大型网络实施经典案例拓扑图及详细配置

1

中型企业网络构建案例 配置文档 设置VTP

Sw_6509_1#conf t

Sw_6509_1(config)#vtp domain cisco Sw_6509_1(config)#vtp mode server Sw_6509_2#conf t

Sw_6509_2(config)#vtp domain cisco Sw_6509_2(config)#vtp mode client Sw_2950_fi1_1#conf t

Sw_2950_fi1_1(config)#vtp domain cisco Sw_2950_fi1_1(config)#vtp mode client Sw_2950_fi3_1#conf t

Sw_2950_fi3_1(config)#vtp domain cisco Sw_2950_fi3_1(config)#vtp mode client Sw_2950_fi5_1#conf t

Sw_2950_fi5_1(config)#vtp domain cisco Sw_2950_fi5_1(config)#vtp mode client Sw_2950_fi7_1#conf t

Sw_2950_fi7_1(config)#vtp domain cisco Sw_2950_fi7_1(config)#vtp mode client 配置中继

Sw_6509_1(config)#int g3/1 Sw_6509_1(config-if)#switchport

2

Sw_6509_1(config-if)#switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_1(config)#int g3/2 Sw_6509_1(config-if)#switchport

Sw_6509_1(config-if)#switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_1(config)#int g3/3 Sw_6509_1(config-if)#switchport

Sw_6509_1(config-if)#switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_1(config)#int g3/4 Sw_6509_1(config-if)#switchport

Sw_6509_1(config-if)#switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_1(config)#int g3/5 Sw_6509_1(config-if)#switchport

Sw_6509_1(config-if)#switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config)#int g3/1 Sw_6509_2(config-if)#switchport

Sw_6509_2(config-if)#switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config)#int g3/2 Sw_6509_2(config-if)#switchport

Sw_6509_2(config-if)#switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config)#int g3/3 Sw_6509_2(config-if)#switchport

Sw_6509_2(config-if)#switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config)#int g3/4 Sw_6509_2(config-if)#switchport

Sw_6509_2(config-if)#switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config)#int g3/5 Sw_6509_2(config-if)#switchport

Sw_6509_2(config-if)#switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q 在楼层交换机上配置

Sw_2950_fl1_1(config)#int g0/1

Sw_2950_fl1_1(config-if)#switchport mode trunk

Sw_2950_fl1_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl1_1(config)#int g0/2

Sw_2950_fl1_1(config-if)#switchport mode trunk

Sw_2950_fl1_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl3_1(config)#int g0/1

Sw_2950_fl3_1(config-if)#switchport mode trunk

Sw_2950_fl3_1(config-if)#switchport trunk encapsulation dot1q

3

Sw_2950_fl3_1(config)#int g0/2

Sw_2950_fl3_1(config-if)#switchport mode trunk

Sw_2950_fl3_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl5_1(config)#int g0/1

Sw_2950_fl5_1(config-if)#switchport mode trunk

Sw_2950_fl5_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl5_1(config)#int g0/2

Sw_2950_fl5_1(config-if)#switchport mode trunk

Sw_2950_fl5_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl7_1(config)#int g0/1

Sw_2950_fl7_1(config-if)#switchport mode trunk

Sw_2950_fl7_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl7_1(config)#int g0/2

Sw_2950_fl7_1(config-if)#switchport mode trunk

Sw_2950_fl7_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl9_1(config)#int g0/1

Sw_2950_fl9_1(config-if)#switchport mode trunk

Sw_2950_fl9_1(config-if)#switchport trunk encapsulation dot1q Sw_2950_fl9_1(config)#int g0/2

Sw_2950_fl9_1(config-if)#switchport mode trunk

Sw_2950_fl9_1(config-if)#switchport trunk encapsulation dot1q 配置以太通道

Sw_6509_1(config)#int g3/15 Sw_6509_1(config-if)# switchport

Sw_6509_1(config-if)# switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_1(config-if)#channel-group 1 mode desirable Sw_6509_1(config)#int g3/16 Sw_6509_1(config-if)# switchport

