路由图(ROUTE-MAP)的NAT的策略配置●定义扩展包过滤规则,确定符合条件的内部本地地址集合●定义路由图,引用扩展包过滤规则, 确定符合条件的内部本地地址集合在全局配置状态下,route-map 路由图名字字符串[permit|deny] 序列号route-map 关键字match ip address 扩展的包过滤规则match ip address 关键字,检查数据包是否符合扩展的包过滤规则●符合路由图的内部本地地址采用PAT转换或地址池转换采用PAT转换,这种方法与以上介绍的PAT转换效果完全一致.在全局配置状态下ip nat inside source route-map 路由图名字字符串interface 端口号overloadip nat inside source route-map 关键字interface 关键字overload 关键字地址池转换ip nat inside source route-map 路由图名字字符串pool 地址池名字ip nat inside source route-map 关键字pool 关键字配置实例1如图,要求10.1.2.1,10.1.2.2,10.1.2.3到达192.1.2.0/24网段,转换为192.1.1.100至192.1.1.101,它们到达192.1.3.0/24网段时,转换为192.1.10.100至192.1.10.101具体配置实例!version 11.3!hostname R1!ip nat translation timeout 10ip nat pool t0 192.1.1.100 192.1.1.101 netmask 255.255.255.0ip nat pool t1 192.1.10.100 192.1.10.101 netmask 255.255.255.0ip nat inside source route-map test0 pool t0!将路由图test0定义的内部本地地址与地址池t0关联,进行一对一地址转换,如果所有的内部!全局地址用完,则需要转换的内部本地地址只有等待由地址池t0定义的内部全局地址释放!该条语句表示从10.1.2.1,10.1.2.2,10.1.2.3到192.1.2.0/24网段的数据包转换为192.1.1.100或!192.1.1.101ip nat inside source route-map test1 pool t1! 该条语句表示从10.1.2.1,10.1.2.2,10.1.2.3到192.1.3.0/24网段的数据包转换为192.1.10.100!或192.1.10.101ip nat inside source static 10.1.1.212 192.1.1.212ip nat inside source static 10.1.1.10 192.1.1.100!interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outsideclockrate 2000000!interface Serial1ip address 192.1.10.1 255.255.255.0ip nat outsideclockrate 2000000!router ripnetwork 10.0.0.0network 192.1.1.0network 192.1.10.0distribute-list 1 outdistribute-list 1 in!ip classless!access-list 1 deny 10.0.0.0access-list 1 permit anyaccess-list 102 permit ip host 10.1.2.1 192.1.2.0 0.0.0.255access-list 102 permit ip host 10.1.2.2 192.1.2.0 0.0.0.255access-list 102 permit ip host 10.1.2.3 192.1.2.0 0.0.0.255access-list 103 permit ip host 10.1.2.1 192.1.3.0 0.0.0.255access-list 103 permit ip host 10.1.2.2 192.1.3.0 0.0.0.255access-list 103 permit ip host 10.1.2.3 192.1.3.0 0.0.0.255route-map test0 permit 10match ip address 102!路由图test0引用扩展包过滤规则102对进行地址转换检查route-map test1 permit 10match ip address 103配置实例2要求如果从10.1.1.0/24网段到192.1.3.0/24网段的数据包为ICMP类型,内部本地地址转换为192.1.1.100-192.1.1.101; 如果从10.1.1.0/24,到192.1.3.0/24网段的数据包为telnet类型, 内部本地地址转换为192.1.10.100-192.1.10.101具体配置version 11.3hostname R1ip nat pool t0 192.1.1.100 192.1.1.101 netmask 255.255.255.0ip nat pool t1 192.1.10.100 192.1.10.101 netmask 255.255.255.0ip nat inside source route-map test0 pool t0ip nat inside source route-map test1 pool t1!interface Ethernet0ip address 10.1.1.1 255.255.255.0ip nat inside!interface Serial0ip address 192.1.1.1 255.255.255.0ip nat outsideclockrate 2000000!interface Serial1ip address 192.1.10.1 255.255.255.0ip nat outsideclockrate 2000000!router ripnetwork 10.0.0.0network 192.1.1.0network 192.1.10.0distribute-list 1 outdistribute-list 1 in!ip classless!access-list 1 deny 10.0.0.0access-list 1 permit anyaccess-list 102 permit icmp 10.1.1.0 0.0.0.255 192.1.3.0 0.0.0.255!扩展包过滤102表示对于从10.1.1.0/24网段到192.1.3.0/24网段的数据包为ICMP类型,允许!检查通过access-list 103 permit tcp 10.1.1.0 0.0.0.255 192.1.3.0 0.0.0.255 eq telnet! 扩展包过滤103表示从10.1.1.0/24,到192.1.3.0/24网段的数据包为telnet类型, 允许!检查通过route-map test0 permit 10match ip address 102!route-map test1 permit 10match ip address 103检查手段我们可以通过sho ip nat translations verbose检查NAT转换情况R1#sho ip nat translations verbosePro Inside global Inside local Outside local Outside globalicmp 192.1.1.100:5764 10.1.1.10:5764 192.1.3.1:5764 192.1.3.1:5764 create 00:00:35, use 00:00:35, left 00:00:24, flags: extended!我们在从10.1.1.10 ping 192.1.3.1 ,路由器将10.1.1.10转换为192.1.1.100,ping 是通过!ICMP 的ECHO 及ECHO-REPLY实现的tcp 192.1.10.100:58371 10.1.1.10:58371 192.1.3.1:23 192.1.3.1:23。

