Printable View
سلام
من یه روتر 2600 دارم که نت میکنم باهاش . الان یه ISA Server هم راه اندازی کردم که اون هم نت میکنه ( با 2 تا کارت شبکه . یه اکسترنال و یه اینترنال ) حالا میخوام نت رو از رو روتر حذف کنم که باری که روش هست کمتر بشه و آیزا نت کنه فقط !!
الان نمیدونم چطوری باید این کار رو انجام بدم ( انتقال نت به ایزا)
ممنون.
Show Config
دقت کن با حذف nat احتمال داره کانفیگ بهم بریزه.خب.یه sh run بگیر بعدش میتونی اون دستور nat که تو sh run دیدی رو بنویسی ولی قبلش یه no بگذار.مثلا
[B]no ip nat inside source list 1 interface Serial0 overload [/B]
[quote=mzbcracker;162450]دقت کن با حذف nat احتمال داره کانفیگ بهم بریزه.خب.یه sh run بگیر بعدش میتونی اون دستور nat که تو sh run دیدی رو بنویسی ولی قبلش یه no بگذار.مثلا
[B]no ip nat inside source list 1 interface Serial0 overload [/B][/quote]
سلام
این کار رو انجام دادم . یعنی [B]no ip nat inside source list 1 interface Serial0 overload رو زدم و نت رو حذف کردم اما نمیدونم چطور نت رو به عهده ISA بزارم . Route-map هم نوشتم یعنی ایزا به صورت کش داره کار میکنه.[/B]
Route باید بزاری
رنج IP که میخوایی نت بشه بفرست طرف ISA
[quote=darklove;162394]Show Config[/quote]
در حال حاضر کانفیگ روتر اینه
[LEFT]
2621:
Building configuration...
Current configuration : 7963 bytes
!
version 12.2
service nagle
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
logging buffered 4096 debugging
no logging console
logging monitor warnings
aaa new-model
aaa authentication ppp default none
aaa authentication ppp isputil group radius local
aaa authorization network default none
aaa authorization network isputil group radius local
aaa accounting send stop-record authentication failure
aaa accounting update newinfo periodic 1
aaa accounting network default none
aaa accounting network isputil start-stop group radius
aaa pod server auth-type any server-key 123
enable secret 5 $iiiiiiiiiiiiiiiiiiiiiii.
enable password 7 1iiiiiiiiiiiiiiiiiiiiiiiiC
!
username iiiiiii privilege 5 password 7 uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
A1uuuu1
ip subnet-zero
no ip domain-lookup
ip name-server 217.218.127.104
ip name-server 4.2.2.4
ip name-server 192.9.9.3
!
async-bootp dns-server 192.9.9.3
!
interface FastEthernet0/0
ip address 217.219.1.1 255.255.255.224 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map cache
load-interval 30
speed auto
full-duplex
no cdp enable
!
interface Serial0/0
ip unnumbered FastEthernet0/0
ip access-group 172 out
ip nat outside
encapsulation ppp
no ip mroute-cache
load-interval 30
no keepalive
no fair-queue
serial restart-delay 0
no cdp enable
!
interface Group-Async1
ip unnumbered FastEthernet0/0
ip access-group 173 in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
ip policy route-map cache
load-interval 30
async default routing
async mode dedicated
peer default ip address pool Dial-up
ppp authentication pap isputil
ppp authorization isputil
ppp accounting isputil
group-range 33 62
!
interface Group-Async2
ip unnumbered FastEthernet0/0
ip access-group 173 in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
ip policy route-map cache
load-interval 30
async default routing
async mode dedicated
peer default ip address pool Dial-up
ppp authentication pap isputil
ppp authorization isputil
ppp accounting isputil
group-range 63 64
!
ip local pool Dial-up 10.0.0.101 10.0.0.133
ip nat pool TCB 217.219.1.1 217.219.1.1 netmask 255.255.255.224
ip nat inside source list 102 pool TCB overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
ip http authentication local
!