Sw_6509_1(config-if)# switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_1(config-if)#channel-group 1 mode desirable Sw_6509_1(config-if)#int port-channel 1 Sw_6509_1(config-if)# switchport

Sw_6509_1(config-if)# switchport mode trunk

Sw_6509_1(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config)#int g3/15 Sw_6509_2(config-if)# switchport

Sw_6509_2(config-if)# switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config-if)#channel-group 1 mode desirable Sw_6509_2(config)#int g3/16 Sw_6509_2(config-if)# switchport

Sw_6509_2(config-if)# switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q Sw_6509_2(config-if)#channel-group 1 mode desirable Sw_6509_2(config-if)#int port-channel 1 Sw_6509_2(config-if)# switchport

4

Sw_6509_2(config-if)# switchport mode trunk

Sw_6509_2(config-if)#switchport trunk encapsulation dot1q 创建VLAN

Sw_6509_1#vlan database

Sw_6509_1(vlan)#vlan 2 name manage Sw_6509_1(vlan)#vlan 11 name finance Sw_6509_1(vlan)#vlan 12 name techniqy Sw_6509_1(vlan)#vlan 13 name sales Sw_6509_1(vlan)#vlan 14 name server Sw_6509_1(vlan)#vlan 15 name edge 设置生成树

Sw_6509_1(config)#spanning-tree vlan 2 root primary Sw_6509_1(config)#spanning-tree vlan 11 root primary Sw_6509_1(config)#spanning-tree vlan 12 root primary Sw_6509_1(config)#spanning-tree vlan 13 root secondary Sw_6509_1(config)#spanning-tree vlan 14 root secondary Sw_6509_1(config)#spanning-tree vlan 15 root secondary Sw_6509_1(config)#spanning-tree vlan 2 root secondary Sw_6509_1(config)#spanning-tree vlan 11 root secondary Sw_6509_1(config)#spanning-tree vlan 12 root secondary Sw_6509_1(config)#spanning-tree vlan 13 root primary Sw_6509_1(config)#spanning-tree vlan 14 root primary Sw_6509_1(config)#spanning-tree vlan 15 root primary Sw_2950_fl1_1(conf ig)#int fa0/1

Sw_2950_fl1_1(conf ig)#switchport mode access Sw_2950_fl1_1(conf ig)#switchport access vlan 11 Sw_2950_fl1_1(conf ig)#int fa0/2

Sw_2950_fl1_1(conf ig)#switchport mode access Sw_2950_fl1_1(conf ig)#switchport access vlan 12 Sw_2950_fl1_1(conf ig)#int fa0/3

Sw_2950_fl1_1(conf ig)#switchport mode access Sw_2950_fl1_1(conf ig)#switchport access vlan 13 Sw_2950_fl3_1(conf ig)#int fa0/1

Sw_2950_fl3_1(conf ig)#switchport mode access Sw_2950_fl3_1(conf ig)#switchport access vlan 11 Sw_2950_fl3_1(conf ig)#int fa0/2

Sw_2950_fl3_1(conf ig)#switchport mode access Sw_2950_fl3_1(conf ig)#switchport access vlan 12 Sw_2950_fl3_1(conf ig)#int fa0/3

Sw_2950_fl3_1(conf ig)#switchport mode access Sw_2950_fl3_1(conf ig)#switchport access vlan 13 Sw_2950_fl5_1(conf ig)#int fa0/1

Sw_2950_fl5_1(conf ig)#switchport mode access Sw_2950_fl5_1(conf ig)#switchport access vlan 11 Sw_2950_fl5_1(conf ig)#int fa0/2

Sw_2950_fl5_1(conf ig)#switchport mode access Sw_2950_fl5_1(conf ig)#switchport access vlan 12 Sw_2950_fl5_1(conf ig)#int fa0/3

5

Sw_2950_fl5_1(conf ig)#switchport mode access Sw_2950_fl5_1(conf ig)#switchport access vlan 13 Sw_2950_fl7_1(conf ig)#int fa0/1

Sw_2950_fl7_1(conf ig)#switchport mode access Sw_2950_fl7_1(conf ig)#switchport access vlan 11 Sw_2950_fl7_1(conf ig)#int fa0/2

