!
! Object declarations. The export first declares the virtual router, virtual
! switch, zones, interfaces, address-book entries and QoS profiles as empty
! stanzas; zone "untrust", zone "l2-untrust", the interfaces, address ids 3-5
! and the qos-profiles are filled in by later stanzas of the same name.
Version 5.4
ip vrouter "trust-vr"
exit
vswitch "vswitch1"
exit
! Security zones. The three "l2-*" zones carry the l2 keyword; "VPNHub" is the
! zone later assigned to interface tunnel1. "HA" is declared but not referenced
! again in this listing.
zone "trust"
exit
zone "untrust"
exit
zone "dmz"
exit
zone "l2-trust" l2
exit
zone "l2-untrust" l2
exit
zone "l2-dmz" l2
exit
zone "VPNHub"
exit
zone "HA"
exit
interface vswitchif1
exit
interface ethernet0/0
exit
interface ethernet0/1
exit
interface ethernet0/2
exit
interface ethernet0/3
exit
interface ethernet0/4
exit
interface tunnel1
exit
! Address-book names, roughly: id 3 "Zhengzhou business", id 4 "Group
! business", id 5 "Group sales". The names are identifiers used by the rules
! below and must stay exactly as written.
address id 3 "郑州业务"
exit
address id 4 "集团业务"
exit
address id 5 "集团销售"
exit
! QoS profiles: an IP-level and an application-level profile, each for the
! input and output direction (per the "$in"/"$ou" in the names - presumably
! generated by the web UI).
qos-profile "pro_ip_$in_-276404385" ip-qos-profile
exit
qos-profile "pro_ip_$ou_-276404385" ip-qos-profile
exit
qos-profile "pro_app_$in_-276404385" app-qos-profile
exit
qos-profile "pro_app_$ou_-276404385" app-qos-profile
exit
! Local authentication server.
aaa-server "local" type local
exit
! NOTE(review): the administrator password policy is minimal - minimum length
! 4 and complexity 0 (presumably complexity checking off - confirm against the
! device manual). Raise both before this configuration is used outside a lab.
password-policy
admin min-length 4
admin complexity 0
exit
! Administrator account "admin" with privilege RXW (presumably full
! read/execute/write - confirm), allowed to log in over console, telnet, ssh,
! http and https.
! NOTE(review): telnet and http carry the administrator login in cleartext;
! keep console/ssh/https only unless a legacy client really needs the others.
! NOTE(review): the password value looks like the device's stored (encoded or
! hashed) form rather than plaintext - TODO confirm. Treat it as credential
! material either way: it should not be published with the configuration, and
! should be changed if this export came from a live device.
admin user "admin"
password Chko+5Auv+x3OtauThjtQ5IwiI
privilege RXW
access console
access telnet
access ssh
access http
access https
exit
! PKI trust domains. "trust_domain_default" and "trust_domain_ssl_proxy" both
! use keypair "Default-Key", "enrollment self" and the same subject, which
! suggests a self-signed device certificate shared by both (confirm on the
! device). "network_manager_ca" uses "enrollment terminal", presumably a CA
! certificate pasted in from the terminal.
! NOTE(review): clients cannot validate a self-signed certificate unless it is
! pinned or replaced by one issued from a trusted CA. Also confirm that
! "Default-Key" is generated per device and is not a factory-shared key.
pki trust-domain "trust_domain_default"
keypair "Default-Key"
enrollment self
subject commonName "DCFW-1800"
subject organization "DigitalChina Networks Limited"
exit
pki trust-domain "trust_domain_ssl_proxy"
keypair "Default-Key"
enrollment self
subject commonName "DCFW-1800"
subject organization "DigitalChina Networks Limited"
exit
pki trust-domain "network_manager_ca"
enrollment terminal
exit
! Address-book contents.
! id 3 ("Zhengzhou business"): the local subnet 172.30.30.0/24, which is also
! the subnet of interface ethernet0/2.
address id 3 "郑州业务"
ip 172.30.30.0/24
exit
! id 4 ("Group business"): seven 10.30.x.0/24 subnets.
address id 4 "集团业务"
ip 10.30.220.0/24
ip 10.30.200.0/24
ip 10.30.50.0/24
ip 10.30.40.0/24
ip 10.30.30.0/24
ip 10.30.20.0/24
ip 10.30.10.0/24
exit
! id 5 ("Group sales"): 10.30.10.0/24 only. This subnet is also a member of
! id 4, so rules written against id 4 cover id 5 as well.
address id 5 "集团销售"
ip 10.30.10.0/24
exit
! Zone "untrust" (type wan): application identification is on, the four QoS
! profiles are bound (application profiles at the 1st level, IP profiles at
! the 2nd level, each for input and output), and the listed attack-defense
! ("ad") checks are enabled.
