MSR常见应用场景配置指导(内部服务器访问典型配置篇)

1、msr常见应用场景配置指导（内部服务器访问典型配置篇）适用产品：ii3c msr20、msr30、msr50各系列的所有产品适应版本：2008. &15日z后正式发布的版本。绝大部分配置也适用z前发布的版 本。使用方法：根据实际应用场景，在本文配置指导基础上，做定制化修改后使用。实际组网中可能存在特殊要求，建议由专业人员或在专业人员指导下操 作。本文以msr2010产品，2008. 8. 15日ess 1710软件版本为案例(1710以 后的版本同样支持)。h3c comwarc platform softwarecomwarc software, version 5. 20, ess

2、 1710comware platform software version comwarev500r002b58d001spo1h3c msr2010 software version v300r003b01d004sp01copyright (c) 2004 2008 hangzhou h3c tech. co., ltd. all rights reserved.compiled aug 15 2008 13:57:11, release software1.1内部服务器访问目前人部分企业会在内部网络搭建各种应用服务器，女n： www.数据库和邮 件服务器等，通过在网关设备上启用nat内

3、部服务器映射功能，叮以使外网用户 访问企业内部的服务器。但是这种配置下常常会碰到一个问题，外网pc可以正 常地访问内部服务器，但是内部pc却无法通过域名或者公网地址访问内部服务 器，这是由于网关设备没冇启用nat内部地址转换功能导致的。典型组网如下:bm/omsr201o/24192.166.1 _2«4pc2iv24192.16q.1.11/24配置需求如下：1、msr采用单条以太网线路接入internet；2、内部存在www和smtp服务器，要求外部pc可以通过访问域名访问内部 服务器；3、内部可以通过域名或者公网地址访问内部服务器；典

4、型配置如下：<h3c>dis cur#vcrsion 5.20, ess 1711sysname h3c#ipsec cpu-backup enableaging-time aging-time agingtime aging-timetep 300udp 180 pptp 300 ftp-ctrl 300#natnatnatnat#domain default enable system#telnet server enableqos carl 1 source-ip-address range to 54 peraddressqos

5、 carl 2 dcstination-ip-addrcss range 192. 168. 1. 1 to 192. 168. i. 254 per-addressacl number 3001 name wandefendrulerulerulerulerulerulerulerulerulerule0123456789deny udp deny tep deny tep deny udp deny udp deny udp deny tep deny udp deny tep deny udpdestination-pott destination-pott destination-po

6、rt destinat ion-port desti nati on-port dest i nat i on-port destination-port destination-port destination-port destirrntion-porteq eq eq eq eq cq eq eq eq eqtftp4444135135netbios-ns netbios-dgm 139netbios-ssn445445rule10 denyudp destination-porteq593rule11denytopdest i nat i on-porteq593rule12denyt

7、epdest i nat i on-portcq5554rule13denytepdestination-porteq9995rule14denytepdestination-portcq9996rule15deny udpdestination-porteq1434rule16denytepdestination-porteq1068rule17denytepdestination-porteq5800rule18denytepdestination-porteq5900rule19denytepdestinat ion-porteq10080rule22denytopdest i nat

8、i on-porteq3208rule23denytepdest i nat i on-portcq1871rule24denytepdestination-porteq4510rule25deny udpdestination-porteq4334rule26deny tepdestination-porteq4331rule27deny tepdestination-porteq4557rule28deny udpdestination-porteq4444rule29deny udpdest i nat i on-porteq1314rule30denytepdest i nat i o

9、n-portcq6969rule31denytepdestination-porteq137rule32denytepdestination-portcq389rule33denytepdestination-porteq138rule34deny udpdestinationporteq136rule rule rule rule rule rule rule rule rule rule rule rule rule rule rule rule rule353637383940414243200201202210300310deny deny deny deny deny deny de

10、ny deny denytcp tcp tcp tcp tcp tcp tcp tcp udpdestination-port destination-port destination-port destination-port destination-port destination-port destination-port destination-port destination-portpermit iemp permit iemp permit iemp deny iemp permi t udp permit tcpcq eq eq eq eq eq eq cq eq1025 61