Sw_2950_fl7_1(conf ig)#switchport mode access Sw_2950_fl7_1(conf ig)#switchport access vlan 12 Sw_2950_fl7_1(conf ig)#int fa0/3

Sw_2950_fl7_1(conf ig)#switchport mode access Sw_2950_fl7_1(conf ig)#switchport access vlan 13 Sw_2950_fl9_1(conf ig)#int fa0/1

Sw_2950_fl9_1(conf ig)#switchport mode access Sw_2950_fl9_1(conf ig)#switchport access vlan 11 Sw_2950_fl9_1(conf ig)#int fa0/2

Sw_2950_fl9_1(conf ig)#switchport mode access Sw_2950_fl9_1(conf ig)#switchport access vlan 12 Sw_2950_fl9_1(conf ig)#int fa0/3

Sw_2950_fl9_1(conf ig)#switchport mode access Sw_2950_fl9_1(conf ig)#switchport access vlan 13 配置三层交换

Sw_6509_1(config)#int vlan 2

Sw_6509_1(config-if)#ip add 192.168.2.252 255.255.255.0 Sw_6509_1(config)#int vlan 11

Sw_6509_1(config-if)#ip add 192.168.11.252 255.255.255.0 Sw_6509_1(config)#int vlan 12

Sw_6509_1(config-if)#ip add 192.168.12.252 255.255.255.0 Sw_6509_1(config)#int vlan 13

Sw_6509_1(config-if)#ip add 192.168.13.252 255.255.255.0 Sw_6509_1(config)#int vlan 14

Sw_6509_1(config-if)#ip add 192.168.14.252 255.255.255.0 Sw_6509_1(config)#int vlan 15

Sw_6509_1(config-if)#ip add 192.168.15.252 255.255.255.0 Sw_6509_2(config)#int vlan 2

Sw_6509_2(config-if)#ip add 192.168.2.253 255.255.255.0 Sw_6509_2(config)#int vlan 11

Sw_6509_2(config-if)#ip add 192.168.11.253 255.255.255.0 Sw_6509_2(config)#int vlan 12

Sw_6509_2(config-if)#ip add 192.168.12.253 255.255.255.0 Sw_6509_2(config)#int vlan 13

Sw_6509_2(config-if)#ip add 192.168.13.253 255.255.255.0 Sw_6509_2(config)#int vlan 14

Sw_6509_2(config-if)#ip add 192.168.14.253 255.255.255.0 Sw_6509_2(config)#int vlan 15

Sw_6509_2(config-if)#ip add 192.168.15.253 255.255.255.0 配置HSRP

Sw_6509_1#int vlan 2

Sw_6509_1(config-if)#standby 1 ip 192.168.2.251

6

Sw_6509_1(config-if)#standby 1 priority 150 Sw_6509_1#int vlan 11

Sw_6509_1(config-if)#standby 2 ip 192.168.11.251 Sw_6509_1(config-if)#standby 2 priority 150 Sw_6509_1#int vlan 12

Sw_6509_1(config-if)#standby 3 ip 192.168.12.251 Sw_6509_1(config-if)#standby 3 priority 150 Sw_6509_1#int vlan 13

Sw_6509_1(config-if)#standby 4 ip 192.168.13.251 Sw_6509_1(config-if)#standby 4 priority 150 Sw_6509_1#int vlan 14

Sw_6509_1(config-if)#standby 5 ip 192.168.14.251 Sw_6509_1(config-if)#standby 5 priority 150 Sw_6509_1#int vlan 15

Sw_6509_1(config-if)#standby 6 ip 192.168.15.251 Sw_6509_1(config-if)#standby 6 priority 150 Sw_6509_2#int vlan 2

