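Network Engineer's Growth Diary 370 - Alstom

This is my 370th original article, recording the ins and outs of the network engineering profession and connecting with kindred spirits in the IT industry.
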

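On the afternoon of April 20, my boss and I went to the Gaoke Building in the West Hi-Tech Zone to install an H3C firewall.
This was my first on-the-job training.
Although my boss had given me some H3C documentation beforehand, I still felt unsure of myself.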


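This time our task was to install an F100-C firewall and connect a Cisco wireless AP (the customer asked for this after we arrived).
The F100-C firewall had already been configured and only needed to be installed. We thought it would be simple and done in a short while, but countless problems came up.
We connected the firewall to a computer and ran dis cur (the equivalent of SHOW RUN) to display the firewall's configuration.
The customer told us that with the dial-up IP and password the telecom carrier had assigned them, the link would not come up no matter what they did.
We then tried many other things, and it still did not work.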


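We contacted the engineers in Beijing, who said they would get in touch with the telecom carrier, because they too were not clear about the configuration the carrier had done for the customer.
So that went on for a very long time. Then Beijing called to ask how it was going; we tried again and it still did not work. After going back and forth many times, we had no choice but to call the carrier ourselves.
At first we thought the dial-up password was wrong, so we called the carrier. They told us that to get the password we had to provide the company's credentials and similar documents.
With no alternative, we talked to the customer again. Only then did they hand over a sheet with the IP address that the carrier had left when installing the line on the 19th, and tell us that the carrier had installed a leased line.
We modified the firewall settings, reconfigured the WAN port and Dialer0, and tried once more. This time we could finally ping the gateway, and pinging the customer's internal network also worked.
Because nobody on the customer's side knew much about networking, it was only through talking with Beijing that we learned what had been installed the day before was a VPN leased line, not the dial-up Internet access the customer had kept claiming.
We had been misled. So embarrassing.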



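Next came installing the wireless and setting its password. There was a small problem when setting the password: the customer wanted a 5-character password,
but the chosen security protocol only supports passwords of at least 8 characters. After discussion, we settled on an 8-character password.
With that, the whole job was finished.
This job taught me that communication is extremely important on a project.
Beyond that, you need to understand the project from the information you already have and know what you need to do.
Only then can the work be completed successfully and quickly.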


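Configuration process
We got the link working first, then the engineer in Beijing logged in remotely and made changes.
The dis cur output is below; IP addresses and related content have been altered.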
#
Sysname F100-C
#
 clock timezone GMT+8 add 08:00:00
#
 encrypt-card fast-switch
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 bims enable // H3C's intelligent management solution for branch sites
 bims device-id F100-C
 bims ip address 100.0.0.1 port 7000
 bims interval 10
 bims sharekey simple cec
#
 dialer-rule 1 ip permit
#
 firewall statistic system enable
#
pki entity mytest
  common-name F100-C
  organization-unit ts                    
  organization CEC
  locality SX
  state XA
  country CN
#
pki domain myvpn
  ca identifier CEC
  certificate request url http://1.2.3.4/certsrv/mscep/mscep.dll  // certificate setup
  certificate request from ra
  certificate request entity mytest
  certificate request mode auto key-length 1024
  root-certificate fingerprint sha1 12345
  crl check disable
#
radius scheme system
 server-type extended
#
domain system
#
local-user 654321
 password 123456
 service-type telnet terminal
 level 3
 service-type ftp                         
#
ike proposal 1
 authentication-method rsa-signature
#
ike peer vpn
 exchange-mode aggressive
 pre-shared-key 123457
 id-type name
 remote-name vpn
 remote-address 1.2.3.4
 certificate domain myvpn
#
ipsec card-proposal svpn
 use encrypt-card 1/0
#
ipsec proposal vpn
#
ipsec policy vpn 10 isakmp
 security acl 3000
 ike-peer vpn
 proposal svpn
---------------------------------------------
// added by the Beijing engineer after logging in remotely
#
dhcp server ip-pool dhcppool
 network 10.1.0.2 mask 255.255.255.0   
 gateway-list 10.1.0.1
 dns-list 10.1.1.1 10.1.1.3 10.1.1.8
---------------------------------------------
#
acl number 2000 match-order auto
 rule 0 permit source 10.1.1.0 0.0.0.255
 rule 1 permit
#
acl number 3000
 rule 0 permit ip source 1.1.1.4 0 destination 1.1.1.1 0
 rule 1 deny ip
#
interface Aux0
 async mode flow
------------------------------------------------------------------------------------
#
interface Dialer1
 undo link-protocol ppp
 undo ppp pap local-user 7654321 password simple 1234567
 undo ip address ppp-negotiate
 dialer user user
 dialer-group 1
 dialer bundle 1
 nat outbound 2000
 ipsec policy vpn
Original configuration; because the link is a leased line, all of it was later deleted.
-------------------------------------------------------------------------------------
#
interface Ethernet0/0
 description link to LAN
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/1                     
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4 // changed to:
interface Ethernet0/4
 description link to WAN
 ip address 121.1.1.1 255.0.0.0
 ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
 ip address 34.1.1.1 255.255.255.252
 source 1.1.1.4
 destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.4 255.255.255.255
#
firewall zone local
 set priority 100                         
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1
 add interface Ethernet0/2
 add interface Ethernet0/3
 add interface Ethernet0/4
 add interface Dialer1 // later deleted
 add interface Tunnel1
 set priority 85
 statistic enable ip inzone
 statistic enable ip outzone
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ              
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 43.1.1.1 preference 60 // after the change: Ethernet 0/4 121.1.1.1; originally the Dialer1 interface
 ip route-static 1.1.1.1 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 2.2.2.2 255.0.0.0 Tunnel 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 3.3.3.3 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 4.4.4.4 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 5.5.5.5 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 6.6.6.6 255.255.0.0 Tunnel 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 7.7.7.7 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 8.8.8.8 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
 ip route-static 9.9.9.9 255.255.255.255 Dialer 1 preference 60 // Dialer 1 changed to Ethernet 0/4 121.1.1.1
#
 snmp-agent
 snmp-agent local-engineid 12345678
 snmp-agent community write 101zhengou
 snmp-agent sys-info version all
 snmp-agent trap source Ethernet0/4
#
 ntp-service unicast-server 1.1.1.1
 ntp-service unicast-server 2.2.2.2
 ntp-service unicast-server 3.3.3.3
 ntp-service unicast-server 4.4.4.4
 ntp-service unicast-server 5.5.5.5
 ntp-service unicast-server 6.6.6.6
 ntp-service unicast-server 7.7.7.7
 ntp-service unicast-server 8.8.8.8
 ntp-service unicast-server 9.9.9.9
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3                   
 set authentication password simple cecipsec
At this point, pinging the Shenzhen headquarters on the internal network succeeds. Done.




                                            韩啸.








[XiA110101-H3C]dis ip int bri
*down: administratively down
(s): spoofing
 Interface                   IP Address      Physical Protocol     Description 
 Aux0                        unassigned      down     up(s)        Aux0 Inte...
 Dialer1                     unassigned      up       up(s)        Dialer1 I...
 Encrypt1/0                  unassigned      up       up           Encrypt1/...
 Ethernet0/0                 10.100.12.1     up       up           link to LAN 
 Ethernet0/1                 unassigned      down     down         Ethernet0...
 Ethernet0/2                 unassigned      down     down         Ethernet0...
 Ethernet0/3                 unassigned      down     down         Ethernet0...
 Ethernet0/4                 117.22.255.106  up       up           link to WAN 
 LoopBack0                   1.1.1.37        up       up(s)        LoopBack0...
 Tunnel1                     172.16.18.118   up       up           Tunnel1 I...
[XiA110101-H3C]dis cur
#
 sysname XiA110101-H3C
#
 clock timezone GMT+8 add 08:00:00
#
 encrypt-card fast-switch
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 bims enable
 bims device-id XiA110101-H3C
 bims ip address 218.96.249.203 port 7777
 bims interval 10
 bims sharekey simple cec
#
 dialer-rule 1 ip permit
#
 firewall statistic system enable
#
pki entity mytest
  common-name XiA110101-H3C
  organization-unit ts                    
  organization CEC
  locality SX
  state XA
  country CN
#
pki domain myvpn
  ca identifier CEC
  certificate request url http://218.96.249.202/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity mytest
  certificate request mode auto key-length 1024
  root-certificate fingerprint sha1 268fed7ae09ce9fb3c187d917070bbea1f1f327a
  crl check disable
#
radius scheme system
 server-type extended
#
domain system
#
local-user cecipsec
 password cipher RPZ^0"X<9]'Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp                         
#
ike proposal 1
 authentication-method rsa-signature
#
ike peer vpn
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name vpn
 remote-address 218.96.249.201
 certificate domain myvpn
#
ipsec card-proposal svpn
 use encrypt-card 1/0
#
ipsec proposal vpn
#
ipsec policy vpn 10 isakmp
 security acl 3000
 ike-peer vpn
 proposal svpn
#
acl number 2000 match-order auto
 rule 0 permit source 10.100.12.0 0.0.0.255
 rule 1 permit
#
acl number 3000
 rule 0 permit ip source 1.1.1.37 0 destination 1.1.1.1 0
 rule 1 deny ip
#
interface Aux0
 async mode flow
#
interface Dialer1
 undo link-protocol ppp
 undo ppp pap local-user 02988339052 password simple 123456
 undo ip address ppp-negotiate
 dialer user user
 dialer-group 1
 dialer bundle 1
 nat outbound 2000
 ipsec policy vpn
#
interface Ethernet0/0
 description link to LAN
 ip address 10.100.12.1 255.255.255.0
#
interface Ethernet0/1                     
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
 description link to WAN
 ip address 117.22.255.106 255.0.0.0
 ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
 ip address 172.16.18.118 255.255.255.252
 source 1.1.1.37
 destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.37 255.255.255.255
#
firewall zone local
 set priority 100                         
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1
 add interface Ethernet0/2
 add interface Ethernet0/3
 add interface Ethernet0/4
 add interface Dialer1
 add interface Tunnel1
 set priority 85
 statistic enable ip inzone
 statistic enable ip outzone
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ              
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 117.22.255.105 preference 60 // after the change; originally the Dialer1 interface
 undo  ip route-static 1.1.1.1 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 10.0.0.0 255.0.0.0 Tunnel 1 preference 60
 undo   ip route-static 61.237.232.242 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 131.100.9.2 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 131.107.1.10 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 159.217.0.0 255.255.0.0 Tunnel 1 preference 60
 undo   ip route-static 202.112.10.60 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 202.122.113.114 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 210.72.145.44 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 210.184.110.165 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 218.96.0.0 255.255.0.0 Dialer 1 preference 60
 undo   ip route-static 218.96.50.84 255.255.255.252 Tunnel 1 preference 60
 undo   ip route-static 218.96.70.100 255.255.255.252 Tunnel 1 preference 60
 undo   ip route-static 218.96.249.201 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 218.96.249.202 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 218.96.249.203 255.255.255.255 Dialer 1 preference 60
 undo   ip route-static 218.96.253.160 255.255.255.224 Tunnel 1 preference 60
 undo   ip route-static 218.97.1.33 255.255.255.255 Dialer 1 preference 60
#
 snmp-agent
 snmp-agent local-engineid 000063A27F0000010000176B
 snmp-agent community write zqw101
 snmp-agent sys-info version all
 snmp-agent trap source Ethernet0/4
#
 ntp-service unicast-server 61.237.232.242
 ntp-service unicast-server 131.107.1.10
 ntp-service unicast-server 133.100.9.2
 ntp-service unicast-server 202.112.10.60
 ntp-service unicast-server 202.122.113.114
 ntp-service unicast-server 210.72.145.44
 ntp-service unicast-server 210.184.110.165
 ntp-service unicast-server 218.96.249.201
 ntp-service unicast-server 218.97.1.33
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3                   
 set authentication password simple cecipsec
#






After Beijing's changes
[XiA110101-H3C]dis cur
#
 sysname XiA110101-H3C
#
 clock timezone GMT+8 add 08:00:00
#
 encrypt-card fast-switch
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 bims enable
 bims device-id XiA110101-H3C
 bims ip address 218.96.249.203 port 7777
 bims interval 10
 bims sharekey simple cec
#
 dialer-rule 1 ip permit
#
 firewall statistic system enable
#
pki entity mytest
  common-name XiA110101-H3C
  organization-unit ts                    
  organization CEC
  locality SX
  state XA
  country CN
#
pki domain myvpn
  ca identifier CEC
  certificate request url http://218.96.249.202/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity mytest
  certificate request mode auto key-length 1024
  root-certificate fingerprint sha1 268fed7ae09ce9fb3c187d917070bbea1f1f327a
  crl check disable
#
radius scheme system
 server-type extended
#
domain system
#
local-user cecipsec
 password cipher RPZ^0"X<9]'Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp                         
#
ike proposal 1
 authentication-method rsa-signature
#
ike peer vpn
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name vpn
 remote-address 218.96.249.201
 certificate domain myvpn
#
ipsec card-proposal svpn
 use encrypt-card 1/0
#
ipsec proposal vpn
#
ipsec policy vpn 10 isakmp
 security acl 3000
 ike-peer vpn
 proposal svpn
#
acl number 2000 match-order auto
 rule 0 permit source 10.100.12.0 0.0.0.255
 rule 1 permit
#
acl number 3000
 rule 0 permit ip source 1.1.1.37 0 destination 1.1.1.1 0
 rule 1 deny ip
#
interface Aux0
 async mode flow
#
interface Dialer1
 link-protocol ppp
 ppp pap local-user 02988339052 password simple 123456
 ip address ppp-negotiate
 dialer user user
 dialer-group 1
 dialer bundle 1
 nat outbound 2000
 ipsec policy vpn
#
interface Ethernet0/0
 description link to LAN
 ip address 10.100.12.1 255.255.255.0
#
                                          
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
 description link to WAN
 ip address 117.22.255.106 255.0.0.0
 ipsec policy vpn
 ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
 ip address 172.16.18.118 255.255.255.252
 source 1.1.1.37
 destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.37 255.255.255.255
#
                                          
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1
 add interface Ethernet0/2
 add interface Ethernet0/3
 add interface Ethernet0/4
 add interface Dialer1
 add interface Tunnel1
 set priority 85
 statistic enable ip inzone
 statistic enable ip outzone
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#                                         
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 117.22.255.105 preference 60
 ip route-static 1.1.1.1 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 61.237.232.242 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 131.100.9.2 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 131.107.1.10 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 202.112.10.60 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 202.122.113.114 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 210.72.145.44 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 210.184.110.165 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.0.0 255.255.0.0 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.249.201 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.249.202 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.249.203 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.97.1.33 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
#
 snmp-agent                               
 snmp-agent local-engineid 000063A27F0000010000176B
 snmp-agent community write zqw101
 snmp-agent sys-info version all
 snmp-agent trap source Ethernet0/4
#
 ntp-service unicast-server 61.237.232.242
 ntp-service unicast-server 131.107.1.10
 ntp-service unicast-server 133.100.9.2
 ntp-service unicast-server 202.112.10.60
 ntp-service unicast-server 202.122.113.114
 ntp-service unicast-server 210.72.145.44
 ntp-service unicast-server 210.184.110.165
 ntp-service unicast-server 218.96.249.201
 ntp-service unicast-server 218.97.1.33
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
 set authentication password simple cecipsec
#
return
                                          
[XiA110101-H3C]
%Apr 20 17:50:43:438 2009 XiA110101-H3C PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain myvpn is trusted.
%Apr 20 17:50:49:830 2009 XiA110101-H3C PKI/4/Update_CA_Cert:Update CA certificates of the Domain myvpn successfully.
%Apr 20 17:50:49:831 2009 XiA110101-H3C PKI/4/CA_Cert_Retrieval:Retrieval CA certificates of the domain myvpn successfully.
%Apr 20 17:50:54:232 2009 XiA110101-H3C PKI/4/Local_Cert_Request:Request local certificate of the domain myvpn successfully. 


===============================
IPs that can be pinged from the internal network
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.


C:\Documents and Settings\Administrator>ping 172.16.18.118


Pinging 172.16.18.118 with 32 bytes of data:


Reply from 172.16.18.118: bytes=32 time=3ms TTL=255
Reply from 172.16.18.118: bytes=32 time=3ms TTL=255
Reply from 172.16.18.118: bytes=32 time=2ms TTL=255
Reply from 172.16.18.118: bytes=32 time=1ms TTL=255


Ping statistics for 172.16.18.118:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 2ms


C:\Documents and Settings\Administrator>ping www.baidu.com
^C
C:\Documents and Settings\Administrator>nslookup www.baidu.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 218.30.19.40: Timed out
*** Default servers are not available
Server:  UnKnown
Address:  218.30.19.40


DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out


C:\Documents and Settings\Administrator>ping 117.22.255.106


Pinging 117.22.255.106 with 32 bytes of data:


Reply from 117.22.255.106: bytes=32 time=2ms TTL=255
Reply from 117.22.255.106: bytes=32 time=1ms TTL=255
Reply from 117.22.255.106: bytes=32 time=1ms TTL=255
Reply from 117.22.255.106: bytes=32 time=1ms TTL=255


Ping statistics for 117.22.255.106:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms


C:\Documents and Settings\Administrator>ping 117.22.255.105


Pinging 117.22.255.105 with 32 bytes of data:


Request timed out.
Request timed out.
Request timed out.
Request timed out.


Ping statistics for 117.22.255.105:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\Documents and Settings\Administrator>


======================================
Final configuration
[XiA110101-H3C]dis cur
#
 sysname XiA110101-H3C
#
 clock timezone GMT+8 add 08:00:00
#
 encrypt-card fast-switch
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 bims enable
 bims device-id XiA110101-H3C
 bims ip address 218.96.249.203 port 7777
 bims interval 10
 bims sharekey simple cec
#
 dialer-rule 1 ip permit
#
 firewall statistic system enable
#
pki entity mytest
  common-name XiA110101-H3C
  organization-unit ts                    
  organization CEC
  locality SX
  state XA
  country CN
#
pki domain myvpn
  ca identifier CEC
  certificate request url http://218.96.249.202/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity mytest
  certificate request mode auto key-length 1024
  root-certificate fingerprint sha1 268fed7ae09ce9fb3c187d917070bbea1f1f327a
  crl check disable
#
radius scheme system
 server-type extended
#
domain system
#
local-user cecipsec
 password cipher RPZ^0"X<9]'Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp                         
#
ike proposal 1
 authentication-method rsa-signature
#
ike peer vpn
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name vpn
 remote-address 218.96.249.201
 certificate domain myvpn
#
ipsec card-proposal svpn
 use encrypt-card 1/0
#
ipsec proposal vpn
#
ipsec policy vpn 10 isakmp
 security acl 3000
 ike-peer vpn
 proposal svpn
#
dhcp server ip-pool dhcppool
 network 10.100.12.0 mask 255.255.255.0   
 gateway-list 10.100.12.1
 dns-list 10.100.0.2 10.100.0.3 10.3.1.8
#
acl number 2000 match-order auto
 rule 0 permit source 10.100.12.0 0.0.0.255
 rule 1 permit
#
acl number 3000
 rule 0 permit ip source 1.1.1.37 0 destination 1.1.1.1 0
 rule 1 deny ip
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 description link to LAN
 ip address 10.100.12.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#                                         
interface Ethernet0/4
 description link to WAN
 ip address 117.22.255.106 255.0.0.0
 ipsec policy vpn
 ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
 ip address 172.16.18.118 255.255.255.252
 source 1.1.1.37
 destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
 ip address 1.1.1.37 255.255.255.255
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1                
 add interface Ethernet0/2
 add interface Ethernet0/3
 add interface Ethernet0/4
 add interface Tunnel1
 set priority 85
 statistic enable ip inzone
 statistic enable ip outzone
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#                                         
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 117.22.255.105 preference 60
 ip route-static 1.1.1.1 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 10.0.0.0 255.0.0.0 Tunnel 1 preference 60
 ip route-static 61.237.232.242 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 131.100.9.2 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 131.107.1.10 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 159.217.0.0 255.255.0.0 Tunnel 1 preference 60
 ip route-static 202.112.10.60 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 202.122.113.114 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 210.72.145.44 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 210.184.110.165 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.0.0 255.255.0.0 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.50.84 255.255.255.252 Tunnel 1 preference 60
 ip route-static 218.96.70.100 255.255.255.252 Tunnel 1 preference 60
 ip route-static 218.96.249.201 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.249.202 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.249.203 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
 ip route-static 218.96.253.160 255.255.255.224 Tunnel 1 preference 60
 ip route-static 218.97.1.33 255.255.255.255 Ethernet 0/4 117.22.255.105  preference 60
#
 snmp-agent
 snmp-agent local-engineid 000063A27F0000010000176B
 snmp-agent community write zqw101
 snmp-agent sys-info version all
 snmp-agent trap source Ethernet0/4
#
 ntp-service unicast-server 61.237.232.242
 ntp-service unicast-server 131.107.1.10
 ntp-service unicast-server 133.100.9.2
 ntp-service unicast-server 202.112.10.60
 ntp-service unicast-server 202.122.113.114
 ntp-service unicast-server 210.72.145.44
 ntp-service unicast-server 210.184.110.165
 ntp-service unicast-server 218.96.249.201
 ntp-service unicast-server 218.97.1.33
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
 set authentication password simple cecipsec
#
return
[XiA110101-H3C]            
=================
ping Shenzhen headquarters


C:\Documents and Settings\Administrator>ping 10.100.0.1


Pinging 10.100.0.1 with 32 bytes of data:


Reply from 10.100.0.1: bytes=32 time=99ms TTL=249
Reply from 10.100.0.1: bytes=32 time=96ms TTL=249
Reply from 10.100.0.1: bytes=32 time=96ms TTL=249
Reply from 10.100.0.1: bytes=32 time=99ms TTL=249


Ping statistics for 10.100.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 99ms, Average = 97ms


C:\Documents and Settings\Administrator>ping 10.100.0.1


Pinging 10.100.0.1 with 32 bytes of data:


Reply from 10.100.0.1: bytes=32 time=116ms TTL=248
Reply from 10.100.0.1: bytes=32 time=103ms TTL=248
Reply from 10.100.0.1: bytes=32 time=112ms TTL=248
Reply from 10.100.0.1: bytes=32 time=96ms TTL=248


Ping statistics for 10.100.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 116ms, Average = 106ms


C:\Documents and Settings\Administrator>




[XiA110101-H3C]dis ip int bri
*down: administratively down
(s): spoofing
 Interface                   IP Address      Physical Protocol     Description 
 Aux0                        unassigned      down     up(s)        Aux0 Inte...
 Dialer1                     unassigned      down     down         Dialer1 I...
 Encrypt1/0                  unassigned      up       up           Encrypt1/...
 Ethernet0/0                 10.100.12.1     up       up           link to LAN 
 Ethernet0/1                 unassigned      down     down         Ethernet0...
 Ethernet0/2                 unassigned      down     down         Ethernet0...
 Ethernet0/3                 unassigned      down     down         Ethernet0...
 Ethernet0/4                 unassigned      up       down         link to WAN 
 LoopBack0                   1.1.1.37        up       up(s)        LoopBack0...
 Tunnel1                     172.16.18.118   up       down         Tunnel1 I...
[XiA110101-H3C]
#Apr 20 23:48:10:748 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.4Interface 1854 is Up 
%Apr 20 23:48:10:750 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is UP  


#Apr 20 23:48:10:954 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.3Interface 1854 is Down 
%Apr 20 23:48:10:955 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is DOWN  


#Apr 20 23:48:29:056 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.4Interface 1862 is Up 
%Apr 20 23:48:29:057 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is UP  


#Apr 20 23:48:29:264 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.3Interface 1862 is Down 
%Apr 20 23:48:29:266 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is DOWN  
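
An added example, not part of the original post: a small Python audit over dis cur output that flags the kinds of settings visible in the dumps above (default-permit packet filter, "simple" secrets, telnet/FTP management, an SNMP write community, aggressive-mode IKE, 1024-bit keys, disabled CRL checking, a WAN-labelled interface in the trust zone). The sample input is constructed with placeholder values; the rule names and the "WAN in the description" heuristic are assumptions of this example.

```python
import re

# Constructed excerpt in the style of the "dis cur" dumps above; every name
# and secret is a placeholder, not a value from the page.
SAMPLE = """\
#
 firewall packet-filter default permit
#
pki domain myvpn
  certificate request mode auto key-length 1024
  crl check disable
#
local-user admin
 password simple EXAMPLE-ONLY
 service-type telnet terminal
#
ike peer vpn
 exchange-mode aggressive
#
interface Ethernet0/4
 description link to WAN
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/4
#
 snmp-agent community write EXAMPLE-ONLY
 snmp-agent sys-info version all
#
user-interface vty 0 4
 set authentication password simple EXAMPLE-ONLY
#
"""

# (rule id, pattern matched against one stripped config line, why it matters)
LINE_RULES = [
    ("default-permit", r"^firewall packet-filter default permit$", "unmatched traffic is forwarded"),
    ("cleartext-secret", r"\b(password|sharekey) simple\b", "secret stored readable in the config"),
    ("cleartext-mgmt", r"^service-type\b.*\b(telnet|ftp)\b", "management login is unencrypted"),
    ("snmp-write", r"^snmp-agent community write\b", "a community string grants write access"),
    ("snmp-all-versions", r"^snmp-agent sys-info version all$", "SNMPv1/v2c stay enabled next to v3"),
    ("ike-aggressive", r"^exchange-mode aggressive$", "aggressive mode leaves peer identities unprotected"),
    ("crl-off", r"^crl check disable$", "revoked peer certificates are still accepted"),
]
SECRET = re.compile(r"\b(simple|cipher|community (?:read|write)|pre-shared-key)\s+\S+")

def parse_sections(text):
    """Split a dump on '#' separator lines; each section is a list of stripped lines."""
    sections, current = [], []
    for raw in text.splitlines() + ["#"]:
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    return sections

def audit(text):
    """Return (rule id, section header, redacted line, reason) for each finding."""
    findings, wan_ifaces, trust_ifaces = [], set(), set()
    for section in parse_sections(text):
        header = SECRET.sub(r"\1 <redacted>", section[0])
        for line in section:
            shown = SECRET.sub(r"\1 <redacted>", line)  # never echo secrets in a report
            for rule, pattern, why in LINE_RULES:
                if re.search(pattern, line):
                    findings.append((rule, header, shown, why))
            m = re.search(r"\bkey-length (\d+)$", line)
            if m and int(m.group(1)) < 2048:
                findings.append(("rsa-key-short", header, shown, "RSA key below 2048 bits"))
            # Assumption: the uplink is labelled "WAN" in its description, as on the page.
            if header.startswith("interface ") and re.search(r"^description\b.*\bWAN\b", line):
                wan_ifaces.add(header.split()[1])
            if header == "firewall zone trust" and line.startswith("add interface "):
                trust_ifaces.add(line.split()[2])
    for name in sorted(wan_ifaces & trust_ifaces):
        findings.append(("wan-in-trust", "firewall zone trust", "add interface " + name,
                         "Internet-facing interface is treated as trusted"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"[{r}] {h}: {l} -- {w}" for r, h, l, w in audit(SAMPLE)))
```

To check a real device, save its dis cur output to a file and pass the file's contents to audit(); the report redacts secret values, so it can be shared more safely than the raw dump.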