! NOTE(review): no thresholds are given for the flood, sweep and port-scan
! checks, so they presumably run at device defaults - confirm the defaults and
! tune them against real traffic so that the checks neither miss floods nor
! drop legitimate bursts.
! NOTE(review): zone "untrust" is the only zone in this listing with "ad"
! lines; "l2-untrust" below is typed wan but has no attack-defense checks.
zone "untrust"
application-identify
qos-profile 1st-level input "pro_app_$in_-276404385"
qos-profile 1st-level output "pro_app_$ou_-276404385"
qos-profile 2nd-level input "pro_ip_$in_-276404385"
qos-profile 2nd-level output "pro_ip_$ou_-276404385"
type wan
ad tear-drop
ad ip-spoofing
ad land-attack
ad ip-option
ad ip-fragment
ad ip-directed-broadcast
ad winnuke
ad port-scan
ad syn-flood
ad icmp-flood
ad ip-sweep
ad ping-of-death
ad udp-flood
exit
zone "l2-untrust" l2
type wan
exit
! Device name.
hostname "FW-2"
! NOTE(review): "admin host any any" presumably allows administrator logins
! from any source address over any enabled service (confirm the meaning of the
! two arguments). Combined with telnet/http being enabled for the admin
! account, the only remaining restriction is the per-interface "manage" list;
! restrict this to the management subnet or hosts.
admin host any any
! IKE phase-1 (ISAKMP) proposals. The names follow <auth>-<hash>-<cipher>-g2
! and each stanza lists only some settings: "psk-sha-3des-g2" is empty, which
! suggests the unlisted values are defaults of pre-shared key, SHA, 3DES and
! DH group 2 (inferred from the naming pattern - confirm on the device).
! NOTE(review): MD5, DES, 3DES and DH group 2 are all deprecated for IKE.
! Defining these proposals is harmless in itself; what matters is which one an
! isakmp peer references. Prefer the strongest hash, cipher and DH group this
! firmware supports for any proposal that is actually in use.
isakmp proposal "psk-md5-des-g2"
hash md5
encryption des
exit
isakmp proposal "psk-md5-3des-g2"
hash md5
exit
isakmp proposal "psk-md5-aes128-g2"
hash md5
encryption aes
exit
isakmp proposal "psk-md5-aes256-g2"
hash md5
encryption aes-256
exit
isakmp proposal "psk-sha-des-g2"
encryption des
exit
isakmp proposal "psk-sha-3des-g2"
exit
isakmp proposal "psk-sha-aes128-g2"
encryption aes
exit
isakmp proposal "psk-sha-aes256-g2"
encryption aes-256
exit
isakmp proposal "rsa-md5-des-g2"
authentication rsa-sig
hash md5
encryption des
exit
isakmp proposal "rsa-md5-3des-g2"
authentication rsa-sig
hash md5
exit
isakmp proposal "rsa-md5-aes128-g2"
authentication rsa-sig
hash md5
encryption aes
exit
isakmp proposal "rsa-md5-aes256-g2"
authentication rsa-sig
hash md5
encryption aes-256
exit
isakmp proposal "rsa-sha-des-g2"
authentication rsa-sig
encryption des
exit
isakmp proposal "rsa-sha-3des-g2"
authentication rsa-sig
exit
isakmp proposal "rsa-sha-aes128-g2"
authentication rsa-sig
encryption aes
exit
isakmp proposal "rsa-sha-aes256-g2"
authentication rsa-sig
encryption aes-256
exit
isakmp proposal "dsa-sha-des-g2"
authentication dsa-sig
encryption des
exit
isakmp proposal "dsa-sha-3des-g2"
authentication dsa-sig
exit
isakmp proposal "dsa-sha-aes128-g2"
authentication dsa-sig
encryption aes
exit
isakmp proposal "dsa-sha-aes256-g2"
authentication dsa-sig
encryption aes-256
exit
! "ike1" is the proposal referenced by isakmp peer "peer". It sets nothing
! explicitly, so the tunnel's phase 1 runs entirely on device defaults -
! presumably the same pre-shared key / SHA / 3DES / group 2 set inferred above.
! NOTE(review): state hash, encryption and group explicitly here so the
! negotiated suite is visible in the configuration and does not change
! silently with a firmware default.
isakmp proposal "ike1"
exit
! IKE peer "peer": negotiates with 202.99.192.1 through interface ethernet0/1
! using phase-1 proposal "ike1" and a pre-shared key.
! NOTE(review): the pre-share value looks like the device's stored (encoded)
! form rather than the plaintext key - TODO confirm. It is still secret
! material: anyone who can load this configuration onto the same platform can
! presumably reuse it, so it should not be published and should be replaced if
! this export came from a live tunnel.
