[ak135]dis cu
#
 version 7.1.064, Release 9323P28
#
 sysname ak135
#
 context Admin id 1
#
 telnet server enable
# NOTE(review): Telnet is a cleartext management protocol; SSH is already enabled further down, and both local users below also carry telnet in their service-type.
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 security-zone intra-zone default permit
# NOTE(review): intra-zone traffic is permitted by default; security-policy rule 4 (Trust -> Trust) therefore only matters for attaching profile 4_IPv4.
#
 dhcp enable
 dhcp server forbidden-ip 192.168.20.1 192.168.20.100
#
 dns server 211.228.255.1
 dns server 114.114.114.114
#
 password-recovery enable
# NOTE(review): password recovery is enabled, so credentials can be reset from the console without authentication; physical access to the console should be controlled.
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 200
#
object-group ip address 服务器
 security-zone Trust
 0 network host address 192.168.10.1
 10 network host name 192.168.10.10
 20 network host address 192.168.10.11
 30 network host name 192.168.20.20
 40 network host address 114.67.106.20
 50 network host address 114.67.108.13
 60 network host address 114.67.107.16
 70 network host address 114.67.119.12
# NOTE(review): entries 10 and 30 use "network host name" with an IP literal instead of "network host address"; confirm they resolve as intended, because security-policy rule 2 matches on this group. Entries 40-70 are public 114.67.x addresses — presumably intentional, verify they belong alongside the nat server hosts.
#
object-group ip address 内网
 0 network subnet 172.16.0.0 255.255.0.0
 10 network subnet 192.168.0.0 255.255.0.0
#
object-group service 端口
 0 service tcp destination eq 3389
 10 service tcp destination eq 52626
 20 service tcp destination eq 8092
 30 service tcp destination eq 8180
 40 service udp destination eq 8092
 50 service udp destination eq 8080
 60 service tcp destination eq 8133
 70 service tcp destination eq 7001
 80 service udp destination eq 8180
# NOTE(review): this service group mirrors the nat server mappings on GigabitEthernet1/0/1 one-for-one, but nothing in this configuration references it (see security-policy rule 2).
#
dhcp server ip-pool vlan20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 221.228.255.1
# NOTE(review): the pool hands out 221.228.255.1 while the system "dns server" is 211.228.255.1; one of the two looks transposed — confirm which is the ISP resolver.
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 22290.159.138 255.255.255.252
# NOTE(review): "22290.159.138" is not a valid IPv4 address and would not have been accepted by the CLI; the nat server lines below use 222.90.159.138 and the default route points at 222.90.159.137 in the same /30, so this is almost certainly a paste artifact.
 nat outbound
 nat outbound 2000
# NOTE(review): "nat outbound" with no ACL already translates all outbound traffic; "nat outbound 2000" (acl 2000 is "rule 0 permit") adds no restriction.
 nat server protocol tcp global 222.90.159.138 3389 inside 192.168.10.1 3389
 nat server protocol tcp global 222.90.159.138 7001 inside 192.168.20.20 7001
 nat server protocol tcp global 222.90.159.138 8092 inside 192.168.10.10 8092
 nat server protocol tcp global 222.90.159.138 8133 inside 192.168.10.10 8133
 nat server protocol tcp global 222.90.159.138 8180 inside 192.168.10.11 8180
 nat server protocol tcp global 222.90.159.138 52626 inside 192.168.10.1 52626
 nat server protocol udp global 222.90.159.138 8080 inside 192.168.10.10 8080
 nat server protocol udp global 222.90.159.138 8092 inside 192.168.10.10 8092
 nat server protocol udp global 222.90.159.138 8180 inside 192.168.10.11 8180
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 172.16.0.254 255.255.255.0
 nat hairpin enable
#
interface GigabitEthernet1/0/3
 port link-mode route
#
interface GigabitEthernet1/0/4
 port link-mode route
#
interface GigabitEthernet1/0/5
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface GigabitEthernet1/0/10
 port link-mode route
#
interface GigabitEthernet1/0/11
 port link-mode route
#
interface GigabitEthernet1/0/12
 port link-mode route
#
interface GigabitEthernet1/0/13
 port link-mode route
#
interface GigabitEthernet1/0/14
 port link-mode route
#
interface GigabitEthernet1/0/15
 port link-mode route
#
interface GigabitEthernet1/0/16
 port link-mode route
#
interface GigabitEthernet1/0/17
 port link-mode route
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
security-zone name Management
 import interface GigabitEthernet1/0/0
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 authentication-mode scheme
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 user-role network-admin
 idle-timeout 35000 0
# NOTE(review): an idle timeout of 35000 minutes (about 24 days) effectively disables idle logout on the console and on vty 0-4 below.