思科1700系列说明书

Cisco 1700 SeriesModular Access RoutersFigure 1Cisco 1700 SeriesCisco 1700 Series Modular Access Router Solutions The Cisco 1700 Series of modular access routers are designed to provide acost-effective integrated platform for small and medium-sized businesses and enterprise small branch ofﬁces. They provide ﬂexibility and manageability to meet the most demanding and evolving business requirements such as multiservice data/voice/video/fax integration, business-class digital subscriber line (DSL), and comprehensive network security.See Figure 1.The Competitive Advantage Today’s businesses are recognizing that business success relies on more than simply using e-mail or putting up a Web panies that want to streamline operations and reduce costs while gaining the competitive advantages of the Internet need to integrate business processesinto their everyday business practices by adopting applications such as Web-based transaction processing, telecommuting,and e-learning. These kinds of business tools improve communications between employees, customers, and suppliers;increase productivity and efﬁciency; and enhance customer satisfaction to make businesses more competitive. The effectiveness of business solutions depends on the performance and capabilities of the access solution.To fully realize all the competitive advantages companies need a ﬂexible and affordable access solution that supports a full range of technologies and applications.The Cisco 1700 Series of modular access routers are optimized to provide comprehensive features such as virtual private networks (VPNs),security ﬁrewalls,business-class DSL, and multiservice integration of data, voice, video, and fax.The routers deliver high-speed WAN connectivity for communications over the Internet and between remote ofﬁce sites.For an overview of Cisco 1700 Series features, refer to Table 1.The Cisco 1760 Modular Access Router provides multiservice voice/video/data solutions in a 19-inch rackmount chassis. Four modular slots are available to support a variety of WICs and VICs. The Cisco 1751 Modular Access Router designed in a desktop form factor also provides multiservice voice/video/data integration.The Cisco 1721 Modular Access Router is optimized for ﬂexible data-access solutions supporting dual WAN applications for high availability.The Cisco 1711 and 1712 Security Access Router provides a cost-effective integrated security and routing solution in a single device for secure broadband access.The Cisco 1701 ADSL Security Access Router provides secure and reliable Internet and corporate network connectivity and business-class ADSL over basic telephone service (POTS) with a redundant ISDN WAN link.Table 1Overview of Cisco 1700 Series FeaturesBenefitsFeaturesFlexibility and investment protection•Offers modular data and voice slots (except Cisco 1701, 1711, 1712)•Provides customization through a wide range of WAN and voice interface cards (except Cisco 1701, 1711,1712)•Presents migration path to multiservice voice and data integration (Cisco 1751 and 1760)Security•Offers Cisco IOS ® stateful inspection ﬁrewall•Provides VPN IP Security (IPSec) encryption (Digital Encryption Standard [DES] and Triple DES [3DES])•Enables encryption up to T1/E1 speeds (4-Mbps full duplex) using optional VPN module (included in Cisco 1711 and 1712—optional for the other Cisco 1700Series models)Business-class DSL•Supports ADSL and G.shdsl•Offers enhanced quality of service (QoS) over DSL •Offers toll-quality voice over DSLMultiservice data and voice integration (Cisco 1751 and 1760)•Provides support for analog and digital voice calls •Supports IP telephony•Interoperates with next-generation voice-enabled business applications such as integrated messaging and Web-based call centers•Works with existing telephone infrastructure: phones,fax machines, key telephone system (KTS) units, and private branch exchanges (PBXs) (including digital PBXs)Remote Manageability•Supports CiscoWorks management applications •Enables QoS and trafﬁc prioritization through Cisco IOS SoftwareTable 2Cisco 1700 Series ComparisonCisco 1701Cisco1711Cisco1712Cisco1721Cisco1751Cisco1751-VCisco1760Cisco1760-VApplication ADSLSecurity BroadbandSecurityBroadbandSecurityDataAccessData andVoiceData andVoiceData andVoiceData andVoiceForm Factor Desktop Desktop Desktop Desktop Desktop Desktop19" Rack-mount 19" Rack-mountFixed/ModularFixed Fixed Fixed Modular Modular Modular Modular ModularDefaultMemory(Flash/DRAM MB)32/6432/6432/6416/3216/3232/6416/3232/64MaximumMemory(Flash/DRAM MB)32/9632/12832/12816/9616/9632/9664/9664/96WAN AccessModularSlots23344IntegratedWAN PortADSL10/10010/100Backup WAN ISDN AnalogModemISDN optional optional optional optional optionalLANLAN Ports1–10/1004–10/1004–10/1001–10/1001–10/1001–10/1001–10/1001–10/100 802.1QVLANMultiservice VoiceVoice overIPAnalog/DigitalVoiceQoSIntegrated SecurityHardwareAcceleratedVPNoptional optional optional optional optional optionalVPNTunnels100100100100100100100100The Cisco 1700 Series Key BenefitsThe Cisco 1700 Series routers are designed to enable small/medium-sized