山石防火墙的内核配置参考
snatrule id 5 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "公有云测试地址池(10.209)" service "Any" eif ethernet0/3 trans-to ip 172.36.224.37 mode dynamicport sticky log
hostname "SG-6000"
admin:hillstone
pass:hillstone
默认IP:192.168.1.1/24
admin
bjjxcxsbgl@2023
adminbak
cisco@123
!
Version 5.5R4
ip vrouter "mgt-vr"
exit
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
exit
vswitch "vswitch1"
exit
zone "mgt"
exit
zone "trust"
exit
zone "untrust"
exit
zone "dmz"
exit
zone "l2-trust" l2
exit
zone "l2-untrust" l2
exit
zone "l2-dmz" l2
exit
zone "VPNHub"
exit
zone "HA"
exit
zone "twin-mode"
exit
vlan 619
exit
interface vswitchif1
exit
interface ethernet0/0
exit
interface ethernet0/1
exit
interface ethernet0/2 local
exit
interface ethernet0/3
exit
interface xethernet1/0
exit
interface xethernet1/1
exit
interface xethernet1/2
exit
interface xethernet1/3
exit
interface xethernet1/4
exit
interface xethernet1/5
exit
interface xethernet1/6
exit
interface xethernet1/7
exit
interface xethernet3/0 local
exit
interface xethernet3/1
exit
interface xethernet3/2
exit
interface xethernet3/3
exit
interface xethernet3/4
exit
interface xethernet3/5
exit
interface xethernet3/6
exit
interface xethernet3/7
exit
interface aggregate20
exit
address "旧内网资源"
exit
address "新内网资源"
exit
address "公有云标准区"
exit
address "公有云测试地址池(10.209)"
exit
address "VPN数据进入内网地址段"
exit
address "VPN真实地址池"
exit
aaa-server "local" type local
exit
url-profile "no-url"
exit
admin user "hillstone"
password ZXu+x55Yj3XRYDgfSUEkNt0gQs
password-expiration 12345678
role "admin"
access console
access telnet
access ssh
access http
access https
exit
admin user "admin"
password qc8iIvhAOG6+gptg5sQ2ODpQyR
password-expiration 1686901279
role "admin"
access console
access telnet
access ssh
access http
access https
exit
admin user "adminbak"
password H3zpjfaWrIU2CsFuXJsezdGwMd
password-expiration 1686901388
role "admin"
access console
access telnet
access ssh
access http
access https
description "管理备份"
exit
pki trust-domain "trust_domain_default"
keypair "Default-Key"
enrollment self
subject commonName "SG-6000"
subject organization "Hillstone Networks"
exit
pki trust-domain "trust_domain_ssl_proxy"
keypair "Default-Key"
enrollment self
subject commonName "SG-6000"
subject organization "Hillstone Networks"
exit
pki trust-domain "trust_domain_ssl_proxy_2048"
keypair "Default-Key-2048"
enrollment self
subject commonName "SG-6000"
subject organization "Hillstone Networks"
exit
pki trust-domain "network_manager_ca"
enrollment terminal
exit
address "旧内网资源"
ip 172.35.0.0/16
ip 172.36.0.0/16
ip 172.48.0.0/16
ip 172.50.0.0/16
ip 172.60.0.0/16
ip 172.64.0.0/16
exit
address "新内网资源"
ip 12.251.160.0/20
exit
address "公有云标准区"
ip 10.209.61.64/26
ip 10.199.64.0/24
ip 10.241.0.0/16
range 11.168.194.198 11.168.194.200
exit
address "公有云测试地址池(10.209)"
ip 10.209.69.64/27
exit
address "VPN数据进入内网地址段"
range 192.36.224.18 192.36.224.20
exit
address "VPN真实地址池"
ip 12.251.169.0/24
exit
zone "mgt"
vrouter "mgt-vr"
exit
zone "untrust"
type wan
ad tear-drop
ad ip-spoofing
ad land-attack
ad ip-option
ad ip-fragment
ad ip-directed-broadcast
ad winnuke
ad port-scan
ad syn-flood
ad icmp-flood
