Ping over WAN to LAN (and from the server to the hosts)

Network Engineering  Routing  LAN
2022-02-09 15:31:52

I have a network like the one shown in the picture below. The main goal is to get connectivity between the antivirus server (10.100.10.9) and the hosts behind their LAN gateway (network 10.200.1.32/28).


So the simplest ping-shooting shows the following (step by step):

Ping from the server:
1. Ping from the server (10.100.10.9) to the Cisco-1921 WAN interface (10.200.1.50): succeeds;
2. Ping from the server (10.100.10.9) to the Cisco-1921 LAN interface (10.200.1.33): succeeds;
3. Ping from the server (10.100.10.9) to the LAN hosts (10.200.1.34 etc.): no ping!

It would be logical to think that the hosts' Windows Firewall blocks ICMP requests by default, but the following check breaks that assumption:

Ping on the Cisco-1921:
1. Ping from the Cisco-1921 WAN interface (10.200.1.50) to the Cisco-1921 LAN interface (10.200.1.33): succeeds;
2. Ping from the Cisco-1921 LAN interface (10.200.1.33) to the LAN hosts (10.200.1.34 etc.): succeeds;
3. Ping from the Cisco-1921 WAN interface (10.200.1.50) to the LAN hosts (10.200.1.34 etc.): no ping!

So I thought that being able to ping the hosts' gateway (10.200.1.33) from anywhere means the hosts should be pingable too, shouldn't they? But no.

In addition, there are no ACLs on the Cisco-1921 that could affect the reachability of the LAN hosts.

The Cisco-1921 routing table is:

*Gateway of last resort is 10.200.1.49 to network 0.0.0.0*

The Cisco-1921 configuration is:

r01.rts.nkl#
r01.rts.nkl#
r01.rts.nkl#sh run
Building configuration...

Current configuration : 5791 bytes
!
! Last configuration change at 17:19:16 VLAD Wed Mar 11 2020 by beritsky
! NVRAM config last updated at 10:00:36 VLAD Thu Mar 12 2020 by beritsky
! NVRAM config last updated at 10:00:36 VLAD Thu Mar 12 2020 by beritsky
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r01.rts.nkl
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 NBPjn9wnrPeJVbPzwqsrzEd4jkrMA5w3hySKFR.Y6Bc
enable password 7 013B5D025F1837
!
aaa new-model
!
!
aaa group server tacacs+ tac-int
 server 10.100.0.3
!
aaa authentication login admin group tac-int local
aaa authorization console
aaa authorization exec admin group tac-int local 
aaa authorization commands 15 admin group tac-int local 
aaa accounting update newinfo
aaa accounting commands 15 admin start-stop group tac-int
!
!
!
!
!
aaa session-id common
clock timezone VLAD 11 0
!
!
!
!
ip dhcp excluded-address 172.16.0.2 172.16.0.5
ip dhcp excluded-address 10.200.1.34 10.200.1.36
ip dhcp ping packets 1
!
ip dhcp pool LAN
 network 10.200.1.32 255.255.255.240
 default-router 10.200.1.33 
 dns-server 10.100.0.5 188.72.74.3 
 lease 0 12
 update arp
   remember
!
ip dhcp pool Tukachev
 host 10.200.1.35 255.255.255.240
 client-identifier 018c.89a5.e719.ed
 default-router 10.200.1.33 
 dns-server 10.100.0.5 188.72.74.3 
 lease infinite
   remember
!
ip dhcp pool Aleksashkin
 host 10.200.1.34 255.255.255.240
 client-identifier 0100.1cc0.19c3.5a
 default-router 10.200.1.33 
 dns-server 10.100.0.5 188.72.74.3 
 lease infinite
   remember
!
!
!
ip domain name dvrc.ru
ip name-server 188.72.74.3
ip name-server 188.72.75.23
ip name-server 10.100.0.5
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1806C2WU
!
!
username ROOT privilege 15 secret 4 Ue3RcTGnMSk6gfOFywXbnttEkXRNK3N5kgdBpUOVN3.
!
redundancy
!
!
ip ssh version 2
!
class-map match-any voip
 match access-group 102
!
policy-map voip-tos
 class voip
  set ip precedence 5
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description #_iDirect_to_r01.rts.nkl_#
 ip address 10.200.1.50 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.19
 description to dataminer-GD
 encapsulation dot1Q 19
 ip address 10.100.95.34 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
 description #mgt#
 encapsulation dot1Q 20
 ip address 10.21.14.1 255.255.255.240
!
interface GigabitEthernet0/1.32
 description CTV-net
 encapsulation dot1Q 32
 ip address 10.27.99.30 255.255.255.240
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.210
 description _LAN_&_voip-phones_
 encapsulation dot1Q 210
 ip address 172.16.0.1 255.255.255.240 secondary
 ip address 10.200.1.33 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 rate-limit input access-group 2001 512000 96000 192000 conform-action transmit exceed-action drop
 service-policy input voip-tos
!
interface GigabitEthernet0/1.250
 description _for_VoIP_Nateks_
 encapsulation dot1Q 250
 ip address 10.1.2.121 255.255.255.248
 service-policy input voip-tos
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 2002 interface GigabitEthernet0/1.19 overload
ip route 0.0.0.0 0.0.0.0 10.200.1.49
ip route 10.100.2.14 255.255.255.255 10.100.95.33
!
logging host 10.100.0.22
!
route-map CTV permit 10
 match ip address 2002
 set ip next-hop 10.27.99.17
!
!
snmp-server community zaebix$ RO 66
snmp-server community getConf777 RW 77
snmp-server location CUS
snmp-server contact CUS
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.100.0.2 version 2c zaebix$ 
tacacs-server host 10.100.0.3 key 7 073B3343425F4E55181E24
tacacs-server timeout 10
tacacs-server directed-request
access-list 60 permit 10.100.0.0 0.0.0.255
access-list 60 permit 10.21.189.0 0.0.0.255
access-list 66 permit 10.21.189.62
access-list 66 permit 10.100.0.0 0.0.0.255
access-list 101 remark iDirect
access-list 101 permit ip 10.200.1.32 0.0.0.15 any
access-list 101 remark iDirect
access-list 102 permit ip 10.1.2.120 0.0.0.7 host 192.168.13.30
access-list 102 permit ip 10.1.2.120 0.0.0.7 host 192.168.13.38
access-list 102 permit ip 10.200.1.32 0.0.0.15 host 192.168.13.30
access-list 102 permit ip 10.200.1.32 0.0.0.15 host 192.168.13.38
access-list 2001 remark trueconf
access-list 2001 deny   ip 10.200.1.32 0.0.0.15 host 10.100.0.21
access-list 2001 permit ip any any
access-list 2001 remark truecon
access-list 2002 remark ip nat CTV0out
access-list 2002 permit ip any 10.27.0.0 0.0.255.255
access-list 2002 permit ip any 10.100.0.0 0.0.255.255
access-list 2002 remark ip nat CTV0out
!
!
!         
control-plane
!
!
banner login ^C

        You have entered $(hostname) at $(domain) network.
    Disconnect immediately if you are not an authorized user!

^C
!
line con 0
 exec-timeout 30 0
 password 7 045A0F0B062F
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
line aux 0
 exec-timeout 30 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 password 7 11081D081E1C
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input all
!
scheduler allocate 20000 1000
ntp server 10.100.0.1
!
end

Even more notably: ping from the LAN hosts (10.200.1.34 etc.) to the server (10.100.10.9) succeeds!

Any ideas what the cause might be? Keep in mind that I need full connectivity between the antivirus server (10.100.10.9) and the hosts (10.200.1.34 etc.).
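An added helper for reading the running-config above (not part of the question and not a Cisco tool): it parses an excerpt of the config into per-interface addresses, NAT role and input rate-limit ACL, then reports which of those features a packet between the WAN interface Gi0/0 and the LAN sub-interface Gi0/1.210 crosses in each direction. It assumes classic `ip nat inside`/`ip nat outside` semantics (translation only on inside-to-outside crossings) and deliberately ignores the NVI `ip nat enable` lines, which is a simplification.

```python
# Constructed excerpt of the r01.rts.nkl running-config quoted in the question.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.200.1.50 255.255.255.240
!
interface GigabitEthernet0/1.19
 ip address 10.100.95.34 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1.210
 ip address 172.16.0.1 255.255.255.240 secondary
 ip address 10.200.1.33 255.255.255.240
 ip nat inside
 rate-limit input access-group 2001 512000 96000 192000 conform-action transmit exceed-action drop
!
ip nat inside source list 2002 interface GigabitEthernet0/1.19 overload
access-list 2001 deny   ip 10.200.1.32 0.0.0.15 host 10.100.0.21
access-list 2001 permit ip any any
"""

def parse(cfg):
    """Collect per-interface addresses, NAT role and input rate-limit ACL, plus numbered ACLs."""
    ifaces, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"ip": [], "nat": None, "rate_limit_acl": None})
        elif line.startswith(" ") and cur is not None:
            s = line.split()
            if s[:2] == ["ip", "address"]:
                cur["ip"].append(s[2])
            elif s[:2] == ["ip", "nat"] and s[2] in ("inside", "outside"):
                cur["nat"] = s[2]
            elif s[:3] == ["rate-limit", "input", "access-group"]:
                cur["rate_limit_acl"] = s[3]
        else:  # a line without leading space ends the interface stanza
            cur = None
            if line.startswith("access-list "):
                acls.setdefault(line.split()[1], []).append(line)
    return ifaces, acls

def hop_report(ifaces, acls, ingress, egress):
    """Assumption: classic NAT translates only inside<->outside crossings (NVI 'ip nat enable' ignored)."""
    roles = {ifaces[ingress]["nat"], ifaces[egress]["nat"]}
    acl = ifaces[ingress]["rate_limit_acl"]
    return {"ingress": ingress, "egress": egress, "nat_translated": roles == {"inside", "outside"},
            "rate_limit_acl": acl, "rate_limit_rules": acls.get(acl, [])}

IFACES, ACLS = parse(CONFIG)
SERVER_TO_LAN = hop_report(IFACES, ACLS, "GigabitEthernet0/0", "GigabitEthernet0/1.210")
LAN_TO_SERVER = hop_report(IFACES, ACLS, "GigabitEthernet0/1.210", "GigabitEthernet0/0")
```

Running it shows that neither direction between Gi0/0 and Gi0/1.210 is a classic inside/outside crossing, and that only the LAN-to-server direction enters through the interface that carries the ACL 2001 rate limiter.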
