华为usg2210防火墙配置实例
# NOTE(review): this listing appears to come from a two-column document whose
# columns were merged during extraction. Fragments of two configuration
# sections alternate line by line ("detect ..." entries between system-view
# commands), and several lines are truncated or fused ("#s", "#i",
# "l2tp enabledetect netbi"). Re-check every command against the device before
# reusing any of it.
# Visible in this part: the device name (USG2200), L2TP being enabled, and an
# IKE dead-peer-detection interval of 10.
# "undo tunnel authentic" is cut off; it looks like L2TP tunnel authentication
# being switched off -- confirm, because that removes the check on the tunnel
# peer and leaves only the per-user PPP authentication.
detect h323
d
09:29:14 2016/03/17
detect qq
#
sysname USG2200
detect
#s
l2tp enabledetect netbi
undo l2tp domain suffix-separator @
undo tunnel authentic
#i
ike dpd interval 10
allow l2tp
#i
# The four "firewall packet-filter default permit" lines set the default action
# to permit between the device itself (local zone) and both the trust and the
# untrust zone, in both directions. With permit as the default towards untrust,
# any service the firewall itself runs (this file also enables web management
# on 8443 and web authentication on 8888) is reachable from the outside unless
# a more specific rule blocks it. A safer baseline is a default deny for
# local<->untrust with explicit permits for the protocols the VPN needs.
# NOTE(review): lines from an AAA/local-user section are interleaved with these
# commands by the extraction; the trailing "unicast" and the fused text after
# "outbound" do not belong to the packet-filter commands.
firewall packet-filter default permit interzone local trust direction inbound unicast
undo synchronization
#
firewall packet-filter default permit interzone local trust direction outbound
local-user user2
firewall packet-filter default permit interzone local untrust direction inbound
# The ciphertext below (truncated here) is a stored user password. Once a
# configuration has been published, every password or key in it should be
# treated as disclosed and replaced on the device.
local-user user3 password cipher %$%$`;WkNM${E;O=5--=%y
firewall packet-filter default permit interzone local untrust direction outboundal-user user3 service-type ppp local-user use
authentication-mode vpndb
#
# "nat server ... protocol udp ... any inside ... any" maps every UDP port of
# the public address to the internal host 192.100.7.73. If only one service is
# meant to be published, map that port alone instead of "any".
# NOTE(review): "heme test.scm" is a fragment of another line fused on here.
nat server 1 protocol udp global 218.56.104.*** any inside 192.100.7.73 anyheme test.scm