#
line vty 0 4
 authentication-mode scheme
 user-role level-15
 user-role network-admin
 user-role network-operator
 idle-timeout 35000 0
# NOTE(review): vty 0-4 grants level-15 and network-admin at line level; with authentication-mode scheme the effective roles normally come from the AAA user, so these line-level grants look redundant and wider than needed — confirm before removing.
#
line vty 5 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 222.90.159.137
 ip route-static 172.16.0.0 16 172.16.0.1
 ip route-static 192.168.0.0 16 172.16.0.1
 ip route-static 192.168.10.0 24 172.16.0.1
 ip route-static 192.168.20.0 24 172.16.0.1
# NOTE(review): 172.16.0.1 is presumably a downstream core switch on the GigabitEthernet1/0/2 segment (172.16.0.254/24); the /24 routes are covered by the 192.168.0.0/16 route and are harmless but redundant.
#
 ssh server enable
#
acl basic 2000
 rule 0 permit
#
acl advanced 3000
 rule 0 permit ip source 192.168.0.0 0.0.255.255
 rule 1 permit ip source 172.16.1.0 0.0.0.255
 rule 5 permit ip
# NOTE(review): acl 3000 is not referenced anywhere in this configuration.
#
 undo password-control length enable
# NOTE(review): minimum password length checking is disabled.
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$Jvfba9zz1a9hqmR2$3fIJnoybRtaDM3IeJqvWTPMU7F35D+GO2k078VXPEItYInth9WDkfEDZPth16d1Ysi5j+36xQkY+Eadc/xw7/w==
 service-type ssh telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role level-15
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user h3c class manage
 password hash $h$6$BWm0rl/2tjYxuh3j$JZSb+Ychtozqj2i5TgDVmvcpO8vADSMWtlbizgfypDTBG5QU38/yBTnEKj+/rqKFPGuaeTY1IDfifxrZyQWiFA==
 service-type ssh telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role level-15
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
# NOTE(review): both accounts hold level-15 plus network-admin and accept telnet and plain http; their password hashes are now public in this post, so treat both credentials as exposed and change them.
#
 session statistics enable
#
 l2tp enable
#
apr signature auto-update
 update schedule weekly sun start-time 03:00:00 tingle 120
#
 ip http enable
 ip https port 11443
 ip https enable
 webui log enable
# NOTE(review): plain HTTP management is enabled alongside HTTPS on 11443.
#
url-filter signature auto-update
 update schedule weekly sun start-time 03:30:00 tingle 120
#
app-profile 0_IPv4
 ips apply policy default mode protect
 anti-virus apply policy default mode protect
#
app-profile 1_IPv4
 ips apply policy default mode protect
 anti-virus apply policy default mode protect
#
app-profile 2_IPv4
 ips apply policy default mode protect
 anti-virus apply policy default mode protect
#
app-profile 3_IPv4
 ips apply policy default mode protect
 anti-virus apply policy default mode protect
#
app-profile 4_IPv4
 ips apply policy default mode protect
 anti-virus apply policy default mode protect
#
security-policy ip
 rule 0 name 内网互通
  action pass
  counting enable
  profile 0_IPv4
  source-zone Local
  source-zone Trust
  destination-zone Trust
  destination-zone Local
# NOTE(review): rule 0 has no service or address restriction, so every Trust host can reach the firewall's own management services (telnet, http, https, ssh) through the Local zone.
 rule 1 name 上网
  action pass
  counting enable
  profile 1_IPv4
  source-zone Trust
  destination-zone Untrust
  source-ip 内网
 rule 2 name 服务器访问
  action pass
  counting enable
  profile 2_IPv4
  source-zone Untrust
  destination-zone Trust
  destination-ip 服务器
# NOTE(review): rule 2 permits any service from Untrust to the 服务器 group; it carries no "service 端口" clause, so the service object-group defined above is unused and every port on those hosts is reachable, not just the nat server ports. Because counting is enabled, the per-rule hit counters show whether inbound traffic reaches this rule at all — check that before concluding the ISP is blocking the port.
 rule 3 name 防火墙升级
  action pass
  counting enable
  profile 3_IPv4
  source-zone Local
  destination-zone Untrust
 rule 4 name 内网互访
  action pass
  counting enable
  profile 4_IPv4
  source-zone Trust
  destination-zone Trust
#
anti-virus signature auto-update
 update schedule weekly sun start-time 02:30:00 tingle 120
#
return
策略没问题，应该是运营商关端口了
加微15069770019帮看
加微15069770019帮看