ad ip-sweep
ad ping-of-death
ad udp-flood
exit
zone "l2-untrust" l2
type wan
exit
zone "twin-mode"
vrouter "twin-mode-vr"
exit
hostname "JXCX_HLW_FW01"
admin host any any
admin ipv6-host ::/0 any
isakmp proposal "psk-sha256-aes128-g2"
hash sha256
encryption aes
exit
isakmp proposal "psk-sha256-aes256-g2"
hash sha256
encryption aes-256
exit
isakmp proposal "psk-sha256-3des-g2"
hash sha256
exit
isakmp proposal "psk-md5-aes128-g2"
hash md5
encryption aes
exit
isakmp proposal "psk-md5-aes256-g2"
hash md5
encryption aes-256
exit
isakmp proposal "psk-md5-3des-g2"
hash md5
exit
isakmp proposal "rsa-sha256-aes128-g2"
authentication rsa-sig
hash sha256
encryption aes
exit
isakmp proposal "rsa-sha256-aes256-g2"
authentication rsa-sig
hash sha256
encryption aes-256
exit
isakmp proposal "rsa-sha256-3des-g2"
authentication rsa-sig
hash sha256
exit
isakmp proposal "rsa-md5-aes128-g2"
authentication rsa-sig
hash md5
encryption aes
exit
isakmp proposal "rsa-md5-aes256-g2"
authentication rsa-sig
hash md5
encryption aes-256
exit
isakmp proposal "rsa-md5-3des-g2"
authentication rsa-sig
hash md5
exit
isakmp proposal "dsa-sha-aes128-g2"
authentication dsa-sig
encryption aes
exit
isakmp proposal "dsa-sha-aes256-g2"
authentication dsa-sig
encryption aes-256
exit
isakmp proposal "dsa-sha-3des-g2"
authentication dsa-sig
exit
ipsec proposal "esp-sha256-aes128-g2"
hash sha256
encryption aes
group 2
exit
ipsec proposal "esp-sha256-aes128-g0"
hash sha256
encryption aes
exit
ipsec proposal "esp-sha256-aes256-g2"
hash sha256
encryption aes-256
group 2
exit
ipsec proposal "esp-sha256-aes256-g0"
hash sha256
encryption aes-256
exit
ipsec proposal "esp-sha256-3des-g2"
hash sha256
encryption 3des
group 2
exit
ipsec proposal "esp-sha256-3des-g0"
hash sha256
encryption 3des
exit
ipsec proposal "esp-md5-aes128-g2"
hash md5
encryption aes
group 2
exit
ipsec proposal "esp-md5-aes128-g0"
hash md5
encryption aes
exit
ipsec proposal "esp-md5-aes256-g2"
hash md5
encryption aes-256
group 2
exit
ipsec proposal "esp-md5-aes256-g0"
hash md5
encryption aes-256
exit
ipsec proposal "esp-md5-3des-g2"
hash md5
encryption 3des
group 2
exit
ipsec proposal "esp-md5-3des-g0"
hash md5
encryption 3des
exit
interface ethernet0/0
zone "l2-trust"
bandwidth downstream 1000000000
bandwidth upstream 1000000000
exit
interface ethernet0/1
zone "mgt"
ip address 192.36.8.10 255.255.255.0
manage http
manage https
manage ping
manage ssh
manage telnet
manage traceroute
exit
interface ethernet0/2 local
zone "untrust"
ip address 192.36.224.5 255.255.255.248
bandwidth downstream 1000000000
bandwidth upstream 1000000000
combo fiber-forced
description "to-网康_EHT1接口"
manage telnet
manage ssh
manage ping
manage http
manage https
exit
interface ethernet0/3
zone "trust"
ip address 172.36.224.34 255.255.255.248
bandwidth downstream 1000000000
bandwidth upstream 1000000000
combo fiber-forced
description "to=生产核心交换机"
manage telnet
manage ssh
manage ping
manage http
manage https
manage snmp
exit
interface xethernet1/0
aggregate aggregate20
bandwidth downstream 10000000000
bandwidth upstream 10000000000
exit
interface xethernet1/1
aggregate aggregate20
exit
interface xethernet1/2