businesses and small enterprise branch ofﬁces to successfully deploy networked applications by providing:•Flexibility and investment protection •Comprehensive security •Business-class DSL•Multiservice data/voice/video/fax integration •Enhanced manageabilityFlexibility and Investment ProtectionThe modularity of the Cisco 1700Series allows it to easily ﬁt the needs of growing companies.Interchangeable WICs and voice interface cards (VICs)enable easy additions or changes in WAN technologies without requiring a forklift upgrade of an entire platform. The wide range of available WIC and VIC solutions gives customers a choice when implementing WAN and voice technologies.It allows customers to start out with a solution that meets current needs and easily expand as business demands grow. WAN technologies supported include broadband DSL, ISDN, leased lines,and Frame Relay.Voice technologies supported are VoIP and VoFR.These WICs and VICs are also shared with the Cisco 2600, 3600, and 3700 Series prehensive SecurityTo succeed, companies must deploy robust network security measures. Business applications often involve storing and transmitting sensitive data, such as customer credit information, and this data can be an attractive target for hackers and other malicious agents.To keep networks secure and protect sensitive information,businesses deploy a range of security technologies, including ﬁrewalls, VPNs, and intrusion detection systems.Stateful Firewall optional optional optional optional optional IDS(Intrusion Detection)optionaloptionaloptionaloptionaloptionalEasy VPN Remote/Server optional optional optional optional optionalWebsense URL Filtering optional optional optional optional optionalSDMEmbedded Web ToolTable 2Cisco 1700 Series ComparisonCisco 1701Cisco 1711Cisco 1712Cisco 1721Cisco 1751Cisco 1751-V Cisco 1760Cisco 1760-VCisco IOS Software is the industry’s widely accepted standard for the Internet and private network operations.Based on Cisco IOS security technology,the Cisco1700Series routers provide powerful,integratedﬁrewall,VPN,and IDS capabilities. As new security technologies are developed, they often can be simply uploaded to a Cisco 1700 Series Router—there is no need for costly hardware replacements.FirewallJust as physical businesses require security measures for protection against theft of physical assets, businesses also require tools to maintain the security and conﬁdentiality of its intellectual property.Firewalls provide this protection by preventing unauthorized users from accessing conﬁdential corporate data.The Cisco1700Series routers offer integrated security features,including stateful inspectionﬁrewall functionality as an optional Cisco IOS Software feature. By deploying Cisco IOS Software ﬁrewall functionality, customers do not need to purchase or manage multiple devices, simplifying network management and reducing capital costs.Cisco IOS Softwareﬁrewall security features include access control lists(ACLs),user authentication,authorization, and accounting (such as Password Authentication Protocol/Challenge Handshake Authentication Protocol [PAP/ CHAP],TACACS+,and Remote Access Dial-In User Service[RADIUS]).These security features provide the optimal level of ﬁrewall protection to customers.Virtual Private NetworksThe Cisco1700Series is part of the end-to-end Cisco VPN solution.VPNs create secure tunnel connections via the Internet to connect geographically dispersed ofﬁces, business partners, and remote users while providing security, trafﬁc prioritization,management,and reliability equal to that of private networks.VPNs signiﬁcantly reduce WAN costs,and they can be set up and torn down rapidly to provide secure extranet links to customers,business partners, and remote employees on demand.By supporting industry standards such as IPSec,Layer2Tunneling Protocol(L2TP),and DES,3DES,and AES Cisco 1700 Series routers deliver robust VPN solutions to ensure data privacy, integrity, and authenticity.The optional*VPN Hardware Encryption Module for Cisco1700Series routers further optimizes VPN encryption performance.Through ofﬂoading encryption tasks to the VPN module,the router processor is freed to handle other operations. The VPN module accelerates the rate at which encryption occurs, speeding the process of transmitting secure data, and this factor is critical when using 3DES encryption.