authorization-mode vpndb
#
ip df-unreachables enableaccounting-scheme default
domain dot1x
firewall ipv6 statistic system enable
authentication-scheme test.sc
#
# Global services and attack-defence settings.
# - SYN-, ARP- and SIP-flood defence are enabled; SIP-flood detection covers
#   ports 1-65535. The UDP-flood fingerprint limits are 5 (per destination) and
#   3 (per source); the unit is not shown here -- check it on the device, as
#   values this low could also drop legitimate traffic.
# - "pki certificate access-control-policy default permit": the default action
#   of the certificate access-control policy is permit, so a certificate that
#   matches no rule is presumably accepted -- confirm this is intended.
# - "dns proxy enable" makes the firewall answer DNS queries for clients;
#   verify that it cannot be queried from the untrust zone.
# - "web-manager enable" turns on web management in addition to the secured
#   variant on port 8443 (presumably plain HTTP next to HTTPS -- confirm). If
#   only HTTPS is needed, leave the unsecured variant off, and restrict both
#   management and the web-authentication port 8888 to trusted source addresses.
dns resolve
firewall defend syn-flood enable
firewall defend arp-flood enable
firewall defend sip-flood enable
firewall defend udp-flood fingerprint-hit destination-max-rate 5
firewall defend udp-flood fingerprint-hit source-max-rate 3
firewall defend sip-flood port range 1 65535
#
firewall statistic system enable
#
pki certificate access-control-policy default permit
#
dns proxy enable
#
license-server domain
#
web-manager enable
web-manager security enable port 8443
#
user-manage web-authentication security port 8888
#
# RADIUS and LDAP server templates, both named test.tpl. No server address,
# shared key or bind account is visible in this excerpt.
# The LDAP values look like unedited placeholders: base DN
# "dc=my-domain,dc=com" and an authentication filter of (objectclass=*), which
# matches every directory object. Before production use, set the real base DN
# and narrow the filter to the user object class that is allowed to log in.
# NOTE(review): nothing here shows whether the LDAP connection is protected
# (e.g. by TLS); check this, since bind credentials cross that link.
#
radius-server template test.tpl
#
#
ldap-server template test.tpl
ldap-server authentication base-dn dc=my-domain,dc=com ldap-server group-filter ou
ldap-server authentication-filter (objectclass=*) ldap-server user-filter cn
ldap-server server-type ad-ldap
#
# ACL definitions (two rules are fused onto each rule line by the extraction).
# - acl 2001 permits the source networks 192.100.7.0/24 and 10.10.10.0/24;
#   where it is applied is not visible in this excerpt.
# - acl 3000 permits UDP with source port 1701 or destination port 1701 (L2TP);
#   it is referenced by the IPsec policy template later in the file, so only
#   L2TP traffic is selected for protection.
# - acl 3001 is defined without rules.
# NOTE(review): 192.100.7.0/24 is not a private (RFC 1918) range. Using it
# internally can shadow real Internet destinations -- confirm the addressing.
acl number 2001
rule 5 permit source 192.100.7.0 0.0.0.255 rule 10 permit source 10.10.10.0 0.0.0.255
acl number 3000
rule 5 permit udp source-port eq 1701 rule 10 permit udp destination-port eq 1701 #
acl number 3001
#
# IKE proposal for the L2TP-over-IPsec remote-access VPN.
# The offered algorithms are legacy choices: 3DES encryption, Diffie-Hellman
# groups 2 and 1, and HMAC-MD5-96 among the integrity algorithms. They are
# usually kept only for old clients. Where the software version and the clients
# allow it, offer AES with a SHA-2 integrity algorithm and a larger DH group,
# and remove group1 and MD5 from the list.
ike proposal 1
encryption-algorithm 3des-cbc
dh group2 group1
integrity-algorithm aes-xcbc-96 hmac-sha1-96 hmac-md5-96 #
# IKE peer used by the policy template below.
# - The pre-shared key is stored as ciphertext, but this file has been
#   published: treat the key as disclosed and never reuse it.
# - "exchange-mode auto" and "remote-id-type none" mean the peer identity is
#   not pinned, and the device presumably accepts whichever exchange mode the
#   client proposes (confirm). Every client then shares one key, so the key's
#   strength and the per-user L2TP/PPP authentication carry the security.
ike peer ike20111583362
exchange-mode auto
ike negotiate compatible
pre-shared-key %$%$sEPH;hfv{*71&V3Zc:QS^C:1%$%$ ike-proposal 1
remote-id-type none
#
# IPsec (ESP) proposal: SHA-1 authentication with 3DES encryption -- the same
# legacy caveat as for the IKE proposal applies.
ipsec proposal prop20111583362
encapsulation-mode auto
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
# Policy template for point-to-multipoint L2TP user access. It protects the
# traffic matched by acl 3000 (UDP 1701), uses the IKE peer and proposal above,
# and re-keys each SA after 3600 (time-based) or 1843200 (traffic-based).
# The units are not shown here; check them on the device.
# NOTE(review): the final "ipsec policy" line is truncated after "template tpl";
# the template name presumably continues as tpl20111583362.
ipsec policy-template tpl20111583362 1 security acl 3000
security acl public-ip-transparent
ike-peer ike20111583362
alias celue1
scenario point-to-multipoint l2tp-user-access proposal prop20111583362
local-address applied-interface
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy ipsec2011158331 10000 isakmp template tpl #
interface Cellular0/1/0
link-protocol ppp
#