最近做了一个工程,觉得大家以后有可能会用得着,所以拿出来分享一下
情况描述:
S3528P做为核心交换机,划分VLAN隔离广播
PIX525做为防火墙及NAT转换
在这个网里主要有一个WWW服务器是公网IP
要求:
LAN的用户隔离广播风暴,可以上INTERNET 并且可以用域名访问WWW服务器
当然WWW服务器也可以让公网用户访问到,WWW服务器是用主机头+IP+端口号访问的。
配置文件如下(注意:以下配置中含有 password simple 明文口令和 pre-shared-key 预共享密钥等凭据,复用前请先替换):
dis cu
#
sysname BM_WUYUAN_AR1831
#
ike local-name cnc
#
undo ip option source-routing
#
dialer-rule 1 ip permit
#
ike peer cnc
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name zx
remote-address 60.0.0.1
nat traversal
#
ipsec proposal cnc
#
ipsec policy cnc 1 isakmp
security acl 3000
ike-peer cnc
proposal cnc
#
dhcp server ip-pool 1
network 10.70.65.0 mask 255.255.255.240
gateway-list 10.70.65.1
dns-list 202.99.224.8 202.99.224.68
#
interface Bri3/0
link-protocol ppp
#
interface Dialer0
link-protocol ppp
ppp pap local-user wy12345kdxwl@service2m.nm password simple xwl9600
mtu 1450
ip address ppp-negotiate
dialer user wy12345kdxwl@service2m.nm
dialer-group 1
dialer bundle 1
nat outbound 3100
ipsec policy cnc
#
interface Ethernet1/0
ip address 10.70.65.1 255.255.255.240
#
interface Atm2/0
pvc 0/32
map bridge Virtual-Ethernet0
#
interface Virtual-Ethernet0
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface LoopBack0
#
acl number 3000
rule 0 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.0 0.0.0.15
rule 1 permit ip source 10.70.65.0 0.0.0.15 destination 10.70.64.0 0.0.0.255
acl number 3100
rule 0 deny ip destination 10.70.64.0 0.0.0.255
rule 1 permit ip source 10.70.65.0 0.0.0.15
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
<BM_WUYUAN_AR1831>
......................
Save the current configuration to the device successfully.
<BM_BANGONWAN_EUDEMON200>
<BM_BANGONWAN_EUDEMON200>dis cu
#
sysname BM_BANGONWAN_EUDEMON200
#
super password level 3 cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
nat alg enable ftp
nat alg enable dns
nat alg enable icmp
nat alg enable netbios
undo nat alg enable h323
undo nat alg enable hwcc
undo nat alg enable ils
undo nat alg enable pptp
undo nat alg enable qq
undo nat alg enable msn
undo nat alg enable user-define
undo nat alg enable sip
#
firewall mode transparent
firewall system-ip 10.70.64.253 255.255.255.0
#
firewall statistic system enable
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface LoopBack0
#
acl number 3000
rule 5 permit ip source 10.70.64.0 0.0.0.255
rule 10 permit ip source 10.70.65.0 0.0.0.255
rule 15 permit ip source 192.168.0.0 0.0.0.255
rule 20 deny ip
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0/0
add interface Ethernet1/0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/0/1
add interface Ethernet1/0/1
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
packet-filter 3000 inbound
packet-filter 3000 outbound
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
packet-filter 3000 inbound
packet-filter 3000 outbound
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
<BM_BANGONWAN_EUDEMON200>
dis cu
#
sysname BM_BANGONWAN_P1
#
ike local-name p1
#
undo ip option source-routing
#
dialer-rule 1 ip permit
#
ike peer p1
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name zx
remote-address 61.138.72.234
nat traversal
#
ipsec proposal p1
#
ipsec policy p1 1 isakmp
security acl 3000
ike-peer p1
proposal p1
#
dhcp server ip-pool 1
network 10.70.65.96 mask 255.255.255.240
gateway-list 10.70.65.97
dns-list 202.99.224.8 202.99.224.68
#
interface Bri3/0
link-protocol ppp
#
interface Dialer0
link-protocol ppp
ppp pap local-user lhkdwtkf1123451@service1m.nm password simple 8810181
mtu 1450
ip address ppp-negotiate
dialer user lhkdwtkf1123451@service1m.nm
dialer-group 1
dialer bundle 1
nat outbound 3100
ipsec policy p1
#
interface Ethernet1/0
ip address 10.70.65.97 255.255.255.240
#
interface Atm2/0
pvc 0/32
map bridge Virtual-Ethernet0
#
interface Virtual-Ethernet0
pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 3000
rule 0 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.96 0.0.0.15
rule 1 permit ip source 10.70.65.96 0.0.0.15 destination 10.70.64.0 0.0.0.255
acl number 3100
rule 0 deny ip destination 10.70.64.0 0.0.0.255
rule 1 permit ip source 10.70.65.96 0.0.0.15
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
<BM_BANGONWAN_P1>
dis cu
#
sysname BM_BANGONWAN_P2
#
ike local-name p2
#
ip option source-routing
#
dialer-rule 1 ip permit
#
ike peer dk
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name zx
remote-address 60.0.0.1
nat traversal
#
ipsec proposal dk
#
ipsec policy dk 1 isakmp
security acl 3010
ike-peer dk
proposal dk
#
dhcp server ip-pool 1
network 10.70.65.112 mask 255.255.255.240
gateway-list 10.70.65.113
dns-list 202.99.224.8 202.99.224.68
#
interface Bri3/0
link-protocol ppp
#
interface Dialer0
link-protocol ppp
ppp pap local-user lhkdtxf123gs@service2m.nm password simple 8270054
mtu 1450
ip address ppp-negotiate
dialer user lhkdtxf123gs@service2m.nm
dialer-group 1
dialer bundle 1
nat outbound 3001
ipsec policy dk
#
interface Ethernet1/0
ip address 10.70.65.113 255.255.255.240
#
interface Atm2/0
pvc 0/32
map bridge Virtual-Ethernet0
#
interface Virtual-Ethernet0
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface LoopBack0
ip address 10.70.65.54 255.255.255.255
#
acl number 3001
rule 0 deny ip destination 10.70.64.0 0.0.0.255
rule 1 permit ip source 10.70.65.112 0.0.0.15
acl number 3010
rule 0 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.112 0.0.0.15
rule 1 permit ip source 10.70.65.112 0.0.0.15 destination 10.70.64.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
<BM_BANGONWAN_P2>
dis cu
#
sysname BM_BANGONGWAN_AR4640
#
super password level 3 cipher I=G>;ZJOROP3HC6>:*%XYA!!
