1. Network environment
Firewall: H3C F100-M-G5, Version 7.1.064, Release 9560P26
Leased-line interface: GE1/0/9, fixed public IP 61.141.76.238/24, gateway 61.141.76.1
Ordinary broadband: Dialer0 (PPPoE dial-up)
Internal interfaces:
GE1/0/8: 192.168.8.1/24 (server segment)
GE1/0/6: 192.168.6.1/24 (office network)
GE1/0/0: 172.16.0.5/24 (uplink to the core)
Test server being mapped: 192.168.8.15:80, published on public port 36621 of the leased-line IP (nat server protocol tcp global current-interface 36621 inside 192.168.8.15 80)
2. Full configuration attached:
#
version 7.1.064, Release 9560P26
#
sysname cxr
#
clock timezone Beijing add 08:00:00
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
nat address-group 2 name Group1
address 61.141.76.238 61.141.76.238
#
undo ip fast-forwarding load-sharing
#
dhcp enable
#
ip subscriber access-user log enable successful-login
#
password-recovery enable
#
vlan 1
#
vlan 10
#
dhcp server ip-pool DHCP-90
gateway-list 192.168.90.1
network 192.168.90.0 mask 255.255.255.0
dns-list 114.114.114.114
#
dhcp server ip-pool DHCP-91
gateway-list 192.168.91.1
network 192.168.91.0 mask 255.255.255.0
dns-list 114.114.114.114
static-bind ip-address 192.168.91.6 mask 255.255.255.0 hardware-address a0c5-f2bd-af19
#
dhcp server ip-pool GE01
gateway-list 172.16.0.1
network 172.16.0.0 mask 255.255.255.0
dns-list 114.114.114.114
expired unlimited
#
dhcp server ip-pool GE06
gateway-list 192.168.6.1
network 192.168.6.0 mask 255.255.255.0
dns-list 114.114.114.114
#
dhcp server ip-pool GE08
gateway-list 192.168.8.1
network 192.168.8.0 mask 255.255.255.0
dns-list 114.114.114.114 223.5.5.5
#
policy-based-route neiwang permit node 10
if-match acl 3000
apply next-hop 61.141.76.238
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface Dialer0
mtu 1492
ppp chap password cipher $c$3$+q+gdyD/6Jnp4IhjVF4W1cxo1UaTOhRKrY8a
ppp chap user 07551456465445@163.gd
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 07551227456467@163.gd password cipher $c$3$PL/r5Hq5TfJLpWN+tZloYB0ju7Ks1juruE1W
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
#
interface NULL0
#
interface Vlan-interface1
#
interface Vlan-interface10
ip address 192.168.70.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 172.16.0.5 255.255.255.0
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage netconf-http inbound
manage netconf-https inbound
manage netconf-ssh inbound
manage snmp inbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.60.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 192.168.90.1 255.255.255.0
gateway 192.168.90.1
#
interface GigabitEthernet1/0/4
port link-mode route
description GuideWan Interface
bandwidth 100000000
ip last-hop hold
nat outbound
manage http inbound
manage http outbound
manage netconf-http inbound
manage netconf-https inbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
pppoe-client dial-bundle-number 0
ip subscriber routed enable
ip subscriber initiator unclassified-ip enable
#
interface GigabitEthernet1/0/5
port link-mode route
ip address 211.162.72.61 255.255.255.252
ip last-hop hold
nat outbound
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage netconf-http inbound
manage netconf-https inbound
manage netconf-ssh inbound
manage ping inbound
manage ping outbound
manage snmp inbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/6
port link-mode route
description GuideLan Interface
ip address 192.168.6.1 255.255.255.0
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
ip address 192.168.8.1 255.255.255.0
ip policy-based-route neiwang
#
interface GigabitEthernet1/0/9
port link-mode route
ip address 61.141.76.238 255.255.255.0
ip last-hop hold
nat outbound
nat server protocol tcp global current-interface 10235 inside 192.168.8.90 8082 rule 192.168.8.90-8082-TCP disable counting description 192.168.8.90
nat server protocol tcp global current-interface 51821 inside 192.168.8.113 51821 rule 192.168.8.113-51821
nat server protocol tcp global current-interface 53363 inside 192.168.8.66 3389 rule 192.168.8.66-3389-TCP counting description 3389win2012
nat server protocol tcp global current-interface 63366 inside 192.168.8.10 3389 rule 192.168.8.10-3389-TCP counting description 3389-win10
nat server protocol udp global current-interface 51820 inside 192.168.8.113 51820 rule 192.168.8.113-51820-udp counting description wg
nat hairpin enable
manage ping inbound
manage ping outbound
gateway 61.141.76.238
ipsec no-nat-process enable
#
interface GigabitEthernet1/0/10
port link-mode route
shutdown
ip address 192.168.166.1 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage netconf-http inbound
manage netconf-https inbound
manage netconf-ssh inbound
manage ping inbound
manage ping outbound
manage snmp inbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
gateway 192.168.166.1
#
interface GigabitEthernet1/0/11
port link-mode route
ip address 220.112.42.41 255.255.255.248
ip last-hop hold
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage netconf-http inbound
manage netconf-https inbound
manage netconf-ssh inbound
manage ping inbound
manage ping outbound
manage snmp inbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
gateway 220.112.42.46
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/8
import interface Vlan-interface10
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer0
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/9
import interface GigabitEthernet1/0/11
#
security-zone name Management
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer0
#
customlog format dpi terminal
#
performance-management
#
ssh server enable
sftp server enable
sftp server idle-timeout 35791
scp server enable
#
arp ip-conflict log prompt
#
time-range 1 15:54 to 15:56 Mon
#
ntp-service enable
ntp-service source GigabitEthernet1/0/4
ntp-service refclock-master
ntp-service unicast-server 8.8.8.8
#
acl advanced 3000
rule 10 deny ip source 192.168.8.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 20 deny ip source 192.168.8.0 0.0.0.255 destination 172.16.0.0 0.15.255.255
rule 30 deny ip source 192.168.8.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
rule 100 permit ip source 192.168.8.0 0.0.0.255
#
acl advanced 3333
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$RSm9QJjB8BVuupSR$tOK7DI5RgQz9mP3Qc/veeA9Z4BhSjtpwmrqgwxsT5NJejvbekWadeFWrjVeihm8iV6FGnus4CYPp9m+TWfdnfw==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
ftp server enable
ftp timeout 35791
#
session statistics enable
#
ipsec logging negotiation enable
#
nat global-policy
rule name GlobalPolicyRule_3
source-zone Trust
destination-zone Untrust
action snat easy-ip
#
ike logging negotiation enable
#
ip https enable
web idle-timeout 999
#
blacklist ip 46.149.200.15
blacklist destination-ip 46.149.200.15
blacklist destination-ip 103.235.46.96
blacklist global enable
#
url-filter policy 钓鱼网站屏蔽
default-action block-source parameter-profile url_block_default_parameter
add blacklist 1 host text ***.***
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect logging parameter-profile waf_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
traffic-policy
rule 1 name GuideAVCPolicy
action qos profile guideavcprofile1
source-zone Trust
destination-zone DMZ
destination-zone Untrust
profile name guideavcprofile1
bandwidth downstream guaranteed 100000000
bandwidth downstream maximum 100000000
#
packet-capture max-bytes 4096
packet-capture max-file-packets 1000
packet-capture storage local limit 10240
#
waf logging parameter-profile waf_logging_default_parameter
#
security-policy ip
rule 0 name Any_Any_0_IPv4
action pass
logging enable
rule 1 name Any_Any_1_IPv4
action pass
#
dac log-collect service dpi traffic enable
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
domain-reputation
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return
Could an expert please provide the complete set of fix commands?
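Editor's note and added example; this is not part of the original post and not code from the poster. Reading the dumped configuration against the summary above shows three things. The only default route is `ip route-static 0.0.0.0 0 Dialer0`, so anything that should use the leased line depends on the policy route `neiwang` applied to GE1/0/8, and that policy's next hop is `61.141.76.238`, which is the address of GE1/0/9 itself rather than the ISP gateway 61.141.76.1 stated in the summary. The `gateway` field under GE1/0/9 is set to the interface's own address in the same way. And the `nat server ... 36621 inside 192.168.8.15 80` line quoted in the summary does not appear under GE1/0/9 in the dump, which only carries the mappings for .90, .113, .66 and .10. The fragment below corrects those three points and lists the `display` commands to check the result; it assumes the leased-line provider really routes 61.141.76.0/24 via 61.141.76.1 as the summary says, relies on the `ip last-hop hold` already present on GE1/0/9 so that replies to the mapped server go back out the leased line instead of Dialer0, and leaves the existing any-any `security-policy` untouched (if that rule is later tightened, an Untrust-to-Trust rule for 192.168.8.15 port 80 has to be added). The rule name and description in the nat server line are the editor's choice. The hardening lines at the end are the editor's recommendation from what the dump shows, not something the poster asked for: Telnet and FTP servers are enabled, HTTP and Telnet management is accepted inbound on the Internet-facing GE1/0/4, GE1/0/5 and GE1/0/11, and RDP (3389) is published on two public ports. Because the dump was posted publicly together with the PPPoE account names, their cipher-text passwords (which the device must be able to reverse for PAP/CHAP) and the admin password hash, those credentials should be rotated as well.

```text
# --- Fix the policy route: next hop must be the ISP gateway, not GE1/0/9's own IP
system-view
policy-based-route neiwang permit node 10
 undo apply next-hop 61.141.76.238
 apply next-hop 61.141.76.1
 quit
#
# --- Leased-line interface: correct gateway, add the missing mapping.
#     'ip last-hop hold' is already configured here and is what keeps the
#     return traffic of 192.168.8.15:80 on this interface instead of Dialer0.
interface GigabitEthernet1/0/9
 gateway 61.141.76.1
 nat server protocol tcp global current-interface 36621 inside 192.168.8.15 80 rule 192.168.8.15-80-TCP counting description test-web
 quit
#
# --- Verify: mapping present, route to the gateway, and a session
#     created when a client on the Internet connects to 61.141.76.238:36621
display nat server
display ip routing-table
display nat session verbose
display session table ipv4 verbose
#
# --- Hardening (editor's recommendation, not required for the mapping to work):
#     stop answering Telnet/HTTP management on the Internet-facing interfaces
#     and turn off the clear-text Telnet and FTP servers.
undo telnet server enable
undo ftp server enable
interface GigabitEthernet1/0/4
 undo manage telnet inbound
 undo manage http inbound
 quit
interface GigabitEthernet1/0/5
 undo manage telnet inbound
 undo manage http inbound
 quit
interface GigabitEthernet1/0/11
 undo manage telnet inbound
 undo manage http inbound
 quit
#
# --- Review the two 3389 mappings (public ports 53363 and 63366): RDP exposed
#     directly to the Internet is a standard brute-force and ransomware entry
#     point; prefer reaching those hosts through the WireGuard tunnel already
#     published on 51820/udp, then remove the mappings with
#     'undo nat server protocol tcp global current-interface 53363' and
#     'undo nat server protocol tcp global current-interface 63366'.
save
```

Apply the first two blocks, then test from outside the network with `curl http://61.141.76.238:36621/` (or a plain TCP connect to that port) while watching `display session table ipv4 verbose`: a session whose destination is translated to 192.168.8.15:80 confirms the mapping, and the absence of one while the ACL and NAT rules look right usually points back at routing, which is why the next-hop correction comes first.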