! NOTE(review): proposal "ike1" sets no explicit hash, cipher or DH group, so
! this peer depends on device defaults for its phase-1 strength.
isakmp peer "peer"
isakmp-proposal "ike1"
pre-share "kmfcan/wRtChDtZQtKMVCSIiGnABLe"
peer 202.99.192.1
interface ethernet0/1
exit
! IPsec phase-2 proposals (ESP, per the names). Each sets hash and encryption
! explicitly. The "-g2" variants add "group 2"; the "-g0" variants have no
! group line, which presumably means no PFS (no fresh Diffie-Hellman exchange
! for phase-2 keys) - confirm on the device.
! NOTE(review): MD5, DES, 3DES and DH group 2 are deprecated for IPsec. Use the
! strongest hash, cipher and PFS group this firmware supports for any proposal
! that a tunnel actually references.
ipsec proposal "esp-md5-des-g2"
hash md5
encryption des
group 2
exit
ipsec proposal "esp-md5-des-g0"
hash md5
encryption des
exit
ipsec proposal "esp-md5-3des-g2"
hash md5
encryption 3des
group 2
exit
ipsec proposal "esp-md5-3des-g0"
hash md5
encryption 3des
exit
ipsec proposal "esp-md5-aes128-g2"
hash md5
encryption aes
group 2
exit
ipsec proposal "esp-md5-aes128-g0"
hash md5
encryption aes
exit
ipsec proposal "esp-md5-aes256-g2"
hash md5
encryption aes-256
group 2
exit
ipsec proposal "esp-md5-aes256-g0"
hash md5
encryption aes-256
exit
ipsec proposal "esp-sha-des-g2"
hash sha
encryption des
group 2
exit
ipsec proposal "esp-sha-des-g0"
hash sha
encryption des
exit
ipsec proposal "esp-sha-3des-g2"
hash sha
encryption 3des
group 2
exit
ipsec proposal "esp-sha-3des-g0"
hash sha
encryption 3des
exit
ipsec proposal "esp-sha-aes128-g2"
hash sha
encryption aes
group 2
exit
ipsec proposal "esp-sha-aes128-g0"
hash sha
encryption aes
exit
ipsec proposal "esp-sha-aes256-g2"
hash sha
encryption aes-256
group 2
exit
ipsec proposal "esp-sha-aes256-g0"
hash sha
encryption aes-256
exit
! "ike2" is the proposal referenced by tunnel ipsec "ipsec": SHA with 3DES and
! no group line (presumably no PFS). Despite its name it is a phase-2 (ipsec)
! proposal, not an IKE one.
! NOTE(review): this is the suite that protects the tunnel's traffic; an AES
! proposal with a PFS group would be the stronger choice among those already
! defined above.
ipsec proposal "ike2"
hash sha
encryption 3des
exit
! IPsec tunnel "ipsec" (auto): uses IKE peer "peer" and phase-2 proposal
! "ike2". The id line names the proxy ID as local 202.99.192.66/32, remote
! 202.99.192.1/32, service "GRE", so the tunnel protects GRE between the two
! public endpoints rather than the inner subnets directly.
! NOTE(review): "accept-all-proxy-id" presumably makes the device accept
! whatever proxy ID the peer proposes, which would make the id line above
! non-binding when this side responds - confirm, and remove it if the peer can
! be configured with the exact matching ID.
tunnel ipsec "ipsec" auto
isakmp-peer "peer"
ipsec-proposal "ike2"
id local 202.99.192.66/32 remote 202.99.192.1/32 service "GRE"
track-event-notify enable
accept-all-proxy-id
exit
! GRE tunnel "gre" between 202.99.192.66 and 202.99.192.1 over ethernet0/1;
! "next-tunnel ipsec ipsec" hands the GRE packets to IPsec tunnel "ipsec"
! (GRE over IPsec). No GRE key or checksum option appears in this listing.
tunnel gre "gre"
source 202.99.192.66
destination 202.99.192.1
interface ethernet0/1
next-tunnel ipsec ipsec
exit
! ethernet0/0: zone "trust", 192.168.1.1/24, with every management service
! enabled (ssh, telnet, ping, snmp, http, https).
! NOTE(review): telnet and http are cleartext management channels; drop them
! and keep ssh/https. The SNMP version and community settings are not visible
! in this listing - confirm they are not left at defaults.
interface ethernet0/0
zone "trust"
ip address 192.168.1.1 255.255.255.0
manage ssh
manage telnet
manage ping
manage snmp
manage http
manage https
exit
! ethernet0/1: zone "untrust", the WAN link 202.99.192.66/30. Only ping is
! enabled as a management service here, so no login service is offered on the
! WAN side by this stanza.
interface ethernet0/1
zone "untrust"
ip address 202.99.192.66 255.255.255.252
bandwidth downstream 1000000000
bandwidth upstream 100000000
manage ping
reverse-route prefer
exit
! ethernet0/2: zone "trust", 172.30.30.254/24 - the same subnet as address
! entry id 3, so presumably the gateway for those hosts. Ping only.
interface ethernet0/2
zone "trust"
ip address 172.30.30.254 255.255.255.0
manage ping
reverse-route prefer
exit
! tunnel1: zone "VPNHub", 10.30.254.34/30, bound to GRE tunnel "gre". Ping only.
interface tunnel1
zone "VPNHub"
ip address 10.30.254.34 255.255.255.252
manage ping
tunnel gre "gre"
exit
! Routing and NAT in virtual router "trust-vr".