#
l2tp enable
#
local-user root password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user root service-type telnet
local-user vpn@cnc.com password simple vpn
local-user vpn@cnc.com service-type ppp
local-user test password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
local-user test service-type ppp
#
ip pool 1 192.168.0.2 192.168.0.254
#
aaa enable
#
ike local-name zx
#
nat address-group 0 60.0.0.1 60.0.0.6
#
ike peer cnc
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name cnc
nat traversal
max-connections 100
#
ike peer dk
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name dk
nat traversal
max-connections 100
#
ike peer hq
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name hq
nat traversal
max-connections 100
#
ike peer p1
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name p1
nat traversal
max-connections 100
#
ike peer p2
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name p2
nat traversal
max-connections 100
#
ike peer p3
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name p3
nat traversal
max-connections 100
#
ike peer p4
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name p4
nat traversal
max-connections 100
#
ike peer qq
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name qq
nat traversal
max-connections 100
#
ike peer sb
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name sb
nat traversal
max-connections 100
#
ike peer zq
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name zq
nat traversal
max-connections 100
#
ipsec proposal cnc
#
ipsec policy zx 1 isakmp
security acl 3001
ike-peer cnc
proposal cnc
#
ipsec policy zx 2 isakmp
security acl 3001
ike-peer qq
proposal cnc
#
ipsec policy zx 3 isakmp
security acl 3001
ike-peer zq
proposal cnc
#
ipsec policy zx 4 isakmp
security acl 3001
ike-peer hq
proposal cnc
#
ipsec policy zx 5 isakmp
security acl 3001
ike-peer dk
proposal cnc
#
ipsec policy zx 6 isakmp
security acl 3001
ike-peer sb
proposal cnc
#
ipsec policy zx 7 isakmp
security acl 3001
ike-peer p1
proposal cnc
#
ipsec policy zx 8 isakmp
security acl 3001
ike-peer p2
proposal cnc
#
ipsec policy zx 9 isakmp
security acl 3001
ike-peer p3
proposal cnc
#
ipsec policy zx 10 isakmp
security acl 3001
ike-peer p4
proposal cnc
#
dhcp server ip-pool 10
network 10.70.64.0 mask 255.255.255.0
gateway-list 10.70.64.1
dns-list 2.99.224.8 202.99.224.68
#
interface Virtual-Template1
ppp authentication-mode pap
ip address 192.168.0.1 255.255.255.0
remote address pool 1
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
speed 100
duplex full
description connect to S8016_E15/0/6
tcp mss 1024
ip address 60.0.0.1 255.255.255.248
firewall packet-filter 3500 inbound
firewall packet-filter 3500 outbound
nat outbound 3000 address-group 0
ipsec policy zx
#
interface Ethernet0/0/1
description connect to EUDEMON200e1/0/1
ip address 10.70.64.1 255.255.255.0
firewall packet-filter 3500 inbound
firewall packet-filter 3500 outbound
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface Loopback0
ip address 10.70.64.99 255.255.255.255
#
acl number 3000
rule 0 deny ip destination 10.70.65.0 0.0.0.255
rule 1 permit ip source 10.70.64.0 0.0.0.255
acl number 3001
rule 0 permit ip source 10.70.65.0 0.0.0.255 destination 10.70.64.0 0.0.0.255
rule 1 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.0 0.0.0.255
acl number 3500
rule 0 deny udp source-port eq tftp destination-port eq tftp
rule 1 deny tcp source-port eq 135 destination-port eq 135
rule 2 deny udp source-port eq 135 destination-port eq 135
rule 3 deny udp source-port eq netbios-ns destination-port eq netbios-ns
rule 4 deny udp source-port eq netbios-dgm destination-port eq netbios-dgm
rule 5 deny udp source-port eq netbios-ssn destination-port eq netbios-ssn
rule 6 deny tcp source-port eq 139 destination-port eq 139
rule 7 deny tcp source-port eq 445 destination-port eq 445
rule 8 deny tcp source-port eq 593 destination-port eq 593
rule 9 deny tcp source-port eq 4444 destination-port eq 5444
rule 11 deny tcp destination-port eq 5554
rule 12 deny tcp destination-port eq 9995
rule 13 deny tcp destination-port eq 9996
rule 14 deny tcp destination-port eq 3127
rule 15 deny tcp destination-port eq 1025
rule 16 deny tcp destination-port eq 137
rule 17 deny tcp destination-port eq 138
rule 18 deny tcp destination-port eq 5800
rule 19 deny tcp destination-port eq 5900
rule 20 deny tcp destination-port eq 8998
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
dhcp server forbidden-ip 10.70.64.240 10.70.64.254
#
ip route-static 0.0.0.0 0.0.0.0 60.0.0.6 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
<BM_BANGONGWAN_AR4640>