Router_config#show run
Building configuration...
Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
enable password 0 123456789 level 15   //defines the router login password
!
interface FastEthernet0/0     //WAN port; usually a fixed fibre link with a static IP
ip address 1.1.1.1 255.255.255.252 //WAN port IP address
no ip directed-broadcast
ip nat outside                     //this port's role in NAT translation (outside)
ip nat local-service icmp enable       //enable the router's ICMP service on the NAT side
ip nat local-service udp enable       //enable the router's UDP service on the NAT side
ip nat local-service tcp enable       //enable the router's TCP service on the NAT side
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0   //LAN port address (the LAN gateway)
no ip directed-broadcast
ip access-group firewall in             //apply the software firewall
ip nat inside                           //this port's role in NAT translation (inside)
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route default 1.1.1.2   //default route, pointing at the ISP gateway
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
ip access-list standard NAT             //define the access list
permit 192.168.1.0 255.255.255.0   //LAN range allowed to reach the Internet through NAT
!
ip access-list extended firewall     //define the software firewall
deny   tcp any any eq 135       //block ports commonly used by worm/virus attacks
deny   tcp any any eq 139       //same as above
deny   tcp any any eq 445
deny   tcp any any eq 3333
deny   tcp any any eq 593
deny   udp any any eq 135
deny   udp any any eq tftp
deny   udp any any eq 4444
deny   udp any any eq 137
deny   udp any any eq 138
permit ip any any                 //all other traffic is allowed through
!
ivr-cfg
!
ip nat translation max-links all 300     //strengthens the router's resistance to attacks and virus floods
ip nat inside source list NAT interface FastEthernet0/0   //perform NAT to the public address
Configuration notes:
1. enable password 0 123456789 level 15 only prompts for a password.
   To be prompted for both a username and a password, configure the following under config#:
   username bdcom password 0 bdcom //choose your own name and password
   aaa authentication login default local ena //AAA authentication
2. The ICMP, TCP and UDP services on the ip nat outside port are optional; if you do not want ICMP, TCP or UDP connections from outside to reach the router, simply leave those three commands out.
3. The software firewall is normally applied on the LAN port; it can also be applied on the WAN port if necessary. You can add further ports to the firewall list to block more worm traffic.
4. ip nat translation max-links all 300 improves the router's resilience to virus traffic; 200 or 300 is enough for a small or medium Internet cafe, and larger cafes can consider raising it to about 500.
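As an added illustration that is not part of the original post, the following Python evaluates the firewall list above with first-match semantics, the way the router does for packets arriving on the LAN port where the list is applied inbound. It assumes the BDCOM ACL syntax shown on the page and maps the tftp keyword to port 69; evaluate() shows which LAN-originated flows the list actually stops (for example TCP/445 is denied, while UDP/445 falls through to permit ip any any).

```python
import ipaddress

# Extended ACL "firewall" from the configuration above (constructed sample input);
# the page applies it inbound on the LAN port with "ip access-group firewall in".
FIREWALL_ACL = """
deny   tcp any any eq 135
deny   tcp any any eq 139
deny   tcp any any eq 445
deny   tcp any any eq 3333
deny   tcp any any eq 593
deny   udp any any eq 135
deny   udp any any eq tftp
deny   udp any any eq 4444
deny   udp any any eq 137
deny   udp any any eq 138
permit ip any any
"""

PORT_NAMES = {"tftp": 69}  # service keywords the ACL uses instead of numbers

def parse_acl(text):
    """Parse ACL lines into (action, proto, src, dst, dport) tuples, keeping order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action, proto, src, dst = parts[:4]
        dport = None
        if len(parts) >= 6 and parts[4] == "eq":
            dport = PORT_NAMES.get(parts[5]) or int(parts[5])
        rules.append((action, proto, src, dst, dport))
    return rules

def _addr_match(spec, ip):
    # "any" matches everything; otherwise spec is a host address or CIDR network
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, proto, src, dst, dport=None):
    """The first matching rule decides; an ACL ends with an implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

RULES = parse_acl(FIREWALL_ACL)
```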
Configuration notes 2:
If the router's WAN link is ADSL, the configuration should be as follows.
The WAN port becomes:
interface Dialer0   //create the dialer port
ip address negotiated   //IP address obtained by negotiation
ip mtu 1492
no ip directed-broadcast
ppp pap sent-username 1111111 22222   //PPPoE/ADSL username and password
ip nat outside
ip nat mss           //automatically adjusts the size of PPPoE packets
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
pppoe-client Dialer 0   //bind the virtual dialer configuration to the physical port
Correspondingly, the NAT command becomes:
ip nat inside source list NAT interface Dialer0
and the default route becomes:
ip route default Dialer0
Static port mapping and special NAT:
Router_config#show run
Building configuration...
Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface Dialer0
ip address negotiated
ip mtu 1492
no ip directed-broadcast
ppp pap sent-username 1111111 22222
ip nat outside
ip nat mss
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
pppoe-client Dialer 0
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip access-group firewall in
ip nat inside
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route default Dialer0
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
ip access-list standard NAT
permit 192.168.1.0 255.255.255.0
!
ip access-list extended firewall
deny   tcp any any eq 135
deny   tcp any any eq 139
deny   tcp any any eq 445
deny   tcp any any eq 3333
deny   tcp any any eq 593
deny   udp any any eq 135
deny   udp any any eq tftp
deny   udp any any eq 4444
deny   udp any any eq 137
deny   udp any any eq 138
permit ip any any
!
ivr-cfg
!
ip nat service privateservice     //enables the special NAT feature
ip nat translation max-links all 300
ip nat outside destination static interface Dialer0 192.168.1.100
            //enable the special NAT service for one LAN PC/IP address
ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.100 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.100 21 interface Dialer0 21
            //map ports 80/20/21 of the LAN PC to the public address
ip nat inside source list NAT interface Dialer0
!
Notes:
1. If a host on the public Internet needs to connect (via the public IP, i.e. the router's WAN address) to a private LAN address, you only need to add a static port mapping on top of normal NAT. For example, to publish an HTTP server:
   ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
2. If a LAN PC needs to reach the internal server through the public IP address, the router's special NAT function must be enabled: turn on ip nat service privateservice and then ip nat outside destination static, as shown in the configuration example above.
3. Special NAT has good application prospects in many Internet cafes.
4. Special NAT requires a special firmware version, or an upgrade to 131Q full.
If the cafe has two external lines (an extra Ethernet module must be fitted), policy routing can be used. Below is an example with two fixed-IP links:
Current configuration:
!
!version 1.3.1Q
service timestamps log date
service timestamps debug date
no service password-encryption
!
username bdcom password 0 bdcom
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.252
no ip directed-broadcast
ip nat outside
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet0/1
ip address 2.2.2.1 255.255.255.252
no ip directed-broadcast
ip nat outside
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet1/1 //the additional Ethernet port, used as the LAN port
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip access-group firewall in
ip policy route-map celue   //enable policy routing on the router's LAN port
ip nat inside
!
interface Async0/0
no ip address
no ip directed-broadcast
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
ip access-list standard NAT1     //the two NAT access lists are identical, but two are required
permit 192.168.1.0 255.255.255.0
!
ip access-list standard NAT2     //the two NAT access lists are identical, but two are required
permit 192.168.1.0 255.255.255.0
!
ip access-list standard CL1     //split the LAN into two groups: group 1
permit 192.168.1.0 255.255.255.128
!
ip access-list standard CL2     //split the LAN into two groups: group 2
permit 192.168.1.128 255.255.255.128
!
ip access-list extended firewall
deny   tcp any any eq 135
deny   tcp any any eq 139
deny   tcp any any eq 445
deny   tcp any any eq 3333
deny   tcp any any eq 593
deny   udp any any eq 135
deny   udp any any eq tftp
deny   udp any any eq 4444
deny   udp any any eq 137
deny   udp any any eq 138
permit ip any any
!
route-map celue 1 permit   //define the first policy clause
match ip address CL1       //match the first LAN group
set ip next-hop 1.1.1.2 2.2.2.2   //next-hop gateways; the second is the backup for the first
!
route-map celue 2 permit //define the second policy clause
match ip address CL2     //match the second LAN group
set ip next-hop 2.2.2.2 1.1.1.2   //next-hop gateways; the second is the backup for the first
!
ivr-cfg
!
ip nat translation max-links all 300
ip nat inside source list NAT1 interface FastEthernet0/0
ip nat inside source list NAT2 interface FastEthernet0/1
Note: once this is configured, the lower and upper halves of the LAN prefer the first and second external line respectively, and when one line fails the other is brought into use automatically as a backup.
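As an added model that is not part of the original post, the following Python reproduces the forwarding decision of the route-map above: the standard ACLs CL1/CL2 are written as CIDR networks, and each clause keeps its next hops in the order given by set ip next-hop, so the second address is used only when the first is unreachable. It assumes the router treats a next hop as usable only while it is reachable and leaves a packet to the normal routing table when no clause applies; that table is not modelled here.

```python
import ipaddress

# Policy routing from the two-fixed-IP example above, embedded as constructed data:
# each route-map clause carries the network its standard ACL (CL1/CL2) matches,
# written as CIDR, and the next hops from "set ip next-hop", primary first.
ROUTE_MAP = [
    ("CL1", ipaddress.ip_network("192.168.1.0/25"),   ["1.1.1.2", "2.2.2.2"]),
    ("CL2", ipaddress.ip_network("192.168.1.128/25"), ["2.2.2.2", "1.1.1.2"]),
]

def select_next_hop(src_ip, reachable):
    """Return the gateway a LAN packet is forwarded to.

    reachable is the set of next-hop addresses currently reachable. The first
    clause whose ACL matches the source wins; within it the first reachable
    next hop is used (the second one acts as the backup). If no clause matches,
    or the matching clause has no reachable hop, None is returned to signal
    that the packet is left to the normal routing table (not modelled here).
    """
    src = ipaddress.ip_address(src_ip)
    for _name, network, hops in ROUTE_MAP:
        if src in network:
            return next((hop for hop in hops if hop in reachable), None)
    return None

def link_load(sources, reachable):
    """Count how many source addresses each gateway carries; shows the split
    between the two lines and how the load moves when one line is down."""
    load = {}
    for src in sources:
        hop = select_next_hop(src, reachable)
        load[hop] = load.get(hop, 0) + 1
    return load
```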
Here is an additional example with two ADSL lines (non-fixed IP):
No comments this time:
Current configuration:
!
!version 1.3.1S
service timestamps log date
service timestamps debug date
no service password-encryption
!
username AD0000690628 password 0 123456
username AD0751115075 password 0 654321
!
interface Dialer0
ip address negotiated
ip mtu 1492
no ip directed-broadcast
ppp chap hostname AD0000690628
ppp chap password 123456
ip nat outside
ip nat mss
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-ser
!
interface Dialer1
ip address negotiated
ip mtu 1492
no ip directed-broadcast
ppp chap hostname AD0751115075
ppp chap password 654321
ip nat outside
ip nat mss
ip nat local-service icmp enable
ip nat local-service udp enable
ip nat local-service tcp enable
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
pppoe-client Dialer 0
!
interface FastEthernet0/1
no ip address
no ip directed-broadcast
pppoe-client Dialer 1
!
interface Ethernet1/0
ip address 192.168.0.251 255.255.255.0
no ip directed-broadcast
duplex full
ip policy route-map celue
ip nat inside
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Serial0/3
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route default Dialer1
ip route default Dialer0
!
gateway-cfg
Gateway keepAlive 60
shutdown
!
ip access-list standard cl1
permit 192.168.0.0 255.255.255.128
!
ip access-list standard cl2
permit 192.168.0.128 255.255.255.128
!
ip access-list standard nat0
permit 192.168.0.0 255.255.255.0
!
ip access-list standard nat1
permit 192.168.0.0 255.255.255.0
!
route-map celue 1 permit
match ip address cl1
set default interface Dialer0 Dialer1
!
route-map celue 2 permit
match ip address cl2
set default interface Dialer1 Dialer0
!
ivr-cfg
!
ip nat translation max-links all 300
ip nat inside source list nat0 interface Dialer0
ip nat inside source list nat1 interface Dialer1
!
Note: because of inherent differences between fixed-IP access and ADSL access, a mixed policy with one fixed-IP link and one ADSL link cannot be implemented effectively for now.