MSR常见应用场景配置指导(内部服务器访问典型配置篇).docx-资源下载-咨信网-让知识获取变得高效

MSR常见应用场景配置指导(内部服务器访问典型配置篇).docx

1、MSR常见应用场景配置指导(内部服务器访问典型配置篇) 适用产品： H3C MSR20、MSR30、MSR50 各系列的所有产品适应版本： 2008.8.15日之后正式发布的版本。绝大部分配置也适用之前发布的版本。使用方法：根据实际应用场景，在本文配置指导基础上，做定制化修改后使用。实际组网中可能存在特殊要求，建议由专业人员或在专业人员指导下操作。本文以MSR2010 产品， 2008.8.15日ESS 1710软件版本为案例（1710以后的版本同样支持）。 H3C Comware Platform Software C

2、omware Software, Version 5.20, ESS 1710 Comware Platform Software Version COMWAREV500R002B58D001SP01 H3C MSR2010 Software Version V300R003B01D004SP01 Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved. Compiled Aug 15 2008 13:57:11, RELEASE SOFTWARE 1.1 内部服务

3、器访问目前大部分企业会在内部网络搭建各种应用服务器，如：WWW、数据库和邮件服务器等，通过在网关设备上启用NAT内部服务器映射功能，可以使外网用户访问企业内部的服务器。但是这种配置下常常会碰到一个问题，外网PC可以正常地访问内部服务器，但是内部PC却无法通过域名或者公网地址访问内部服务器，这是由于网关设备没有启用NAT内部地址转换功能导致的。典型组网如下：配置需求如下： 1、 MSR采用单条以太网线路接入Internet； 2、内部存在WWW和SMTP服务器，要求外部PC可以通过访问域名访问内部服务器； 3、内部可以通过域名或者公网地址访问内部服务器；典型

4、配置如下： dis cur # version 5.20, ESS 1711 # sysname H3C # ipsec cpu-backup enable # nat aging-time tcp 300 nat aging-time udp 180 nat aging-time pptp 300 nat aging-time ftp-ctrl 300 # domain default enable system # telnet server enable # qos carl 1 source-ip-address ran

5、ge 192.168.1.1 to 192.168.1.254 per-address qos carl 2 destination-ip-address range 192.168.1.1 to 192.168.1.254 per-address # acl number 3001 name WANDefend rule 0 deny udp destination-port eq tftp rule 1 deny tcp destination-port eq 4444 rule 2 deny tcp destination-port eq 135 rule 3 d

6、eny udp destination-port eq 135 rule 4 deny udp destination-port eq netbios-ns rule 5 deny udp destination-port eq netbios-dgm rule 6 deny tcp destination-port eq 139 rule 7 deny udp destination-port eq netbios-ssn rule 8 deny tcp destination-port eq 445 rule 9 deny udp destination-port

7、eq 445 rule 10 deny udp destination-port eq 593 rule 11 deny tcp destination-port eq 593 rule 12 deny tcp destination-port eq 5554 rule 13 deny tcp destination-port eq 9995 rule 14 deny tcp destination-port eq 9996 rule 15 deny udp destination-port eq 1434 rule 16 deny tcp destination-

8、port eq 1068 rule 17 deny tcp destination-port eq 5800 rule 18 deny tcp destination-port eq 5900 rule 19 deny tcp destination-port eq 10080 rule 22 deny tcp destination-port eq 3208 rule 23 deny tcp destination-port eq 1871 rule 24 deny tcp destination-port eq 4510 rule 25 deny udp des

9、tination-port eq 4334 rule 26 deny tcp destination-port eq 4331 rule 27 deny tcp destination-port eq 4557 rule 28 deny udp destination-port eq 4444 rule 29 deny udp destination-port eq 1314 rule 30 deny tcp destination-port eq 6969 rule 31 deny tcp destination-port eq 137 rule 32 deny

10、tcp destination-port eq 389 rule 33 deny tcp destination-port eq 138 rule 34 deny udp destination-port eq 136 rule 35 deny tcp destination-port eq 1025 rule 36 deny tcp destination-port eq 6129 rule 37 deny tcp destination-port eq 1029 rule 38 deny tcp destination-port eq 20168 rule 39

11、 deny tcp destination-port eq 4899 rule 40 deny tcp destination-port eq 45576 rule 41 deny tcp destination-port eq 1433 rule 42 deny tcp destination-port eq 1434 rule 43 deny udp destination-port eq 1433 rule 200 permit icmp icmp-type echo rule 201 permit icmp icmp-type echo-reply rule

12、 202 permit icmp icmp-type ttl-exceeded rule 210 deny icmp rule 300 permit udp source-port eq dns rule 310 permit tcp destination-port eq telnet rule 1000 permit ip destination 192.168.1.0 0.0.0.255 rule 2000 deny ip acl number 3003 name LANDefend rule 0 deny udp destination-port eq tft

