09:54:21 2010/04/27
# ACL 2001: source-only ACL that selects the inside networks allowed to use
# outbound NAT to the Internet. It is referenced twice under
# `firewall interzone trust untrust`: `packet-filter 2001 outbound` and
# `nat outbound 2001 address-group 1`.
acl number 2001
# Wildcard 0.0.255.255 matches the whole /16 of each range.
rule 0 permit source 172.40.0.0 0.0.255.255
rule 2 permit source 192.168.0.0 0.0.255.255
# ACL 3001: allow Internet-side access to specific ports on inside servers.
# The destinations are the *inside* (post-NAT) addresses, so each rule has to
# line up with a `nat server ... inside <addr> <port>` entry below; a rule with
# no matching nat server entry is dead, and a nat server entry with no rule
# here is blocked. Applied as `packet-filter 3001 inbound` on trust/untrust.
acl number 3001
rule 0 permit tcp destination 172.40.1.16 0 destination-port eq 9080
# NOTE(review): 5631/5632 and 6129 are ports commonly used by remote-control
# software; exposing them to any Internet source is high risk — confirm with
# the server owners and consider restricting the source if possible.
rule 1 permit tcp destination 172.40.1.16 0 destination-port eq 5631
rule 2 permit tcp destination 172.40.1.16 0 destination-port eq 5632
rule 3 permit tcp destination 172.40.1.17 0 destination-port eq 5631
rule 4 permit tcp destination 172.40.1.17 0 destination-port eq 5632
rule 5 permit tcp destination 172.40.1.18 0 destination-port eq 5631
rule 6 permit tcp destination 172.40.1.18 0 destination-port eq 5632
rule 7 permit tcp destination 172.40.1.16 0 destination-port eq 6129
# ACL 3010: management access to the firewall itself (applied as
# `packet-filter 3010 inbound` on `firewall interzone local untrust`).
# NOTE(review): rule 0 has no `source` clause, so SSH on the public address
# 11.18.13.4 is reachable from any Internet host; limiting the source to the
# management addresses (not shown on this page) would shrink the exposure.
acl number 3010 // ACL 3010: allow users on the public network to reach the firewall over SSH
rule 0 permit tcp destination 11.18.13.4 0 destination-port eq ssh
#
# Device hostname.
sysname Eudemon
# Default packet-filter action between the local zone (the firewall itself)
# and trust: permit in both directions. No default is set for the other zone
# pairs, so they rely on the explicit packet-filter ACLs applied below.
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
# Global NAT: address pool and static port mappings (nat server).
# Address group 1 holds the single public address 11.18.13.4, which is also
# the address of GigabitEthernet0/0/0; it is used for outbound source NAT.
nat address-group 1 11.18.13.4 11.18.13.4
# Port forwards from the public address into inside servers. Global ports
# 5633-5636 are remapped to 5631/5632 on .17 and .18 because the public
# address can only expose each port once. Every inside address/port here
# must also be permitted by ACL 3001 to be reachable.
nat server zone untrust protocol tcp global 11.18.13.4 9080 inside 172.40.1.16 9080
nat server zone untrust protocol tcp global 11.18.13.4 5631 inside 172.40.1.16 5631
nat server zone untrust protocol tcp global 11.18.13.4 5632 inside 172.40.1.16 5632
nat server zone untrust protocol tcp global 11.18.13.4 5633 inside 172.40.1.17 5631
nat server zone untrust protocol tcp global 11.18.13.4 5634 inside 172.40.1.17 5632
nat server zone untrust protocol tcp global 11.18.13.4 5635 inside 172.40.1.18 5631
nat server zone untrust protocol tcp global 11.18.13.4 5636 inside 172.40.1.18 5632
nat server zone untrust protocol tcp global 11.18.13.4 6129 inside 172.40.1.16 6129
#
# System-level traffic statistics collection.
firewall statistic system enable
# G0/0/0 faces the Internet; its address is the public NAT address used by
# address-group 1 and the nat server entries above.
interface GigabitEthernet0/0/0
description link_to_internet
ip address 11.18.13.4 255.255.255.0
# G0/0/1 faces the inside network; 192.168.10.1 on this segment is the
# next hop for the inside static routes below.
interface GigabitEthernet0/0/1
description Link_to_inside
ip address 192.168.10.2 255.255.255.0
#
# G0/0/2 and G0/0/3 are left unconfigured.
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface NULL0
# Security zones. Priority ordering decides interzone direction:
# local (100) > trust (85) > dmz (50) > untrust (5) > vzone (0).
firewall zone local
set priority 100
# G0/0/1 (inside) joins trust.
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
# G0/0/0 (Internet) joins untrust.
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
# dmz and vzone are defined but have no interfaces assigned.
firewall zone dmz
set priority 50
#
firewall zone vzone
set priority 0
# Interzone policies. "inbound" is traffic from the lower-priority zone
# toward the higher-priority one (untrust -> local / trust); "outbound" is
# the reverse.
# Untrust -> firewall itself: only what ACL 3010 permits (SSH to 11.18.13.4).
firewall interzone local untrust
packet-filter 3010 inbound
# Apply ACL 3001 (Internet -> inside servers), ACL 2001 (inside -> Internet)
# and outbound source NAT for ACL 2001 using address-group 1.
firewall interzone trust untrust
packet-filter 3001 inbound
packet-filter 2001 outbound
nat outbound 2001 address-group 1
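# AAA: local account used for web and SSH management (see `ssh user admin`
# and the VTY `authentication-mode aaa` further down).
aaa
# Store the credential with `cipher` instead of `simple`: the original line
# kept the password in plaintext in the running config, and the value was
# identical to the username. REPLACE_WITH_STRONG_PASSWORD is a placeholder;
# set a unique, strong value before applying this config.
local-user admin password cipher REPLACE_WITH_STRONG_PASSWORD
# Account may log in via the web UI and SSH.
local-user admin service-type web ssh
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#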
#
# Empty stanzas (no settings configured).
right-manager server-group
#
slb
# Static routes: default route via the Internet-side gateway 11.18.13.1,
# inside networks via 192.168.10.1 on the G0/0/1 segment.
ip route-static 0.0.0.0 0.0.0.0 11.18.13.1
# NOTE(review): ACL 2001 permits all of 172.40.0.0/16, but only 172.40.1.0/24
# is routed inside; other 172.40.x.x subnets would follow the default route
# toward the Internet. Confirm this is intended.
ip route-static 172.40.1.0 255.255.255.0 192.168.10.1
ip route-static 192.168.0.0 255.255.0.0 192.168.10.1
# SSH user authentication method: password (the local account under `aaa`).
ssh user admin authentication-type password
# Console and VTY lines. VTYs authenticate through AAA and accept SSH only
# (Telnet is not enabled by `protocol inbound ssh`).
# NOTE(review): `con 0` has no authentication-mode shown on this page —
# confirm how console logins are authenticated.
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return