拓扑图
实验代码
FW2<USG6000V1>dis cu
!Software Version V500R001C10
#
sysname USG6000V1
#
l2tp enable
undo l2tp sendaccm enable
l2tp domain suffix-separator @
#
undo info-center enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
firewall packet-filter basic-protocol enable
#
firewall detect ftp
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
isp name "china mobile"
isp name "china mobile" set filename china-mobile.csv
isp name "china unicom"
isp name "china unicom" set filename china-unicom.csv
isp name "china telecom"
isp name "china telecom" set filename china-telecom.csv
isp name "china educationnet"
isp name "china educationnet" set filename china-educationnet.csv
#
snmp-agent session history-max-number enable
snmp-agent session trap threshold 4000
snmp-agent session-rate trap threshold 24000
#
web-manager security version tlsv1 tlsv1.1
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
update schedule ips-sdb daily 07:52
update schedule av-sdb daily 07:52
update schedule sa-sdb daily 07:52
update schedule cnc daily 07:52
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ip pool 1
section 0 192.168.3.1 192.168.3.10
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
service-type l2tp ike
reference user current-domain
manager-user password-modify enable
manager-user audit-admin
password cipher @%@%_2s{3z.rQ/i;6eTu:\/4KVfWJTxj'{j1rB5F;vM;f)<$VfZK@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%X[fs$(._k8,`cM5+Qn[ALB=w`yCt~d0aF#hA$<Ge.X+"B=zL@%@%
service-type api
level 15
manager-user admin
password cipher @%@%L06(/w:^2A5)LVB)9x'HIjUQG("686}9S~[uo8Nk.P6IjUTI@%@%
service-type web terminal
level 15
role system-admin
dashboard read-write
monitor read-write
policy read-write
object read-write
network read-write
system read-write
role device-admin
dashboard read-only
monitor read-only log log-traffic log-threat log-policy-matching report traffi
c-map threat-map session statistic statistic-acl
monitor none diagnose
policy read-write
object read-write
network read-write
system read-write high-reliability
system none configuration vsys license update-center mail-send feedback
role device-admin(monitor)
dashboard read-only
monitor read-only log log-traffic log-threat log-policy-matching report traffi
c-map threat-map session statistic statistic-acl
monitor none diagnose
policy read-only
object read-only
network read-only
system read-only high-reliability
system none configuration vsys license update-center mail-send feedback
role audit-admin
dashboard read-only
monitor read-write log-audit
monitor read-only log log-traffic log-threat log-syslog log-policy-matching re
port traffic-map threat-map
monitor none session statistic statistic-acl diagnose
policy none
object none
network none
system none
bind manager-user audit-admin role audit-admin
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 61.67.1.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
l2tp-group 1
tunnel name LNS
#
l2tp-group default-lns
#
ip route-static 0.0.0.0 0.0.0.0 61.67.1.1
#
undo ssh server compatible-ssh1x enable
#
user-interface con 0
authentication-mode password
set authentication password cipher $1a$6a,J-D6DR5$4MLT/){&w7P\1Q2eP^)'M{cY9ZB,*
4XdkW9j;m`7$
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
sa
#
location
#
multi-interface
mode proportion-of-weight
#
security-policy
rule name T_UN
source-zone trust
destination-zone untrust
action permit
rule name UN_LOCAL
source-zone untrust
destination-zone local
action permit
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name N_W
source-zone trust
destination-zone untrust
action nat easy-ip
#
pcp-policy
#
dns-transparent-policy
#
return
FW3[USG6000V1]dis cu
!Software Version V500R001C10
#
sysname USG6000V1
#
undo l2tp sendaccm enable
l2tp domain suffix-separator @
#
undo info-center enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
firewall packet-filter basic-protocol enable
#
firewall detect ftp
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
isp name "china mobile"
isp name "china mobile" set filename china-mobile.csv
isp name "china unicom"
isp name "china unicom" set filename china-unicom.csv
isp name "china telecom"
isp name "china telecom" set filename china-telecom.csv
isp name "china educationnet"
isp name "china educationnet" set filename china-educationnet.csv
#
snmp-agent session history-max-number enable
snmp-agent session trap threshold 4000
snmp-agent session-rate trap threshold 24000
#
web-manager security version tlsv1 tlsv1.1
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
update schedule ips-sdb daily 02:11
update schedule av-sdb daily 02:11
update schedule sa-sdb daily 02:11
update schedule cnc daily 02:11
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
service-type l2tp ike
reference user current-domain
manager-user password-modify enable
manager-user audit-admin
password cipher @%@%U*eEK<|Xk6]Q[25%tt[><.u*HyBw~g7/7(fP.5B|4<JL.u-<@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%rs#k=5lq5-@{PK,@SVFW=ezJ=l)B~TrT,,b&gJ*'oi:LezM=@%@%
service-type api
level 15
manager-user admin
password cipher @%@%JNJB*6zo2+Jv;3Q8d%fB!P#htp<BD`K882_`saA*B-ZLP#k!@%@%
service-type web terminal
level 15
role system-admin
dashboard read-write
monitor read-write
policy read-write
object read-write
network read-write
system read-write
role device-admin
dashboard read-only
monitor read-only log log-traffic log-threat log-policy-matching report traffi
c-map threat-map session statistic statistic-acl
monitor none diagnose
policy read-write
object read-write
network read-write
system read-write high-reliability
system none configuration vsys license update-center mail-send feedback
role device-admin(monitor)
dashboard read-only
monitor read-only log log-traffic log-threat log-policy-matching report traffi
c-map threat-map session statistic statistic-acl
monitor none diagnose
policy read-only
object read-only
network read-only
system read-only high-reliability
system none configuration vsys license update-center mail-send feedback
role audit-admin
dashboard read-only
monitor read-write log-audit
monitor read-only log log-traffic log-threat log-syslog log-policy-matching re
port traffic-map threat-map
monitor none session statistic statistic-acl diagnose
policy none
object none
network none
system none
bind manager-user audit-admin role audit-admin
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 61.67.2.3 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
l2tp-group default-lns
#
ip route-static 0.0.0.0 0.0.0.0 61.67.2.1
#
undo ssh server compatible-ssh1x enable
#
user-interface con 0
authentication-mode password
set authentication password cipher $1a$,6;N&se_S8$4Z)_<I~}r*08_jXTcIn*0*db=Gv3z
QztnQ/b7DvC$
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
sa
#
location
#
multi-interface
mode proportion-of-weight
#
security-policy
default action permit
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name N_W
source-zone trust
destination-zone untrust
action nat easy-ip
#
pcp-policy
#
dns-transparent-policy
#
return
<ar1>dis cu
[V200R003C00]
#
sysname ar1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 61.67.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 61.67.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 61.67.1.2
ip route-static 0.0.0.0 0.0.0.0 61.67.2.3
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return