*The VPN hardware encryption module is included on Cisco1711and1712Security Access Routers and optional on all other Cisco 1700 Series routers.Intrusion DetectionPreventing unauthorized users from entering the corporate network is an essential role of any security system.A network-based IDS provides around-the-clock network surveillance, analyzing packets and data streams and searching for signs of unauthorized activity.When it identiﬁes unauthorized activity,the IDS can generate alarms to alert network managers for immediate response and corrective action.Through Cisco IOS Software,Cisco1700Series routers can provide customers with an integrated IDS solution.With this feature deployed,businesses can beneﬁt from continuous security monitoring to detect unauthorized activity that may occur over the Internet or other unsecured networks.Security Device Manager (SDM)Cisco SDM is an intuitive,Web-based device management tool embedded within the Cisco 1700access routers.Cisco SDM simpliﬁes router and security conﬁguration through smart wizards enabling customers to quickly and easily deploy, conﬁgure and monitor a Cisco 1700 access router without requiring knowledge of Cisco IOS Software Command Line Interface (CLI).Business-Class DSLThe Cisco 1700 Series supports business-class DSL through the optional ADSL or symmetrical high-bit-rate DSL (G.shdsl)WICs,or with the 1701which has a built in ADSL port.The Cisco 1700Series business-class DSL solution combines the cost beneﬁts of DSL service with the advanced routing capability required for business use of the Internet. Cisco business-class DSL delivers advanced QoS and industry-proven reliability. Through enhanced DSL QoS features, performance levels for mission-critical applications and toll-quality voice/data integration are maintained. (Refer to Figure 2.)Figure 2The Cisco 1700 Series Deployed with an ADSL WICCisco 1711 and 1712 routers, and Cisco 1721, 1751, 1760 routers with optional Ethernet WIC, support dual Ethernet conﬁguration, enabling deployment with an external broadband modem (such as DSL, cable modem, or wireless modem)—often supplied by a service provider (Figure 3).Figure 3The Cisco 1700 Series Deployed with an Ethernet WIC and an External DSL or Cable ModemSmall Enterprise Branch OfficeCisco 1700 Series Router with ADSLCisco 6000(DSLAM)HeadquartersCisco 7000WANADSLInternetDSL/Cable ModemCisco 1700 Series Router with Cisco IOS Firewall and Dual EthernetLANMultiservice Data/Voice/Video/Fax IntegrationIn addition to supporting the same security and business-class DSL features as the entire Cisco 1700Series,the Cisco 1751and 1760provide a cost-effective way to extend multiservice (data and voice)networks to branch ofﬁing the sophisticated QoS features of Cisco IOS Software, the Cisco 1751 and 1760 allow voice trafﬁc to be digitized,encapsulated in data packets, and prioritized over other data trafﬁc. Data/voice/video/fax integration using IP protocols over the Internet enables administrators to reduce long-distance toll charges between ofﬁces and support voice-enabled desktop applications such as integrated messaging and packet video.The Cisco 1751 and 1760 support analog and digital voice communications while working with the existing telephone infrastructure—such as phones,fax machines,KTSs,and PBXs—thus minimizing capital costs by reducing the need for additional equipment expenditure. In addition, these routers provide for easy deployment of IP telephony. (Refer to Figure 4.)Figure 4Multiservice Data/Voice/Fax IntegrationEnhancements to Cisco IOS Software allow the Cisco 1751 and 1760 to support survivable remote site telephony (SRST). This feature allows branch ofﬁces to utilize key telephony features such as hold and call forwarding if the main call server fails. Recently introduced VIC cards support direct inward dial (DID), allowing customers to directly reach key employees and caller ID (CLID) ensures that employees can identify and respond to important customer calls.Phone FaxFaxIP Phone1-8* Analog Calls or1-16 Digital Calls* 1 WIC slot is left for WAN access. The maximum number of analog calls for the Cisco 1760 is 8.KTS/PBXPSTNSmall Enterprise Branch OfficeCisco 1760Cisco 2600HeadquartersBranch Office Up to 288Digital Calls Up to 60Digital CallsIntranet Leased Line Frame RelayMCM GatekeeperIP VVPBXPBXCisco Voice ManagerFaxCisco 3600VManageabilityCisco 1700 Series routers support a wide range of network installation and management tools:•SDM—Cisco SDM is a Web-based device management tool embedded within the Cisco IOS access ing smart wizards,SDM simpliﬁes router and security conﬁguration enabling customers to quickly and easily deploy, conﬁgure and monitor a Cisco access router without requiring knowledge of Cisco IOS Software Command Line Interface (CLI).•CiscoView—This GUI-based device management software application for UNIX and Windows platforms provides dynamic status, statistics, and comprehensive conﬁguration information.•CiscoWorks—This industry-leading, Web-based network management suite simpliﬁes tasks such as network inventory management and device change,rapid software image deployment,and troubleshooting from a central location.•Cisco Secure Policy Manager—This Windows NT-based application allows users to deﬁne,conﬁgure,distribute, enforce,and audit network-wide security policies,simplifying Cisco IOSﬁrewalls,VPNs,and IDS deployments.•Cisco QoS Policy Manager—This tool offers the ability to deﬁne QoS policies across multiple devices,easing the task of creating and conﬁguring QoS policies for users and applications.