Our company now works out of two locations. Headquarters has its own static public IP address; the branch office has no public IP and gets online over a PPPoE dial-up.
The headquarters device is a SecPath F100-C60-WiNet and the branch device is an ER3200. I have tried to set up IPsec between them many times and failed every time. Looking for guidance from an expert.
Best answer
Post the key parts of the configuration so we can see whether phase 1 and phase 2 come up.
#
 version 7.1.064, Release 9524P35
#
 sysname mazida
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dhcp enable
#
 dns server 219.141.140.10
#
 password-recovery enable
#
vlan 1
#
object-group ip address 1
 0 network host address 192.168.1.249
#
object-group service jia
 40 service tcp source eq 50001 destination eq 50001
 50 service tcp source eq 65500 destination eq 65500
 60 service tcp source eq 20081 destination eq 20081
 70 service tcp source eq 51001 destination eq 51001
#
dhcp server ip-pool mazida
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
 dns-list 219.141.140.10 219.141.136.10
 expired day 0 hour 12
#
controller Cellular1/0/0
#
interface NULL0
#
interface Vlan-interface1
 bandwidth 10000000
 ip address 192.168.1.1 255.255.255.0
 packet-filter 2001 inbound
 nat hairpin enable
 dhcp server apply ip-pool mazida
#
interface GigabitEthernet1/0/0
 port link-mode route
 bandwidth 1000000
 flow-control
 ip address 36.112.99.198 255.255.255.252
 tcp mss 1300
 packet-filter 3100 inbound
 nat outbound
 nat server protocol tcp global current-interface 20081 inside 192.168.1.249 20081 acl 3100 reversible rule ServerRule_1
 nat server protocol tcp global current-interface 50001 inside 192.168.1.249 50001 acl 3100 reversible rule ServerRule_2
 nat server protocol tcp global current-interface 51001 inside 192.168.1.249 51001 acl 3100 reversible rule ServerRule_3
 nat server protocol tcp global current-interface 65500 inside 192.168.1.249 65500 acl 3100 reversible rule ServerRule_4
 nat hairpin enable
 undo dhcp select server
 ipsec apply policy mazida
#
interface GigabitEthernet1/0/1
 port link-mode route
 undo dhcp select server
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.50.1 255.255.255.0
 undo dhcp select server
#
interface GigabitEthernet1/0/3
 port link-mode route
 undo dhcp select server
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 flow-control
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 flow-control
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 flow-control
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 flow-control
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
 import interface GigabitEthernet1/0/2
#
security-zone name neiwang
 import interface Vlan-interface1
 import interface GigabitEthernet1/0/4 vlan 1
 import interface GigabitEthernet1/0/5 vlan 1
 import interface GigabitEthernet1/0/6 vlan 1
 import interface GigabitEthernet1/0/7 vlan 1
 attack-defense apply policy anquan
#
security-zone name waiwang
 import interface GigabitEthernet1/0/0
 attack-defense apply policy anquan
#
zone-pair security source Any destination neiwang
#
zone-pair security source Local destination neiwang
 packet-filter 2001
#
zone-pair security source neiwang destination Any
 packet-filter 2001
#
zone-pair security source neiwang destination Local
 packet-filter 2001
#
zone-pair security source neiwang destination neiwang
 packet-filter 2001
#
scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class usb
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 36.112.99.197
#
 customlog format dpi ips
 customlog format dpi anti-virus
#
 ssh server enable
#
 arp static 192.168.1.8 1098-c3e3-24d6 1 GigabitEthernet1/0/5
 arp static 192.168.1.13 8091-33c9-b18f 1 GigabitEthernet1/0/5
#
acl basic 2001
 rule 0 permit
#
acl basic 2100
 rule 0 permit
#
acl advanced 3000
 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 5 permit tcp source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl advanced 3100
 rule 0 permit tcp destination-port eq 65500
 rule 5 permit tcp destination-port eq 50001
 rule 10 permit tcp destination-port eq 20081
 rule 15 permit tcp destination-port eq 51001
#
radius session-control enable
#
domain system
#
domain mazida
 authentication lan-access none
 authorization lan-access none
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
user-group mazida
#
local-user admin class manage
 password hash $h$6$zpb5lalSDsE1MBc+$7w0pnigFHJ6Yybr7hGk5fKiIPckiIxOcf+FoTtnUKQJPKhgM8bMHhzIb+zBxIbybuNNJ12/QdvWPPyEzTTMrCw==
 service-type telnet http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user ֣ class network
 group mazida
 bind-attribute mac 9cfc-e87b-9dd7
 authorization-attribute user-role network-operator
#
 session statistics enable
 session top-statistics enable
#
 ipsec logging packet enable
#
ipsec transform-set mazida_IPv4_10
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 pfs dh-group1
#
ipsec policy-template mazida 10
 transform-set mazida_IPv4_10
 local-address 36.112.99.198
 ike-profile mazida_IPv4_10
#
ipsec policy mazida 10 isakmp template mazida
#
 application global statistics enable
#
 ike dpd interval 10 on-demand
#
ike profile mazida_IPv4_10
 keychain mazida_IPv4_10
 exchange-mode aggressive
 local-identity address 192.168.1.1
 match remote identity address 0.0.0.0 0.0.0.0
 match local address GigabitEthernet1/0/0
 proposal 1
#
ike proposal 1
 authentication-algorithm md5
#
ike keychain mazida_IPv4_10
 match local address GigabitEthernet1/0/0
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$rMJ8Jc+kzq2ZxXpR61tFeJsfSoRWz/cXyWUF0g==
#
 ip http enable
 ip https enable
#
 blacklist logging enable
#
attack-defense policy anquan
 scan detect level medium action drop logging
 syn-flood detect non-specific
 syn-flood action logging
 ack-flood detect non-specific
 ack-flood action logging
 syn-ack-flood detect non-specific
 syn-ack-flood action logging
 rst-flood detect non-specific
 rst-flood action logging
 fin-flood detect non-specific
 fin-flood action logging
 udp-flood detect non-specific
 udp-flood action logging
 icmp-flood detect non-specific
 icmp-flood action logging
 icmpv6-flood detect non-specific
 icmpv6-flood action logging
 dns-flood detect non-specific
 dns-flood action logging
 http-flood detect non-specific
 http-flood action logging
 sip-flood detect non-specific
 sip-flood action logging
 signature detect fragment action drop logging
 signature detect impossible action drop logging
 signature detect teardrop action drop logging
 signature detect tiny-fragment action drop logging
 signature detect ip-option-abnormal action drop logging
 signature detect smurf action drop logging
 signature detect traceroute action drop logging
 signature detect ping-of-death action drop logging
 signature detect large-icmp action drop logging
 signature detect large-icmpv6 action drop logging
 signature detect tcp-invalid-flags action drop logging
 signature detect tcp-null-flag action drop logging
 signature detect tcp-all-flags action drop logging
 signature detect tcp-syn-fin action drop logging
 signature detect tcp-fin-only action drop logging
 signature detect land action drop logging
 signature detect winnuke action drop logging
 signature detect udp-bomb action drop logging
 signature detect snork action drop logging
 signature detect fraggle action drop logging
#
netshare-control policy name 1
 per-ip-shared max-terminals 1
 source-zone neiwang
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
 log email
#
inspect logging parameter-profile ips_logging_default_parameter
 log email
#
inspect logging parameter-profile url_logging_default_parameter
 undo log syslog
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
loadbalance snat-pool mazida
 ip range start 192.168.1.1 end 192.168.1.254
#
traffic-policy
 rule 1 name xianzhi
  action qos profile xianzhi
  source-zone neiwang
 profile name xianzhi
  traffic-priority 7
  bandwidth upstream guaranteed per-ip 5000
  bandwidth upstream maximum per-ip 10000
  bandwidth downstream guaranteed per-ip 5000
  bandwidth downstream maximum per-ip 10000
#
 ip-mac binding enable
 ip-mac binding ipv4 192.168.1.8 mac-address 1098-c3e3-24d6 vlan 1
 ip-mac binding ipv4 192.168.1.8 mac-address 1098-c3e3-24d6
#
uapp-control policy name quanbu audit
 source-zone neiwang
 rule 1 any behavior any bhcontent any keyword include any action permit
#
security-policy ip
 rule 0 name neiwanghutong-0
  action pass
  disable
 rule 1 name neiwang-Any-1
  action pass
  counting enable
  source-zone neiwang
 rule 2 name Any-neiwang-2
  action pass
  logging enable
  counting enable
  destination-zone neiwang
  destination-ip 1
#
ips policy 1
 object-dir server client
 severity-level high
 protect-target ApplicationSoftware MailClient
 protect-target Database ACCESS
 protect-target Database MS-SQL
 protect-target Database MySQL
 protect-target Database Oracle
 protect-target Database Other
 protect-target FTPServer Any
 protect-target MailServer LotusNotes
 protect-target NetworkProtocol FTP
 protect-target NetworkProtocol HTTP
 protect-target NetworkProtocol TELNET
 protect-target Other Other
 protect-target WebApplication Any
 protect-target WebApplication Blog
 protect-target WebApplication CMS
 protect-target WebApplication Other
 protect-target WebApplication PHP
 protect-target WebServer Any
 protect-target WebServer Other
 protect-target WebServer WebLogic
 attack-category Other Other
 attack-category Vulnerability SQLInjection
 attack-category Vulnerability XSS
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
The interesting traffic is the private address ranges on both sides; NAT rewrites traffic at the egress, so deny the interesting traffic first, then let the rest through.
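The two replies above together describe the standard fix for a static-IP headquarters with a dial-up branch: bind an interesting-traffic ACL to the policy template, keep that traffic out of the outbound NAT by denying it before the permit-all rule, and then confirm that IKE (phase 1) and IPsec (phase 2) SAs exist. The headquarters-side fragment below is an added example written for this page; it is not taken from the thread, from the poster's running configuration, or from H3C documentation, and it should be read against the posted configuration rather than pasted over it. It assumes Comware V7 syntax as used by the posted F100, a branch LAN of 192.168.0.0/24 (taken from the posted ACL 3000), a placeholder pre-shared key `REPLACE-WITH-LONG-RANDOM-SECRET`, and that the ER3200 can be configured with AES-128, SHA-1 and DH group 14; if the branch router only offers weaker algorithms, the proposal and transform set must be lowered to what both ends share. Three things differ from the posted configuration on purpose: `nat outbound` is given an ACL (the posted line has none, so everything leaving GigabitEthernet1/0/0 is translated, including packets meant for the tunnel), ACL 3000 matches `ip` instead of only `tcp` and is actually bound with `security acl`, and the DES/MD5/group1 algorithms are replaced.

```text
#
acl advanced 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
acl advanced 3001
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 5 permit ip source 192.168.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group14
#
ike keychain mazida_IPv4_10
 match local address GigabitEthernet1/0/0
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple REPLACE-WITH-LONG-RANDOM-SECRET
#
ike profile mazida_IPv4_10
 keychain mazida_IPv4_10
 exchange-mode aggressive
 local-identity address 36.112.99.198
 match remote identity address 0.0.0.0 0.0.0.0
 match local address GigabitEthernet1/0/0
 proposal 1
#
ipsec transform-set mazida_IPv4_10
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 pfs dh-group14
#
ipsec policy-template mazida 10
 transform-set mazida_IPv4_10
 security acl 3000
 local-address 36.112.99.198
 ike-profile mazida_IPv4_10
#
ipsec policy mazida 10 isakmp template mazida
#
interface GigabitEthernet1/0/0
 nat outbound 3001
 ipsec apply policy mazida
#
```

ACL 3001 is evaluated top down, so the `deny` for 192.168.1.0/24 to 192.168.0.0/24 exempts that traffic from translation and lets it reach the IPsec policy with its private source address intact; the `permit` that follows keeps ordinary Internet traffic NATed. The ER3200 must mirror this: local subnet 192.168.0.0/24, remote subnet 192.168.1.0/24, peer 36.112.99.198, aggressive mode, the same pre-shared key and the same algorithms. Because the branch address changes with every PPPoE session, the headquarters side uses a policy template and can only respond, so the branch must be the one to initiate, which usually means generating traffic from the branch LAN towards 192.168.1.0/24. To answer the best answer's question, run `display ike sa` on the F100 (an entry in state RD means phase 1 is up) and `display ipsec sa` (an entry with inbound and outbound ESP SPIs means phase 2 is up); if phase 1 never appears, the key, identities or proposals do not match, and if phase 1 is up but phase 2 is missing, the traffic selectors or transform set disagree. Two caveats remain even when it works: aggressive mode exposes the hashed pre-shared key to anyone on the path, so the key must be long and random, and `match remote identity address 0.0.0.0 0.0.0.0` accepts any peer that knows it, so the key should be unique to this tunnel.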