Sw_6509_2(config-if)#standby 1 ip 192.168.2.251 Sw_6509_2#int vlan 11

Sw_6509_2(config-if)#standby 2 ip 192.168.11.251 Sw_6509_2#int vlan 12

Sw_6509_2(config-if)#standby 3 ip 192.168.12.251 Sw_6509_2#int vlan 13

Sw_6509_2(config-if)#standby 4 ip 192.168.13.251 Sw_6509_2#int vlan 14

Sw_6509_2(config-if)#standby 5 ip 192.168.14.251 Sw_6509_2#int vlan 15

Sw_6509_2(config-if)#standby 6 ip 192.168.15.251 配置路由

Sw_6509_1(config)#ip route 192.168.20.0 255.255.255.0 192.168.15.4 Sw_6509_1(config)#ip route 192.168.30.0 255.255.255.0 192.168.15.4 Sw_6509_1(config)#ip route 0.0.0.0 0.0.0.0 192.168.15.1

Sw_6509_2(config)#ip route 192.168.20.0 255.255.255.0 192.168.15.4 Sw_6509_2(config)#ip route 192.168.30.0 255.255.255.0 192.168.15.4 Sw_6509_2(config)#ip route 0.0.0.0 0.0.0.0 192.168.15.1 RT_WAN配置（广域网路由器） RT_WAN(config)#int fa0/0

RT_WAN(config-if)#ip add 192.168.15.2 255.255.255.0 RT_WAN(config-if)#standby 1 ip 192.168.15.4 RT_WAN(config-if)#standby 1 priority 150 RT_WAN(config)#controller E1 1/0 RT_WAN(config-if)#no sh

RT_WAN(config-if)#framing no-crc4

配置CE1/PRI接口的帧校验格式，不进行帧校验为crc4 RT_WAN(config-if)#channel-group 0 timeslot 1-4 RT_WAN(config-if)#channel-group 1 timeslot 5-8

进行时隙的划分，将1～4时隙捆绑为0组，5～8时隙捆绑为1组,0组和1组分别对应下面的虚拟串口s 1/0:0和s 1/0:1

7

RT_WAN(config-if)#int s 1/0:0 RT_WAN(config-if)#no sh

RT_WAN(config-if)#encapsulation ppp

RT_WAN(config-if)#ip add 192.168.1.1 255.255.255.252 RT_WAN(config-if)#int s 1/0:1 RT_WAN(config-if)#no sh

RT_WAN(config-if)#encapsulation ppp

RT_WAN(config-if)#ip add 192.168.1.5 255.255.255.252 RT_WAN(config)#ip route 192.168.20.0 255.255.255.0 s 1/0:0 RT_WAN(config)#ip route 192.168.30.0 255.255.255.0 s 1/0:1 RT_WAN(config)#ip route 192.168.2.0 255.255.255.0 192.168.15.251 RT_WAN(config)#ip route 192.168.11.0 255.255.255.0 192.168.15.251 RT_WAN(config)#ip route 192.168.12.0 255.255.255.0 192.168.15.251 RT_WAN(config)#ip route 192.168.13.0 255.255.255.0 192.168.15.251 RT_WAN(config)#ip route 192.168.14.0 255.255.255.0 192.168.15.251 RT_WAN(config)#snmp-server community public RO RT_WAN(config)#no snmp-server location RT_WAN(config)#no snmp-server contact 配置RT_REMOTE（远程访问服务器）

RT_REMOTE(config)#username RT_FZ1 passowrd cisco RT_REMOTE(config)#username RT_FZ2 passowrd cisco RT_REMOTE(config)#int fa0/0

RT_REMOTE(config-if)#ip add 192.168.15.3 255.255.255.0 RT_REMOTE(config-if)#standby 1 ip 192.168.15.4 RT_REMOTE(config-if)#controller E1 1/0 RT_REMOTE(config-if)#framing no-crc4 RT_REMOTE(config-if)#linecode hdb3 指定ISDN PRI 的线路编码格式为hdb3

RT_REMOTE(config-if)#pri-group timeslots 1-31

把PRI接口划分为31个信道，其中第16个信道（对应逻辑接口为s 0/0:15）是管理信道. RT_REMOTE(config-if)#int s 0/0:15 RT_REMOTE(config-if)#no sh

RT_REMOTE(config-if)#ip unnumbered fa0/0 RT_REMOTE(config-if)#encapsulation ppp RT_REMOTE(config-if)#dialer-group 1

