常见应用场景配置指导

1、 可修改 欢迎下载 精品 Word 可修改 欢迎下载 精品 Word 可修改 欢迎下载 精品 WordMSR常见应用场景配置指导(内部效劳器访问典型配置篇)适用产品： H3C MSR20、MSR30、MSR50 各系列的所有产品适应版本：2021日之后正式发布的版本。绝大局部配置也适用之前发布的版本。使用方法：根据实际应用场景，在本文配置指导根底上，做定制化修改后使用。实际组网中可能存在特殊要求，建议由专业人员或在专业人员指导下操作。本文以MSR2021 产品， 2021日ESS 1710软件版本为案例1710以后的版本同样支持。H3CComware Software, Version 5.2

2、0, ESS 1710Comware Platform Software Version COMWAREV500R002B58D001SP01H3C MSR2021 Software Version V300R003B01D004SP01Copyright (c) 2004-2021 Hangzhou H3C Tech. Co., Ltd. All rights reserved.Compiled Aug 15 2021 13:57:11, RELEASE SOFTWARE 内部效劳器访问目前大局部企业会在内部网络搭建各种应用效劳器，如：WWW、数据库和邮件效劳器等，通过在网关设备上启用NAT

3、内部效劳器映射功能，可以使外网用户访问企业内部的效劳器。但是这种配置下常常会碰到一个问题，外网PC可以正常地访问内部效劳器，但是内部PC却无法通过域名或者公网地址访问内部效劳器，这是由于网关设备没有启用NAT内部地址转换功能导致的。典型组网如下：配置需求如下：1、 MSR采用单条以太网线路接入Internet；2、 内部存在WWW和SMTP效劳器，要求外部PC可以通过访问域名访问内部效劳器；3、 内部可以通过域名或者公网地址访问内部效劳器；典型配置如下：dis cur#version 5.20, ESS 1711#sysname H3C#ipsec cpu-backup enable#nat

4、aging-time tcp 300nat aging-time udp 180nat aging-time pptp 300nat aging-time ftp-ctrl 300#domain default enable system#telnet server enable#qos carl 1 source-ip-address range to 54 per-addressqos carl 2 destination-ip-address range to 54 per-address#acl number 3001 name WANDefendrule 0 deny udp des

5、tination-port eq tftprule 1 deny tcp destination-port eq 4444rule 2 deny tcp destination-port eq 135rule 3 deny udp destination-port eq 135rule 4 deny udp destination-port eq netbios-nsrule 5 deny udp destination-port eq netbios-dgmrule 6 deny tcp destination-port eq 139rule 7 deny udp destination-p

6、ort eq netbios-ssnrule 8 deny tcp destination-port eq 445rule 9 deny udp destination-port eq 445rule 10 deny udp destination-port eq 593rule 11 deny tcp destination-port eq 593rule 12 deny tcp destination-port eq 5554rule 13 deny tcp destination-port eq 9995rule 14 deny tcp destination-port eq 9996r

7、ule 15 deny udp destination-port eq 1434rule 16 deny tcp destination-port eq 1068rule 17 deny tcp destination-port eq 5800rule 18 deny tcp destination-port eq 5900rule 19 deny tcp destination-port eq 10080rule 22 deny tcp destination-port eq 3208rule 23 deny tcp destination-port eq 1871rule 24 deny

8、tcp destination-port eq 4510rule 25 deny udp destination-port eq 4334rule 26 deny tcp destination-port eq 4331rule 27 deny tcp destination-port eq 4557rule 28 deny udp destination-port eq 4444rule 29 deny udp destination-port eq 1314rule 30 deny tcp destination-port eq 6969rule 31 deny tcp destinati

9、on-port eq 137rule 32 deny tcp destination-port eq 389rule 33 deny tcp destination-port eq 138rule 34 deny udp destination-port eq 136rule 35 deny tcp destination-port eq 1025rule 36 deny tcp destination-port eq 6129rule 37 deny tcp destination-port eq 1029rule 38 deny tcp destination-port eq 20218r

