MSR Common Application Scenario Configuration Guide (MSR常见应用场景配置指导.doc)

Uploaded by: scccc  Document ID: 12601236  Upload date: 2021-12-04  Format: DOC  Pages: 8  Size: 66KB
Shared by a member on 三一文库.

Applicable products: all products in the H3C MSR20, MSR30 and MSR50 series.
Applicable versions: versions officially released after [date not preserved in this copy]. Most of the configuration also applies to versions released before that date.
How to use: take the configuration in this guide as the base, customize it for the actual application scenario, and then deploy it. Real networks may have special requirements; it is recommended that the work be done by, or under the guidance of, qualified personnel.
This document uses the MSR2010 running software version ESS 1710 (released [date not preserved in this copy]) as the example; versions after 1710 are supported as well.

H3C Comware Platform Software
Comware Software, Version 5.20, ESS 1710
Comware Platform Software Version COMWAREV500R002B58D001SP01
H3C MSR2010 Software Version V300R003B01D004SP01
Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Aug 15 2008 13:57:11, RELEASE SOFTWARE

Most enterprises today run application servers such as WWW, database and mail servers on their internal network and enable the NAT internal server mapping feature (nat server) on the gateway so that users on the Internet can reach them. This setup frequently runs into one problem: PCs on the Internet reach the internal server normally, but internal PCs cannot reach it through its domain name or its public address. The cause is that NAT internal address translation (source translation on the gateway's LAN-side interface) is not enabled: the server then sees the internal PC's private address and answers it directly on the LAN, so the reply never passes back through the gateway and does not match the connection the PC opened toward the public address.

Typical topology:
[Topology figure: hosts at 192.168.1.1/24 and 192.168.1.2/24, and the WWW and SMTP servers at 192.168.1.10/24 and 192.168.1.11/24, all on one LAN behind the MSR]

Configuration requirements:
1. The MSR connects to the Internet over a single Ethernet line.
2. There are WWW and SMTP servers on the internal network, and external PCs must be able to reach them by domain name.
3. Internal hosts must be able to reach the internal servers by domain name or by the public address.
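The failure described above, and the effect of enabling source translation on the LAN-side interface, modelled as a short Python simulation. This is an added example and not part of the H3C document: the public address 203.0.113.10, the port numbers and the session-table logic are constructed for illustration; the LAN addresses follow the topology figure, and the later configuration in this document achieves the same effect with nat outbound on Vlan-interface1.

```python
"""Added example, not from the H3C document: why an internal PC cannot reach an
internal server via the public address until the gateway also translates the
source address on the LAN-side interface (nat outbound on the LAN interface)."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"      # constructed stand-in for the Ethernet0/0 public address
GATEWAY_LAN_IP = "192.168.1.1"  # gateway LAN address (from the topology figure)
INTERNAL_PC = "192.168.1.2"     # internal client
WWW_SERVER = "192.168.1.10"     # internal WWW server

# nat server mapping: public address port 80 -> internal WWW server port 80
NAT_SERVER = {(PUBLIC_IP, 80): (WWW_SERVER, 80)}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Gateway:
    """Minimal model of the two NAT steps that matter for this scenario."""

    def __init__(self, lan_nat_outbound: bool):
        self.lan_nat_outbound = lan_nat_outbound
        self.server_sessions = {}    # (client ip, port) -> public (ip, port) it connected to
        self.outbound_sessions = {}  # gateway source port -> (client ip, port)
        self._next_port = 40000

    def forward_from_lan(self, pkt: Packet) -> Packet:
        """LAN host sends to the public address: apply nat server, then nat outbound if enabled."""
        inside = NAT_SERVER.get((pkt.dst_ip, pkt.dst_port))
        if inside is None:
            return pkt
        self.server_sessions[(pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        pkt = replace(pkt, dst_ip=inside[0], dst_port=inside[1])
        if self.lan_nat_outbound:
            # Source translation on the LAN interface: the server now sees the gateway.
            port = self._next_port
            self._next_port += 1
            self.outbound_sessions[port] = (pkt.src_ip, pkt.src_port)
            pkt = replace(pkt, src_ip=GATEWAY_LAN_IP, src_port=port)
        return pkt

    def forward_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reply addressed to the gateway: undo nat outbound, then undo nat server."""
        client = self.outbound_sessions.get(pkt.dst_port)
        if client is None:
            return None
        public = self.server_sessions[client]
        return Packet(public[0], public[1], client[0], client[1])


def server_reply(request: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)


def deliver_reply(gw: Gateway, reply: Packet) -> Optional[Packet]:
    """A reply to another host on the same LAN is delivered at layer 2; the gateway never sees it."""
    if reply.dst_ip == GATEWAY_LAN_IP:
        return gw.forward_reply(reply)
    return reply


def simulate(lan_nat_outbound: bool) -> dict:
    gw = Gateway(lan_nat_outbound)
    request = Packet(INTERNAL_PC, 51000, PUBLIC_IP, 80)
    at_server = gw.forward_from_lan(request)
    reply = deliver_reply(gw, server_reply(at_server))
    # The PC's TCP stack accepts the segment only if it comes from the peer it connected to.
    accepted = reply is not None and (reply.src_ip, reply.src_port) == (PUBLIC_IP, 80)
    return {
        "server_saw_client_as": at_server.src_ip,
        "reply_from": None if reply is None else (reply.src_ip, reply.src_port),
        "accepted": accepted,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("nat outbound on LAN interface:", flag, simulate(flag))
```

Without LAN-side translation the reply arrives from 192.168.1.10:80 while the PC is waiting on 203.0.113.10:80, so the connection never completes; with it, the reply comes back through the gateway with the expected source. The simulation also shows the trade-off: the server now logs the gateway address instead of the real internal client, so server-side access logs no longer identify internal hosts. Keeping NAT session records on the gateway, and limiting the LAN-side translation with an ACL to traffic destined for the server addresses (as the configuration below does with ACL 3200), keeps that loss of visibility small.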

Typical configuration (output of display current-configuration; IP addresses were lost from this copy of the listing and the affected commands are shown as they stand):

<H3C>dis cur
#
 version 5.20, ESS 1711
#
 sysname H3C
#
 ipsec cpu-backup enable
 nat aging-time tcp 300
 nat aging-time udp 180
 nat aging-time pptp 300
 nat aging-time ftp-ctrl 300
#
 domain default enable system
#
 qos carl 1 source-ip-address range to per-address
 qos carl 2 destination-ip-address range to per-address
#
acl number 3001 name WANDefend
 rule 0 deny udp destination-port eq tftp
 rule 1 deny tcp destination-port eq 4444
 rule 2 deny tcp destination-port eq 135
 rule 3 deny udp destination-port eq 135
 rule 4 deny udp destination-port eq netbios-ns
 rule 5 deny udp destination-port eq netbios-dgm
 rule 6 deny tcp destination-port eq 139
 rule 7 deny udp destination-port eq netbios-ssn
 rule 8 deny tcp destination-port eq 445
 rule 9 deny udp destination-port eq 445
 rule 10 deny udp destination-port eq 593
 rule 11 deny tcp destination-port eq 593
 rule 12 deny tcp destination-port eq 5554
 rule 13 deny tcp destination-port eq 9995
 rule 14 deny tcp destination-port eq 9996
 rule 15 deny udp destination-port eq 1434
 rule 16 deny tcp destination-port eq 1068
 rule 17 deny tcp destination-port eq 5800
 rule 18 deny tcp destination-port eq 5900
 rule 19 deny tcp destination-port eq 10080
 rule 22 deny tcp destination-port eq 3208
 rule 23 deny tcp destination-port eq 1871
 rule 24 deny tcp destination-port eq 4510
 rule 25 deny udp destination-port eq 4334
 rule 26 deny tcp destination-port eq 4331
 rule 27 deny tcp destination-port eq 4557
 rule 28 deny udp destination-port eq 4444
 rule 29 deny udp destination-port eq 1314
 rule 30 deny tcp destination-port eq 6969
 rule 31 deny tcp destination-port eq 137
 rule 32 deny tcp destination-port eq 389
 rule 33 deny tcp destination-port eq 138
 rule 34 deny udp destination-port eq 136
 rule 35 deny tcp destination-port eq 1025
 rule 36 deny tcp destination-port eq 6129
 rule 37 deny tcp destination-port eq 1029
 rule 38 deny tcp destination-port eq 20168
 rule 39 deny tcp destination-port eq 4899
 rule 40 deny tcp destination-port eq 45576
 rule 41 deny tcp destination-port eq 1433
 rule 42 deny tcp destination-port eq 1434
 rule 43 deny udp destination-port eq 1433
 rule 200 permit icmp icmp-type echo
 rule 201 permit icmp icmp-type echo-reply
 rule 202 permit icmp icmp-type ttl-exceeded
 rule 210 deny icmp
 rule 300 permit udp source-port eq dns
 rule 1000 permit ip destination
 rule 2000 deny ip
acl number 3003 name LANDefend
 rule 0 deny udp destination-port eq tftp
 rule 1 deny tcp destination-port eq 4444
 rule 2 deny tcp destination-port eq 135
 rule 3 deny udp destination-port eq 135
 rule 4 deny udp destination-port eq netbios-ns
 rule 5 deny udp destination-port eq netbios-dgm
 rule 6 deny tcp destination-port eq 139
 rule 7 deny udp destination-port eq netbios-ssn
 rule 8 deny tcp destination-port eq 445
 rule 9 deny udp destination-port eq 445
 rule 10 deny udp destination-port eq 593
 rule 11 deny tcp destination-port eq 593
 rule 12 deny tcp destination-port eq 5554
 rule 13 deny tcp destination-port eq 9995
 rule 14 deny tcp destination-port eq 9996
 rule 15 deny udp destination-port eq 1434
 rule 16 deny tcp destination-port eq 1068
 rule 17 deny tcp destination-port eq 5800
 rule 18 deny tcp destination-port eq 5900
 rule 19 deny tcp destination-port eq 10080
 rule 22 deny tcp destination-port eq 3208
 rule 23 deny tcp destination-port eq 1871
 rule 24 deny tcp destination-port eq 4510
 rule 25 deny udp destination-port eq 4334
 rule 26 deny tcp destination-port eq 4331
 rule 27 deny tcp destination-port eq 4557
 rule 28 deny udp destination-port eq 4444
 rule 29 deny udp destination-port eq 1314
 rule 30 deny tcp destination-port eq 6969
 rule 31 deny tcp destination-port eq 137
 rule 32 deny tcp destination-port eq 389
 rule 33 deny tcp destination-port eq 138
 rule 34 deny udp destination-port eq 136
 rule 35 deny tcp destination-port eq 1025
 rule 36 deny tcp destination-port eq 6129
 rule 37 deny tcp destination-port eq 1029
 rule 38 deny tcp destination-port eq 20168
 rule 39 deny tcp destination-port eq 4899
 rule 40 deny tcp destination-port eq 45576
 rule 41 deny tcp destination-port eq 1433
 rule 42 deny tcp destination-port eq 1434
 rule 43 deny udp destination-port eq 1433
 rule 200 permit icmp icmp-type echo
 rule 201 permit icmp icmp-type echo-reply
 rule 202 permit icmp icmp-type ttl-exceeded
 rule 210 deny icmp
 rule 1000 permit ip source
 rule 1001 permit udp destination-port eq bootps
 rule 2000 deny ip
acl number 3200
 rule 0 permit ip source destination
 rule 1000 deny ip
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin
 password cipher .USE=B,53Q=AQ'MAF4<1!
 authorization-attribute level 3
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 port link-mode route
 firewall packet-filter 3001 inbound
 nat outbound
 nat server protocol tcp global www inside www
 nat server protocol tcp global smtp inside smtp
 ip address
#
interface NULL0
#
interface Vlan-interface1
 ip address
 qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard
 qos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discard
 nat outbound 3200
 firewall packet-filter 3003 inbound
#
interface Ethernet0/1
 port link-mode bridge
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
 ip route-static
 ip route-static NULL0
 ip route-static NULL0
 ip route-static NULL0
 ip route-static NULL0
 ip route-static NULL0
#
 arp anti-attack valid-check enable
 arp anti-attack source-mac filter
 arp anti-attack source-mac threshold 20
 arp static Ethernet0/4
 arp static Ethernet0/4
 arp static 0088-0088-008a 1 Ethernet0/4
 arp static 0088-0088-008b 1 Ethernet0/4
 arp static 0088-0088-008c 1 Ethernet0/4
#
 load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
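An offline check for packet-filter ACLs written in the style of WANDefend and LANDefend above, added here as an example and not part of the H3C document. It parses rule lines as they appear in the display current-configuration output, evaluates probe packets in ascending rule number (the Comware default match order, config), and reports ports that are not denied, deny rules shadowed by an earlier broader rule, and a missing final deny ip. The excerpt is a constructed subset of WANDefend with 203.0.113.10 standing in for the public address missing from the listing; the port-keyword values and the probe list are assumptions, and source and destination addresses are not modelled.

```python
"""Added example, not from the H3C document: offline audit of Comware-style packet-filter ACLs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the style of the document's WANDefend ACL (a subset of its rules);
# 203.0.113.10 stands in for the public address missing from the listing.
SAMPLE_ACL = """\
acl number 3001 name WANDefend
 rule 0 deny udp destination-port eq tftp
 rule 1 deny tcp destination-port eq 4444
 rule 2 deny tcp destination-port eq 135
 rule 6 deny tcp destination-port eq 139
 rule 8 deny tcp destination-port eq 445
 rule 41 deny tcp destination-port eq 1433
 rule 200 permit icmp icmp-type echo
 rule 210 deny icmp
 rule 300 permit udp source-port eq dns
 rule 1000 permit ip destination 203.0.113.10 0
 rule 2000 deny ip
"""

# Port keywords used in the listing and the numeric values assumed for them.
PORT_NAMES = {"tftp": 69, "dns": 53, "bootps": 67, "www": 80, "smtp": 25,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

RULE_RE = re.compile(r"^\s*rule (\d+) (permit|deny) (\S+)(.*)$")


@dataclass
class Rule:
    number: int
    action: str
    proto: str                      # ip, tcp, udp or icmp
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    icmp_type: Optional[str] = None


def port_value(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> List[Rule]:
    """Parse rule lines; addresses are ignored (every probe is assumed to target the public address)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        number, action, proto, rest = m.groups()
        rule = Rule(int(number), action, proto)
        d = re.search(r"destination-port eq (\S+)", rest)
        s = re.search(r"source-port eq (\S+)", rest)
        i = re.search(r"icmp-type (\S+)", rest)
        if d:
            rule.dst_port = port_value(d.group(1))
        if s:
            rule.src_port = port_value(s.group(1))
        if i:
            rule.icmp_type = i.group(1)
        rules.append(rule)
    # Comware match order 'config' (the default): rules are tried in ascending rule number.
    return sorted(rules, key=lambda r: r.number)


def first_match(rules: List[Rule], proto: str, dst_port=None, src_port=None,
                icmp_type=None) -> Optional[Rule]:
    """Return the first rule a probe packet would hit, or None if nothing matches."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.src_port is not None and r.src_port != src_port:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r
    return None


def audit(text: str, required_denies: List[Tuple[str, int]]) -> List[str]:
    """Report (proto, port) pairs that are not denied, shadowed deny rules, and a missing final deny ip."""
    rules = parse_acl(text)
    findings = []
    if not rules or (rules[-1].action, rules[-1].proto) != ("deny", "ip"):
        findings.append("ACL does not end with an explicit 'deny ip'")
    for proto, port in required_denies:
        hit = first_match(rules, proto, dst_port=port)
        if hit is None or hit.action != "deny":
            where = hit.number if hit else "none"
            findings.append(f"{proto}/{port} is not denied (first match: rule {where})")
    # A deny rule is dead if an earlier rule already catches the same traffic.
    for idx, r in enumerate(rules):
        if r.action == "deny" and r.dst_port is not None:
            earlier = first_match(rules[:idx], r.proto, dst_port=r.dst_port)
            if earlier is not None:
                findings.append(f"rule {r.number} is shadowed by rule {earlier.number}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, [("tcp", 445), ("tcp", 135), ("udp", 69), ("tcp", 3389)]):
        print(finding)
```

Run against the excerpt, the only finding is that tcp/3389 falls through to rule 1000 (permit ip to the public address) and is therefore allowed; that is expected for a list that denies specific ports rather than permitting specific services, and it is the reason the per-port deny rules must stay above rule 1000. The probe with a UDP source port of 53 shows rule 300 matching before the final deny: on a stateless filter this is how DNS replies are let in, so UDP ports that must never be reachable need their own deny rule numbered below 300, as rules 15, 25 and 43 do for 1434, 4334 and 1433.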