指定本接口属于拔组1,注意组号与下面定义的dialer-list 1对应 RT_REMOTE(config-if)#isdn switch-type primary-net5 RT_REMOTE(config-if)#isdn incoming-voice modem 将模拟modem呼叫转接到内部数字modem来处理

RT_REMOTE(config-if)#peer default ip address pool isdnpool 为拔入的ISDN呼叫从地址池isdnpool中分配IP地址 RT_REMOTE(config-if)#ppp authentication pap RT_REMOTE(config-if)#int group-async1 RT_REMOTE(config-if)#ip unnumbered fa0/0 RT_REMOTE(config-if)#encapsulation ppp 建立一个异步拔号组，用于接收模拟modem呼叫 RT_REMOTE(config-if)#async mode interactive

指定异步串口建立链路的方式dedicate 直接模式、interactive 交互模式

8

RT_REMOTE(config-if)#peer default ip address pool pstnpool 为拔入的模拟呼叫从地址池pstnpool中分配ip地址

RT_REMOTE(config-if)#ppp quthentication pap if-needed RT_REMOTE(config-if)#group-range 33 62 指定此模拟拔号组对应的端口

RT_REMOTE(config)#no dialer-list 1

RT_REMOTE(config)#dialer-list protocol ip permit

为拔号组1指定激活拔号的条件，这里所有的IP访问都可以激活拔号

RT_REM(config)#ip local pool isdnpool 192.168.15.201 192.168.15.220 RT_REM(config)#ip local pool pstnpool 192.168.15.221 192.168.15.240 RT_REMOT(config)#ip route 192.168.2.0 255.255.255.0 192.168.15.251 RT_REMO(config)#ip route 192.168.11.0 255.255.255.0 192.168.15.251 RT_REMO(config)#ip route 192.168.12.0 255.255.255.0 192.168.15.251 RT_REMO(config)#ip route 192.168.13.0 255.255.255.0 192.168.15.251 RT_REMO(config)#ip route 192.168.14.0 255.255.255.0 192.168.15.251 RT_REMOTE(config)#snmp-server community public RO RT_REMOTE(config)#no snmp-server location RT_REMOTE(config)#no snmp-server contact RT_REMOTE(config)#line 33 62 进入modem 口线路模式

RT_REMOTE(config-line)#autoselect during-login 配置为自动登录

RT_REMOTE(config-line)#autoselect ppp 配置为自动选择ppp协议

RT_REMOTE(config-line)#login local 配置为使用本地数据库进行认证

RT_REMOTE(config-line)#modem inout 配置端口为允许拔入和拔出

RT_REMOTE(config-line)#modem autoconfigure discovery 自动识别modem

RT_REMOTE(config-line)#qutocommand ppp default 连通后自动执行ppp命令 配置RT_FZ1（分支机构1）

RT_FZ1(config)#username RT_REMOTE password cisco

RT_FZ1(config)#chat-script dialout “”“AT”TIMEOUT 30 OK“ATDT\\T”TIMEOUT 30 CONNECT\\c 定义拔号脚本“dialout” RT_FZ1(config)#int fa0/0

RT_FZ1(config-if)#ip add 192.168.20.254 255.255.255.0 RT_FZ1(config-if)#int s0/0

RT_FZ1(config-if)#encapsulation ppp

RT_FZ1(config-if)#ip add 192.168.1.2 255.255.255.252 RT_FZ1(config-if)#int async 1 进入异步接口

RT_FZ1(config-if)#ip address negotiated 自动协商IP地址

RT_FZ1(config-if)#encpsulation ppp RT_FZ1(config-if)#async mode interactive RT_FZ1(config-if)#dialer in-band

9

设定接口为按需拔号（DDR）

RT_FZ1(config-if)#dialer string 68001000 RT_FZ1(config-if)#ppp authentication pap

RT_FZ1(config-if)#ppp pap sent-username TR_FZ1 password cisco RT_FZ1(config-if)#no dialer-list 1

