-
Removing NAT from the router
Hello
I have a 2600 router that I use for NAT. I have now also set up an ISA Server that does NAT as well (with 2 network cards, one external and one internal). I want to remove NAT from the router so that the load on it goes down and only ISA does NAT!
Right now I don't know how I should do this (moving NAT to ISA).
Thanks.
-
-
Be careful: removing NAT may mess up the config. Take a sh run, then you can enter the nat command you saw in the sh run, but put a no in front of it. For example:
[B]no ip nat inside source list 1 interface Serial0 overload [/B]
-
[quote=mzbcracker;162450]Be careful: removing NAT may mess up the config. Take a sh run, then you can enter the nat command you saw in the sh run, but put a no in front of it. For example:
[B]no ip nat inside source list 1 interface Serial0 overload [/B][/quote]
Hello
I did this. That is, I entered [B]no ip nat inside source list 1 interface Serial0 overload and removed NAT, but I don't know how to hand NAT over to ISA. I also wrote a route-map, meaning ISA is working as a cache.[/B]
-
You need to add a route.
Send the IP range you want NATed toward ISA.
-
[quote=darklove;162394]Show Config[/quote]
At the moment the router config is this:
[LEFT]
2621:
Building configuration...
Current configuration : 7963 bytes
!
version 12.2
service nagle
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
logging buffered 4096 debugging
no logging console
logging monitor warnings
aaa new-model
aaa authentication ppp default none
aaa authentication ppp isputil group radius local
aaa authorization network default none
aaa authorization network isputil group radius local
aaa accounting send stop-record authentication failure
aaa accounting update newinfo periodic 1
aaa accounting network default none
aaa accounting network isputil start-stop group radius
aaa pod server auth-type any server-key 123
enable secret 5 $iiiiiiiiiiiiiiiiiiiiiii.
enable password 7 1iiiiiiiiiiiiiiiiiiiiiiiiC
!
username iiiiiii privilege 5 password 7 uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
A1uuuu1
ip subnet-zero
no ip domain-lookup
ip name-server 217.218.127.104
ip name-server 4.2.2.4
ip name-server 192.9.9.3
!
async-bootp dns-server 192.9.9.3
!
interface FastEthernet0/0
ip address 217.219.1.1 255.255.255.224 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map cache
load-interval 30
speed auto
full-duplex
no cdp enable
!
interface Serial0/0
ip unnumbered FastEthernet0/0
ip access-group 172 out
ip nat outside
encapsulation ppp
no ip mroute-cache
load-interval 30
no keepalive
no fair-queue
serial restart-delay 0
no cdp enable
!
interface Group-Async1
ip unnumbered FastEthernet0/0
ip access-group 173 in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
ip policy route-map cache
load-interval 30
async default routing
async mode dedicated
peer default ip address pool Dial-up
ppp authentication pap isputil
ppp authorization isputil
ppp accounting isputil
group-range 33 62
!
interface Group-Async2
ip unnumbered FastEthernet0/0
ip access-group 173 in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
ip policy route-map cache
load-interval 30
async default routing
async mode dedicated
peer default ip address pool Dial-up
ppp authentication pap isputil
ppp authorization isputil
ppp accounting isputil
group-range 63 64
!
ip local pool Dial-up 10.0.0.101 10.0.0.133
ip nat pool TCB 217.219.1.1 217.219.1.1 netmask 255.255.255.224
ip nat inside source list 102 pool TCB overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
ip http authentication local
!
logging 10.0.0.169
access-list 100 permit ip any any
access-list 102 remark <NAT>
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 102 remark <NAT>
access-list 105 deny ip host 217.219.1.2 any (ip cache sever)
access-list 105 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 105 permit tcp 217.219.1.0 0.0.0.31 any eq www
access-list 128 permit tcp any any eq www
access-list 172 deny udp any any eq 1434
access-list 172 deny udp any any eq 1433
access-list 172 deny tcp any any eq 1434
access-list 172 deny tcp any any eq 1433
access-list 172 deny udp any eq 1434 any
access-list 172 deny udp any eq 1433 any
access-list 172 deny tcp any eq 1434 any
access-list 172 deny tcp any eq 1433 any
access-list 172 remark DENY BLASTER
access-list 172 deny udp any any eq tftp
access-list 172 deny tcp any any eq 135
access-list 172 deny udp any any eq 135
access-list 172 deny tcp any any eq 139
access-list 172 deny tcp any eq 139 any
access-list 172 deny udp any any eq netbios-ss
access-list 172 deny tcp any any eq 445
access-list 172 deny udp any any eq 445
access-list 172 deny tcp any any eq 593
access-list 172 deny tcp any any eq 4444
access-list 172 remark /DENY BLASTER
access-list 172 deny udp any any eq ntp
access-list 172 deny udp any any eq 995
access-list 172 deny udp any any eq 996
access-list 172 deny udp any any eq 997
access-list 172 deny udp any any eq 998
access-list 172 deny udp any any eq 999
access-list 172 deny udp any any eq 8998
access-list 172 deny udp any eq 8998 any
access-list 172 remark DENY ICMP
access-list 172 permit icmp any any
access-list 172 remark /DENY ICMP
access-list 172 remark /MAIL AND DOMAIN WEB SNMP
access-list 172 permit ip 217.219.1.0 0.0.0.31 any
access-list 172 permit ip 10.0.0.0 0.0.0.255 any
access-list 172 deny ip any any
access-list 173 remark FIREWALL-ASYNC
access-list 173 remark DENY SQL SLAMMER
access-list 173 deny udp any any eq 1434
access-list 173 deny udp any any eq 1433
access-list 173 deny tcp any any eq 1434
access-list 173 deny tcp any any eq 1433
access-list 173 remark /DENY SQL SLAMMER
access-list 173 remark DENY BLASTER & Sasser
access-list 173 deny udp any any eq tftp
access-list 173 deny tcp any any eq 135
access-list 173 deny udp any any eq 135
access-list 173 deny tcp any any eq 139
access-list 173 deny udp any any eq netbios-ss
access-list 173 deny tcp any any eq 445
access-list 173 deny udp any any eq 445
access-list 173 deny tcp any any eq 5554
access-list 173 deny tcp any any eq 9996
access-list 173 deny tcp any any eq 593
access-list 173 deny tcp any any eq 4444
access-list 173 remark /DENY BLASTER & Sasser
access-list 173 remark DENY SOBIG
access-list 173 deny udp any any eq ntp
access-list 173 deny udp any any eq 995
access-list 173 deny udp any any eq 996
access-list 173 deny udp any any eq 997
access-list 173 deny udp any any eq 998
access-list 173 deny udp any any eq 999
access-list 173 deny udp any any eq 8998
access-list 173 remark /DENY SOBIG
access-list 173 permit ip 217.219.1.0 0.0.0.31 any
access-list 173 permit ip 10.0.0.0 0.0.0.255 any
access-list 173 deny ip any any
no cdp run
route-map cache permit 2
match ip address 105
set ip next-hop 10.0.0.3
!
snmp-server community llllllll RW 15
snmp-server community lllllll RO
radius-server host 10.0.0.4 auth-port 2222 acct-port 2223
radius-server retransmit 5
radius-server timeout 10
radius-server key 7 kkkkkkkk
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
line 33 52
login authentication dial-in
modem answer-timeout 10
modem InOut
modem autoconfigure type USR
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line 53 64
login authentication dial-in
modem answer-timeout 10
modem InOut
modem autoconfigure type default
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 102 in
password 7 12jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj4
line vty 5 15
access-class 102 in
!
end
2621:
Right now ISA is working in cache mode, but I want NAT to be handled by ISA as well and disabled on the router![/LEFT]
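Added example, not part of the thread or any poster's code: a Python sketch of the "sh run, then put no in front" step from the replies above, run over a constructed excerpt of the posted configuration. It also reports any access list that NAT shares with another feature (here list 102, which the vty lines use as an access-class), so that list is not deleted during cleanup. The function name `plan_nat_removal` and the excerpt are assumptions of this example.

```python
import re

# Constructed excerpt: the NAT-related lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
 ip policy route-map cache
!
interface Serial0/0
 ip access-group 172 out
 ip nat outside
!
ip nat pool TCB 217.219.1.1 217.219.1.1 netmask 255.255.255.224
ip nat inside source list 102 pool TCB overload
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
line vty 0 4
 access-class 102 in
"""

SECTION = re.compile(r"(interface|line|route-map) ")
ACL_USE = re.compile(r"(?:ip access-group|access-class|match ip address) (\S+)")

def plan_nat_removal(config):
    """Return (commands, shared): 'no' commands for NAT, and NAT ACLs used elsewhere."""
    rules, pools, iface_cmds, nat_acls, uses = [], [], [], set(), {}
    section = ""
    for raw in config.splitlines():
        line = raw.strip()          # works even if the paste lost its indentation
        if line in ("", "!"):
            section = ""            # '!' closes the current section
        elif SECTION.match(line):
            section = line
        elif re.fullmatch(r"ip nat (inside|outside)", line):
            if section.startswith("interface "):
                iface_cmds += [section, " no " + line]
        elif line.startswith("ip nat inside source "):
            rules.append("no " + line)
            nat_acls.update(re.findall(r"\blist (\S+)", line))
        elif line.startswith("ip nat pool "):
            pools.append("no " + line)
        elif (m := ACL_USE.match(line)):
            uses.setdefault(m.group(1), []).append(f"{section}: {line}")
    # Rules go first: IOS refuses to delete a pool that a rule still references.
    shared = {a: uses[a] for a in sorted(nat_acls) if a in uses}
    return rules + pools + iface_cmds, shared

if __name__ == "__main__":
    commands, shared = plan_nat_removal(SAMPLE_CONFIG)
    print("\n".join(commands + [f"! keep access-list {a}: {w}" for a, w in shared.items()]))
```

If IOS rejects the first command because translations are still active, clear them with `clear ip nat translation *` and enter it again.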
-
I don't think there is anything special you need to change other than the route:
ip route 0.0.0.0 0.0.0.0 ip_isa
You can even remove the ACLs and do that with ISA.
Good luck.
-