
S3528P PIX525 NAT WWW服务 端口号访问配置


最近做了一个工程,觉得大家以后有可能会用得着,所以拿出来分享一下。情况描述:S3528P做为核心交换机,划分VLAN隔离广播;PIX525做为防火墙及NAT转换;在这个网里主要有一个WWW服务器使用公网IP。

作者:HW00003636 来源:huawei forum 2008年6月10日

关键字: NAT 网络地址转换 什么是nat


  dis cu

  #

  sysname BM_BANGONWAN_P2

  #

  ike local-name p2

  #

  ip option source-routing

  #

  dialer-rule 1 ip permit

  #

  ike peer dk

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name zx

  remote-address 60.0.0.1

  nat traversal

  #

  ipsec proposal dk

  #

  ipsec policy dk 1 isakmp

  security acl 3010

  ike-peer dk

  proposal dk

  #

  dhcp server ip-pool 1

  network 10.70.65.112 mask 255.255.255.240

  gateway-list 10.70.65.113

  dns-list 202.99.224.8 202.99.224.68

  #

  interface Bri3/0

  link-protocol ppp

  #

  interface Dialer0

  link-protocol ppp

  ppp pap local-user lhkdtxf123gs@service2m.nm password simple 8270054

  mtu 1450

  ip address ppp-negotiate

  dialer user lhkdtxf123gs@service2m.nm

  dialer-group 1

  dialer bundle 1

  nat outbound 3001

  ipsec policy dk

  #

  interface Ethernet1/0

  ip address 10.70.65.113 255.255.255.240

  #

  interface Atm2/0

  pvc 0/32

  map bridge Virtual-Ethernet0

  #

  interface Virtual-Ethernet0

  pppoe-client dial-bundle-number 1

  #

  interface NULL0

  #

  interface LoopBack0

  ip address 10.70.65.54 255.255.255.255

  #

  acl number 3001

  rule 0 deny ip destination 10.70.64.0 0.0.0.255

  rule 1 permit ip source 10.70.65.112 0.0.0.15

  acl number 3010

  rule 0 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.112 0.0.0.15

  rule 1 permit ip source 10.70.65.112 0.0.0.15 destination 10.70.64.0 0.0.0.255

  #

  ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 60

  #

  user-interface con 0

  user-interface vty 0 4

  user privilege level 3

  set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!

  #

  return

  <BM_BANGONWAN_P2>

  dis cu

  #

  sysname BM_BANGONGWAN_AR4640

  #

  super password level 3 cipher I=G>;ZJOROP3HC6>:*%XYA!!

  #

  l2tp enable

  #

  local-user root password cipher N`C55QK<`=/Q=^Q`MAF4<1!!

  local-user root service-type telnet

  local-user vpn@cnc.com password simple vpn

  local-user vpn@cnc.com service-type ppp

  local-user test password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!