RT_FZ1(config-if)#dialer-list 1 protocol ip permit RT_FZ1(config)#ip route 0.0.0.0 0.0.0.0 s0/0 1 RT_FZ1(config)#ip route 0.0.0.0 0.0.0.0 async1 200 RT_FZ1(config)#line 1

RT_FZ1(config-line)#autoselect during-login RT_FZ1(config-line)#autoselect ppp RT_FZ1(config-line)#modem inout

RT_FZ1(config-line)#modem autoconfigure discovery RT_FZ1(config-line)#autocommand ppp RT_FZ1(config-line)#script dialer dialout 指定拔出所用的脚本dialout

RT_FZ1(config-line)#transport input all RT_FZ1(config-line)#flowcontrol hardware 配置RT_FZ2（分支机构2）

RT_FZ2(config)#username RT_REMOTE password cisco

RT_FZ2(config)#chat-script dialout “”“AT”TIMEOUT 30 OK“ATDT\\T”TIMEOUT 30 CONNECT\\c RT_FZ2(config)#int fa0/0

RT_FZ2(config-if)#ip add 192.168.30.254 255.255.255.0 RT_FZ2(config-if)#int s0/0

RT_FZ2(config-if)#encapsulation ppp

RT_FZ2(config-if)#ip add 192.168.1.6 255.255.255.252 RT_FZ2(config-if)#int async 1

RT_FZ2(config-if)#ip address negotiated RT_FZ2(config-if)#encpsulation ppp RT_FZ2(config-if)#async mode interactive RT_FZ2(config-if)#dialer in-band

RT_FZ2(config-if)#dialer string 68001000 RT_FZ2(config-if)#ppp authentication pap

RT_FZ2(config-if)#ppp pap sent-username TR_FZ1 password cisco RT_FZ2(config-if)#no dialer-list 1

RT_FZ2(config-if)#dialer-list 1 protocol ip permit RT_FZ2(config)#ip route 0.0.0.0 0.0.0.0 s0/0 1 RT_FZ2(config)#ip route 0.0.0.0 0.0.0.0 async1 200 RT_FZ2(config)#line 1

RT_FZ2(config-line)#autoselect during-login RT_FZ2(config-line)#autoselect ppp RT_FZ2(config-line)#modem inout

RT_FZ2(config-line)#modem autoconfigure discovery RT_FZ2(config-line)#autocommand ppp RT_FZ2(config-line)#script dialer dialout RT_FZ1(config-line)#transport input all RT_FZ1(config-line)#flowcontrol hardware 配置防火墙PIX_515（安全设备）

10

Pix_515(config)#nameif ethernet0 outside security 0 Pix_515(config)#nameif ethernet1 inside security 100 Pix_515(config)#nameif ethernet2 dmz security 50 Pix_515(config)#interface ethernet0 auot Pix_515(config)#interface ethernet1 auot Pix_515(config)#interface ethernet2 auot 启用内外接口和dmz接口

Pix_515(config)#ip address outside 202.106.11.225 255.255.255.240 Pix_515(config)#ip address inside 192.168.15.1 255.255.255.0 Pix_515(config)#ip address dmz 192.168.16.5 255.255.255.0 设置内外接口地址

Pix_515(config)#global (outside) 1 202.106.11.229-202.106.11.233 设置全局复用地址

Pix_515(config)#global (outside) 1 202.106.11.234 单个PAT地址

Pix_515(config)#static (dmz,outside) 202.106.11.235 192.168.16.1 netmask 255.255.255.255 Pix_515(config)#static (dmz,outside) 202.106.11.236 192.168.16.2 netmask 255.255.255.255 Pix_515(config)#static (dmz,outside) 202.106.11.237 192.168.16.3 netmask 255.255.255.255 将服务器映射到外网

Pix_515(config)#static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.14.0 192.168.14.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.15.0 192.168.15.0 netmask 255.255.255.0 内网访问服务器时不做地址转换

Pix_515(config)#nat (inside) 1 0 0 所有内网地址访问外网进行地址转换

Pix_515(config)#access-list allowin permit tcp any host 202.106.11.235 eq http Pix_515(config)#access-list allowin permit tcp any host 202.106.11.236 eq smtp Pix_515(config)#access-list allowin permit tcp any host 202.106.11.237 eq domain Pix_515(config)#access-list allowin permit udp any host 202.106.11.237 eq domain 允许外部任何地址对dmz区的服务器进行相应的访问

