H3C-F100-A 基本配置

#
# Device hostname.
 sysname H3C
#
# Packet filtering is enabled, but traffic that matches no ACL rule is
# permitted (default-allow).
# NOTE(review): no ACL is bound as a packet filter anywhere in this listing,
# so this default is the only filtering decision visible here. A default of
# "firewall packet-filter default deny" with explicit permit rules is the
# safer baseline - confirm the intended policy before reusing this template.
 firewall packet-filter enable
 firewall packet-filter default permit
#
# NOTE(review): presumably separates the F100-A's built-in LAN ports so each
# one acts as an independent interface - confirm against the platform manual.
 insulate
#
# Two single-address NAT pools: group 1 = 213.192.15.34, group 2 = 213.192.15.35.
# NOTE(review): the static mapping below gives a public address as the inside
# IP and an RFC 1918 address as the global IP, which looks reversed.
# 213.192.15.34 is also the primary address of Ethernet1/0 and the only
# address in group 1 - confirm what this entry is meant to do.
 nat address-group 1 213.192.15.34 213.192.15.34
 nat address-group 2 213.192.15.35 213.192.15.35
 nat static inside ip 213.192.15.34 global ip 192.168.44.10
#
# Turns on system-wide firewall statistics.
 firewall statistic system enable
#
# RADIUS scheme "system" and ISP domain "system". No RADIUS server address is
# configured in this listing, so the only account shown is the local user below.
radius scheme system
 server-type extended
#
domain system
#
# Local administrator account: Telnet service only, command level 3 (the
# highest Comware privilege level).
# NOTE(review): "password simple" keeps the password in clear text in the
# saved configuration, which is why it is readable in this listing. A
# credential that has appeared in a shared or published config should be
# treated as exposed and changed. Prefer "password cipher" so the stored form
# is not plain text.
# NOTE(review): Telnet carries the login in clear text on the wire, and
# Ethernet1/0 in this listing maps the public Telnet port to the device
# itself. Prefer an SSH service type if the platform supports it, and keep
# management logins off the public interface.
local-user yang
 password simple xgx!Q@W#E
 service-type telnet
 level 3
#
# Basic (source-address-only) ACLs. In this listing they are referenced only
# by the "nat outbound" lines on Ethernet1/0 to select which inside subnet is
# translated to which address group; they are not applied as packet filters.
#   2001 -> 192.168.1.0/24 (wildcard 0.0.0.255)
#   2002 -> 192.168.2.0/24 (wildcard 0.0.0.255)
acl number 2001                          
 rule 1 permit source 192.168.1.0 0.0.0.255
acl number 2002
 rule 0 permit source 192.168.2.0 0.0.0.255
#
# Auxiliary serial port in flow mode.
interface Aux0
 async mode flow
#
# Inside LAN gateway, 192.168.1.1/24. Placed in the trust zone further down.
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
#
# Second inside segment, 192.168.2.1/24. Placed in the DMZ zone further down.
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
#
# Ethernet0/2 and Ethernet0/3 carry no configuration and are not added to any
# zone in this listing.
interface Ethernet0/2
#
interface Ethernet0/3
#
# Internet-facing interface: public addresses, outbound NAT and all published
# services live here.
#
# Addressing: 213.192.15.34/30 primary, 213.192.15.35/30 secondary.
# NOTE(review): within 213.192.15.32/30 the address .35 is the subnet
# broadcast address - confirm the addressing with the provider.
#
# Outbound NAT: "nat outbound static" activates the global static mapping;
# ACL 2002 (192.168.2.0/24) leaves via address-group 2 and ACL 2001
# (192.168.1.0/24) via address-group 1.
#
# Published services ("nat server", all TCP):
#   8082/8083/8085/8089/8088 -> port 22 on 192.168.1.11/.12/.13/.15/.16
#   7001/7002/7010/7011      -> same ports on 192.168.1.13
#   8011/8012                -> "tns" on 192.168.1.11/.12
#                               (presumably the Oracle listener - confirm)
#   telnet                   -> telnet on 192.168.1.1
#   any (on 213.192.15.35)   -> any on 192.168.2.1
#
# NOTE(review): 192.168.1.1 is this device's own Ethernet0/0 address, so the
# telnet mapping puts the firewall's clear-text management login on the public
# address. Remove it, or limit management to SSH from known sources or a VPN.
