Resource description
MSR Common Application Scenario Configuration Guide (Internal Server Access: Typical Configuration)
Applicable products:
All products in the H3C MSR20, MSR30 and MSR50 series
Applicable versions:
Versions officially released after 15 August 2008. Most of the configuration also applies to earlier releases.
How to use:
Adapt the configuration in this guide to the actual application scenario before using it.
Real deployments may have special requirements; the work should be done by, or under the guidance of, qualified personnel.
This document uses the MSR2010 with the ESS 1710 software release of 15 August 2008 as the example (releases after 1710 support it as well).
H3C Comware Platform Software
Comware Software, Version 5.20, ESS 1710
Comware Platform Software Version COMWAREV500R002B58D001SP01
H3C MSR2010 Software Version V300R003B01D004SP01
Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Aug 15 2008 13:57:11, RELEASE SOFTWARE
1.1 Internal server access
Most enterprises today run application servers on the internal network, such as WWW, database and mail servers. Enabling the NAT internal server mapping function (nat server) on the gateway lets users on the Internet reach these servers. A common problem with this setup is that PCs on the Internet can reach the internal server normally, while PCs on the internal network cannot reach it by its domain name or public address. The cause is that the gateway does not translate internal-to-internal traffic: an inside client's packet to the public address has its destination rewritten by nat server to the private server address and then leaves through the same LAN interface with the client's own source address, so the server answers the client directly on the LAN with its private address as the source; the client's TCP stack does not associate that reply with its connection to the public address, and the handshake fails. The remedy is to also apply NAT to LAN-to-LAN traffic (nat outbound on the LAN interface, restricted by an ACL to inside-to-inside flows), so that the client's source is rewritten to the gateway's LAN address, the server's reply returns through the gateway, and both translations are reversed there. A typical topology is shown below:
Configuration requirements:
1. The MSR connects to the Internet over a single Ethernet link;
2. WWW and SMTP servers exist on the inside, and external PCs must be able to reach them by domain name;
3. Inside hosts must be able to reach the inside servers by domain name or by public address;
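The failure and the fix described above, as an added model that is not code from this guide or from H3C. It traces one TCP SYN from an inside client to the server's public address through the two NAT stages the configuration below uses (nat server on Ethernet0/0, and nat outbound with a LAN-to-LAN ACL on Vlan-interface1) and shows why the SYN-ACK is only usable when the second stage is present. The addresses 142.1.1.1 (the global address of the nat server entry), 192.168.1.1 (Vlan-interface1) and 192.168.1.0/24 are the guide's; the server address 192.168.1.10, the client 192.168.1.50 and all ports are assumptions. The server is not given 192.168.1.1 because in the configuration below that address is also the router's own Vlan-interface1 address, and 142.1.1.1 is also the default-route next hop while Ethernet0/0 itself is 142.1.1.2; in a real deployment the inside address must be the server host and the global address must be one that is routed to the router's WAN interface, so check both against your addressing plan before copying the nat server lines.

```python
"""Why inside hosts need 'hairpin' source NAT to reach an inside server by its
public address. Added illustration, not code from the guide or from H3C.
142.1.1.1, 192.168.1.1 and 192.168.1.0/24 come from the guide; the server
192.168.1.10, the client 192.168.1.50 and all ports are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
PUBLIC_IP = "142.1.1.1"          # global address in 'nat server ... global'
GATEWAY_LAN_IP = "192.168.1.1"   # Vlan-interface1 address
WEB_SERVER = "192.168.1.10"      # assumed inside web server
CLIENT = "192.168.1.50"          # assumed inside client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Minimal model of two NAT stages on one router:
    - 'nat server': static destination NAT, public (addr, port) -> inside host
    - 'nat outbound <acl>' on the LAN interface, applied only when the ACL
      matches LAN-source to LAN-destination traffic (the guide's ACL 3200)."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.servers = {(PUBLIC_IP, 80): (WEB_SERVER, 80)}
        self.dnat = {}        # (inside (ip,port), client (ip,port)) -> global (ip,port)
        self.snat = {}        # gateway (ip,port) -> original client (ip,port)
        self.next_port = 1024

    def lan_to_server(self, pkt: Packet) -> Packet:
        """Client -> server direction; returns what the server receives."""
        inside = self.servers.get((pkt.dst, pkt.dport))
        if inside is None:
            return pkt                                  # not a mapped service
        client = (pkt.src, pkt.sport)
        self.dnat[(inside, client)] = (pkt.dst, pkt.dport)
        pkt = Packet(pkt.src, pkt.sport, inside[0], inside[1])
        # The packet now routes back out of the LAN interface. Only with the
        # LAN-side 'nat outbound' is its source rewritten to the gateway, which
        # forces the server's reply to come back through the gateway.
        if self.hairpin and ip_address(pkt.src) in LAN and ip_address(pkt.dst) in LAN:
            port, self.next_port = self.next_port, self.next_port + 1
            self.snat[(GATEWAY_LAN_IP, port)] = client
            pkt = Packet(GATEWAY_LAN_IP, port, pkt.dst, pkt.dport)
        return pkt

    def server_to_lan(self, pkt: Packet):
        """Server -> client direction for replies addressed to the gateway.
        Reverses SNAT (restore the client) and DNAT (restore the public address)."""
        client = self.snat.get((pkt.dst, pkt.dport))
        if client is None:
            return None                                 # gateway never sees it
        glob = self.dnat[((pkt.src, pkt.sport), client)]
        return Packet(glob[0], glob[1], client[0], client[1])


def handshake(hairpin: bool) -> dict:
    """Send a SYN from the client to the public address and track the SYN-ACK.
    Returns what the server saw as the client, and whether the client's
    socket (expecting a reply from PUBLIC_IP:80) accepts the SYN-ACK."""
    gw = Gateway(hairpin)
    syn = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    at_server = gw.lan_to_server(syn)
    syn_ack = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if syn_ack.dst == CLIENT:
        # Same subnet: the server delivers the reply directly over the LAN,
        # bypassing the gateway, so no translation is ever undone.
        delivered = syn_ack
    else:
        delivered = gw.server_to_lan(syn_ack)
    accepted = (delivered is not None
                and (delivered.src, delivered.sport) == (PUBLIC_IP, 80)
                and (delivered.dst, delivered.dport) == (CLIENT, 40000))
    return {"server_saw_client_as": at_server.src, "client_accepts": accepted}


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin" if mode else "no hairpin", handshake(mode))
```

The server_saw_client_as field shows the side effect of hairpin NAT: for inside clients using the public address, the server's access logs and any per-source limits on it see the gateway's LAN address rather than the real client. Because the guide's ACL 3200 restricts the LAN-side nat outbound to inside-to-inside traffic, ordinary Internet-bound flows are not affected. If preserving client addresses matters, the alternative is an internal DNS view that resolves the server's name to its private address for inside hosts, which avoids hairpinning altogether.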
The typical configuration is as follows:
<H3C>dis cur
#
version 5.20, ESS 1711
#
sysname H3C
#
ipsec cpu-backup enable
#
nat aging-time tcp 300
nat aging-time udp 180
nat aging-time pptp 300
nat aging-time ftp-ctrl 300
#
domain default enable system
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.1 to 192.168.1.254 per-address
qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address
#
acl number 3001 name WANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
acl number 3003 name LANDefend
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 2 deny tcp destination-port eq 135
rule 3 deny udp destination-port eq 135
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq netbios-ssn
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 5554
rule 13 deny tcp destination-port eq 9995
rule 14 deny tcp destination-port eq 9996
rule 15 deny udp destination-port eq 1434
rule 16 deny tcp destination-port eq 1068
rule 17 deny tcp destination-port eq 5800
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 10080
rule 22 deny tcp destination-port eq 3208
rule 23 deny tcp destination-port eq 1871
rule 24 deny tcp destination-port eq 4510
rule 25 deny udp destination-port eq 4334
rule 26 deny tcp destination-port eq 4331
rule 27 deny tcp destination-port eq 4557
rule 28 deny udp destination-port eq 4444
rule 29 deny udp destination-port eq 1314
rule 30 deny tcp destination-port eq 6969
rule 31 deny tcp destination-port eq 137
rule 32 deny tcp destination-port eq 389
rule 33 deny tcp destination-port eq 138
rule 34 deny udp destination-port eq 136
rule 35 deny tcp destination-port eq 1025
rule 36 deny tcp destination-port eq 6129
rule 37 deny tcp destination-port eq 1029
rule 38 deny tcp destination-port eq 20168
rule 39 deny tcp destination-port eq 4899
rule 40 deny tcp destination-port eq 45576
rule 41 deny tcp destination-port eq 1433
rule 42 deny tcp destination-port eq 1434
rule 43 deny udp destination-port eq 1433
rule 200 permit icmp icmp-type echo
rule 201 permit icmp icmp-type echo-reply
rule 202 permit icmp icmp-type ttl-exceeded
rule 210 deny icmp
rule 1000 permit ip source 192.168.1.0 0.0.0.255
rule 1001 permit udp destination-port eq bootps
rule 2000 deny ip
acl number 3200
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1000 deny ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
nat server protocol tcp global 142.1.1.1 www inside 192.168.1.1 www
nat server protocol tcp global 142.1.1.1 smtp inside 192.168.1.2 smtp
ip address 142.1.1.2 255.255.255.0
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
nat outbound 3200
firewall packet-filter 3003 inbound
#
interface Ethernet0/1
port link-mode bridge
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 142.1.1.1
ip route-static 10.0.0.0 255.0.0.0 NULL0
ip route-static 169.254.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.240.0.0 NULL0
ip route-static 192.168.0.0 255.255.0.0 NULL0
ip route-static 198.18.0.0 255.254.0.0 NULL0
#
arp anti-attack valid-check enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 20
arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4
arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4
arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4
arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4
arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
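Three rules in the WAN-facing ACL 3001 (WANDefend) above deserve a second look before this configuration is copied: rule 300 permits any UDP datagram whose source port is 53, whatever its destination port, because a stateless packet filter cannot tell a DNS reply from a probe that merely sets that source port; rule 310 permits Telnet from every Internet host, and the Telnet server is enabled in the same configuration, so router management is exposed to the WAN unless the rule is narrowed to trusted sources (or Telnet is replaced by SSH); and rule 1000 permits all IP traffic to 192.168.1.0/24, so the filter relies on the nat server entries, not on the ACL, to decide which inside ports are reachable. The long deny list of worm-era ports before those rules is a blacklist and does not change that. The following added example, which is not code from this guide or from H3C, parses a subset of ACL 3001 copied from the page in the page's order, flags those three rules, and evaluates constructed packets with Comware's default first-match (configuration-order) semantics; the SERVICES table covers only the service names the page's ACLs use.

```python
"""Static audit and first-match evaluation of a Comware packet-filter ACL.
Added example, not code from the guide or from H3C. The rule lines in
WAN_DEFEND are copied from ACL 3001 (WANDefend) on the page (a subset, in the
page's order); the test packets are constructed; SERVICES covers only the
service names that appear in the page's ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICES = {"tftp": 69, "telnet": 23, "dns": 53, "www": 80, "smtp": 25,
            "bootps": 67, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

WAN_DEFEND = """
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 4444
rule 28 deny udp destination-port eq 4444
rule 200 permit icmp icmp-type echo
rule 210 deny icmp
rule 300 permit udp source-port eq dns
rule 310 permit tcp destination-port eq telnet
rule 1000 permit ip destination 192.168.1.0 0.0.0.255
rule 2000 deny ip
"""

Net = Tuple[int, int]   # (address, wildcard) as ints; set bits in the wildcard are "don't care"


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: Optional[Net] = None
    dst: Optional[Net] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _port(tok: str) -> int:
    return SERVICES.get(tok) or int(tok)


def _net(ip: str, wild: str) -> Net:
    return int(ipaddress.ip_address(ip)), int(ipaddress.ip_address(wild))


def parse(text: str):
    """Parse 'rule N permit|deny PROTO [source A W|any] [source-port eq P]
    [destination A W|any] [destination-port eq P] [icmp-type T]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        r = Rule(int(t[1]), t[2], t[3])
        i = 4
        while i < len(t):
            kw = t[i]
            if kw in ("source", "destination"):
                if t[i + 1] == "any":
                    i += 2
                else:
                    setattr(r, "src" if kw == "source" else "dst", _net(t[i + 1], t[i + 2]))
                    i += 3
            elif kw in ("source-port", "destination-port"):  # only 'eq' is handled
                setattr(r, "sport" if kw == "source-port" else "dport", _port(t[i + 2]))
                i += 3
            else:                                              # e.g. icmp-type echo
                i += 2
        rules.append(r)
    return rules


def _in(ip: str, net: Optional[Net]) -> bool:
    if net is None:
        return True
    base, wild = net
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)


def first_match(rules, proto, src, sport, dst, dport) -> Optional[Rule]:
    """Comware's default match order is configuration order: first hit wins."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if not (_in(src, r.src) and _in(dst, r.dst)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    return None   # ACL 3001 ends in 'deny ip', so this is not reached for it


def audit(rules):
    """Flag permit rules a stateless packet filter on a WAN interface should not carry."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.sport is not None and r.dport is None and r.src is None:
            findings.append((r.number, "permit keyed on source port only: any host reaches any inside port by using that source port"))
        if r.dport in (22, 23) and r.src is None:
            findings.append((r.number, "management port open to every source"))
        if r.proto == "ip" and r.src is None and r.dport is None:
            findings.append((r.number, "blanket permit with no source or port restriction"))
    return findings


if __name__ == "__main__":
    rules = parse(WAN_DEFEND)
    for number, why in audit(rules):
        print(f"rule {number}: {why}")
    hit = first_match(rules, "udp", "203.0.113.5", 53, "192.168.1.1", 5000)
    print("UDP probe from source port 53 ->", hit.action, "by rule", hit.number)
```

The evaluator makes the rule 300 problem concrete: a UDP packet from any Internet host to an inside port that none of the deny rules lists is permitted as soon as its source port is 53. The same evaluator confirms that the deny rules still catch the ports they name (a UDP packet to 4444 stops at rule 28) and that the Telnet permit is reached from any source. When adapting the ACL, replace rule 300 with a permit limited to the addresses of the resolvers the router actually queries, and give rule 310 a source restriction or remove it.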