  local-user test service-type ppp

  #

  ip pool 1 192.168.0.2 192.168.0.254

  #

  aaa enable

  #

  ike local-name zx

  #

  nat address-group 0 60.0.0.1 60.0.0.6

  #

  ike peer cnc

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name cnc

  nat traversal

  max-connections 100

  #

  ike peer dk

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name dk

  nat traversal

  max-connections 100

  #

  ike peer hq

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name hq

  nat traversal

  max-connections 100

  #

  ike peer p1

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name p1

  nat traversal

  max-connections 100

  #

  ike peer p2

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name p2

  nat traversal

  max-connections 100

  #

  ike peer p3

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name p3

  nat traversal

  max-connections 100

  #

  ike peer p4

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name p4

  nat traversal

  max-connections 100

  #

  ike peer qq

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name qq

  nat traversal

  max-connections 100

  #

  ike peer sb

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name sb

  nat traversal

  max-connections 100

  #

  ike peer zq

  exchange-mode aggressive

  pre-shared-key cnc

  id-type name

  remote-name zq

  nat traversal

  max-connections 100

  #

  ipsec proposal cnc

  #

  ipsec policy zx 1 isakmp

  security acl 3001

  ike-peer cnc

  proposal cnc

  #

  ipsec policy zx 2 isakmp

  security acl 3001

  ike-peer qq

  proposal cnc

  #

  ipsec policy zx 3 isakmp

  security acl 3001

  ike-peer zq

  proposal cnc

  #

  ipsec policy zx 4 isakmp

  security acl 3001

  ike-peer hq

  proposal cnc

  #

  ipsec policy zx 5 isakmp

  security acl 3001

  ike-peer dk

  proposal cnc

  #

  ipsec policy zx 6 isakmp

  security acl 3001

  ike-peer sb

  proposal cnc

  #

  ipsec policy zx 7 isakmp

  security acl 3001

  ike-peer p1

  proposal cnc

  #

  ipsec policy zx 8 isakmp

  security acl 3001

  ike-peer p2

  proposal cnc

  #

  ipsec policy zx 9 isakmp

  security acl 3001

  ike-peer p3

  proposal cnc

  #

  ipsec policy zx 10 isakmp

  security acl 3001

  ike-peer p4

  proposal cnc

  #

  dhcp server ip-pool 10

  network 10.70.64.0 mask 255.255.255.0

  gateway-list 10.70.64.1

  dns-list 2.99.224.8 202.99.224.68

  #

  interface Virtual-Template1

  ppp authentication-mode pap

  ip address 192.168.0.1 255.255.255.0

  remote address pool 1

  #

  interface Aux0

  async mode flow

  link-protocol ppp

  #

  interface Ethernet0/0/0

  speed 100

  duplex full

  description connect to S8016_E15/0/6

  tcp mss 1024

  ip address 60.0.0.1 255.255.255.248

  firewall packet-filter 3500 inbound

  firewall packet-filter 3500 outbound

  nat outbound 3000 address-group 0

  ipsec policy zx

  #

  interface Ethernet0/0/1

  description connect to EUDEMON200e1/0/1

  ip address 10.70.64.1 255.255.255.0

  firewall packet-filter 3500 inbound

  firewall packet-filter 3500 outbound

  #

  interface Ethernet1/0/0

  #

  interface Ethernet1/0/1

  #

  interface NULL0

  #

  interface Loopback0

  ip address 10.70.64.99 255.255.255.255

  #

  acl number 3000

  rule 0 deny ip destination 10.70.65.0 0.0.0.255

  rule 1 permit ip source 10.70.64.0 0.0.0.255

  acl number 3001

  rule 0 permit ip source 10.70.65.0 0.0.0.255 destination 10.70.64.0 0.0.0.255

  rule 1 permit ip source 10.70.64.0 0.0.0.255 destination 10.70.65.0 0.0.0.255

  acl number 3500

  rule 0 deny udp source-port eq tftp destination-port eq tftp

  rule 1 deny tcp source-port eq 135 destination-port eq 135

  rule 2 deny udp source-port eq 135 destination-port eq 135

  rule 3 deny udp source-port eq netbios-ns destination-port eq netbios-ns

  rule 4 deny udp source-port eq netbios-dgm destination-port eq netbios-dgm

  rule 5 deny udp source-port eq netbios-ssn destination-port eq netbios-ssn

  rule 6 deny tcp source-port eq 139 destination-port eq 139

  rule 7 deny tcp source-port eq 445 destination-port eq 445

  rule 8 deny tcp source-port eq 593 destination-port eq 593

  rule 9 deny tcp source-port eq 4444 destination-port eq 5444

  rule 11 deny tcp destination-port eq 5554

  rule 12 deny tcp destination-port eq 9995

  rule 13 deny tcp destination-port eq 9996

  rule 14 deny tcp destination-port eq 3127

  rule 15 deny tcp destination-port eq 1025

  rule 16 deny tcp destination-port eq 137

  rule 17 deny tcp destination-port eq 138

  rule 18 deny tcp destination-port eq 5800

  rule 19 deny tcp destination-port eq 5900

  rule 20 deny tcp destination-port eq 8998

  #

  l2tp-group 1

  undo tunnel authentication

  allow l2tp virtual-template 1

  #

  dhcp server forbidden-ip 10.70.64.240 10.70.64.254

  #

  ip route-static 0.0.0.0 0.0.0.0 60.0.0.6 preference 60

  #

  user-interface con 0

  user-interface aux 0

  user-interface vty 0 4

  user privilege level 3

  set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!

  #

  return

  <BM_BANGONGWAN_AR4640>