Pix_515(config)#access-list allowin in interface outside 将访问控制列表应用到防火墙的外口上

Pix_515(config)#route outside 0.0.0.0 0.0.0.0 202.106.11.226

Pix_515(config)#route inside 192.168.0.0 255.255.0.0 192.168.15.251 配置RT_INTERNET（设置接入internet 路由器） RT_INTERNET(config)#int fa0/0

RT_INTERNET(config-if)#ip address 202.106.11.226 255.255.255.240 RT_INTERNET(config)#int s0/0

RT_INTERNET(config-if)#ip address 192.168.1.1 255.255.255.252 RT_INTERNET(config-if)#encapsulation ppp

RT_INTERNET(config)#ip route 0.0.0.0 0.0.0.0 s0/0 RT_INTERNET(config)#snmp-server community prublic RO RT_INTERNET(config)#no snmp-server location RT_INTERNET(config)#no snmp-server contact

11

Pix_515(config)#nameif ethernet0 outside security 0 Pix_515(config)#nameif ethernet1 inside security 100 Pix_515(config)#nameif ethernet2 dmz security 50 Pix_515(config)#interface ethernet0 auot Pix_515(config)#interface ethernet1 auot Pix_515(config)#interface ethernet2 auot 启用内外接口和dmz接口

Pix_515(config)#ip address outside 202.106.11.225 255.255.255.240 Pix_515(config)#ip address inside 192.168.15.1 255.255.255.0 Pix_515(config)#ip address dmz 192.168.16.5 255.255.255.0 设置内外接口地址

Pix_515(config)#global (outside) 1 202.106.11.229-202.106.11.233 设置全局复用地址

Pix_515(config)#global (outside) 1 202.106.11.234 单个PAT地址

Pix_515(config)#static (dmz,outside) 202.106.11.235 192.168.16.1 netmask 255.255.255.255 Pix_515(config)#static (dmz,outside) 202.106.11.236 192.168.16.2 netmask 255.255.255.255 Pix_515(config)#static (dmz,outside) 202.106.11.237 192.168.16.3 netmask 255.255.255.255 将服务器映射到外网

Pix_515(config)#static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.14.0 192.168.14.0 netmask 255.255.255.0 Pix_515(config)#static (inside,dmz) 192.168.15.0 192.168.15.0 netmask 255.255.255.0 内网访问服务器时不做地址转换

Pix_515(config)#nat (inside) 1 0 0 所有内网地址访问外网进行地址转换

Pix_515(config)#access-list allowin permit tcp any host 202.106.11.235 eq http Pix_515(config)#access-list allowin permit tcp any host 202.106.11.236 eq smtp Pix_515(config)#access-list allowin permit tcp any host 202.106.11.237 eq domain Pix_515(config)#access-list allowin permit udp any host 202.106.11.237 eq domain 允许外部任何地址对dmz区的服务器进行相应的访问

Pix_515(config)#access-list allowin in interface outside 将访问控制列表应用到防火墙的外口上

Pix_515(config)#route outside 0.0.0.0 0.0.0.0 202.106.11.226

Pix_515(config)#route inside 192.168.0.0 255.255.0.0 192.168.15.251 配置RT_INTERNET（设置接入internet 路由器） RT_INTERNET(config)#int fa0/0

RT_INTERNET(config-if)#ip address 202.106.11.226 255.255.255.240 RT_INTERNET(config)#int s0/0

RT_INTERNET(config-if)#ip address 192.168.1.1 255.255.255.252 RT_INTERNET(config-if)#encapsulation ppp

RT_INTERNET(config)#ip route 0.0.0.0 0.0.0.0 s0/0 RT_INTERNET(config)#snmp-server community prublic RO RT_INTERNET(config)#no snmp-server location RT_INTERNET(config)#no snmp-server contact

11

本文来源：https://www.bwwdw.com/article/8uuo.html