! snatrule 1: source NAT for any traffic leaving through ethernet0/1,
! translated to the egress interface address with dynamic port allocation.
! Routes: default via 202.99.192.65; 10.30.10.0/24 via tunnel1.
! NOTE(review): 10.30.10.0/24 is the only subnet routed into tunnel1 in this
! listing. Address entry id 4 lists six further 10.30.x.0/24 subnets, and
! rules 3 and 4 reference id 4 with zone "VPNHub"; unless routes exist
! elsewhere, traffic to those six subnets would follow the default route out
! of ethernet0/1 unencrypted, be source-NATed, and match the trust-to-untrust
! rule instead. Confirm whether the missing routes are intended.
ip vrouter "trust-vr"
snatrule id 1 from "Any" to "Any" service "Any" eif ethernet0/1 trans-to eif-ip mode dynamicport
ip route 0.0.0.0/0 202.99.192.65
ip route 10.30.10.0/24 tunnel1
exit
! QoS classification. Class-map names, roughly: the first is "speed limit"
! (matches address entry id 3), the second is "HTTP rate limit" (matches
! application "HTTP"). The names are identifiers and must stay as written.
class-map "网速限制"
match address "郑州业务"
exit
class-map "http限速"
match application "HTTP"
exit
! IP-level profiles (input and output are identical): for the address class,
! a flex-qos maximum bandwidth of 100000 and a per-IP maximum of 4096. Units
! are not stated in this listing - confirm against the device manual.
qos-profile "pro_ip_$in_-276404385" ip-qos-profile
class "网速限制"
flex-qos max-bandwidth 100000
ip-qos per-ip max-bandwidth 4096
match-priority 255
exit
exit
qos-profile "pro_ip_$ou_-276404385" ip-qos-profile
class "网速限制"
flex-qos max-bandwidth 100000
ip-qos per-ip max-bandwidth 4096
match-priority 255
exit
exit
! Application-level profiles for the HTTP class. The two directions differ:
! input polices at 10240 and drops the excess, output uses a "bandwidth 10240"
! statement instead.
qos-profile "pro_app_$in_-276404385" app-qos-profile
class "http限速"
police 10240 conform-action transmit exceed-action drop
match-priority 255
exit
exit
qos-profile "pro_app_$ou_-276404385" app-qos-profile
class "http限速"
bandwidth 10240
match-priority 255
exit
exit
! Security policy. All four rules are permits; no logging option is visible on
! any of them in this listing.
! NOTE(review): if the platform supports per-rule session logging, enable it at
! least on rule 1 so that outbound activity can be reconstructed later.
!
! Rule 1: trust -> untrust, from address entry id 3 (172.30.30.0/24) to any
! destination on any service.
! NOTE(review): this is unrestricted egress for the whole subnet; narrow the
! service list to what the hosts need if that is known.
rule id 1
action permit
src-zone "trust"
dst-zone "untrust"
src-addr "郑州业务"
dst-addr "Any"
service "Any"
exit
! Rule 2: trust -> VPNHub, from address entry id 3 to id 5 (10.30.10.0/24),
! HTTP and HTTPS only.
rule id 2
action permit
src-zone "trust"
dst-zone "VPNHub"
src-addr "郑州业务"
dst-addr "集团销售"
service "HTTP"
service "HTTPS"
exit
! Rule 3: trust -> VPNHub, from address entry id 3 to id 4, PING only.
rule id 3
action permit
src-zone "trust"
dst-zone "VPNHub"
src-addr "郑州业务"
dst-addr "集团业务"
service "PING"
exit
! Rule 4: the reverse direction of rule 3 - VPNHub -> trust, from id 4 to
! id 3, PING only.
rule id 4
action permit
src-zone "VPNHub"
dst-zone "trust"
src-addr "集团业务"
dst-addr "郑州业务"
service "PING"
exit
! Global forwarding settings: non-IP layer-2 traffic is dropped, ALG handling
! is automatic with the SIP ALG explicitly turned off, and TCP MSS is set to
! 1448 for all traffic (presumably MSS clamping to leave room for the GRE and
! IPsec overhead - confirm the value against the tunnel's real overhead).
l2-nonip-action drop
alg auto
no alg sip
tcp-mss all 1448
ecmp-rout