•Cisco Voice Manager—This application enables conﬁguration and provisioning of voice ports,and creation and modiﬁcation of dial plans on voice-enabled Cisco routers for VoIP and VoFR.Cisco 1700 Series Business FeaturesThe Cisco 1700 Series offers a comprehensive feature set designed to enable small to medium-sized businesses and small enterprise branch ofﬁces to connect to the Internet and to the corporate intranet. For a complete description of platform features and beneﬁts, refer to Table 3.Table 3Beneﬁts and Features of the Cisco 1700 SeriesFeatures BenefitsFlexibilityFull Cisco IOS Software support, including multiprotocol routing(IP,IPX1,AppleTalk,IBM/SNA2) and bridging •Provides the industry’s most robust, scalable, and feature-rich internetworking software support using the accepted standard networking software for the Internet and private WANs•Constitutes part of the Cisco end-to-end network solutionIntegrated voice and data networkingCisco 1751 and 1760 routers accept both WAN and voice interface cards •Reduces long-distance toll charges by allowing the data network to carry interofﬁce voice and fax trafﬁc •Works with existing handsets, key units, and PBXs, eliminating the need for a costly phone-equipment upgradeModular architectureAccepts an array of WICs and VICs•Adds ﬂexibility and investment protectionWICs are shared with Cisco 1700, 2600, and 3600routers•Reduces cost of maintaining inventory•Lowers training costs for support personnel•Protects investments through reuse on various platforms Autosensing 10/100 Fast Ethernet •Simpliﬁes migration to Fast Ethernet performance in the ofﬁceExpansion slot on motherboard•Allows expandability to support hardware-assisted encryption at T1/E1 speeds•Allows support for future technologiesDual DSP slots (Cisco 1751 and 1760)•Allows expandability to support additional voice channels Security SDM• Simpliﬁes router and security conﬁguration through smart wizards to enable customers to quickly and easily deploy, conﬁgure and monitor a Cisco access routerwithout requiring knowledge of Cisco IOS Command Line Interface (CLI).Cisco IOS Firewall feature set includes context-based access control for dynamic ﬁrewall ﬁltering,denial-of-service detection and prevention, Java blocking, real-time alerts, IDS, and encryption •Allows internal users to access the Internet with secure,per-application-based dynamic access control, whilepreventing unauthorized Internet users from accessing the internal LANIPSec DES and 3DES•Enables creation of VPNs by providing industry-standard data privacy, integrity, and authenticity as data traverses the Internet or a shared public network •Supports up to 168-bit encryptionHardware-based encryption module •Supports wire-speed encryption up to T1/E1 speeds Easy VPN server/remote•Allows router to act as VPN server to terminate VPN client sessions initiated by Cisco VPN clients•Easy VPN Remote provides ease of deployment by allowing centralized VPN policy pushed from a VPN concentrator to Cisco 1700 routerDevice authentication and key management IKE 3, X.509v3 digital certiﬁcation, and support for Certiﬁcate Enrollment Protocol (CEP) withcertiﬁcation authorities such as Verisign and Entrust•Ensures proper identity and authenticity of devices and data•Enables scalability to very large IPSec networks through automated key managementUser authenticationPAP/CHAP , RADIUS, TACACS+•Supports all leading user identity-veriﬁcation schemesTable 3Beneﬁts and Features of the Cisco 1700 SeriesFeaturesBenefitsVPN tunnelingIPSec, generic routing encapsulation (GRE), L2TP, Layer2 Forwarding (L2F)•Offers choice of standards-based tunneling methods to create VPNs for IP and non-IP trafﬁc•Allows standards-based IPSec or L2TP client to interoperate with Cisco IOS tunneling technologies•Is fully interoperable with public certiﬁcate authorities and IPSec standards-based products•Constitutes part of the scalable Cisco end-to-end VPN solution portfolioManagementIEEE 802.1Q VLAN•Enables efﬁcient trafﬁc separation, provides betterbandwidth utilization, and alleviates scaling issues bylogically segmenting the physical LAN infrastructure intodifferent subnetsManageable via SNMP4 (CiscoView, CiscoWorks2000), Telnet, and console port •Allows central monitoring, conﬁguration, and diagnostics for all functions integrated in the Cisco1700Series Router, reducing management time and costsIntegrated analog modem (optional)•Allows out-of-band remote management for monitoringand conﬁguration of Cisco 1700 Series routersEase of use and installationCisco ConﬁgMaker, setup conﬁguration utility, color-coded ports/cables, and LED status indicators •Simpliﬁes and reduces deployment time and costs •Allows quick diagnostics and troubleshootingNetwork Address Translation (NAT)•Simpliﬁes deployment and reduces Internet access costs QoSCAR5, Policy Routing, WFQ6, PQ/CBWFQ7, GTS8, RSVP9, DSCP10, cRTP11, MLP12, and LFI13•Allocates WAN bandwidth to priority applications for improved performanceReliability and scalabilityCisco IOS Software, dial-on-demand routing,dual-bank Flash memory, scalable routing protocols such as OSPF14, EIGRP15, and HSRP16•Improves network reliability and enables scalability to large networksBroadband connectivity optionsDSL connectivity delivers business-class broadband access •Takes advantage of broadband access technologies