攻城狮论坛

Author: 当当
Views: 5561 | Replies: 58

[Security] Help request: L2L VPN between a Cisco ASA 5520 and a Huawei Eudemon 300 does not come up

peinile [Lv4 Showing Promise] posted on 2013-6-19 04:37:41
How can I confirm that the IPsec SA has been established?

gyf200311 [Lv5 Growing Steadily] posted on 2013-6-19 05:33:34
This is the Huawei configuration:
#
acl number 2000
 rule 0 permit source 172.16.14.1 0
 rule 1 permit source 172.16.1.0 0.0.0.255
 rule 3 permit source 172.16.2.1 0
 rule 4 permit source 172.16.2.13 0
 rule 5 permit source 172.16.10.0 0.0.0.255
 rule 6 permit source 172.16.16.2 0
 rule 7 permit source 172.16.2.2 0
 rule 8 permit source 172.16.14.50 0
 rule 10 deny
acl number 2001
 rule 0 permit source 172.16.12.51 0
 rule 5 deny
acl number 2002
 rule 0 permit source 172.16.12.61 0
 rule 5 deny
acl number 2003
 rule 0 permit source 172.15.10.4 0
 rule 5 deny
#
acl number 3000
 description dmz-trust
 rule 0 permit tcp source 172.16.12.61 0 destination 172.16.10.71 0 destination-port eq 4008
 rule 1 permit tcp source 172.16.12.61 0 destination 172.16.10.71 0 destination-port eq 8898
 rule 2 permit tcp source 172.16.12.61 0 destination 172.16.10.71 0 destination-port eq 8868
 rule 3 permit tcp source 172.16.12.61 0 destination 172.16.10.71 0 destination-port eq 8858
 rule 4 permit tcp source 172.16.12.61 0 destination 172.16.14.155 0 destination-port eq 4008
 rule 5 permit tcp source 172.16.12.61 0 destination 172.16.14.155 0 destination-port eq 8898
 rule 6 permit tcp source 172.16.12.61 0 destination 172.16.14.155 0 destination-port eq 8868
 rule 7 permit tcp source 172.16.12.61 0 destination 172.16.14.155 0 destination-port eq 8858
 rule 8 permit tcp source 172.16.12.51 0 destination 172.16.10.71 0 destination-port eq 4003
 rule 9 permit tcp source 172.16.12.61 0 destination 172.16.10.71 0 destination-port eq ftp
 rule 10 permit tcp source 172.16.12.61 0 destination 172.16.10.51 0 destination-port eq ftp
 rule 11 permit tcp source 172.16.12.61 0 destination 172.16.14.155 0 destination-port eq ftp
 rule 12 permit tcp source 172.16.12.51 0 destination 172.16.14.155 0 destination-port eq ftp
 rule 13 permit tcp source 172.16.12.51 0 destination 172.16.10.71 0 destination-port eq ftp
 rule 14 permit tcp source 172.16.12.51 0 destination 172.16.10.51 0 destination-port eq ftp
 rule 15 permit tcp source 172.16.12.51 0 destination 172.16.14.155 0 destination-port eq 4003
 rule 16 permit ospf
 rule 17 permit tcp source 172.16.12.51 0 destination 172.16.10.101 0 destination-port eq 8
 rule 18 deny tcp
acl number 3001
 description For Untrust-dmz
 rule 0 permit tcp source 172.16.20.0 0.0.0.255 destination 172.16.12.51 0 destination-port eq 5000
 rule 5 permit icmp
 rule 10 permit ospf
 rule 15 deny tcp source 172.16.20.0 0.0.0.255
acl number 3002
 description To_Yinlian
 rule 0 permit ip source 9.234.21.63 0 destination 144.234.97.33 0
 rule 5 permit ip source 9.234.21.64 0 destination 144.234.97.33 0
 rule 10 permit ip source 9.234.21.66 0 destination 144.234.97.33 0
 rule 15 deny ip
acl number 3003
 description for Untrust-Trust
 rule 0 permit ip source 10.78.72.70 0 destination 172.15.10.4 0
 rule 1 permit ip source 172.16.2.26 0 destination 172.16.10.111 0
 rule 2 permit ip source 172.16.2.26 0 destination 172.16.14.1 0
 rule 3 permit ip source 10.78.72.153 0 destination 172.15.10.4 0
 rule 4 permit ip source 10.78.72.157 0 destination 172.15.10.4 0
 rule 5 permit ip source 192.168.100.43 0 destination 172.15.10.4 0
 rule 6 permit ip source 10.16.2.7 0 destination 172.15.10.4 0
 rule 7 permit ip source 10.16.2.5 0 destination 172.15.10.4 0
 rule 8 permit ip source 10.16.2.6 0 destination 172.15.10.4 0
 rule 9 permit ip source 10.16.2.8 0 destination 172.15.10.4 0
 rule 11 permit ip source 10.139.25.26 0 destination 172.15.10.4 0
 rule 13 permit ip source 10.143.10.183 0 destination 172.15.10.4 0
 rule 50 deny ip
acl number 3004
 rule 0 permit ip source 172.16.1.7 0 destination 172.16.10.111 0
acl number 3005
 description TO_dudubao
 rule 0 permit tcp destination 172.15.10.4 0 destination-port eq 6868
 rule 1 permit tcp destination 172.15.10.4 0 destination-port eq ftp-data
 rule 2 permit tcp destination 172.15.10.4 0 destination-port eq ftp
acl number 3006
 rule 0 permit ip source 172.16.12.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
acl number 3007
 rule 0 deny ip source 172.16.12.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
 rule 1 permit ip source 172.16.12.0 0.0.0.255
#
 sysname NB_Eudemon300-A
#
 super password level 3 cipher '._1D9P1YCQ=^Q`MAF4<1!!
#
 info-center loghost 172.16.10.192
 info-center loghost 172.16.10.111
#
 hrp enable
 hrp interface Ethernet2/0/7
#
 router id 172.16.1.3
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local hrp direction inbound
 firewall packet-filter default permit interzone local hrp direction outbound
 firewall packet-filter default permit interzone local gprs direction inbound
 firewall packet-filter default permit interzone local gprs direction outbound
 firewall packet-filter default permit interzone local dudubao direction inbound
 firewall packet-filter default permit interzone local dudubao direction outbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone trust gprs direction inbound
 firewall packet-filter default permit interzone trust gprs direction outbound
 firewall packet-filter default permit interzone trust dudubao direction inbound
 firewall packet-filter default permit interzone trust dudubao direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone dmz gprs direction inbound
 firewall packet-filter default permit interzone dmz gprs direction outbound
 firewall packet-filter default permit interzone dmz dudubao direction inbound
 firewall packet-filter default permit interzone dmz dudubao direction outbound
#
 nat address-group 3 145.234.97.33 145.234.97.33
 nat address-group 5 144.234.97.33 144.234.97.33
 nat server zone gprs  global 144.234.97.33 inside 172.16.12.61
#
 bypass switch-back auto
#
 firewall mode route
#
 firewall defend ip-spoofing enable
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend winnuke enable
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-redirect enable
 firewall defend icmp-unreachable enable
 firewall defend ip-sweep enable
 firewall defend port-scan enable
 firewall defend route-record enable
 firewall defend ping-of-death enable
 firewall defend teardrop enable
 firewall defend tcp-flag enable
 firewall defend large-icmp enable
#
 firewall statistic system enable
#
ike proposal 1
#
ike peer a
 pre-shared-key cnnbtk
 ike-proposal 1
 remote-address 119.57.5.5
#
ipsec proposal tran1
#
ipsec policy map1 1 isakmp
 security acl 3006
 pfs dh-group2
 ike-peer a
 proposal tran1
 local-address 60.12.194.14
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet2/0/0
 description To_S5624-A(1/0/24)
 ip address 172.16.2.9 255.255.255.252
 ospf cost 100
#
interface Ethernet2/0/1
 description To_Yinlian
 ip address 145.234.132.154 255.255.255.252
#
interface Ethernet2/0/2
 description To_S6506R_A(7/0/48)
 ip address 172.16.2.2 255.255.255.252
 ospf cost 100
#
interface Ethernet2/0/3
 description To-dudubao
 ip address 60.12.194.14 255.255.255.240
 ipsec policy map1
#
interface Ethernet2/0/4
#
interface Ethernet2/0/5
#
interface Ethernet2/0/6
#
interface Ethernet2/0/7
 description To_Eudemon300-B_E2/0/7
 ip address 172.16.2.201 255.255.255.248
 vrrp vrid 1 virtual-ip 172.16.2.203
 vrrp vrid 1 priority 150
 vrrp vrid 1 preempt-mode timer delay 60
 vrrp vrid 2 virtual-ip 172.16.2.204
#
interface GigabitEthernet1/0/0
 shutdown
#
interface GigabitEthernet1/0/1
 description To_S5624-B(1/0/25)
 ip address 172.16.2.25 255.255.255.252
 ospf cost 500
#
interface NULL0
#
interface LoopBack0
 ip address 172.16.1.3 255.255.255.255
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 detect ftp
 add interface Ethernet2/0/2
#
firewall zone untrust
 set priority 5
 detect ftp
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface Ethernet2/0/0
#
firewall zone name hrp
 set priority 40
 add interface Ethernet2/0/7
#
firewall zone name gprs
 set priority 4
 detect ftp
 add interface Ethernet2/0/1
#
firewall zone name dudubao
 set priority 3
 detect ftp
 add interface Ethernet2/0/3
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local dmz
#
firewall interzone local hrp
#
firewall interzone local gprs
#
firewall interzone local dudubao
#
firewall interzone trust untrust
 packet-filter 3003 inbound
 detect ftp
#
firewall interzone trust dmz
#
firewall interzone trust hrp
#
firewall interzone trust gprs
 nat outbound 2003 address-group 3
 detect ftp
#
firewall interzone trust dudubao
 packet-filter 3005 inbound
 detect ftp
#
firewall interzone dmz untrust
#
firewall interzone hrp untrust
#
firewall interzone untrust gprs
#
firewall interzone untrust dudubao
#
firewall interzone dmz hrp
#
firewall interzone dmz gprs
 packet-filter 3002 inbound
 nat outbound 2002 address-group 5
 detect ftp
#
firewall interzone dmz dudubao
 packet-filter 3006 outbound
#
firewall interzone hrp gprs
#
firewall interzone hrp dudubao
#
firewall interzone gprs dudubao
#
vrrp group 1
 add interface Ethernet2/0/7 vrrp vrid 1 data
 vrrp-group enable
 vrrp-group priority 105
 vrrp-group preempt delay 60
 undo vrrp-group group-send
vrrp group 2
 add interface Ethernet2/0/7 vrrp vrid 2 data
 vrrp-group enable
 undo vrrp-group preempt
 undo vrrp-group group-send
#
aaa
 local-user huawei password cipher 1_`%CO&$8@7"+C5`;6XL!!!
 local-user huawei service-type terminal telnet ssh
 local-user huawei level 1
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
ospf 1
 import-route static
 area 0.0.0.0
  network 172.16.1.3 0.0.0.0
  network 172.16.2.0 0.0.0.3
  network 172.16.2.8 0.0.0.3
  network 172.16.2.24 0.0.0.3
#
 ip route-static 9.234.21.0 255.255.255.0 145.234.132.153
 ip route-static 10.0.1.0 255.255.255.0 60.12.194.129
 ip route-static 61.14.10.218 255.255.255.255 60.12.194.129
 ip route-static 119.57.5.0 255.255.255.0 60.12.194.129
 ip route-static 172.15.10.4 255.255.255.255 172.16.2.1
 ip route-static 221.136.75.25 255.255.255.255 60.12.194.129
#
 snmp-agent
 snmp-agent local-engineid 000007DB7F00000100001BEE
 snmp-agent community read  nbcardro
 snmp-agent sys-info version all
#
 ssh server timeout 30
 ssh server rekey-interval 24
 ssh user huawei authentication-type password
#
user-interface con 0
 authentication-mode aaa
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 idle-timeout 5 0
#
return

honey8064 [Lv8 Technically Sharp] posted on 2013-6-19 06:24:03
Please help take a look.

bumingxin [Lv4 Showing Promise] posted on 2013-6-19 07:29:47
Could you help check what is wrong with the route from 172.16.12.71 to 60.12.194.140?

xsdlng [Lv4 Showing Promise] posted on 2013-6-19 07:31:32
sh crypto ipsec sa detail

Crypto map tag: mymap, seq num: 20, local addr: 119.57.5.5

      access-list outside_20_cryptomap permit ip host 10.0.1.17 172.16.12.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.1.17/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.12.0/255.255.255.0/0/0)
      current_peer: 60.12.194.14

      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 119.57.5.5, remote crypto endpt.: 60.12.194.14

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: ED424D37

    inbound esp sas:
      spi: 0xFE26B574 (4263949684)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 26, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (1710000/3582)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xED424D37 (3980545335)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 26, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (1709998/3580)
         IV size: 8 bytes
         replay detection support: Y
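
Added example, not part of any post in this thread: one way to answer the opening question from the ASA side is to parse `show crypto ipsec sa detail` output, treat an entry as established only when it has both an inbound and an outbound SPI, and compare the encaps and decaps counters to see whether traffic flows in both directions. The function names and finding codes are this example's own, and the sample text is a constructed abridgement of the output posted above.

```python
import re

# Constructed sample, abridged from the ASA output quoted in the thread.
SAMPLE = """\
Crypto map tag: mymap, seq num: 20, local addr: 119.57.5.5
      local ident (addr/mask/prot/port): (10.0.1.17/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.12.0/255.255.255.0/0/0)
      current_peer: 60.12.194.14
      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0xFE26B574 (4263949684)
         transform: esp-des esp-md5-hmac none
    outbound esp sas:
      spi: 0xED424D37 (3980545335)
         transform: esp-des esp-md5-hmac none
"""

# Transforms seen in the thread that no longer give adequate protection.
WEAK = {"esp-des", "esp-md5-hmac"}

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts ([^:]+): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag:' entry in the CLI output."""
    entries, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"peer": None, "idents": {}, "counters": {},
                   "spi": {"inbound": [], "outbound": []}, "transforms": set()}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue  # banner or prompt lines before the first entry
        m = IDENT_RE.match(line)
        if m:
            cur["idents"][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("#pkts"):
            for name, value in COUNTER_RE.findall(line):
                cur["counters"][name.strip()] = int(value)
        elif line in ("inbound esp sas:", "outbound esp sas:"):
            direction = line.split()[0]
        elif line.startswith("spi:") and direction:
            cur["spi"][direction].append(line.split()[1])
        elif line.startswith("transform:"):
            cur["transforms"].update(line.split(":", 1)[1].split())
    return entries


def assess(entry):
    """Return finding codes for one parsed entry (empty list = healthy)."""
    findings = []
    if not entry["spi"]["inbound"] or not entry["spi"]["outbound"]:
        findings.append("NO_SA_PAIR")   # phase 2 has not completed
    enc = entry["counters"].get("encaps", 0)
    dec = entry["counters"].get("decaps", 0)
    if enc > 0 and dec == 0:
        findings.append("TX_ONLY")      # we encrypt, peer sends nothing back
    elif dec > 0 and enc == 0:
        findings.append("RX_ONLY")      # peer sends, we never encrypt
    weak = sorted(WEAK & entry["transforms"])
    if weak:
        findings.append("WEAK_TRANSFORM " + ",".join(weak))
    return findings


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(e["peer"], e["idents"], assess(e))
```

On the sample, the SA pair exists but the entry is reported as `TX_ONLY`: the ASA has encapsulated 18 packets and decapsulated none, so the next place to look is the return path on the peer side.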

mjf1125 [Lv8 Technically Sharp] posted on 2014-3-22 20:49:39
Really benefited a lot.

isslee [Lv8 Technically Sharp] posted on 2014-3-25 13:12:46
Replying after reading a post is a virtue! :lol

润土 [Lv8 Technically Sharp] posted on 2014-3-26 10:05:32
What is this thing?

该用户不存在 [VIP@Diamond] posted on 2014-3-26 12:04:40
Grabbing, grabbing, grabbing the first-reply spot~

dtdonald [Lv8 Technically Sharp] posted on 2014-3-26 22:35:41
Good, learned something, really not bad.