
Dual-exit configuration case at a medical university

(2006-03-14 08:48:24)
Category: ~~~ ALL IN ONE ~~~

One Cisco 3700 router with two uplinks, one to the public network (China Telecom) and one to the education network; its inside interface connects to the firewall.

ip subnet-zero
!
!
!
ip cef
ip name-server 202.103.24.68 202.114.128.2
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
description lan-net
ip address 11.1.1.1 255.255.255.0 (interface facing the internal network)
ip nat inside
duplex auto
speed auto
no keepalive
!
interface FastEthernet0/1
description edu
ip address 202.114.X.X 255.255.255.192 (education-network address)
ip nat outside
duplex auto
speed auto
no keepalive
!
interface FastEthernet2/0
description pub
ip address 221.232.X.X 255.255.255.248 (China Telecom address)
ip nat outside
duplex auto
speed auto
no keepalive
!
interface FastEthernet2/1
no ip address
shutdown
duplex auto
speed auto
no keepalive
!
ip nat inside source route-map pub interface fa 2/0 overload
ip nat inside source route-map edu interface fa 0/1 overload
ip nat inside source static 11.1.1.3 221.232.155.3
ip nat inside source static 11.1.1.4 221.232.155.4
ip classless
ip route 0.0.0.0 0.0.0.0 221.232.155.1
ip route 130.14.0.0 255.255.0.0 202.114.130.1
ip route 166.111.0.0 255.255.0.0 202.114.130.1
ip route 202.112.0.0 255.240.0.0 202.114.130.1
ip route 202.200.0.0 255.248.0.0 202.114.130.1
ip route 216.143.0.0 255.255.0.0 202.114.130.1
!
access-list 101 deny   ip any 130.14.0.0 0.0.255.255
access-list 101 deny   ip any 166.111.0.0 0.0.255.255
access-list 101 deny   ip any 202.112.0.0 0.15.255.255
access-list 101 deny   ip any 202.200.0.0 0.7.255.255
access-list 101 deny   ip any 216.143.0.0 0.0.255.255
access-list 101 deny   ip any 202.114.130.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip any 202.114.130.0 0.0.0.255
access-list 102 permit ip any 216.143.0.0 0.0.255.255
access-list 102 permit ip any 202.200.0.0 0.7.255.255
access-list 102 permit ip any 202.112.0.0 0.15.255.255
access-list 102 permit ip any 166.111.0.0 0.0.255.255
access-list 102 permit ip any 130.14.0.0 0.0.255.255

route-map pub permit 10
 match ip address 101
!
route-map edu permit 10
 match ip address 102


line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end


I do not think these access lists are a good choice. If F0/1, the interface facing the education network, goes down, the static routes that point through it (next hop 202.114.130.1) drop out of the routing table and all traffic follows the remaining default route to the public exit F2/0. But access list 101, the one route-map pub uses, denies the education-network destinations, so that traffic is not translated on F2/0 (route-map edu would permit it, but its translation address comes from the interface that is now down). In other words, once F0/1 is down, those education-network prefixes can no longer be reached. My suggestion is to change both access lists to permit ip any any.

Likewise, if the public exit F2/0 goes down, the default route through it disappears and all traffic bound for the public network is dropped. If the two exits are meant to provide load sharing plus backup, a second default route should be added.

The modified commands are as follows:

        ip route 0.0.0.0 0.0.0.0 221.232.155.1
        ip route 130.14.0.0 255.255.0.0 202.114.130.1
        ip route 166.111.0.0 255.255.0.0 202.114.130.1
        ip route 202.112.0.0 255.240.0.0 202.114.130.1
        ip route 202.200.0.0 255.248.0.0 202.114.130.1
        ip route 216.143.0.0 255.255.0.0 202.114.130.1

        ip route 0.0.0.0 0.0.0.0 202.114.130.1 200

This floating static default (administrative distance 200) stays out of the routing table while the primary default via 221.232.155.1 is present and appears only when F2/0 goes down; all public-network traffic then leaves through F0/1, which completes the backup function.

        access-list 101 permit ip any any
        access-list 102 permit ip any any

(A standard access list can also be used directly here, since only the source addresses need to match once the per-destination split is dropped.)

One caveat: with both access lists permitting everything, both route-maps now match every packet, and nothing in them ties the chosen translation address to the interface the packet actually leaves on. Adding match interface FastEthernet2/0 to route-map pub and match interface FastEthernet0/1 to route-map edu makes the NAT choice follow the routing decision; the original post does not include this step. Separately from the failover question, the vty lines in the posted config carry the cleartext password cisco with login and no access-class, which should not survive into production either.
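To make the two failure modes and the fix concrete, here is an added example (my code, not the original post's and not IOS): a small Python model of the router's route lookup and route-map NAT selection. It is a simplified model, not an implementation of IOS; the interface names, the sample destinations 166.111.4.100 and 8.8.8.8, and the assumptions that NAT rules are checked in configuration order and that a rule whose interface is down cannot supply a translation address are mine. The model reproduces both failure cases of the original config, shows that the fix restores translation on the surviving exit, and shows why, in the model, permit-any ACLs without a match interface clause leave the translation address independent of the egress interface.

```python
"""Model of the dual-exit router's routing + route-map NAT decision.

Constructed for this example: a simplified model, not IOS code. Interface
names, sample destinations and the rule-evaluation order are assumptions.
"""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Network
    interface: str       # egress interface toward the next hop
    distance: int = 1    # administrative distance (the floating default uses 200)


@dataclass
class NatRule:
    name: str
    acl: list            # ordered (action, IPv4Network) entries; implicit deny at the end
    interface: str       # "interface ... overload": translate to this interface's address
    match_interface: bool = False  # route-map also carries "match interface <interface>"


def acl_permits(acl, dst):
    """First-match evaluation with the implicit deny at the end (as on IOS)."""
    for action, net in acl:
        if dst in net:
            return action == "permit"
    return False


def lookup(routes, dst, up):
    """Longest-prefix match over routes whose egress interface is up; among
    equal prefixes the lowest administrative distance wins. A static route
    pointing through a down interface drops out of the table."""
    candidates = [r for r in routes if r.interface in up and dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def select_nat(rules, dst, egress, up):
    """Walk the NAT rules in configuration order (model assumption); the first
    whose ACL permits the destination, and whose interface equals the egress
    when match_interface is set, wins. A rule whose interface is down cannot
    supply an address, so the packet leaves untranslated (None)."""
    for rule in rules:
        if rule.match_interface and rule.interface != egress:
            continue
        if acl_permits(rule.acl, dst):
            return rule.interface if rule.interface in up else None
    return None


def forward(routes, rules, dst_str, up):
    """Return (egress interface, interface supplying the NAT address) for a
    packet from an inside host; (None, None) means no route."""
    dst = ipaddress.IPv4Address(dst_str)
    route = lookup(routes, dst, up)
    if route is None:
        return (None, None)
    return (route.interface, select_nat(rules, dst, route.interface, up))


N = IPv4Network
EDU = [N("130.14.0.0/16"), N("166.111.0.0/16"), N("202.112.0.0/12"),
       N("202.200.0.0/13"), N("216.143.0.0/16")]
EDU_LINK = N("202.114.130.0/24")      # the ACLs also name the edu uplink subnet
PUB, EDU_IF = "FastEthernet2/0", "FastEthernet0/1"
ALL_UP = {PUB, EDU_IF}
STATIC_EDU_ROUTES = [Route(n, EDU_IF) for n in EDU]


def original_config():
    """Routes, ACLs and route-maps as in the posted config."""
    routes = [Route(N("0.0.0.0/0"), PUB)] + STATIC_EDU_ROUTES
    acl101 = [("deny", n) for n in EDU + [EDU_LINK]] + [("permit", N("0.0.0.0/0"))]
    acl102 = [("permit", n) for n in EDU + [EDU_LINK]]       # implicit deny any
    rules = [NatRule("pub", acl101, PUB), NatRule("edu", acl102, EDU_IF)]
    return routes, rules


def fixed_config(match_interface=True):
    """The post's fix: floating default via edu (distance 200) plus permit-any
    ACLs. match_interface=True adds the 'match interface' clause to each map."""
    routes = [Route(N("0.0.0.0/0"), PUB),
              Route(N("0.0.0.0/0"), EDU_IF, 200)] + STATIC_EDU_ROUTES
    any_acl = [("permit", N("0.0.0.0/0"))]
    rules = [NatRule("pub", any_acl, PUB, match_interface),
             NatRule("edu", any_acl, EDU_IF, match_interface)]
    return routes, rules


if __name__ == "__main__":
    for label, cfg in [("original", original_config()), ("fixed", fixed_config())]:
        for dst in ("166.111.4.100", "8.8.8.8"):
            for up in (ALL_UP, ALL_UP - {EDU_IF}, ALL_UP - {PUB}):
                print(label, dst, sorted(up), forward(*cfg, dst, up))
```

Running the file prints a matrix of destination x link state for both configs. With the original config, an education-network destination leaves F2/0 untranslated once F0/1 is down, and a public destination has no route at all once F2/0 is down; with the fix, both cases are translated on the surviving exit. With match_interface=False the model picks the first permit-any rule regardless of egress, which is the reason for the match interface caveat above.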
