移动:112.112.112.112(对应 GigabitEthernet1/0/16)
电信:220.1.1.2(对应 GigabitEthernet1/0/14)
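# NOTE(review): the public addresses 112.112.112.112 (Mobile uplink, GE1/0/16) and 220.1.1.2
# (Telecom uplink, GE1/0/14) look like placeholders; the comments below treat them as the real uplinks.
1.#
2.version 7.1.064, Release 9313P07
3.#
4.sysname fw
5.#
6.context Admin id 1
7.#
8.ip vpn-instance management
9.route-distinguisher 1000000000:1
10.vpn-target 1000000000:1 import-extcommunity
11.vpn-target 1000000000:1 export-extcommunity
12.#
# Telnet is cleartext. SSH is already enabled later in this config (`ssh server enable`) and the
# admin account has service-type ssh, so the Telnet server is turned off here. Also remove `telnet`
# from the local-user service-type; the Untrust-Local drop rule already keeps TCP/23 off the Internet.
13.undo telnet server enable
14.#
15.irf mac-address persistent timer
16.irf auto-update enable
17.undo irf link-delay
18.irf member 1 priority 1
19.#
# Not referenced by any `nat outbound` in this config (the interfaces use port-block-group 2021);
# unused NAT pools should be deleted so they cannot be picked up by accident.
20.nat address-group 2020
21.port-block block-size 10
22.address 192.168.10.1 192.168.10.20
23.#
# Only meaningful while a DHCP scope is served; see the orphaned `dhcp server ip-pool 1` below.
24.dhcp server forbidden-ip 192.168.200.1
25.#
# The DNS proxy is a listener on the device itself. It is shielded from the Internet only by the
# Untrust-Local drop rule - keep that rule in place for as long as this stays enabled.
26.dns proxy enable
27.dns server 211.138.151.161
28.dns server 218.85.157.99
29.dns server 114.114.114.114
30.#
# Default setting: anyone with console access can reset the password without erasing the
# configuration. If the console is not physically controlled, consider `undo password-recovery enable`,
# accepting that recovery then requires wiping the configuration.
31.password-recovery enable
32.#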
33.vlan 1
34.#
# Address objects used by the Untrust-Trust policy. Names A/B/C carry no meaning; give them the
# same kind of description the first three have so rule intent survives staff turnover.
35.object-group ip address 16服务器
36.description 192.168.1.16
37.0 network host address 192.168.1.16
38.#
39.object-group ip address 88服务器
40.description 192.168.1.20
41.0 network host address 192.168.1.20
42.#
# Wireless controller (AC); published on 4430->443 and 22345 via the Mobile uplink.
43.object-group ip address AC-ip
44.0 network host address 192.168.0.3
45.#
46.object-group ip address web服务器
47.description 192.168.1.19
48.0 network host address 192.168.1.19
49.#
# 192.168.2.0/23 - not referenced by any object-policy rule in this config.
50.object-group ip address xingzhenglou
51.0 network subnet 192.168.2.0 255.255.254.0
52.#
53.object-group ip address B
54.10 network host address 192.168.6.199
55.#
56.object-group ip address C
57.0 network host address 192.168.1.11
58.#
59.object-group ip address A
60.description A
61.0 network host address 192.168.1.21
62.#
63.object-group service 16服务器端口
64.0 service tcp destination eq 8090
65.10 service tcp destination eq 8080
66.20 service tcp destination eq 8001
67.30 service tcp destination eq 8099
68.#
69.object-group service 88
70.0 service tcp destination eq 88
71.#
72.object-group service AC
73.0 service tcp destination eq 443
74.#
# Matches the three ports published for 192.168.6.199 (B), but no policy rule references this
# group - Untrust-Trust rule 6 passes every port to B instead.
75.object-group service B端口
76.0 service tcp destination eq 554
77.10 service tcp destination eq 8000
78.20 service tcp destination eq 81
79.#
# Orphaned scope: no interface carries 192.168.200.1 and every interface has `undo dhcp select server`,
# so this pool never hands out leases. Delete it, or bind it to a real interface deliberately.
80.dhcp server ip-pool 1
81.gateway-list 192.168.200.1
82.network 192.168.200.0 mask 255.255.255.0
83.dns-list 211.138.151.161 114.114.114.114
84.expired unlimited
85.#
# Policy routing applied inbound on GE1/0/1 (Trust). Node 1 matches internal<->internal traffic
# (ACL 3010) and has no apply clause; the intent appears to be that such packets leave PBR and
# follow the routing table, keeping 192.168.1.0/24 <-> 192.168.0.0/16 traffic off the uplinks.
86.policy-based-route gm permit node 1
87.if-match acl 3010
88.#
# Node 2 pins 192.168.1.0/24 (ACL 3001) to the Telecom next hop. There is no `track` on this apply
# clause and no NQA probe for 220.1.1.1, so when the Telecom link fails 192.168.1.0/24 is still
# forced to a dead next hop. Add an NQA entry + track for 220.1.1.1 and use
# `apply next-hop 220.1.1.1 track <n>` so the subnet falls back to the routing table.
89.policy-based-route gm permit node 2
90.if-match acl 3001
91.apply next-hop 220.1.1.1
92.#
# ICMP probe to the Mobile gateway every 1000 ms; three consecutive failures trip reaction 1, which
# track 1 (end of config) turns into withdrawal of the tracked default route. Probing only the
# directly attached gateway detects first-hop failure, not loss further upstream.
93.nqa entry admin test
94.type icmp-echo
95. destination ip 112.112.112.1
96. frequency 1000
97. reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
98.#
99.nqa schedule admin test start-time now lifetime forever
100.#
101.interface NULL0
102.#
# Out-of-band management port, placed in the Management zone. No Management->Local zone-pair is
# defined anywhere in this config, so with the default deny for unmatched zone pairs this port
# may not be able to reach the device at all - confirm on the box and add an explicit pair.
103.interface GigabitEthernet1/0/0
104.port link-mode route
105.ip address 192.168.100.1 255.255.255.0
106.undo dhcp select server
107.#
# Inside (Trust) interface towards the core at 192.168.0.1.
# `nat outbound 3010` source-translates internal<->internal traffic on this inside interface;
# presumably it supports hairpin access to the public addresses, but it also hides real client
# IPs from the servers' logs - verify it is still needed.
108.interface GigabitEthernet1/0/1
109.port link-mode route
110.ip address 192.168.0.2 255.255.255.0
111.nat outbound 3010
# NAT server entries on the inside interface are what internal clients hit when they use the
# public addresses (hairpin). This set is out of step with the uplinks: it lacks
# 112.112.112.112:88 and :22345 (GE1/0/16) and 220.1.1.2:8888 (GE1/0/14), so hairpin access to
# those three services will fail while external access works.
112.nat server protocol tcp global 112.112.112.112 80 inside 192.168.1.19 80
113.nat server protocol tcp global 112.112.112.112 81 inside 192.168.6.199 81
114.nat server protocol tcp global 112.112.112.112 443 inside 192.168.1.19 443
115.nat server protocol tcp global 112.112.112.112 554 inside 192.168.6.199 554
116.nat server protocol tcp global 112.112.112.112 4430 inside 192.168.0.3 443
117.nat server protocol tcp global 112.112.112.112 8000 inside 192.168.6.199 8000
118.nat server protocol tcp global 220.1.1.2 80 inside 192.168.1.19 80
119.nat server protocol tcp global 220.1.1.2 88 inside 192.168.1.20 88
120.nat server protocol tcp global 220.1.1.2 443 inside 192.168.1.19 443
121.nat server protocol tcp global 220.1.1.2 554 inside 192.168.1.21 554
122.nat server protocol tcp global 220.1.1.2 3454 inside 192.168.1.21 3454
123.nat server protocol tcp global 220.1.1.2 8001 inside 192.168.1.16 8001
124.nat server protocol tcp global 220.1.1.2 8080 inside 192.168.1.16 8080
125.nat server protocol tcp global 220.1.1.2 8090 inside 192.168.1.16 8090
126.nat server protocol tcp global 220.1.1.2 8099 inside 192.168.1.16 8099
127.nat server protocol udp global 220.1.1.2 554 inside 192.168.1.21 554
128.nat server protocol udp global 220.1.1.2 3454 inside 192.168.1.21 3454
129.nat hairpin enable
130.undo dhcp select server
# Applies the PBR policy defined above to traffic arriving from the core.
131.ip policy-based-route gm
132.#
# DMZ interfaces (GE1/0/2-4). No NAT server mapping points at 172.16.6.0/24, 172.16.7.0/24 or
# 192.168.10.0/24, so nothing here is published to the Internet.
133.interface GigabitEthernet1/0/2
134.port link-mode route
135.ip address 172.16.6.1 255.255.255.0
136.#
137.interface GigabitEthernet1/0/3
138.port link-mode route
139.ip address 172.16.7.1 255.255.255.0
140.undo dhcp select server
141.#
# port-block-group 2021 translates 192.168.10.2-10 to the Mobile address. Applying it on this
# DMZ-facing interface as well as on GE1/0/16 looks unintended - traffic from those hosts is
# translated on the uplink, not on the interface they arrive on; verify and remove if unused.
142.interface GigabitEthernet1/0/4
143.port link-mode route
144.ip address 192.168.10.1 255.255.255.0
145.nat outbound port-block-group 2021
146.nat hairpin enable
147.undo dhcp select server
148.#
# Unused ports (no IP, no zone). Administratively shut them down (`shutdown`) so a stray cable
# cannot bring up an unmanaged interface.
149.interface GigabitEthernet1/0/5
150.port link-mode route
151.undo dhcp select server
152.#
153.interface GigabitEthernet1/0/6
154.port link-mode route
155.undo dhcp select server
156.#
157.interface GigabitEthernet1/0/7
158.port link-mode route
159.undo dhcp select server
160.#
161.interface GigabitEthernet1/0/8
162.port link-mode route
163.undo dhcp select server
164.#
165.interface GigabitEthernet1/0/9
166.port link-mode route
167.undo dhcp select server
168.#
169.interface GigabitEthernet1/0/10
170.port link-mode route
171.undo dhcp select server
172.#
173.interface GigabitEthernet1/0/11
174.port link-mode route
175.undo dhcp select server
176.#
# Takes an address by DHCP but is imported into no security zone (see the security-zone section),
# so whatever it connects to is outside the zone model entirely. Either place it in a zone with an
# explicit policy or shut it down.
177.interface GigabitEthernet1/0/12
178.port link-mode route
179.bandwidth 10000
180.ip address dhcp-alloc
181.undo dhcp select server
182.#
183.interface GigabitEthernet1/0/13
184.port link-mode route
185.undo dhcp select server
186.#
# Telecom uplink (Untrust). `nat outbound 3001` translates only 192.168.1.0/24 here, which matches
# the stated requirement; any other internal source that is routed out this interface leaves
# untranslated (see the routing note on the two default routes).
187.interface GigabitEthernet1/0/14
188.port link-mode route
189.ip address 220.1.1.2 255.255.255.252
190.ip last-hop hold
191.nat outbound 3001
192.nat server protocol tcp global 220.1.1.2 80 inside 192.168.1.19 80
# TCP/88 is published here but dropped by Untrust-Trust rule 2; see the object-policy note.
193.nat server protocol tcp global 220.1.1.2 88 inside 192.168.1.20 88
194.nat server protocol tcp global 220.1.1.2 443 inside 192.168.1.19 443
195.nat server protocol tcp global 220.1.1.2 554 inside 192.168.1.21 554
196.nat server protocol tcp global 220.1.1.2 3454 inside 192.168.1.21 3454
197.nat server protocol tcp global 220.1.1.2 8001 inside 192.168.1.16 8001
198.nat server protocol tcp global 220.1.1.2 8080 inside 192.168.1.16 8080
199.nat server protocol tcp global 220.1.1.2 8090 inside 192.168.1.16 8090
200.nat server protocol tcp global 220.1.1.2 8099 inside 192.168.1.16 8099
201.nat server protocol tcp global 220.1.1.2 8888 inside 192.168.1.11 8888
202.nat server protocol udp global 220.1.1.2 554 inside 192.168.1.21 554
203.nat server protocol udp global 220.1.1.2 3454 inside 192.168.1.21 3454
204.undo dhcp select server
205.#
206.interface GigabitEthernet1/0/15
207.port link-mode route
208.undo dhcp select server
209.#
# Mobile uplink (Untrust). `nat outbound 3000` uses an ACL that permits everything, including
# 192.168.1.0/24 - this contradicts "translate 192.168.1.0/24 only on the Telecom uplink" and
# means the subnet silently uses the Mobile address whenever PBR does not catch it.
210.interface GigabitEthernet1/0/16
211.port link-mode route
212.ip address 112.112.112.112 255.255.255.128
213.ip last-hop hold
214.nat outbound 3000
215.nat server protocol tcp global 112.112.112.112 80 inside 192.168.1.19 80
216.nat server protocol tcp global 112.112.112.112 81 inside 192.168.6.199 81
# TCP/88 is published here but dropped by Untrust-Trust rule 2; see the object-policy note.
217.nat server protocol tcp global 112.112.112.112 88 inside 192.168.1.20 88
218.nat server protocol tcp global 112.112.112.112 443 inside 192.168.1.19 443
219.nat server protocol tcp global 112.112.112.112 554 inside 192.168.6.199 554
# Exposes the wireless controller's HTTPS management (443) to the Internet on port 4430.
# Untrust-Trust rule 0 logs it but allows any source; restrict to known admin sources if possible.
220.nat server protocol tcp global 112.112.112.112 4430 inside 192.168.0.3 443
221.nat server protocol tcp global 112.112.112.112 8000 inside 192.168.6.199 8000
# No Untrust-Trust rule passes TCP/22345 to AC-ip (rule 0 covers only service AC = 443), so this
# mapping is dead unless something outside this config allows it. Decide: add a rule or remove it.
222.nat server protocol tcp global 112.112.112.112 22345 inside 192.168.0.3 22345
223.nat outbound port-block-group 2021
224.nat hairpin enable
225.undo dhcp select server
226.#
# Unused ports (no IP, no zone); shut them down.
227.interface GigabitEthernet1/0/17
228.port link-mode route
229.undo dhcp select server
230.#
231.interface GigabitEthernet1/0/18
232.port link-mode route
233.undo dhcp select server
234.#
235.interface GigabitEthernet1/0/19
236.port link-mode route
237.undo dhcp select server
238.#
239.interface GigabitEthernet1/0/20
240.port link-mode route
241.undo dhcp select server
242.#
243.interface GigabitEthernet1/0/21
244.port link-mode route
245.undo dhcp select server
246.#
247.interface GigabitEthernet1/0/22
248.port link-mode route
249.undo dhcp select server
250.#
251.interface GigabitEthernet1/0/23
252.port link-mode route
253.undo dhcp select server
254.#
# Inter-zone policies. Rules are evaluated against post-NAT (inside) addresses and ports.
# Zone pairs with no policy (Management->Local, DMZ->Trust, DMZ->DMZ, ...) fall to the default deny.
255.object-policy ip DMZ-Untrust
256.rule 0 pass
257.#
258.object-policy ip Local-Any
259.rule 0 pass
260.#
261.object-policy ip Trust-DMZ
262.rule 0 drop
263.#
264.object-policy ip Trust-Local
265.rule 0 pass
266.#
# rule 0 passes everything, so rules 1 and 2 are shadowed and never match; delete them or move
# rule 0 to the end with a narrower scope.
267.object-policy ip Trust-Trust
268.rule 0 pass
269.rule 1 pass destination-ip 16服务器 service 16服务器端口
270.rule 2 pass destination-ip B
271.#
272.object-policy ip Trust-Untrust
273.rule 0 pass
274.#
# Internet -> DMZ "pass any". Nothing in the DMZ is reachable today because no NAT server mapping
# points there, but an allow-all policy gives no defense in depth the day a mapping or a route is
# added. Replace with explicit rules, or a single drop.
275.object-policy ip Untrust-DMZ
276.rule 0 pass
277.#
# Good: Internet traffic to the device itself is dropped and logged. This is the only thing keeping
# SSH, HTTPS (60080) and the DNS proxy off the Internet - do not relax it.
278.object-policy ip Untrust-Local
279.rule 0 drop logging
280.#
# Inbound rules for the NAT-server targets:
# - rule 0 passes only TCP/443 to the AC (192.168.0.3); the 22345 mapping on GE1/0/16 has no rule.
# - rule 2 drops TCP/88 to 192.168.1.20 although both uplinks publish it. If the block is intended,
#   remove the NAT server entries too so the port is not advertised at all.
# - rules 5-7 pass EVERY port to A (192.168.1.21), B (192.168.6.199) and C (192.168.1.11).
#   Restrict them to the published ports, e.g. `rule 6 pass destination-ip B service B端口`
#   (the B端口 group already exists and matches the 81/554/8000 mappings), and add service groups
#   for A (tcp+udp 554, 3454) and C (tcp 8888). With NAT server the exposure is limited to the
#   mapped ports either way, but the policy should not depend on that.
281.object-policy ip Untrust-Trust
282.rule 0 pass destination-ip AC-ip service AC logging
283.rule 1 pass destination-ip web服务器 service http
284.rule 2 drop destination-ip 88服务器 service 88
285.rule 3 pass destination-ip 16服务器 service 16服务器端口
286.rule 4 pass destination-ip web服务器 service https
287.rule 5 pass destination-ip A
288.rule 6 pass destination-ip B
289.rule 7 pass destination-ip C
290.#
# Both uplinks are in Untrust, so this permits traffic that enters on one ISP interface to leave
# via the other, i.e. the firewall can act as transit between the two carriers. Unless the
# link-load-balancing defaults depend on it, make this a drop.
291.object-policy ip Untrust-Untrust
292.rule 0 pass
293.#
294.security-zone name Local
295.#
# Trust = the single inside interface towards the core (192.168.0.0/16 is routed via 192.168.0.1).
296.security-zone name Trust
297.import interface GigabitEthernet1/0/1
298.#
299.security-zone name DMZ
300.import interface GigabitEthernet1/0/2
301.import interface GigabitEthernet1/0/3
302.import interface GigabitEthernet1/0/4
303.#
# Both ISP uplinks share one zone; the attack-defense policy is applied only here.
# GE1/0/12 (ip address dhcp-alloc) is in no zone at all.
304.security-zone name Untrust
305.import interface GigabitEthernet1/0/14
306.import interface GigabitEthernet1/0/16
307.attack-defense apply policy gongji
308.#
# No zone-pair has Management as source or destination, so traffic from GE1/0/0 to the device
# falls to the default (deny). If this port is meant for out-of-band management, add
# `zone-pair security source Management destination Local` with an explicit pass policy.
309.security-zone name Management
310.import interface GigabitEthernet1/0/0
311.#
312.zone-pair security source DMZ destination Untrust
313.object-policy apply ip DMZ-Untrust
314.#
315.zone-pair security source Local destination Any
316.object-policy apply ip Local-Any
317.#
318.zone-pair security source Trust destination DMZ
319.object-policy apply ip Trust-DMZ
320.#
321.zone-pair security source Trust destination Local
322.object-policy apply ip Trust-Local
323.#
324.zone-pair security source Trust destination Trust
325.object-policy apply ip Trust-Trust
326.#
327.zone-pair security source Trust destination Untrust
328.object-policy apply ip Trust-Untrust
329.#
330.zone-pair security source Untrust destination DMZ
331.object-policy apply ip Untrust-DMZ
332.#
333.zone-pair security source Untrust destination Local
334.object-policy apply ip Untrust-Local
335.#
336.zone-pair security source Untrust destination Trust
337.object-policy apply ip Untrust-Trust
338.#
339.zone-pair security source Untrust destination Untrust
340.object-policy apply ip Untrust-Untrust
341.#
342.scheduler logfile size 16
343.#
# Console and VTY use scheme (AAA) authentication, so the roles come from the local-user entry;
# the per-line `user-role` values below only matter for authentication modes none/password.
344.line class aux
345.user-role network-operator
346.#
347.line class console
348.user-role network-admin
349.#
350.line class vty
351.user-role network-operator
352.#
# `line aux 0` is granted network-admin but shows no authentication-mode. Confirm the effective
# mode on the device and set `authentication-mode scheme` if the AUX port is physically reachable.
353.line aux 0
354.user-role network-admin
355.#
356.line con 0
357.authentication-mode scheme
358.user-role network-admin
359.#
# All 64 VTYs authenticate via AAA; with Untrust-Local dropping, they are reachable from Trust only.
360.line vty 0 63
361.authentication-mode scheme
362.user-role network-admin
363.#
# Two default routes with the same (default) preference: Mobile (withdrawn when track 1 fails)
# and Telecom (untracked). If both are active they load-share as equal-cost routes, and traffic
# from internal hosts outside 192.168.1.0/24 that lands on the Telecom link is not translated
# (`nat outbound 3001` matches only 192.168.1.0/24) and leaves with a private source address.
# Either give the Telecom route a higher preference value so it is backup-only, or widen ACL 3001.
364.ip route-static 0.0.0.0 0 112.112.112.1 track 1
365.ip route-static 0.0.0.0 0 220.1.1.1
# Next hop 112.112.112.112 is this device's own GE1/0/16 address - almost certainly a typo for
# 112.112.112.1 or a leftover from earlier attempts. It cannot be a valid gateway; remove it.
366.ip route-static 0.0.0.0 0 112.112.112.112
# All internal subnets sit behind the core at 192.168.0.1 (Trust, GE1/0/1).
367.ip route-static 192.168.0.0 16 192.168.0.1
368.#
# SSH is the intended management protocol; with it enabled the Telnet server can be disabled.
369.ssh server enable
370.#
# Used by `nat outbound 3000` on the Mobile uplink. It permits everything, including 192.168.1.0/24,
# which the deployment note says should be translated only on the Telecom uplink. Add
# `rule 0 deny ip source 192.168.1.0 0.0.0.255` ahead of the permit - but only once the PBR next hop
# is tracked, otherwise a Telecom outage leaves that subnet with no working exit at all.
371.acl advanced 3000
372.rule 0 permit ip
373.#
# Used by `nat outbound 3001` on the Telecom uplink and by PBR node 2: only 192.168.1.0/24.
374.acl advanced 3001
375.rule 5 permit ip source 192.168.1.0 0.0.0.255
376.#
# Internal<->internal traffic that PBR node 1 hands back to the routing table.
377.acl advanced 3010
378.rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
379.rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
380.#
381.domain system
382.#
# Per-protocol concurrent session caps; the telnet limit becomes irrelevant once the Telnet
# server is disabled.
383.aaa session-limit ftp 16
384.aaa session-limit telnet 16
385.aaa session-limit ssh 16
386.domain default enable system
387.#
# level-0..level-14 are predefined roles that the system always displays; nothing custom here.
388.role name level-0
389.description Predefined level-0 role
390.#
391.role name level-1
392.description Predefined level-1 role
393.#
394.role name level-2
395.description Predefined level-2 role
396.#
397.role name level-3
398.description Predefined level-3 role
399.#
400.role name level-4
401.description Predefined level-4 role
402.#
403.role name level-5
404.description Predefined level-5 role
405.#
406.role name level-6
407.description Predefined level-6 role
408.#
409.role name level-7
410.description Predefined level-7 role
411.#
412.role name level-8
413.description Predefined level-8 role
414.#
415.role name level-9
416.description Predefined level-9 role
417.#
418.role name level-10
419.description Predefined level-10 role
420.#
421.role name level-11
422.description Predefined level-11 role
423.#
424.role name level-12
425.description Predefined level-12 role
426.#
427.role name level-13
428.description Predefined level-13 role
429.#
430.role name level-14
431.description Predefined level-14 role
432.#
433.user-group system
434.#
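# NOTE(review): this configuration was posted publicly with the admin password hash intact.
# Treat the credential as compromised: change the admin password (and ideally the account name)
# before the hash is cracked offline, and redact `password hash` lines in future posts.
435.local-user admin class manage
436.password hash $h$6$rmlUykD4KB3Jr/V9$2qN19Vj4gzvV6EFxGXDdlBopnhTCJR+SgC4o6OZ4E1yetUSqd8m1HN8KZl9v0hXw/crwBiXWOwwbgyHY/iPtBg==
# `telnet` removed from the allowed services (cleartext); SSH, terminal and HTTPS (port 60080) remain.
437.service-type ssh terminal https
# network-admin already grants everything the level-3 and network-operator roles do; the extra
# two assignments are redundant and only make the effective permission set harder to read.
438.authorization-attribute user-role level-3
439.authorization-attribute user-role network-admin
440.authorization-attribute user-role network-operator
441.#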
# Maps DMZ hosts 192.168.10.2-10 to the Mobile address (no block-size set here; the block-size 10
# configured on the unused address-group 2020 does not apply to this group).
442.nat port-block-group 2021
443.local-ip-address 192.168.10.2 192.168.10.10
444.global-ip-pool 112.112.112.112 112.112.112.112
445.#
# Web management on a non-standard port. It is reachable from Trust (Trust-Local pass) and blocked
# from Untrust; the odd port is not a control by itself, so keep the Untrust-Local drop and
# restrict admin source addresses where possible.
446.ip https port 60080
447.ip https enable
448.#
# Applied to the Untrust zone only. Most flood detections are logging-only (syn/ack/syn-ack/udp/
# icmp/icmpv6/dns); only rst-flood, fin-flood, http-flood and the signature checks drop.
# Logging-only gives visibility but no mitigation; once baseline rates are known, add drop (or the
# SYN-specific mitigation action) with explicit per-destination thresholds. No thresholds are set
# here, so whatever the platform defaults are is what triggers these logs.
449.attack-defense policy gongji
450.scan detect level low action logging
451.syn-flood action logging
452.ack-flood action logging
453.syn-ack-flood action logging
454.rst-flood action logging drop
455.fin-flood action logging drop
456.udp-flood action logging
457.icmp-flood action logging
458.icmpv6-flood action logging
459.dns-flood action logging
460.http-flood action logging drop
461.signature detect fragment action drop logging
462.signature detect impossible action drop logging
463.signature detect teardrop action drop logging
464.signature detect tiny-fragment action drop logging
465.signature detect ip-option-abnormal action drop logging
466.signature detect smurf action drop logging
467.signature detect traceroute action drop logging
468.signature detect ping-of-death action drop logging
469.signature detect large-icmp action logging
470.signature detect large-icmpv6 action logging
471.signature detect tcp-invalid-flags action drop logging
472.signature detect tcp-null-flag action drop logging
473.signature detect tcp-all-flags action drop logging
# Inconsistent with the other malformed-flag signatures, which drop; SYN+FIN has no legitimate use.
474.signature detect tcp-syn-fin action logging
475.signature detect tcp-fin-only action drop logging
476.signature detect land action drop logging
477.signature detect winnuke action drop logging
478.signature detect udp-bomb action drop logging
479.signature detect snork action drop logging
480.signature detect fraggle action drop logging
481.#
482.inspect block-source parameter-profile ips_block_default_parameter
483.#
# Link load-balancing objects auto-created by the web UI: a catch-all virtual server (0.0.0.0/0)
# whose only action is "forward all". They are inert unless the LLB feature is actually in use.
484.loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
485.forward all
486.#
487.loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
488.default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
489.#
490.virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
491.virtual ip address 0.0.0.0 0
492.lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
493.#
494.loadbalance isp file lbispinfo.tp
495.#
496.traffic-policy
497.#
# IPS and anti-virus "default" policies are declared, but no object-policy rule in this config
# applies an app-profile, so presumably nothing is being inspected - confirm on the device.
498.ips policy default
499.#
500.anti-virus policy default
501.#
# Binds NQA reaction 1 (3 consecutive probe failures to 112.112.112.1) to track 1, which the
# first default route references.
502.track 1 nqa entry admin test reaction 1
503.#
504.return
您好,请知:
关于使用192.168.1.0网络走电信网络,以下是部署要点,请参考:
1、配置策略路由让192.168.1.0网络走电信的出口。
2、在部署NAT时,仅让192.168.1.0网段在与电信的出口进行转换,其他出口不参与转换(即移动出口的 nat outbound ACL 应排除 192.168.1.0/24)。
3、以下是F1000系列的用户手册,请参考:
https://www.h3c.com/cn/Service/Document_Software/Document_Center/IP_Security/FW_VPN/F10X0/