such as DSL to increase WAN connectivity speeds and reduce WAN access costs•Supports ADSL connectivity with ADSL WIC •Supports G.shdsl connectivity with the G.shdsl WIC •Supports cable connectivity with the Cisco 1700 Series and optional integrated Cisco uBR 910 Series Universal Broadband Router cable DSU to deliver business-class broadband accessTable 3Beneﬁts and Features of the Cisco 1700 Series Features BenefitsCisco Systems, Inc.All contents are Copyright © 1992–2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.Page 11 of 12Cisco IOS TechnologyCisco IOS Software is an innovative and feature-rich network system software that offers networks intelligence and agility. It allows the effective deployment of new applications and services quickly and withoutdisruption—applications and services that enable your customer’s business to generate revenue, reduce costs, and improve customer service.Service and Support Technical Support ServicesTechnical Support Services for the Cisco 1700 Series are available through Cisco SMARTnet™ and SMARTnet Onsite service programs.Cisco SMARTnet support augments the resources of business operations staff;it provides access to a wealth of expertise, both online and via telephone; it provides the ability to refresh system software at will; and it offers a range of hardware Advance Replacement options. Table 4 details the features and beneﬁts of Cisco SMARTnet offerings.Device integrationIntegrated router,voice gateway,ﬁrewall,encryption,VPN tunnel server, DSU/CSU 17, and NT1 in a single device•Reduces costs and simpliﬁes management•Offers voice gateway functionality (Cisco 1751/1760)1.Internetwork Packet Exchange2.Systems Network Architecture3.Internet Key Exchange4.Simple Network Management Protocolmitted Access Rate6.Weighted Fair Queuing7.Priority Queuing/Class-Based WFQ 8.Generic traffic shaping9.Resource Reservation Protocol 10.Differentiated services code point 11.Real-Time Transport Protocol 12.Multilink PPP13.Link Fragmentation and Interleaving 14.Open Shortest Path First15.Enhanced Interior Gateway Routing Protocol 16.Hot Standby Router Protocol17.Data service unit/Channel service unitTable 4Cisco SMARTnet Features and BeneﬁtsT echnicalSupport ServicesFeaturesBeneﬁtsCisco SMARTnet SupportCisco SMARTnet Onsite SupportAccess 24 x 7 to software updates Web access to technical repositoriesTelephone support through the Technical Assistance Center (TAC)Advance Replacement of hardware partsEnables proactive or expedited issue resolutionLowers cost of ownership by utilizing Cisco expertise and knowledgeMinimizes network downtimeTable 3Beneﬁts and Features of the Cisco 1700 SeriesFeaturesBenefitsCorporate Headquarters Cisco Systems, Inc.170 West Tasman Drive San Jose, CA 95134-1706USA Tel:408 526-4000800 553-NETS (6387)Fax:408 526-4100European HeadquartersCisco Systems International BV HaarlerbergparkHaarlerbergweg 13-191101 CH Amsterdam The Netherlands Tel:31 0 20 357 1000Fax:31 0 20 357 1100Americas Headquarters Cisco Systems, Inc.170 West Tasman Drive San Jose, CA 95134-1706USA Tel:408 526-7660Fax:408 527-0883Asia Paciﬁc Headquarters Cisco Systems, Inc.Capital Tower168 Robinson Road #22-01 to #29-01Singapore Tel:+65 6317 7777Fax:+65 6317 7799Cisco Systems has more than 200 ofﬁces in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on theC i s c o W e b s i t e a t w w w.c i s c o.c o m /g o /o f f i c e sArgentina •Australia •Austria •Belgium •Brazil •Bulgaria •Canada •Chile •China PRC •Colombia •Costa Rica •Croatia Czech Republic •Denmark •Dubai,UAE •Finland •France •Germany •Greece •Hong Kong SAR •Hungary •India •Indonesia •Ireland Israel •Italy •Japan •Korea •Luxembourg •Malaysia •Mexico •The Netherlands •New Zealand •Norway •Peru •Philippines •Poland Portugal •Puerto Rico •Romania •Russia •Saudi Arabia •Scotland •Singapore •Slovakia •Slovenia •South Africa •Spain •Sweden Switzerland •Taiwan •Thailand •Turkey •Ukraine •United Kingdom •United States •Venezuela •Vietnam •ZimbabweAll contents are Copyright ©1992–2003Cisco Systems,Inc.All rights reserved.Cisco,Cisco IOS,Cisco Systems,the Cisco Systems logo,and SMARTnet are registered trademarks of Cisco Systems,Inc.and/or its affiliates in the U.S. and certain other countries.All other trademarks mentioned in this document or Web site are the property of their respective owners.The use of the word partner does not imply a partnership relationship between Cisco and any other company.(0304R)MS/LW488107/03Cisco SMARTnet Onsite provides all Cisco SMARTnet services and complements the hardware Advance Replacement feature by adding the services of a ﬁeld engineer, offering support that can be critical for those locations where stafﬁng is insufﬁcient or unavailable to perform parts replacement activities.Technical Support Services DeliveryCisco SMARTnet support is available to customers from both Cisco directly and through Cisco’s channel partners.How to OrderTo order a Cisco 1700 Series Modular Access Router contact your local Cisco reseller. To ﬁnd the one nearest you, visit the Cisco Reseller Locator at:/warp/partner/psp/locator.html。