11、29 1029 20168 4899 45576143314341433icmp-typc echo icmp-type echo-reply icmp-type ttl-exceededsource-port eq dnsdestination-port eq telnet destination 192. 168. 1. 0 0. 0. 0. 255acl number 3003 name landefendrule0deny iudp(destination-porteqtftprule1denytcp <destination-porteq4444rule2denytcp(des

12、tination-porteq135rule3deny idp(destination-porteq135rule4deny idp <desti nation-porteqnetbios-nsrule5deny iudp(dcstination-portcqnctbios-dgmrule6denytcp(destination-porteq139rule7deny udp (dcstination-portcqnetbios-ssnrule8denytcp(destination-porteq445rule9deny udp (destination-porteq445rule10de

13、nyudpdestination-porteq593rule11denytcpdestination-porteq593rule12denytcpdestinat ion-porteq5554rule13denytcpdestination-porteq9995rule14denytcpdcstination-portcq9996rule15denyudpdestination-porteq1434rule16denytcpdestination-porteq1068rule17denytcpdestination-porteq5800rule18denytcpdestination-port

14、eq5900rule19denytcpdestination-porteq10080rule22denytcpdestination-porteq3208rule23denytcpdcstination-portcq1871rule24denytcpdestination-porteq4510rule25deny udpdestination-portcq4334rule26denytcpdestination-porteq4331rule27denytcpdestination-porteq45571000 permi t ip2000 deny iprule28denyudpdcsti n

15、eiti on-portcq4444rule29denyudpdestination-porteq1314rule30denytepdestination-porteq6969rule31denytepdestination-porteq137rule32denytepdestination-porteq389rule33denytepdestination-porteq138rule34denyudpdestination-porteq136rule35denytepdcsti neiti on-portcq1025rule36denytepdestination-porteq6129rul

16、e37denytepdestination-portcq1029rule38denytepdestination-porteq20168rule39denytepdestination-porteq4899rule40denytepdestination-porteq45576rule41denytepdestination-porteq1433rule42denytopdestinat ion-porteq1434rule43denyudpdestination-porteq1433rulerulerulerulerulerulerule200201202210100010012000per

17、mit icmppermit icmppermit icmp deny icmppermit ip source 192. 168. 1. 0 0. 0. 0. 255 permit udp destination-port eq bootps deny ip3200icmp-type echo iemp-type echo-reply iemp-type ttl-exceededacl numberrule 0 permit ip source 55 destination192. 168. 1.0 0. 0. 0. 255rule 1000 deny

18、ip#vlan 1domain systemaccess-1imit disable state activeidle-cut disable self-service-url disableuser-group system#local-user adminpassword cipher . use=b, 53q=*q maf4<1!authorization-attribute level 3 service-type telnetinterface auxoasync mode flowlink-protocol ppp#interface etherneto/oport link

19、-mode routefirewall packet-filter 3001 inboundnat outboundnat server proto col tep global 142. i. i. 1 www in side 192. 168- 1. 1 wwwnat server proto col tep global 142. 1. 1. 1 smtp inside 192. 168. 1. 2 smtp ip address 142. 1. 1. 2 255. 255. 255. 0# interface nullo#interface vlan-interfacelip addr

20、ess 192. 168. 1. 1 255. 255. 255. 0qos car inbound carl 1 cir 512 ebs 32000 ebs 0 green pass red discard qos car out bound carl 2 cir 1024 ebs 64000 ebs 0 gre cn pass red discard nat outbound 3200firewall packet-filter 3003 inbound#interface ethernet0/lport link-mode bridge#intcrfacc ethcrncto/2port link-mode bridgeinterface etherneto/3port link-mode bridge#interface etherneto/4port link-mode bridge0. 0. 0. 0 0. 0. 0. 0 142. 1. 1. 110. 0. 0. 0 255. 0. 0. 0 nullo16