Failover is not supported.

global (outside) 1 10.1.1.13-10.1.1.28
global (outside) 1 10.1.1.7-10.1.1.9
global (outside) 1 10.1.1.10
Defines the global addresses or address ranges that inside network addresses will be translated to.

nat (inside) 0 access-list 101
Addresses matching access list 101 are not translated and are visible to the outside network.

nat (inside) 1 192.168.0.0 255.255.0.0 0 0
Inside network addresses are translated to outside addresses.

nat (dmz) 1 192.168.0.0 255.255.0.0 0 0
DMZ network addresses are translated to outside addresses.

static (inside,outside) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.12 192.168.12.158 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.3 192.168.2.4 netmask 255.255.255.255 0 0
Sets one-to-one static translations between fixed hosts and fixed outside IP addresses.

static (dmz,outside) 10.1.1.2 192.168.19.2 netmask 255.255.255.255 0 0
Sets a one-to-one static translation between a fixed DMZ host and a fixed outside IP address.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
Sets a one-to-one static translation between fixed inside hosts and DMZ IP addresses.

static (dmz,outside) 10.1.1.29 192.168.19.3 netmask 255.255.255.255 0 0
Sets a one-to-one static translation between a fixed DMZ host and a fixed outside IP address.

access-group 120 in interface outside
access-group 120 in interface inside
access-group 120 in interface dmz
Applies the access list to the interfaces.

conduit permit tcp host 10.1.1.2 any
conduit permit tcp host 10.1.1.3 any
conduit permit tcp host 10.1.1.12 any
conduit permit tcp host 10.1.1.29 any
Sets up conduits: any address is allowed to access these global addresses over TCP.

conduit permit icmp 192.168.99.0 255.255.255.0 any
Sets up a conduit: any address is allowed to run PING tests against the addresses in 192.168.99.0 255.255.255.0.

rip outside passive version 2
rip inside passive version 2

route outside 0.0.0.0 0.0.0.0 10.1.1.1
Sets the default route toward the telecom carrier side.

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.1.1 1
Sets routes pointing back to the internal subnets.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
service resetoutside
crypto ipsec transform-set myset esp-des esp-md5-hmac
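
The host static translations and conduit statements listed above can be cross-referenced to see which real hosts each conduit opens to any source. The following Python script is an added example, not part of the original configuration document; the function name audit_exposure is hypothetical, and the script assumes that only static and conduit statements matter, so it does not evaluate access list 120.

```python
import re

# Static and conduit statements copied from the configuration above.
CONFIG = """\
static (inside,outside) 10.1.1.5 192.168.12.100 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.12 192.168.12.158 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.3 192.168.2.4 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.2 192.168.19.2 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.29 192.168.19.3 netmask 255.255.255.255 0 0
conduit permit tcp host 10.1.1.2 any
conduit permit tcp host 10.1.1.3 any
conduit permit tcp host 10.1.1.12 any
conduit permit tcp host 10.1.1.29 any
"""

# Host-level statics toward the outside interface: interface, global IP, real IP.
STATIC_RE = re.compile(
    r"^static \((\w+),outside\) (\S+) (\S+) netmask 255\.255\.255\.255\b")
# Conduits that permit a protocol to one global host from any source.
CONDUIT_RE = re.compile(r"^conduit permit (\w+) host (\S+) any\s*$")


def audit_exposure(config):
    """Return (exposed, unopened).

    exposed:  (global_ip, protocol, interface, real_ip) for each host static
              whose global address has a conduit open to any source.
    unopened: global addresses that have a host static but no such conduit.
    """
    statics = {}   # global IP -> (interface, real IP)
    conduits = []  # (protocol, global IP)
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(2)] = (m.group(1), m.group(3))
        elif m := CONDUIT_RE.match(line):
            conduits.append((m.group(1), m.group(2)))
    exposed = [(g, proto, *statics[g]) for proto, g in conduits if g in statics]
    unopened = sorted(set(statics) - {entry[0] for entry in exposed})
    return exposed, unopened


if __name__ == "__main__":
    exposed, unopened = audit_exposure(CONFIG)
    for global_ip, proto, iface, real_ip in exposed:
        print(f"{proto} any -> {global_ip} reaches {real_ip} on {iface}")
    print("static without conduit:", ", ".join(unopened))
```

None of these conduits names a port, so each one covers every TCP port on the translated host; restricting each conduit to the ports the host actually serves narrows that exposure.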