1. Overview

2. Firewall devices used on the data-center (IDC) link

  No.  Type              Model          Role
  1    Network firewall  NetScreen 208  IDC main filtering firewall
  2    Network firewall  NetScreen 50B  IDC-side VPN endpoint (towards the office network)
  3    Network firewall  NetScreen 5GT  Office-network VPN endpoint

3. Requirements

Our firewalls serve two main purposes:
1) Publishing the internal web servers to the outside (port mapping) and controlling outbound access from the IDC servers.
2) VPN interconnection.

Of the devices listed above, the NetScreen 208 publishes the web servers and controls outbound access from the IDC servers; the NetScreen 50B handles the VPN interconnection with the office network's NetScreen 5GT.

4. Configuration notes

4.1. NetScreen 208

Mappings (VIP entries on the outside interface):

set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8       maps port 25 (SMTP)
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8     maps port 80
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8    maps port 110
set interface ethernet1 vip 211.144.149.12 80 172.16.1.21            maps port 80 (website)
set interface ethernet1 vip 211.144.149.13 80 172.16.1.23            maps port 80 (website)
set interface ethernet1 vip 211.144.149.14 80 172.16.4.14            maps port 80 (website)

The "+" form adds a further service to a VIP address that already exists; 211.144.149.11 therefore carries SMTP, HTTP and POP3 for the single host 172.16.12.8.

Policies:

set policy id 1 name webnat from Trust to Untrust 172.16.1.1/25 Any permit
set policy id 1
set service ICMP-ANY
exit
  Policy 1: every internal host in 172.16.1.1/25 may go out on port 80 and ICMP.

set policy id 3 name smtpnetwork ... ANY
set policy id 3
set src-address network2
  Policy 3: the address objects network (172.16.12.9, the network-management server) and network2 (172.16.12.8, the mail server) have unrestricted outbound access.

set policy id 5 from ... to Global ... VIP(211.144.149.11) ... permit log
set policy id 5
set service SMTP
  Policy 5: allows external access to VIP 211.144.149.11 (mail/web service).

set policy id 6 from ... VIP(211.144.149.12) ...
set policy id 6
  Policy 6: allows external access to VIP 211.144.149.12 (web service).

set policy id 7 from ... VIP(211.144.149.13) ...
set policy id 7
  Policy 7: allows external access to VIP 211.144.149.13 (web service).

set policy id 8 from ... VIP(211.144.149.14) ...
set policy id 8
  Policy 8: allows external access to VIP 211.144.149.14 (web service).

set policy id 9 from ... 172.16.4.14/32 ...
set policy id 9
  Policy 9: not in effect for now.

set policy id 10 from ... 172.16.1.25 ... 211.144.158.218/32 ...
set policy id 10

set policy id 11 from ... MIP(211.144.149.6) ...
set policy id 11
  Policy 11: not in effect for now; reserved for the primary/secondary DNS servers.

set policy id 12 name deny ... 203.196.128.49/32 ... deny log
set policy id 12

4.2. NetScreen 50B (Guoyan data center)

The 50B is used mainly for VPN communication with the office network, i.e. for the VPN policies. A detailed walkthrough of that configuration is fairly involved, so we only give the configuration file in the appendix.

4.3. NetScreen 5GT (office network)

The 5GT is used mainly for VPN communication with the Guoyan data center, i.e. for the VPN policies.

5. Configuration appendix

5.1. NetScreen 208

set clock timezone 7
set vrouter trust-vr sharable
set vrouter untrust-vr
set vrouter trust-vr
unset auto-route-export
set service 8080 protocol tcp src-port 0-65535 dst-port 8080-8080
set auth-server Local id 0
set auth-server Local server-name ...
set auth default auth server ...
set auth radius accounting port 1646
set admin name testadmin
set admin password nGV2PirHHhcNcrOM9sTB+rJt/6OPrn
set admin port 8000
set admin auth timeout 10
set admin auth server ...
set admin format dos
set zone ... vrouter ...            (bindings for the DMZ, VLAN and Untrust-Tun zones; names partly lost)
set zone ... tcp-rst
set zone ... block
unset zone MGT ...
set zone ... screen tear-drop
set zone ... screen syn-flood
set zone ... screen ping-death
set zone ... screen ip-filter-src
set zone ... screen land
set zone V1-Untrust screen limit-session source-ip-based 1000
set zone V1-Untrust screen limit-session destination-ip-based 1000
set zone V1-Untrust screen syn-ack-ack threshold 1000
set interface ethernet1 zone ...
set interface ethernet2 zone ...
set interface ethernet3 zone ...
unset interface vlan1 ip
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80 172.16.4.14
set interface ethernet1 mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr ...
unset flow no-tcp-seq-check
set flow tcp-syn-check
set address ... 172.16.1.1 255.255.255.128
set address ... 172.16.1.25 255.255.255.255
set address ... 172.16.12.0/24 172.16.12.0 255.255.255.0
set address ... 172.16.4.14 255.255.255.255
set address ... bbs 172.16.12.9 255.255.255.255
set address ... 172.16.12.10 255.255.255.255
set address ... 172.16.12.8 255.255.255.255
set address ... 203.196.128.49 255.255.255.255
set address ... 211.144.158.218 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
set pki authority default scep mode auto
set pki x509 default cert-path partial
set syslog config 172.16.12.9 facilities local0 local0
set syslog src-interface ethernet2
set syslog enable
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp community testsnmp Read-Write Trap-on traffic version v2c
set snmp host ... 172.16.12.9 255.255.255.255 src-interface ethernet2 trap v2
set snmp host ... 192.168.21.102 255.255.255.255 src-interface ethernet2 trap v2
set snmp name uns208
set snmp port listen 161
set snmp port trap 162
unset add-default-route
set route 172.16.12.0/24 interface ethernet2 gateway 172.16.1.1 preference 20
set route 0.0.0.0/0 interface ethernet1 gateway 211.144.149.1 preference 20
set route 192.168.0.0/16 interface ethernet2 gateway 172.16.1.3 preference 20
set route 172.16.4.14/32 interface ethernet2 gateway 172.16.1.1 preference 20

5.2. NetScreen 50B

set service 5222 protocol tcp src-port 0-65535 dst-port 5222-5222
set service 6664 protocol tcp src-port 0-65535 dst-port 6664-6664
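The VIP, MIP, management and SNMP lines in sections 4.1 and 5.1 are the parts of this listing a reviewer wants to see summarised before the configuration is reused on another box. The script below is an added example (it is not part of the original document and not a Juniper tool): it parses ScreenOS "set ..." lines, prints which public address:port is forwarded to which internal host, and flags two settings that the listing above does actually contain, namely the SNMP v2c community testsnmp defined as Read-Write and SSH/SSL management enabled on ethernet1, whose address 211.144.149.2/25 is public. The sample input is constructed by re-typing the lines quoted in this document; the "vr trust-vr" suffix on the MIP line is an assumption, since that token was lost from the page. The script does not evaluate policies or manage-ip restrictions, so its findings are pointers to check, not verdicts.

```python
"""Inventory and sanity-check a ScreenOS 'set ...' configuration dump.

Added example: not part of the original document and not a Juniper tool.
Parses the NetScreen 208 lines quoted in this document (constructed sample
below) and answers two questions a reviewer asks of such a configuration:
  1. Which public address:port pairs are forwarded to which internal host?
  2. Which settings deserve a second look before the config is reused?
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input, re-typed from sections 4.1 and 5.1 of the document.
# "vr trust-vr" on the MIP line is an assumption (the token was lost from the page).
SAMPLE_CONFIG = """\
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80 172.16.4.14
set interface ethernet1 mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr trust-vr
set snmp community testsnmp Read-Write Trap-on traffic version v2c
set admin name testadmin
set admin port 8000
set ssh version v2
set ssh enable
"""

IP = r"\d+\.\d+\.\d+\.\d+"
IF_IP_RE = re.compile(rf"^set interface (\S+) ip ({IP}/\d+)$")
MANAGE_RE = re.compile(r"^set interface (\S+) manage (ssh|ssl|telnet|web|snmp|ping)$")
# vip <public-ip> [+] <port> [<service-name>] <internal-host>; the service name is
# optional here because three of the quoted lines lack it.
VIP_RE = re.compile(rf"^set interface (\S+) vip ({IP}) (?:\+ )?(\d+) (?:([A-Za-z][\w-]*) )?({IP})$")
MIP_RE = re.compile(rf"^set interface (\S+) mip ({IP}) host ({IP}) netmask ({IP})")
SNMP_RE = re.compile(r"^set snmp community (\S+) (Read-Write|Read-Only)\b")


def parse_config(text):
    """Return (exposures, findings).

    exposures: list of (public_ip, port or None, service, internal_host, interface)
    findings:  list of human-readable strings describing settings to review
    """
    if_addr, manage = {}, defaultdict(list)
    exposures, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IF_IP_RE.match(line):
            if_addr[m.group(1)] = ipaddress.ip_interface(m.group(2))
        elif m := MANAGE_RE.match(line):
            manage[m.group(1)].append(m.group(2))
        elif m := VIP_RE.match(line):
            iface, pub, port, svc, host = m.groups()
            exposures.append((pub, int(port), svc or f"tcp/{port}", host, iface))
        elif m := MIP_RE.match(line):
            iface, pub, host, _mask = m.groups()
            # A MIP is 1:1 NAT: every port of the internal host is reachable,
            # subject only to policy, whereas a VIP forwards a single port.
            exposures.append((pub, None, "all ports (MIP)", host, iface))
        elif m := SNMP_RE.match(line):
            if m.group(2) == "Read-Write":
                findings.append(f"SNMP community '{m.group(1)}' is Read-Write (v2c sends it in cleartext)")
    # Management services on an interface with a public address are reachable from
    # the Internet unless a policy or manage-ip restricts them.
    for iface, services in sorted(manage.items()):
        addr = if_addr.get(iface)
        if addr is not None and not addr.ip.is_private:
            findings.append(f"{', '.join(sorted(services))} management enabled on {iface} ({addr}), a public address")
    return exposures, findings


def exposures_by_host(exposures):
    """Group forwarded entries by internal host: host -> [(public_ip, port, service)]."""
    by_host = defaultdict(list)
    for pub, port, svc, host, _iface in exposures:
        by_host[host].append((pub, port, svc))
    return dict(by_host)


if __name__ == "__main__":
    exp, fnd = parse_config(SAMPLE_CONFIG)
    for host, entries in sorted(exposures_by_host(exp).items()):
        print(host)
        for pub, port, svc in entries:
            print(f"    <- {pub}:{port if port else '*'} ({svc})")
    print("\nfindings:")
    for f in fnd:
        print(" -", f)
```

Run it as-is to get the host table for the 208 (172.16.12.8 reached on 25, 80 and 110 through 211.144.149.11; 172.16.1.25 fully exposed through the MIP 211.144.149.6) and the two findings. To audit a real device, paste the output of "get config" into SAMPLE_CONFIG or read it from a file; any line the regexes do not recognise is ignored, so unrelated commands are harmless.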