The firewall acts as the egress gateway with three uplinks: China Unicom fiber, China Telecom fiber, and China Telecom ADSL. The firewall connects to an H3C Layer 2 switch, which in turn connects to the internal servers and to the downstream Layer 2 switches (all internal users connect there). Because the customer assigns addresses statically, there is no DHCP configuration here.

1. Internet access settings:

# Zone configuration
zone name Management id 0
 priority 100
 import interface GigabitEthernet0/0
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
 import interface GigabitEthernet0/2
zone name DMZ id 3
 priority 50
zone name Untrust id 4
 priority 5
 import interface Dialer1
 import interface GigabitEthernet0/3
 import interface GigabitEthernet0/4
 import interface GigabitEthernet0/5
# Internal gateway
interface GigabitEthernet0/2
 ip address 192.168.100.254 255.255.0.0
 port link-mode route
 nat outbound 3090
# Telecom uplink
interface GigabitEthernet0/3
 port link-mode route
 ip address 219.137.182.2xx 255.255.255.248
 nat outbound 2000 address-group 1
# Unicom uplink
interface GigabitEthernet0/4
 port link-mode route
 ip address 218.107.10.xx 255.255.255.248
 nat outbound 2000 address-group 2
# PPPoE Telecom ADSL
interface GigabitEthernet0/5
 port link-mode route
 pppoe-client dial-bundle-number 1
# Dialer control list for the dial access group
dialer-rule 1 ip permit
# PPPoE configuration
interface Dialer1
 nat outbound 2000
 link-protocol ppp
 ppp chap user gzDSLxxxxxxxx@163.gd
 ppp chap password cipher $c$3$cft8cT2sYcO4XYUDKRgfw0R0HOSTSDh69HbN
 ppp pap local-user gzDSLxxxxxxxx@163.gd password cipher $c$3$mXUOjqFP3BKfa52muz92y7JBlMMsjjNzxGVL
 ppp ipcp dns request
 ip address ppp-negotiate
 dialer user pppoeclient
 dialer-group 1
 dialer bundle 1
# DNS servers
dns resolve
dns proxy enable
dns server 202.96.128.166
dns server 8.8.8.8
# NAT dynamic address pools
nat address-group 1 219.137.182.2xx 219.137.182.206 level 1
nat address-group 2 218.107.10.xx 218.107.10.xy level 1
# ACL used by NAT
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.255.255
# Default routes out each uplink
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 0.0.0.0 0.0.0.0 219.137.182.201
ip route-static 0.0.0.0 0.0.0.0 218.107.10.41 preference 100

2. Policy-based routing

# ACLs used by policy-based routing
acl number 3088   // matches the internal server addresses
 rule 0 permit ip source 192.168.16.39 0
 rule 1 permit ip source 192.168.100.1 0
 rule 2 permit ip source 192.168.100.161 0
 rule 3 permit ip source 192.168.100.162 0
 rule 4 permit ip source 192.168.100.164 0
 rule 101 deny ip
acl number 3089   // matches the internal user address range
 rule 0 permit ip source 192.168.0.0 0.0.255.255
 rule 101 deny ip
# Create the policy route
policy-based-route wan permit node 10
 if-match acl 3088
 apply ip-address next-hop 219.137.182.201   // servers go out via the Telecom uplink
policy-based-route wan permit node 11
 if-match acl 3089
 apply ip-address next-hop 218.107.10.41   // internal users go out via the Unicom uplink
# Apply the policy route
interface GigabitEthernet0/2
 ip policy-based-route wan

3. NAT for external access to the internal servers

interface GigabitEthernet0/3
 nat server protocol tcp global 219.137.182.2xx 5872 inside 192.168.100.164 5872
 nat server protocol tcp global 219.137.182.2xx 81 inside 192.168.100.164 81
 nat server protocol tcp global 219.137.182.2xx 89 inside 192.168.100.1 89
 nat server protocol tcp global 219.137.182.2xx 5366 inside 192.168.100.162 5366
 nat server 1 protocol tcp global current-interface 8081 inside 192.168.100.162 8081
 nat server protocol tcp global 219.137.182.2xx 8088 inside 192.168.100.1 8088
 ip address 219.137.182.2xx 255.255.255.248
#
interface GigabitEthernet0/4
 nat server protocol tcp global 218.107.10.xx 8088 inside 192.168.100.1 8088
 nat server protocol tcp global 218.107.10.xx 81 inside 192.168.100.164 81
 nat server protocol tcp global 218.107.10.xx 5872 inside 192.168.100.164 5872
 nat server 1 protocol tcp global current-interface 89 inside 192.168.100.1 89
 nat server 2 protocol tcp global current-interface 5366 inside 192.168.100.162 5366
 nat server 3 protocol tcp global current-interface 8081 inside 192.168.100.162 8081
# Allow the Untrust zone to reach the addresses in the internal server address group
interzone source Untrust destination Trust
 rule 0 permit
  source-ip any_address
  destination-ip server_group
  service any_service
  rule enable

4. NAT for internal users reaching the internal servers via the public addresses

# ACLs used by the NAT for public-address access to the internal servers
acl number 3090
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.16.39 0
 rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.1 0
 rule 2 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.161 0
 rule 3 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.162 0
 rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.164 0
acl number 3091
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.16.39 0
 rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.1 0
 rule 2 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.161 0
 rule 3 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.162 0
 rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.164 0
 rule 5 permit ip source 192.168.16.39 0 destination 192.168.0.0 0.0.255.255
 rule 6 permit ip source 192.168.100.1 0 destination 192.168.0.0 0.0.255.255
 rule 7 permit ip source 192.168.100.161 0 destination 192.168.0.0 0.0.255.255
 rule 8 permit ip source 192.168.100.162 0 destination 192.168.0.0 0.0.255.255
 rule 9 permit ip source 192.168.100.164 0 destination 192.168.0.0 0.0.255.255
interface GigabitEthernet0/2
 nat outbound 3090
 nat server protocol tcp global 219.137.182.2xx 8088 inside 192.168.100.1 8088
 nat server protocol tcp global 218.107.10.xx 8088 inside 192.168.100.1 8088
 nat server protocol tcp global 218.107.10.xx 81 inside 192.168.100.164 81
 nat server protocol tcp global 219.137.182.2xx 81 inside 192.168.100.164 81
# Packets whose source is an internal server and whose destination is an internal user must not have their next hop rewritten
policy-based-route wan deny node 9
 if-match acl 3091

5. IPsec VPN

# IPsec interesting traffic
acl number 3501
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.160.10.0 0.0.0.255
acl number 3502
 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.160.55.0 0.0.0.255
# IKE local name
ike local-name f100
# Health check (DPD)
ike dpd to_fg100_dpd
 time-out 3
# Phase 1 IKE proposal
ike proposal 1
 encryption-algorithm 3des-cbc
 dh gr
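The configuration above publishes several internal services on both public uplinks, opens the Untrust-to-Trust interzone rule with any_service, and relies on the order of the policy-route nodes (the deny node 9 must sort before the permit nodes 10 and 11) to keep server-to-user hairpin traffic off the uplinks. The following script is an added example, not code from the original post or from H3C: it parses an abbreviated, constructed copy of that configuration (the author's "xx" placeholders are kept in the public addresses) and reports which internal host and port each public address exposes, plus the review findings a defender would raise. The block-splitting rule (top-level command in column 0, sub-commands indented) is an assumption that matches the Comware display format used in the post.

```python
"""Audit an H3C Comware-style firewall config for exposure-relevant settings.

Added example, not part of the original post. SAMPLE_CONFIG is a constructed,
abbreviated copy of the configuration in the text; public addresses keep the
author's 'xx' placeholders."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 ip address 219.137.182.2xx 255.255.255.248
 nat outbound 2000 address-group 1
 nat server protocol tcp global 219.137.182.2xx 5872 inside 192.168.100.164 5872
 nat server protocol tcp global 219.137.182.2xx 81 inside 192.168.100.164 81
 nat server 1 protocol tcp global current-interface 8081 inside 192.168.100.162 8081
interface GigabitEthernet0/4
 ip address 218.107.10.xx 255.255.255.248
 nat server protocol tcp global 218.107.10.xx 8088 inside 192.168.100.1 8088
 nat server 2 protocol tcp global current-interface 5366 inside 192.168.100.162 5366
interzone source Untrust destination Trust
 rule 0 permit
  source-ip any_address
  destination-ip server_group
  service any_service
  rule enable
policy-based-route wan deny node 9
 if-match acl 3091
policy-based-route wan permit node 10
 if-match acl 3088
 apply ip-address next-hop 219.137.182.201
policy-based-route wan permit node 11
 if-match acl 3089
 apply ip-address next-hop 218.107.10.41
ike proposal 1
 encryption-algorithm 3des-cbc
"""


def parse_blocks(text):
    """Split the config into (header, [sub-lines]) blocks.

    Assumed layout: a top-level command starts in column 0 and every
    indented line that follows belongs to it; '#' separator lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


# 'nat server [id] protocol <p> global <addr> <port> inside <addr> <port>'
NAT_SERVER = re.compile(
    r"nat server(?: \d+)? protocol (\w+) global (\S+) (\d+) inside (\S+) (\d+)")


def exposed_services(blocks):
    """Map each interface to its (proto, global addr, global port, inside addr,
    inside port) tuples; 'current-interface' resolves to the interface's own address."""
    result = defaultdict(list)
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        ifname = header.split(None, 1)[1]
        own_ip = next((l.split()[2] for l in body if l.startswith("ip address ")), None)
        for line in body:
            m = NAT_SERVER.match(line)
            if m:
                proto, gaddr, gport, iaddr, iport = m.groups()
                if gaddr == "current-interface":
                    gaddr = own_ip
                result[ifname].append((proto, gaddr, int(gport), iaddr, int(iport)))
    return dict(result)


def findings(blocks):
    """Return the review findings a defender would raise on this config."""
    out = []
    for header, body in blocks:
        if header.startswith("interzone ") and "service any_service" in body:
            out.append(f"{header}: rule permits any_service; restrict it to the published ports")
        if header.startswith("ike proposal") and any("3des" in l for l in body):
            out.append(f"{header}: 3DES is a legacy cipher; prefer AES-CBC or AES-GCM")
    # The deny node for server-to-user hairpin traffic must sort before the permit nodes.
    nodes = sorted((int(h.split()[-1]), h.split()[2])
                   for h, _ in blocks if h.startswith("policy-based-route wan "))
    if nodes and nodes[0][1] != "deny":
        out.append("policy-based-route wan: no deny node precedes the permit nodes")
    return out


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_CONFIG)
    for ifname, entries in exposed_services(parsed).items():
        for entry in entries:
            print(ifname, entry)
    for finding in findings(parsed):
        print("FINDING:", finding)
```

Running it lists the five published TCP services per uplink interface and reports two findings (the any_service interzone rule and the 3DES proposal); the policy-route check passes because deny node 9 sorts ahead of permit nodes 10 and 11, which is exactly the ordering the post depends on.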