100F firewall configuration (100F防火墙配置.doc)
A 100F firewall that has just been commissioned to meet a school's requirements:

- Segment 1, classrooms, 192.168.0.0/24 (gateway 192.168.0.1): may only reach 218.30.31.235, 61.187.51.222 and 218.75.149.133; nothing else is reachable, and QQ must not work either.
- Segment 2, live broadcast, 192.168.2.0/24 (gateway 192.168.2.1): same requirements as segment 1.
- Segment 3, computer room, 192.168.3.0/24 (gateway 192.168.3.1): unrestricted access.
- Segment 4, staff residential area, 192.168.4.0/24 (gateway 192.168.4.1): unrestricted access.
- Internal servers provide web and FTP services to the outside.
- The school has two uplinks, one China Telecom and one cable TV (广电); they back each other up, the Telecom line is preferred, and when the Telecom line goes down traffic switches to the cable line automatically.

Running configuration as displayed on the device:

* All rights reserved (1998-2006) *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
Login authentication
Password:
dis cu
#
 sysname Quidway
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 nat dns-map 218.75.149.133 80 tcp
#
 firewall statistic system enable
#
 dns server 220.168.208.3
 dns server 220.168.96.68
 dns server 211.142.210.98
 dns server 211.142.210.99
 dns-proxy enable
#
radius scheme system
#
domain system
#
dhcp server ip-pool 1
 network 192.168.0.0 mask 255.255.255.0
 gateway-list 192.168.0.1
 dns-list 192.168.0.1
#
dhcp server ip-pool 2
 network 192.168.2.0 mask 255.255.255.0
 gateway-list 192.168.2.1
 dns-list 192.168.2.1
#
dhcp server ip-pool 3
 network 192.168.3.0 mask 255.255.255.0
 gateway-list 192.168.3.1
 dns-list 192.168.3.1
#
dhcp server ip-pool 4
 network 192.168.4.0 mask 255.255.255.0
 gateway-list 192.168.4.1
 dns-list 192.168.4.1
#
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.0.255
 rule 1 permit source 192.168.2.0 0.0.0.255
 rule 2 permit source 192.168.3.0 0.0.0.255
 rule 3 permit source 192.168.4.0 0.0.0.255
 rule 4 deny
#
acl number 3000
 rule 0 permit ip destination 218.30.31.235 0
 rule 1 permit ip destination 61.187.51.222 0
 rule 2 permit ip destination 192.168.0.0 0.0.0.255
 rule 3 permit ip destination 192.168.2.0 0.0.0.255
 rule 4 permit ip destination 192.168.3.0 0.0.0.255
 rule 5 permit ip destination 192.168.4.0 0.0.0.255
 rule 6 permit ip destination 192.168.0.2 0
 rule 7 permit ip destination 192.168.0.3 0
 rule 8 permit ip destination 218.75.149.133 0
 rule 9 permit ip destination 255.255.255.255 0
 rule 10 deny ip
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 firewall packet-filter 3000 inbound
#
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
 firewall packet-filter 3000 inbound
#
interface Ethernet0/2
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet0/3
 ip address 192.168.4.1 255.255.255.0
#
interface Ethernet1/0
 ip address 211.143.0.173 255.255.255.224
 nat outbound 2000
#
interface Ethernet1/1
 ip address 218.75.149.133 255.255.255.128
 nat outbound 2000
 nat server protocol tcp global 218.75.149.133 www inside 192.168.4.2 www
 nat server protocol tcp global 218.75.149.133 ftp inside 192.168.4.2 ftp
 nat server protocol tcp global 218.75.149.133 8080 inside 192.168.4.3 8080
#
interface Ethernet1/2
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1
 add interface Ethernet0/2
 add interface Ethernet0/3
 set priority 85
 statistic enable ip inzone
 statistic enable ip outzone
#
firewall zone untrust
 add interface Ethernet1/0
 add interface Ethernet1/1
 set priority 5
 statistic enable ip inzone
 statistic enable ip outzone
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 218.75.149.129 preference 10
 ip route-static 0.0.0.0 0.0.0.0 211.143.0.174 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 user privilege level 3
 set authentication password cipher 0:F0!-.-O,!2ZWK6Q!
#
return

How this configuration meets the requirements, and what to watch:

- ACL 3000 is applied inbound on Ethernet0/0 (classrooms) and Ethernet0/1 (live broadcast), so it filters what those two segments send. It permits the three listed Internet addresses (rules 0, 1 and 8), the four internal /24s (rules 2 to 5, which also cover the gateway and DNS proxy at 192.168.0.1 and 192.168.2.1), the limited broadcast address 255.255.255.255 (rule 9, which lets DHCP broadcasts through), and denies everything else (rule 10). QQ is blocked only because its servers are not in this whitelist. Rules 6 and 7 are already covered by rule 2 and can never match. Rules 4 and 5 also let the classroom and broadcast segments reach the computer room and residential segments, including the servers at 192.168.4.2 and 192.168.4.3.
- Segments 3 and 4 (Ethernet0/2 and Ethernet0/3) carry no packet filter; with firewall packet-filter default permit, everything they send passes.
- ACL 2000 is the NAT source list: only the four internal /24s are translated on the two outside interfaces.
- The www, ftp and 8080 server mappings are bound to Ethernet1/1 (218.75.149.133, the Telecom line) only, so the published services are not reachable through the cable line.
- Failover uses two default routes: the Telecom next hop 218.75.149.129 at preference 10 and the cable next hop 211.143.0.174 at preference 60. The backup route takes over only when the Telecom route becomes invalid (interface down); a failure further upstream while the interface stays up does not trigger the switch.
- No packet filter is applied inbound on Ethernet1/0 or Ethernet1/1, the interzone sections are empty, and the VTY lines (privilege level 3) are protected by a password only, so nothing in this configuration restricts who can reach the management interface from the outside.
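To check the packet filter against the requirements without a device at hand, the following script is an added example (not from the page or from the vendor): it parses ACL 2000 and ACL 3000 exactly as they appear above, evaluates sample packets with first-match semantics, and reports rules that can never fire. Assumptions: rules match in configuration order (no match-order is set on the page, and config order is the Comware default), H3C wildcard masks where a 1 bit means "don't care" and a bare 0 means an exact host match, and a default action of permit mirroring firewall packet-filter default permit. The source hosts and the outside address 203.0.113.10 are constructed for the examples.

```python
"""Offline evaluation of the Quidway 100F packet-filter ACLs shown above.

ACL text is copied from the page. Sample packets are constructed.
Assumed semantics: config order, first match wins, H3C wildcard masks.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_2000 = """\
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.0.255
 rule 1 permit source 192.168.2.0 0.0.0.255
 rule 2 permit source 192.168.3.0 0.0.0.255
 rule 3 permit source 192.168.4.0 0.0.0.255
 rule 4 deny
"""

ACL_3000 = """\
acl number 3000
 rule 0 permit ip destination 218.30.31.235 0
 rule 1 permit ip destination 61.187.51.222 0
 rule 2 permit ip destination 192.168.0.0 0.0.0.255
 rule 3 permit ip destination 192.168.2.0 0.0.0.255
 rule 4 permit ip destination 192.168.3.0 0.0.0.255
 rule 5 permit ip destination 192.168.4.0 0.0.0.255
 rule 6 permit ip destination 192.168.0.2 0
 rule 7 permit ip destination 192.168.0.3 0
 rule 8 permit ip destination 218.75.149.133 0
 rule 9 permit ip destination 255.255.255.255 0
 rule 10 deny ip
"""

Spec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    source: Optional[Spec]       # None means any source
    destination: Optional[Spec]  # None means any destination


_RULE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\b(.*)$")
_FIELD = re.compile(r"\b(source|destination)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wild(s: str) -> int:
    # H3C prints a bare "0" for an exact host match (wildcard 0.0.0.0).
    return 0 if s == "0" else _ip(s)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ...' lines into Rule objects, in config order."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue  # 'acl number ...' header and blank lines
        fields = {"source": None, "destination": None}
        for kw, addr, wild in _FIELD.findall(m.group(3)):
            fields[kw] = (_ip(addr), _wild(wild))
        rules.append(Rule(int(m.group(1)), m.group(2), fields["source"], fields["destination"]))
    return rules


def _match(spec: Optional[Spec], ip: int) -> bool:
    """Wildcard compare: bits set in the wildcard are ignored."""
    if spec is None:
        return True
    addr, wild = spec
    care = 0xFFFFFFFF ^ wild
    return (ip & care) == (addr & care)


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "permit"):
    """Return (action, rule number) of the first matching rule, or (default, None)."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if _match(r.source, s) and _match(r.destination, d):
            return r.action, r.number
    return default, None


def _covers(outer: Optional[Spec], inner: Optional[Spec]) -> bool:
    """True if every address matched by inner is also matched by outer."""
    if outer is None:
        return True
    if inner is None:
        return False
    oaddr, owild = outer
    iaddr, iwild = inner
    if iwild & ~owild & 0xFFFFFFFF:  # inner ignores a bit that outer cares about
        return False
    care = 0xFFFFFFFF ^ owild
    return (oaddr & care) == (iaddr & care)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never fire because an earlier rule covers them."""
    out = []
    for i, later in enumerate(rules):
        if any(_covers(e.source, later.source) and _covers(e.destination, later.destination)
               for e in rules[:i]):
            out.append(later.number)
    return out


if __name__ == "__main__":
    acl = parse_acl(ACL_3000)
    for dst in ("218.30.31.235", "203.0.113.10", "192.168.4.2", "255.255.255.255"):
        print("classroom host -> %s: %s" % (dst, evaluate(acl, "192.168.0.50", dst)))
    print("shadowed rules in ACL 3000:", shadowed_rules(acl))
```

Running it shows the whitelist working as intended for the listed addresses and an arbitrary outside host, but also that a classroom host reaches 192.168.4.2 through rule 5, and that rules 6 and 7 are dead entries.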