logging 10.0.0.169
access-list 100 permit ip any any
access-list 102 remark <NAT>
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 102 remark <NAT>
access-list 105 deny ip host 217.219.1.2 any (ip cache sever)
access-list 105 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 105 permit tcp 217.219.1.0 0.0.0.31 any eq www
access-list 128 permit tcp any any eq www
access-list 172 deny udp any any eq 1434
access-list 172 deny udp any any eq 1433
access-list 172 deny tcp any any eq 1434
access-list 172 deny tcp any any eq 1433
access-list 172 deny udp any eq 1434 any
access-list 172 deny udp any eq 1433 any
access-list 172 deny tcp any eq 1434 any
access-list 172 deny tcp any eq 1433 any
access-list 172 remark DENY BLASTER
access-list 172 deny udp any any eq tftp
access-list 172 deny tcp any any eq 135
access-list 172 deny udp any any eq 135
access-list 172 deny tcp any any eq 139
access-list 172 deny tcp any eq 139 any
access-list 172 deny udp any any eq netbios-ss
access-list 172 deny tcp any any eq 445
access-list 172 deny udp any any eq 445
access-list 172 deny tcp any any eq 593
access-list 172 deny tcp any any eq 4444
access-list 172 remark /DENY BLASTER
access-list 172 deny udp any any eq ntp
access-list 172 deny udp any any eq 995
access-list 172 deny udp any any eq 996
access-list 172 deny udp any any eq 997
access-list 172 deny udp any any eq 998
access-list 172 deny udp any any eq 999
access-list 172 deny udp any any eq 8998
access-list 172 deny udp any eq 8998 any
access-list 172 remark DENY ICMP
access-list 172 permit icmp any any
access-list 172 remark /DENY ICMP
access-list 172 remark /MAIL AND DOMAIN WEB SNMP
access-list 172 permit ip 217.219.1.0 0.0.0.31 any
access-list 172 permit ip 10.0.0.0 0.0.0.255 any
access-list 172 deny ip any any
access-list 173 remark FIREWALL-ASYNC
access-list 173 remark DENY SQL SLAMMER
access-list 173 deny udp any any eq 1434
access-list 173 deny udp any any eq 1433
access-list 173 deny tcp any any eq 1434
access-list 173 deny tcp any any eq 1433
access-list 173 remark /DENY SQL SLAMMER
access-list 173 remark DENY BLASTER & Sasser
access-list 173 deny udp any any eq tftp
access-list 173 deny tcp any any eq 135
access-list 173 deny udp any any eq 135
access-list 173 deny tcp any any eq 139
access-list 173 deny udp any any eq netbios-ss
access-list 173 deny tcp any any eq 445
access-list 173 deny udp any any eq 445
access-list 173 deny tcp any any eq 5554
access-list 173 deny tcp any any eq 9996
access-list 173 deny tcp any any eq 593
access-list 173 deny tcp any any eq 4444
access-list 173 remark /DENY BLASTER & Sasser
access-list 173 remark DENY SOBIG
access-list 173 deny udp any any eq ntp
access-list 173 deny udp any any eq 995
access-list 173 deny udp any any eq 996
access-list 173 deny udp any any eq 997
access-list 173 deny udp any any eq 998
access-list 173 deny udp any any eq 999
access-list 173 deny udp any any eq 8998
access-list 173 remark /DENY SOBIG
access-list 173 permit ip 217.219.1.0 0.0.0.31 any
access-list 173 permit ip 10.0.0.0 0.0.0.255 any
access-list 173 deny ip any any
no cdp run
route-map cache permit 2
match ip address 105
set ip next-hop 10.0.0.3
!
snmp-server community llllllll RW 15
snmp-server community lllllll RO
radius-server host 10.0.0.4 auth-port 2222 acct-port 2223
radius-server retransmit 5
radius-server timeout 10
radius-server key 7 kkkkkkkk
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
line 33 52
login authentication dial-in
modem answer-timeout 10
modem InOut
modem autoconfigure type USR
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line 53 64
login authentication dial-in
modem answer-timeout 10
modem InOut
modem autoconfigure type default
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 102 in
password 7 12jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj4
line vty 5 15
access-class 102 in
!
end
2621:
الان آیزا در حالت کش کار میکنه اما میخوام نت هم به عهده آیزا باشه و از روی روتر غیر فعال بشه !![/LEFT]
فکر نمی کنم چیز خاصی باشه تغییر بدی غیر از route
ip route 0.0.0.0 0.0.0.0 ip_isa
حتی می تونی acl ها رو هم برداری و با isa انجام بدی
موفق باشی
Route-Map بردار