Cisco 思科产品常见问题一百问

思科产品常见问题一百问1.1600 系列路由器支持什么广域网卡，什么广域网链路，特点是什么？Cisco1600系列路由器支持WIC-1T、WIC-1B-S/T、WIC-1D SU-56K4（在中国不支持的WIC在这里未列出），WIC-1T 可支持异步链接，速率可达到1 15.Kbps;也可支持同步连接（如帧中继、专线、X.25）,速率可达2.048 Mbps。

Cisco16 00不支持WIC-2T。

2. Cisco3600 系列路由器目前是否支持广域网接口卡WIC-2T 和WIC-2A/S？Cisco3600 系列路由器在12.007XK 及以上版本支持WIC-2T 和WIC-2A/S 这两种广域网接口卡。

但是需要注意的是：只有快速以太网混合网络模块能够支持这两种广域网接口卡。

支持这两种接口卡的网络模块如下所示：NM-1FE2W，NM-2FE 2W，NM-1FE1R2W，NM-2W 。

而以太网混合网络模块不支持，如下所示：NM-1E2W，NM-2E2W，NM1E1R2W。

3. Cisco 7000 系列上的ME1 与Cisco 2600/3600 上的E1、CE1 有什么区别？Cisco 7000上的ME1 可配置为E1、CE1，而Cisco 260 0/3600 上的E1、CE1 仅支持自己的功能。

4. Cisco 2600 系列路由器，是否支持VLAN 间路由，对IOS软件有何需求？Cisco 2600 系列路由器中，只有Cisco2620 和Cisco2621 可以支持VLAN 间的路由(百兆端口才支持VLAN 间路由)。

并且如果支持VLAN 间路由，要求IOS 软件必须包括IP Plus 特性集。

5. Cisco 1750 路由器是否支持数据加密？CISCO 1750 是否支持ISL 或者802.1q 功能？支持。

1750 支持2 种加密技术：IPSec Data Encryption Standard (DES)56 和IPSec 3 DES. CISCO1750不支持802.1Q及ISL，CISCO1700系列中只有CISCO1710及CISCO1751 支持802.1 Q,但不支持ISL。

cisco路由公网配置

路由器接入公网的配置方法电信宽带为2M, 分配给的固定IP地址：202.249.11.101 子网掩码：255.255.255.248 网关：202.249.11.20 局域网规划地址范围为：192.168.0.2 - 192.168.0.254 子网掩码：255.255.255.248 网关：192.168.0.1 路由器为Cisco 1721 自带10/100M自适应端口一个，其次我们还要配置一块1ENET的扩展卡，卡上带有10M RJ45端口一个。

