固定IP上網(wǎng)配置：

用戶使用電信的光纖線路接入Internet，用戶將電信提供的光纖接頭通過光纖轉(zhuǎn)換器與路由器的WAN口連接。用戶在WAN口上使用電信分配的廣域網(wǎng)地址218.5.19.2，在LAN口上使用內(nèi)部網(wǎng)地址192.168.0.1，該地址即內(nèi)部網(wǎng)關(guān)地址。用戶在LAN和WAN口上配置了NAT以使內(nèi)部網(wǎng)用戶可以共享光纖線路來訪問Internet。

固定 IP地址接入典型配置示例

在這種情況下，就可以在NBR上如下配置即可：

Red-Giant>enable

!啟動快速配置功能

Red-Giant#setup

------------ 交互式系統(tǒng)配置 ----------------

輸入ctrl-c中止配置流程；默認(rèn)配置參數(shù)在'[]'中。

!選擇是否進(jìn)入快速配置流程

確定進(jìn)入交互式系統(tǒng)配置? [yes]: yes

配置全局參數(shù):

請輸入路由器名稱（只能用字母數(shù)字組合） [Red-Giant]: NBR

!配置進(jìn)入特權(quán)用戶層的口令

請輸入特權(quán)用戶密碼: private

!配置允許遠(yuǎn)程Telnet登陸的用戶密碼

請輸入telnet遠(yuǎn)程登陸密碼: remoteuser

!啟動防止沖擊波病毒的功能

啟動防止沖擊波病毒功能會降低性能，如果確認(rèn)沒有病毒，請不要啟動!

是否啟動此功能? [no]: yes

!選擇廣域網(wǎng)接入方式。這個(gè)示例中由于是通過電信的光纖接入，廣域網(wǎng)使用的是電信分配的固定IP地址，故這里選擇模式1

請選擇上網(wǎng)模式:

1. 固定IP地址

2. PPPOE連接

3. DHCP分配IP

請輸入數(shù)字1---3: 1

!這里為廣域網(wǎng)接口FastEthernet 0設(shè)置電信分配的固定IP地址以及掩碼。

配置廣域網(wǎng)口FastEthernet0:

請輸入IP地址: 218.5.19.2

請輸入地址掩碼 [255.255.255.0]:

!禁止廣域網(wǎng)上其他用戶ping廣域網(wǎng)口以防止來自廣域網(wǎng)上的Ping攻擊。

是否允許ping廣域網(wǎng)接口? [yes]: no

!配置本地局域網(wǎng)口FastEthernet 1的地址和掩碼，這也是內(nèi)部網(wǎng)關(guān)的地址

配置局域網(wǎng)口FastEthernet1:

請輸入IP地址: 192.168.0.1

請輸入地址掩碼 [255.255.255.0]:

!配置廣域網(wǎng)路由信息,這里設(shè)置的是廣域網(wǎng)下一跳路由。

配置廣域網(wǎng)缺省網(wǎng)關(guān)（下一跳IP地址）:

請輸入缺省網(wǎng)關(guān)IP地址:218.5.19.1

!內(nèi)部網(wǎng)絡(luò)的網(wǎng)絡(luò)主機(jī)使用的是固定IP地址，因此無需為內(nèi)部主機(jī)開啟DHCP Server功能。

是否對內(nèi)部局域網(wǎng)啟用DHCP SERVER功能? [no]:

!至此，快速配置生成的配置教本預(yù)覽

配置完畢，生成的配置腳本文件如下:

hostname NBR

ip routing

enable secret 5 $1$I3u0$.RIU6kH0S.fil.ivOe9td1

line vty 0 4

password remoteuser

!

!

interface FastEthernet0

no shutdown

ip address 218.5.19.2 255.255.255.0

ip access-group 100 in

ip nat outside

no ip unreachables

!

!

interface FastEthernet1

no shutdown

ip address 192.168.0.1 255.255.255.0

ip access-group 100 in

ip nat inside

!

access-list 100 deny icmp any any echo

access-list 100 deny icmp any any echo-reply

ip route 0.0.0.0 0.0.0.0 218.5.19.1

!

ip nat inside source list 1 interface FastEthernet 0 overload

ip nat optimize

!

access-list 1 permit any

access-list 100 deny tcp any any eq 135

access-list 100 deny tcp any any eq 136

access-list 100 deny tcp any any eq 137

access-list 100 deny tcp any any eq 138

access-list 100 deny tcp any any eq 139

access-list 100 deny tcp any any eq 445

access-list 100 deny udp any any eq 135

access-list 100 deny udp any any eq 136

access-list 100 deny udp any any eq netbios-ns

access-list 100 deny udp any any eq netbios-dgm

access-list 100 deny udp any any eq 139

access-list 100 deny udp any any eq 445

access-list 100 deny tcp any any eq 4444

access-list 100 deny udp any any eq tftp

access-list 100 deny icmp any any echo

access-list 100 deny icmp any any echo-reply

access-list 100 permit ip any any

!

end

!確定保存當(dāng)前配置

是否應(yīng)用此配置? [yes/no]: yes

Building configuration...

[OK]

在enabled 模式下使用'configure'命令可修改這些配置。

NBR#

%UPDOWN: Line protocol on Interface FastEthernet0, changed state to up

%UPDOWN: Line protocol on Interface FastEthernet1, changed state to up

%CHANGED: Interface Dialer0, changed state to administratively down

%UPDOWN: Interface FastEthernet0, changed state to up

%UPDOWN: Interface FastEthernet1, changed state to up

!再次檢查配置.

NBR#show running-config

Building configuration...

Current configuration:

!

!

hostname "NBR"

!

enable secret 5 $1$I3u0$.RIU6kH0S.fil.ivOe9td1

!

!

!

ip subnet-zero

!

interface FastEthernet0

ip address 218.5.19.2 255.255.255.0

ip access-group 100 in

no ip unreachables

ip nat outside

!

interface FastEthernet1

ip address 192.168.0.1 255.255.255.0

ip access-group 100 in

ip nat inside

!

ip nat inside source list 1 interface FastEthernet0 overload

ip nat optimize

ip classless

ip route 0.0.0.0 0.0.0.0 218.5.19.1

access-list 1 permit any

access-list 100 deny icmp any any echo

access-list 100 deny icmp any any echo-reply

access-list 100 deny tcp any any eq 135

access-list 100 deny tcp any any eq 136

access-list 100 deny tcp any any eq 137

access-list 100 deny tcp any any eq 138

access-list 100 deny tcp any any eq 139

access-list 100 deny tcp any any eq 445

access-list 100 deny udp any any eq 135

access-list 100 deny udp any any eq 136

access-list 100 deny udp any any eq netbios-ns

access-list 100 deny udp any any eq netbios-dgm

access-list 100 deny udp any any eq 139

access-list 100 deny udp any any eq 445

access-list 100 deny tcp any any eq 4444

access-list 100 deny udp any any eq tftp

access-list 100 permit ip any any

!

line con 0

line vty 0 4

password remoteuser

login

!