MSR Common Application Scenario Configuration Guide

Applicable products: all products in the H3C MSR20, MSR30 and MSR50 series.
Applicable versions: releases officially published after the stated date; most of the configuration also applies to earlier releases.
How to use: take the configuration in this guide as the base, customize it for the actual application scenario, and then apply it. Real deployments may have special requirements, so the work should be done by, or under the guidance of, qualified personnel.
This guide uses an MSR2010 running the ESS 1710 software release as the example (releases after 1710 are supported in the same way):

H3C Comware Platform Software
Comware Software, Version 5.20, ESS 1710
Comware Platform Software Version COMWAREV500R002B58D001SP01
H3C MSR2010 Software Version V300R003B01D004SP01
Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Aug 15 2008 13:57:11, RELEASE SOFTWARE

Scenario: internal hosts reaching NAT internal servers by domain name or public address

Most enterprises today run application servers such as WWW, database and mail servers on the internal network and enable the NAT internal server (nat server) mapping function on the gateway so that external users can reach them. A common problem with this setup is that external PCs reach the internal servers normally, but internal PCs cannot reach them by domain name or by the public address. The cause is that the gateway is not applying NAT on the internal (LAN-side) interface: when an internal PC connects to the public address, the gateway translates the destination to the server's private address and forwards the packet back out the LAN interface, but the server then replies directly to the PC's private address, bypassing the gateway, and the PC discards a reply that does not come from the public address it connected to. Applying nat outbound on the LAN interface (acl 3200 in the configuration below, which matches internal-to-internal traffic) also translates the source of these hairpinned packets to the gateway's own LAN address, so the server's replies return through the gateway and are translated back correctly.

Typical topology (figure): MSR LAN interface 192.168.1.1/24; internal PC 192.168.1.2/24; WWW server 192.168.1.10/24; SMTP server 192.168.1.11/24.

Configuration requirements:
1. The MSR connects to the Internet over a single Ethernet line.
2. There are WWW and SMTP servers on the internal network, and external PCs must be able to reach them by domain name.
3. Internal hosts must be able to reach the internal servers by domain name or by the public address.

Typical configuration:

<H3C>dis cur
#
 version 5.20, ESS 1711
#
 sysname H3C
#
 ipsec cpu-backup enable
 nat aging-time tcp 300
 nat aging-time udp 180
 nat aging-time pptp 300
 nat aging-time ftp-ctrl 300
#
 domain default enable system
#
 qos carl 1 source-ip-address range to per-address
 qos carl 2 destination-ip-address range to per-address
#
acl number 3001 name WANDefend
 rule 0 deny udp destination-port eq tftp
 rule 1 deny tcp destination-port eq 4444
 rule 2 deny tcp destination-port eq 135
 rule 3 deny udp destination-port eq 135
 rule 4 deny udp destination-port eq netbios-ns
 rule 5 deny udp destination-port eq netbios-dgm
 rule 6 deny tcp destination-port eq 139
 rule 7 deny udp destination-port eq netbios-ssn
 rule 8 deny tcp destination-port eq 445
 rule 9 deny udp destination-port eq 445
 rule 10 deny udp destination-port eq 593
 rule 11 deny tcp destination-port eq 593
 rule 12 deny tcp destination-port eq 5554
 rule 13 deny tcp destination-port eq 9995
 rule 14 deny tcp destination-port eq 9996
 rule 15 deny udp destination-port eq 1434
 rule 16 deny tcp destination-port eq 1068
 rule 17 deny tcp destination-port eq 5800
 rule 18 deny tcp destination-port eq 5900
 rule 19 deny tcp destination-port eq 10080
 rule 22 deny tcp destination-port eq 3208
 rule 23 deny tcp destination-port eq 1871
 rule 24 deny tcp destination-port eq 4510
 rule 25 deny udp destination-port eq 4334
 rule 26 deny tcp destination-port eq 4331
 rule 27 deny tcp destination-port eq 4557
 rule 28 deny udp destination-port eq 4444
 rule 29 deny udp destination-port eq 1314
 rule 30 deny tcp destination-port eq 6969
 rule 31 deny tcp destination-port eq 137
 rule 32 deny tcp destination-port eq 389
 rule 33 deny tcp destination-port eq 138
 rule 34 deny udp destination-port eq 136
 rule 35 deny tcp destination-port eq 1025
 rule 36 deny tcp destination-port eq 6129
 rule 37 deny tcp destination-port eq 1029
 rule 38 deny tcp destination-port eq 20168
 rule 39 deny tcp destination-port eq 4899
 rule 40 deny tcp destination-port eq 45576
 rule 41 deny tcp destination-port eq 1433
 rule 42 deny tcp destination-port eq 1434
 rule 43 deny udp destination-port eq 1433
 rule 200 permit icmp icmp-type echo
 rule 201 permit icmp icmp-type echo-reply
 rule 202 permit icmp icmp-type ttl-exceeded
 rule 210 deny icmp
 rule 300 permit udp source-port eq dns
 rule 1000 permit ip destination
 rule 2000 deny ip
acl number 3003 name LANDefend
 rule 0 deny udp destination-port eq tftp
 rule 1 deny tcp destination-port eq 4444
 rule 2 deny tcp destination-port eq 135
 rule 3 deny udp destination-port eq 135
 rule 4 deny udp destination-port eq netbios-ns
 rule 5 deny udp destination-port eq netbios-dgm
 rule 6 deny tcp destination-port eq 139
 rule 7 deny udp destination-port eq netbios-ssn
 rule 8 deny tcp destination-port eq 445
 rule 9 deny udp destination-port eq 445
 rule 10 deny udp destination-port eq 593
 rule 11 deny tcp destination-port eq 593
 rule 12 deny tcp destination-port eq 5554
 rule 13 deny tcp destination-port eq 9995
 rule 14 deny tcp destination-port eq 9996
 rule 15 deny udp destination-port eq 1434
 rule 16 deny tcp destination-port eq 1068
 rule 17 deny tcp destination-port eq 5800
 rule 18 deny tcp destination-port eq 5900
 rule 19 deny tcp destination-port eq 10080
 rule 22 deny tcp destination-port eq 3208
 rule 23 deny tcp destination-port eq 1871
 rule 24 deny tcp destination-port eq 4510
 rule 25 deny udp destination-port eq 4334
 rule 26 deny tcp destination-port eq 4331
 rule 27 deny tcp destination-port eq 4557
 rule 28 deny udp destination-port eq 4444
 rule 29 deny udp destination-port eq 1314
 rule 30 deny tcp destination-port eq 6969
 rule 31 deny tcp destination-port eq 137
 rule 32 deny tcp destination-port eq 389
 rule 33 deny tcp destination-port eq 138
 rule 34 deny udp destination-port eq 136
 rule 35 deny tcp destination-port eq 1025
 rule 36 deny tcp destination-port eq 6129
 rule 37 deny tcp destination-port eq 1029
 rule 38 deny tcp destination-port eq 20168
 rule 39 deny tcp destination-port eq 4899
 rule 40 deny tcp destination-port eq 45576
 rule 41 deny tcp destination-port eq 1433
 rule 42 deny tcp destination-port eq 1434
 rule 43 deny udp destination-port eq 1433
 rule 200 permit icmp icmp-type echo
 rule 201 permit icmp icmp-type echo-reply
 rule 202 permit icmp icmp-type ttl-exceeded
 rule 210 deny icmp
 rule 1000 permit ip source
 rule 1001 permit udp destination-port eq bootps
 rule 2000 deny ip
acl number 3200
 rule 0 permit ip source destination
 rule 1000 deny ip
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin
 password cipher .USE=B,53Q=AQ'MAF4<1!
 authorization-attribute level 3
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 port link-mode route
 firewall packet-filter 3001 inbound
 nat outbound
 nat server protocol tcp global www inside www
 nat server protocol tcp global smtp inside smtp
 ip address
#
interface NULL0
#
interface Vlan-interface1
 ip address
 qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
 qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
 nat outbound 3200
 firewall packet-filter 3003 inbound
#
interface Ethernet0/1
 port link-mode bridge
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
 ip route-static
 ip route-static NULL0
 ip route-static NULL0
 ip route-static NULL0
 ip route-static NULL0
 ip route-static NULL0
#
 arp anti-attack valid-check enable
 arp anti-attack source-mac filter
 arp anti-attack source-mac threshold 20
 arp static Ethernet0/4
 arp static Ethernet0/4
 arp static 0088-0088-008a 1 Ethernet0/4
 arp static 0088-0088-008b 1 Ethernet0/4
 arp static 0088-0088-008c 1 Ethernet0/4
#
 load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
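The following Python model is an added illustration of the hairpin problem this scenario solves; it is not H3C code and not part of the original guide. It uses the guide's topology (gateway LAN address 192.168.1.1, internal PC 192.168.1.2, WWW server 192.168.1.10) and assumes a public address of 203.0.113.10 for Ethernet0/0, a client port of 40000 and a translated-port range starting at 1025, none of which the guide gives. It also assumes that the destination translation of the nat server mapping is applied to the hairpinned packet, as the guide's description implies, and isolates the one variable the guide changes: whether nat outbound (acl 3200, LAN source to LAN destination) is applied on Vlan-interface1.

```python
"""Why an internal PC cannot reach its own server via the public address without
NAT on the LAN interface, and why 'nat outbound 3200' on Vlan-interface1 fixes it.

Added model, not H3C code.  Addresses follow the guide's topology; the public
address of Ethernet0/0 (203.0.113.10), the client port and the translated-port
range are assumptions made for the illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # acl 3200: permit ip source <LAN> destination <LAN>
GATEWAY_LAN = "192.168.1.1"          # Vlan-interface1
CLIENT = "192.168.1.2"               # internal PC
WWW_SERVER = "192.168.1.10"          # inside address of the 'nat server ... www' mapping
PUBLIC_IP = "203.0.113.10"           # assumed global address of Ethernet0/0


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Minimal model of 'nat server' plus an optional 'nat outbound' on the LAN side."""

    def __init__(self, lan_nat_outbound: bool):
        # nat server protocol tcp global <PUBLIC_IP> www inside <WWW_SERVER> www
        self.nat_server = {(PUBLIC_IP, 80): (WWW_SERVER, 80)}
        self.lan_nat_outbound = lan_nat_outbound
        self.sessions = {}      # (server address, translated source port) -> original request
        self.next_port = 1025   # assumed start of the translated-port range

    def forward_from_lan(self, pkt: Packet) -> Packet:
        """Packet arriving on Vlan-interface1: destination NAT, then optional source NAT."""
        inside = self.nat_server.get((pkt.dst, pkt.dport))
        if inside is None:
            return pkt                                   # not a mapped service
        hairpinned = replace(pkt, dst=inside[0], dport=inside[1])
        lan_to_lan = ip_address(pkt.src) in LAN and ip_address(hairpinned.dst) in LAN
        if not (self.lan_nat_outbound and lan_to_lan):
            return hairpinned                            # server will see the PC's real address
        # acl 3200 matches: rewrite the source so that the server answers the gateway
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(hairpinned.dst, nat_port)] = pkt
        return replace(hairpinned, src=GATEWAY_LAN, sport=nat_port)

    def forward_reply(self, reply: Packet) -> Packet:
        """Reply addressed to the gateway: undo both translations for the PC."""
        original = self.sessions.get((reply.src, reply.dport))
        if original is None:
            return reply
        return Packet(src=original.dst, sport=original.dport,
                      dst=original.src, dport=original.sport)


def server_reply(request: Packet) -> Packet:
    """The server answers whatever source address and port it saw."""
    return Packet(src=request.dst, sport=request.dport,
                  dst=request.src, dport=request.sport)


def simulate(lan_nat_outbound: bool) -> dict:
    """Internal PC connects to the public address of its own WWW server."""
    gw = Gateway(lan_nat_outbound)
    request = Packet(src=CLIENT, sport=40000, dst=PUBLIC_IP, dport=80)
    at_server = gw.forward_from_lan(request)
    reply = server_reply(at_server)
    # Both hosts share the LAN, so a reply addressed to the PC is delivered directly
    # and never passes the gateway; only a reply addressed to the gateway is translated.
    if reply.dst == GATEWAY_LAN:
        reply = gw.forward_reply(reply)
    expected = (PUBLIC_IP, 80, CLIENT, 40000)            # what the PC's TCP stack expects
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == expected
    return {"server_saw_src": at_server.src,
            "reply_src": reply.src,
            "client_accepted": accepted}


if __name__ == "__main__":
    for enabled in (False, True):
        print("nat outbound on LAN interface:", enabled, simulate(enabled))
```

Without the LAN-side nat outbound the server sees the PC's private address and replies to it directly from 192.168.1.10, so the PC's TCP stack, which is waiting for a reply from 203.0.113.10:80, never completes the handshake. With it, the server sees 192.168.1.1 as the source, its reply goes back to the gateway, and the gateway restores both the public source address and the PC's original port. The price is that the server's logs show the gateway's address for all hairpinned connections, which matters if those logs feed access control or incident response.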
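The packet filters in this configuration are stateless, first-match ACLs: the lowest-numbered rule that matches a packet decides, and nothing later is consulted. The following Python model, added here and not H3C code, transcribes a representative subset of acl 3001 WANDefend and evaluates constructed packets against it to show two properties worth checking before reusing the list: the worm-port denies take precedence over every later permit, and rule 300 permits any UDP datagram whose source port is 53, to any destination, because the only destination restriction appears in rule 1000. The destination address of rule 1000 is blank in the guide; the public address 203.0.113.10 and the peer addresses 198.51.100.7 and 203.0.113.11 are assumptions for the example.

```python
"""First-match evaluation of a representative subset of acl 3001 (WANDefend).

Added model, not H3C code.  The destination of rule 1000 is blank in the guide
and is assumed to be the router's public address; peer addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"            # assumed global address of Ethernet0/0


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "ip" (any protocol)
    sport: Optional[int] = None        # source-port eq
    dport: Optional[int] = None        # destination-port eq
    dst: Optional[str] = None          # destination host
    icmp_type: Optional[int] = None    # icmp-type


# Subset of 'acl number 3001 name WANDefend', kept in rule-number order.
WAN_DEFEND: List[Rule] = [
    Rule(0, "deny", "udp", dport=69),              # tftp
    Rule(2, "deny", "tcp", dport=135),
    Rule(8, "deny", "tcp", dport=445),
    Rule(15, "deny", "udp", dport=1434),
    Rule(41, "deny", "tcp", dport=1433),
    Rule(200, "permit", "icmp", icmp_type=8),      # echo
    Rule(201, "permit", "icmp", icmp_type=0),      # echo-reply
    Rule(202, "permit", "icmp", icmp_type=11),     # ttl-exceeded
    Rule(210, "deny", "icmp"),
    Rule(300, "permit", "udp", sport=53),          # dns: no destination restriction
    Rule(1000, "permit", "ip", dst=PUBLIC_IP),
    Rule(2000, "deny", "ip"),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must match; unspecified fields match anything."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.dst is not None and pkt.dst != rule.dst:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (rule number, action) of the first matching rule.

    Comware V5 packet filtering permits by default when no rule matches; the
    guide's ACLs close with 'rule 2000 deny ip' so that default is never reached.
    """
    for rule in acl:
        if matches(rule, pkt):
            return rule.rid, rule.action
    return None, "permit"


if __name__ == "__main__":
    PEER = "198.51.100.7"                          # constructed external host
    OTHER = "203.0.113.11"                         # constructed address that is not the public IP
    samples = [
        ("SMB to the public address", Packet("tcp", PEER, PUBLIC_IP, 51000, 445)),
        ("UDP sport 53 to port 1434", Packet("udp", PEER, PUBLIC_IP, 53, 1434)),
        ("UDP sport 53 to another destination", Packet("udp", PEER, OTHER, 53, 40000)),
        ("same datagram from sport 40000", Packet("udp", PEER, OTHER, 40000, 40000)),
        ("ICMP timestamp request", Packet("icmp", PEER, PUBLIC_IP, icmp_type=13)),
        ("HTTP to the public address", Packet("tcp", PEER, PUBLIC_IP, 51000, 80)),
    ]
    for label, pkt in samples:
        print(f"{label}: {evaluate(WAN_DEFEND, pkt)}")
```

The third sample is the caveat: a UDP datagram from source port 53 is permitted by rule 300 regardless of destination, so a sender that simply binds to port 53 is not subject to rule 1000's destination check (the numbered worm-port denies still apply first, as the second sample shows). On a stateless filter this is the usual trade-off for letting DNS replies in; if the platform offers stateful inspection for DNS, that is the tighter option.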