我们将1ENET的口作为外网端口，机器上的口作为内网端口。

配置过程如下：Router>en//进入特权配置模式Router#configure terminal//进入全局配置模式Enter configuration commands, one per line. End with CNTL/Z. (设备自动出现的提示，主要告诉你目前已经进入主控制台)Router<config>#interface FastEthernet 0//首先进入内网端口(设备自带端口)Router<config-if>#ip address 192.168.0.1 255.255.255.0//指定内网端口的IP地址及子网掩码Router<config-if>#ip nat inside//将该端口定义为地址转换(NAT)的“内部端口”Router<config-if>#no shutdown//使该端口处于“运行”状态Router<config-if>#exit//返回Router<config>#interface Ethernet 0//进入外网端口(1ENET上面的端口)Router<config-if>#ip address 202.249.11.101 255.255.255.248//指定外网IP地址及子网掩码Router<config-if>#ip nat outside//将该端口定义为地址转换(NAT)的“外部端口”Router<config-if>#no shutdown//使该端口处于“运行”状态Router<config-if>#exit [/color]//返回Router<config>#ip route 0.0.0.0 0.0.0.0 202.249.11.20//定义路由地址Router<config>#no access-list 1//我们先取消出厂状态下的访问控制列表“1”Router<config>#access-list 1 permit 192.168.0.0 0.0.0.255//重新定义访问控制列表“1”为“允许192.168.0.0/24的网段”Router<config>#ip nat pool nanpool 202.249.11.97 202.249.11.102 netmask 255.255.255.248//定义从ISP供应商那里申请到的公网IP地址在企业内部的分配策略，在这里我们定义了一个地址池，名称为“nanpool”，在这个池里所定义的IP地址（202.249.11.97到202.249.11.102）将被内网的用户用来上网。

思科路由器如何配置NAT功能

思科路由器如何配置NAT功能很多网络技术上的新手，还不知道如何配置思科路由器的NAT功能。

不过没关系，看完小编这个文章应该对你帮助会很大。

那么接下来就让小编来教你如何配置思科路由器NAT功能吧。

首先，小编必须要介绍下什么是NAT。

NAT，英文全称为Network Address Translation，是指网络IP 地址转换。

NAT的出现是为了解决IP日益短缺的问题，将多个内部地址映射为少数几个甚至一个公网地址。

这样，就可以让我们内部网中的计算机通过伪IP访问INTERNET的资源。

如我们局域网中的192.168.1.1地址段属私网地址，就是通过NAT转换过来的。

NAT分为静态地址转换、动态地址转换、复用动态地址转换。

下面是小编将列出思科路由器NAT配置实例，希望对您有所帮助。

Current configuration:!version 12.0service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname 2611!enable secret 5 $JIeG$UZJNjKhcptJXHPc/BP5GG0enable password 2323ipro!ip subnet-zerono ip source-routeno ip finger!!!interface Ethernet0/0ip address 192.168.10.254 255.255.255.0 secondary ip address 218.27.84.249 255.255.255.248no ip directed-broadcastip accounting output-packetsno ip mroute-cacheno cdp enable!interface Serial0/0ip unnumbered Ethernet0/0no ip directed-broadcastip accounting output-packetsip nat outsideno ip mroute-cacheno fair-queueno cdp enable!interface Ethernet0/1ip address 192.168.2.254 255.255.255.0no ip directed-broadcastip nat insideno ip mroute-cacheno cdp enable!interface Virtual-T okenRing35no ip addressno ip directed-broadcastno ip mroute-cacheshutdownring-speed 16!router ripredistribute connectednetwork 192.168.2.0network 192.168.10.0network 218.27.84.0!ip default-gateway 218.27.127.217ip nat pool nat-pool 218.27.84.252 218.27.84.254 netmask 255.255.255.248ip nat inside source list 1 pool nat-pool overloadip nat inside source static 192.168.2.254 218.27.84.249ip classlessip route 0.0.0.0 0.0.0.0 Serial0/0ip http serverip http port 9091ip ospf name-lookup!ip access-list extended filterinpermit tcp any host 218.27.84.249 eq www reflect httpfilter access-list 1 permit 192.168.2.0 0.0.0.255no cdp run!line con 0transport input noneline aux 0line vty 0 4password routrlogin!end按照步骤敲完这些代码，那么你应该就会了解到如何配置思科路由器NAT功能了。