扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
在本页阅读全文(共2页)
最近做了一个工程,觉得大家以后有可能会用得着,所以拿出来分享一下
情况描述:
S3528P做为核心交换机,划分VLAN隔离广播
PIX525做为防火墙及NAT转换
在这个网里主要有一个WWW服务器是公网IP
要求:
LAN的用户隔离广播风暴,可以上INTERNET 并且可以用域名访问WWW服务器
当然WWW服务器也可以让公网用户访问到,WWW服务器是用主机头+IP+端口号访问的%)
配置文件如下:
dis cu
#
sysname BM_WUYUAN_AR1831
#
ike local-name cnc
#
undo ip option source-routing
#
dialer-rule 1 ip permit
#
ike peer cnc
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name zx
remote-address 60.0.0.1
nat traversal
#
ipsec proposal cnc
#
ipsec policy cnc 1 isakmp
security acl 3000
ike-peer cnc
proposal cnc
#
dhcp server ip-pool 1
network 10.70.65.0 mask 255.255.255.240
gateway-list 10.70.65.1
dns-list 202.99.224.8 202.99.224.68
#
interface Bri3/0
link-protocol ppp
#
interface Dialer0
link-protocol ppp
ppp pap local-user wy12345kdxwl@service2m.nm password simple xwl9600
mtu 1450
ip address ppp-negotiate
dialer user wy12345kdxwl@service2m.nm
dialer-group 1
dialer bundle 1
nat outbound 3100
ipsec policy cnc
#
interface Ethernet1/0
ip address 10.70.65.1 255.255.255.240
#
interface Atm2/0
pvc 0/32
map bridge Virtual-Ethernet0
#
interface Virtual-Ethernet0
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface LoopBack0
#
acl number 3000
rule 0 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.0 0.0.0.15
rule 1 permit ip source 10.70.65.0 0.0.0.15 destination 10.70.64.0 0.0.0.255
acl number 3100
rule 0 deny ip destination 10.70.64.0 0.0.0.255
rule 1 permit ip source 10.70.65.0 0.0.0.15
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
<BM_WUYUAN_AR1831>
......................
Save the current configuration to the device successfully.
<BM_BANGONWAN_EUDEMON200>
<BM_BANGONWAN_EUDEMON200>dis cu
#
sysname BM_BANGONWAN_EUDEMON200
#
super password level 3 cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
nat alg enable ftp
nat alg enable dns
nat alg enable icmp
nat alg enable netbios
undo nat alg enable h323
undo nat alg enable hwcc
undo nat alg enable ils
undo nat alg enable pptp
undo nat alg enable qq
undo nat alg enable msn
undo nat alg enable user-define
undo nat alg enable sip
#
firewall mode transparent
firewall system-ip 10.70.64.253 255.255.255.0
#
firewall statistic system enable
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface LoopBack0
#
acl number 3000
rule 5 permit ip source 10.70.64.0 0.0.0.255
rule 10 permit ip source 10.70.65.0 0.0.0.255
rule 15 permit ip source 192.168.0.0 0.0.0.255
rule 20 deny ip
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0/0
add interface Ethernet1/0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/0/1
add interface Ethernet1/0/1
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
packet-filter 3000 inbound
packet-filter 3000 outbound
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
packet-filter 3000 inbound
packet-filter 3000 outbound
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
<BM_BANGONWAN_EUDEMON200>
dis cu
#
sysname BM_BANGONWAN_P1
#
ike local-name p1
#
undo ip option source-routing
#
dialer-rule 1 ip permit
#
ike peer p1
exchange-mode aggressive
pre-shared-key cnc
id-type name
remote-name zx
remote-address 61.138.72.234
nat traversal
#
ipsec proposal p1
#
ipsec policy p1 1 isakmp
security acl 3000
ike-peer p1
proposal p1
#
dhcp server ip-pool 1
network 10.70.65.96 mask 255.255.255.240
gateway-list 10.70.65.97
dns-list 202.99.224.8 202.99.224.68
#
interface Bri3/0
link-protocol ppp
#
interface Dialer0
link-protocol ppp
ppp pap local-user lhkdwtkf1123451@service1m.nm password simple 8810181
mtu 1450
ip address ppp-negotiate
dialer user lhkdwtkf1123451@service1m.nm
dialer-group 1
dialer bundle 1
nat outbound 3100
ipsec policy p1
#
interface Ethernet1/0
ip address 10.70.65.97 255.255.255.240
#
interface Atm2/0
pvc 0/32
map bridge Virtual-Ethernet0
#
interface Virtual-Ethernet0
pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 3000
rule 0 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.96 0.0.0.15
rule 1 permit ip source 10.70.65.96 0.0.0.15 destination 10.70.64.0 0.0.0.255
acl number 3100
rule 0 deny ip destination 10.70.64.0 0.0.0.255
rule 1 permit ip source 10.70.65.96 0.0.0.15
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
<BM_BANGONWAN_P1>
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。