10、ule 39 deny tcp destination-port eq 4899rule 40 deny tcp destination-port eq 45576rule 41 deny tcp destination-port eq 1433rule 42 deny tcp destination-port eq 1434rule 43 deny udp destination-port eq 1433rule 200 permit icmp icmp-type echorule 201 permit icmp icmp-type echo-replyrule 202 permit icm

11、p icmp-type ttl-exceededrule 210 deny icmprule 300 permit udp source-port eq dnsrule 310 permit tcp destination-port eq telnetrule 1000 permit ip destination .255rule 2000 deny ipacl number 3003 name LANDefendrule 0 deny udp destination-port eq tftprule 1 deny tcp destination-port eq 4444rule 2 deny

12、 tcp destination-port eq 135rule 3 deny udp destination-port eq 135rule 4 deny udp destination-port eq netbios-nsrule 5 deny udp destination-port eq netbios-dgmrule 6 deny tcp destination-port eq 139rule 7 deny udp destination-port eq netbios-ssnrule 8 deny tcp destination-port eq 445rule 9 deny udp

13、 destination-port eq 445rule 10 deny udp destination-port eq 593rule 11 deny tcp destination-port eq 593rule 12 deny tcp destination-port eq 5554rule 13 deny tcp destination-port eq 9995rule 14 deny tcp destination-port eq 9996rule 15 deny udp destination-port eq 1434rule 16 deny tcp destination-por

14、t eq 1068rule 17 deny tcp destination-port eq 5800rule 18 deny tcp destination-port eq 5900rule 19 deny tcp destination-port eq 10080rule 22 deny tcp destination-port eq 3208rule 23 deny tcp destination-port eq 1871rule 24 deny tcp destination-port eq 4510rule 25 deny udp destination-port eq 4334rul

15、e 26 deny tcp destination-port eq 4331rule 27 deny tcp destination-port eq 4557rule 28 deny udp destination-port eq 4444rule 29 deny udp destination-port eq 1314rule 30 deny tcp destination-port eq 6969rule 31 deny tcp destination-port eq 137rule 32 deny tcp destination-port eq 389rule 33 deny tcp d

16、estination-port eq 138rule 34 deny udp destination-port eq 136rule 35 deny tcp destination-port eq 1025rule 36 deny tcp destination-port eq 6129rule 37 deny tcp destination-port eq 1029rule 38 deny tcp destination-port eq 20218rule 39 deny tcp destination-port eq 4899rule 40 deny tcp destination-por

17、t eq 45576rule 41 deny tcp destination-port eq 1433rule 42 deny tcp destination-port eq 1434rule 43 deny udp destination-port eq 1433rule 200 permit icmp icmp-type echorule 201 permit icmp icmp-type echo-replyrule 202 permit icmp icmp-type ttl-exceededrule 210 deny icmprule 1000 permit ip source .25

18、5rule 1001 permit udp destination-port eq bootpsrule 2000 deny ipacl number 3200rule 0 permit ip source rule 1000 deny ip#vlan 1#domain systemaccess-limit disablestate activeidle-cut disableself-service-url disable#user-group system#local-user adminpassword cipher .USE=B,53Q=QMAF41!authorization-att

19、ribute level 3service-type telnet#interface Aux0async mode flowlink-protocol ppp#interface Ethernet0/0port link-mode routefirewall packet-filter 3001 inboundnat outboundnat server protocol tcp global www inside wwwnat server protocol tcp global smtp inside smtp#interface NULL0#interface Vlan-interfa

20、ce1qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discardqos car outbound carl 2 cir 1024 cbs 64000 ebs 0 green pass red discardnat outbound 3200firewall packet-filter 3003 inbound#interface Ethernet0/1port link-mode bridge#interface Ethernet0/2port link-mode bridge#interface Ethernet0/3port l