aggregate aggregate20
exit
interface xethernet1/3
aggregate aggregate20
exit
interface xethernet3/0 local
bandwidth downstream 10000000000
bandwidth upstream 10000000000
switchmode trunk vlan 619
switchmode trunk native-vlan 619
exit
interface aggregate20
zone "trust"
ip address 192.36.255.2 255.255.255.252 local
bandwidth downstream 40000000000
bandwidth upstream 40000000000
description "test"
manage telnet
manage ssh
manage ping
manage http
manage https
exit
ip vrouter "trust-vr"
snatrule id 6 from address-book "VPN真实地址池" to address-book "Any" service "Any" trans-to ip 172.36.224.35 mode dynamicport sticky log
snatrule id 1 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "公有云标准区" service "Any" eif ethernet0/3 trans-to ip 172.36.224.35 mode dynamicport sticky log
snatrule id 2 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "旧内网资源" service "Any" eif ethernet0/3 trans-to ip 172.36.224.36 mode dynamicport sticky log
snatrule id 3 from address-book "VPN数据进入内网地址段" to address-book "新内网资源" service "Any" trans-to ip 172.36.224.36 mode dynamicport sticky log
snatrule id 4 from address-book "VPN数据进入内网地址段" to ip 10.0.1.1/24 service "Any" trans-to ip 172.36.224.35 mode dynamicport sticky log
snatrule id 5 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "公有云测试地址池(10.209)" service "Any" eif ethernet0/3 trans-to ip 172.36.224.37 mode dynamicport sticky log
ip route 12.251.160.0/24 ethernet0/3 172.36.224.33
ip route 12.251.161.0/24 ethernet0/3 172.36.224.33
ip route 12.251.165.0/24 ethernet0/3 172.36.224.33
ip route 12.251.174.0/24 ethernet0/3 172.36.224.33
ip route 12.251.175.0/24 ethernet0/3 172.36.224.33
ip route 172.36.0.0/16 ethernet0/3 172.36.224.33
ip route 10.0.0.0/8 ethernet0/3 172.36.224.33 description "总行路由"
ip route 11.0.0.0/8 ethernet0/3 172.36.224.33 description "总行路由"
ip route 0.0.0.0/0 192.36.224.2 description "互联网出口路由"
ip route 192.36.0.0/16 aggregate20 192.36.255.1 description "互联网聚合链路"
exit
qos-engine first
root-pipe "default" id 1
qos-mode "stat"
exit
exit
qos-engine second
disable
root-pipe "default" id 2
qos-mode "stat"
exit
exit
rule id 1
action permit
src-zone "Any"
dst-zone "Any"
src-addr "Any"
dst-addr "Any"
service "Any"
exit
l2-nonip-action drop
tcp-mss all 1448
tcp-mss tunnel 1380
ecmp-route-select by-src-and-dst
url-db-query server1 "url1.hillstonenet.com" port 8866 vrouter trust-vr
url-db-query server1 enable
url-db-query server2 "url2.hillstonenet.com" port 8866 vrouter trust-vr
url-db-query server2 enable
flow
icmp-unreachable-session-keep
exit
strict-tunnel-check
statistics-set "predef_if_bw"
target-data bandwidth id 0 record-history
group-by interface directional vsys
exit
statistics-set "predef_user_bw"
target-data bandwidth id 1 record-history
group-by user directional vsys
exit
statistics-set "predef_app_bw"
target-data bandwidth id 2 record-history
group-by application vsys
exit
statistics-set "predef_user_app_bw"
target-data bandwidth id 3
group-by user directional interface zone application vsys
exit
statistics-set "predef_zone_if_app_bw"
target-data bandwidth id 4
group-by interface zone directional application vsys
exit
longlife-sess-percent 10
no sms disable
End