13、p rule 1 deny tcp destination-port eq 4444 rule 2 deny tcp destination-port eq 135 rule 3 deny udp destination-port eq 135 rule 4 deny udp destination-port eq netbios-ns rule 5 deny udp destination-port eq netbios-dgm rule 6 deny tcp destination-port eq 139 rule 7 deny udp destination-

14、port eq netbios-ssn rule 8 deny tcp destination-port eq 445 rule 9 deny udp destination-port eq 445 rule 10 deny udp destination-port eq 593 rule 11 deny tcp destination-port eq 593 rule 12 deny tcp destination-port eq 5554 rule 13 deny tcp destination-port eq 9995 rule 14 deny tcp des

15、tination-port eq 9996 rule 15 deny udp destination-port eq 1434 rule 16 deny tcp destination-port eq 1068 rule 17 deny tcp destination-port eq 5800 rule 18 deny tcp destination-port eq 5900 rule 19 deny tcp destination-port eq 10080 rule 22 deny tcp destination-port eq 3208 rule 23 den

16、y tcp destination-port eq 1871 rule 24 deny tcp destination-port eq 4510 rule 25 deny udp destination-port eq 4334 rule 26 deny tcp destination-port eq 4331 rule 27 deny tcp destination-port eq 4557 rule 28 deny udp destination-port eq 4444 rule 29 deny udp destination-port eq 1314 rul

17、e 30 deny tcp destination-port eq 6969 rule 31 deny tcp destination-port eq 137 rule 32 deny tcp destination-port eq 389 rule 33 deny tcp destination-port eq 138 rule 34 deny udp destination-port eq 136 rule 35 deny tcp destination-port eq 1025 rule 36 deny tcp destination-port eq 6129

18、 rule 37 deny tcp destination-port eq 1029 rule 38 deny tcp destination-port eq 20168 rule 39 deny tcp destination-port eq 4899 rule 40 deny tcp destination-port eq 45576 rule 41 deny tcp destination-port eq 1433 rule 42 deny tcp destination-port eq 1434 rule 43 deny udp destination-port

19、 eq 1433 rule 200 permit icmp icmp-type echo rule 201 permit icmp icmp-type echo-reply rule 202 permit icmp icmp-type ttl-exceeded rule 210 deny icmp rule 1000 permit ip source 192.168.1.0 0.0.0.255 rule 1001 permit udp destination-port eq bootps rule 2000 deny ip acl number 3200 rul

20、e 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 rule 1000 deny ip # vlan 1 # domain system access-limit disable state active idle-cut disable self-service-url disable # user-group system # local-user admin password cipher .]@USE=B,53Q=^Q`MAF4<1!! au

21、thorization-attribute level 3 service-type telnet # interface Aux0 async mode flow link-protocol ppp # interface Ethernet0/0 port link-mode route firewall packet-filter 3001 inbound nat outbound nat server protocol tcp global 142.1.1.1 www inside 192.168.1.1 www nat server protoc

22、ol tcp global 142.1.1.1 smtp inside 192.168.1.2 smtp ip address 142.1.1.2 255.255.255.0 # interface NULL0 # interface Vlan-interface1 ip address 192.168.1.1 255.255.255.0 qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard qos car outbound carl 2 cir 1024 cbs 64000 ebs

23、0 green pass red discard nat outbound 3200 firewall packet-filter 3003 inbound # interface Ethernet0/1 port link-mode bridge # interface Ethernet0/2 port link-mode bridge # interface Ethernet0/3 port link-mode bridge # interface Ethernet0/4 port link-mode bridge # ip route-sta

24、tic 0.0.0.0 0.0.0.0 142.1.1.1 ip route-static 10.0.0.0 255.0.0.0 NULL0 ip route-static 169.254.0.0 255.255.0.0 NULL0 ip route-static 172.16.0.0 255.240.0.0 NULL0 ip route-static 192.168.0.0 255.255.0.0 NULL0 ip route-static 198.18.0.0 255.254.0.0 NULL0 # arp anti-attack valid-check enab

25、le arp anti-attack source-mac filter arp anti-attack source-mac threshold 20 arp static 192.168.1.3 0088-0088-0088 1 Ethernet0/4 arp static 192.168.1.4 0088-0088-0089 1 Ethernet0/4 arp static 192.168.1.5 0088-0088-008a 1 Ethernet0/4 arp static 192.168.1.6 0088-0088-008b 1 Ethernet0/4 arp static 192.168.1.7 0088-0088-008c 1 Ethernet0/4 # load xml-configuration # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme #

邮箱/手机：
温馨提示：	快捷下载时，用户名和密码都是您填写的邮箱或者手机号，方便查询和重复下载（系统自动生成）。如填写123，账号就是123，密码也是123。
特别说明：	请自助下载，系统不会自动发送文件的哦；如果您已付费，想二次下载，请登录后访问：我的下载记录
支付方式：
验证码：	换一换

账号：
密码：
验证码：	换一换
当日自动登录忘记密码？