# NOTE(review): the "any" mapping forwards every TCP port of 213.192.15.35 to
# 192.168.2.1, which is this device's own Ethernet0/1 address. Replace it with
# the specific ports that are actually needed and confirm the intended target.
# NOTE(review): moving SSH and database listeners to other public port numbers
# does not restrict who can connect. Nothing in this listing limits the source
# addresses for these mappings (packet-filter default is permit and no ACL is
# applied), so each published service should get an explicit source
# restriction or sit behind a VPN.
interface Ethernet1/0
 ip address 213.192.15.34 255.255.255.252
 ip address 213.192.15.35 255.255.255.252 sub
 nat outbound static
 nat outbound 2002 address-group 2
 nat outbound 2001 address-group 1
 nat server protocol tcp global 213.192.15.34 8082 inside 192.168.1.11 22
 nat server protocol tcp global 213.192.15.34 7001 inside 192.168.1.13 7001
 nat server protocol tcp global 213.192.15.34 8083 inside 192.168.1.12 22
 nat server protocol tcp global 213.192.15.34 8085 inside 192.168.1.13 22
 nat server protocol tcp global 213.192.15.34 telnet inside 192.168.1.1 telnet
 nat server protocol tcp global 213.192.15.34 8089 inside 192.168.1.15 22
 nat server protocol tcp global 213.192.15.34 8011 inside 192.168.1.11 tns
 nat server protocol tcp global 213.192.15.34 8012 inside 192.168.1.12 tns
 nat server protocol tcp global 213.192.15.34 8088 inside 192.168.1.16 22
 nat server protocol tcp global 213.192.15.35 any inside 192.168.2.1 any
 nat server protocol tcp global 213.192.15.34 7002 inside 192.168.1.13 7002
 nat server protocol tcp global 213.192.15.34 7010 inside 192.168.1.13 7010
 nat server protocol tcp global 213.192.15.34 7011 inside 192.168.1.13 7011
#
# Ethernet1/1, Ethernet1/2 and NULL0 carry no configuration in this listing.
interface Ethernet1/1
#
interface Ethernet1/2
#
interface NULL0
#
# Security zones and their priorities: local 100, trust 85, DMZ 50, untrust 5.
#   trust   = Ethernet0/0 (inside LAN) and Ethernet1/0
#   DMZ     = Ethernet0/1
#   untrust = no interface assigned
# NOTE(review): Ethernet1/0 is the interface that holds the public addresses
# and the NAT mappings, yet it is a member of the trust zone together with the
# inside LAN, and the untrust zone is empty. Internet traffic is therefore
# handled as trust-zone traffic, and LAN-to-Internet flows do not cross a zone
# boundary at all. The usual layout puts the Internet-facing interface in
# untrust - confirm and correct before reusing this config.
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0               
 add interface Ethernet1/0
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 add interface Ethernet0/1
 set priority 50
#
# Every interzone section below is empty: no packet filter or other policy is
# attached between any pair of zones. Together with
# "firewall packet-filter default permit" this means no inter-zone traffic is
# filtered by anything visible in this listing.
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
# Default route via 213.192.15.33 with preference 60.
# The same line appears twice; the second copy is redundant.
 ip route-static 0.0.0.0 0.0.0.0 213.192.15.33 preference 60
 ip route-static 0.0.0.0 0.0.0.0 213.192.15.33 preference 60
#
# Attack-defence features switched on globally: spoofing checks, malformed or
# abnormal packet checks, scan detection, ARP protections and flood defences.
# NOTE(review): these checks do not replace an access policy. The listing
# still forwards unmatched traffic by default and has the public interface in
# the trust zone.
# NOTE(review): the three flood lines only carry the global "enable" switch.
# No per-zone or per-address protection settings or thresholds appear in this
# listing - confirm on the platform whether flood defence is effective
# without them.
 firewall defend ip-spoofing
 firewall defend land
 firewall defend smurf
 firewall defend fraggle
 firewall defend winnuke
 firewall defend icmp-redirect
 firewall defend icmp-unreachable
 firewall defend source-route
 firewall defend route-record
 firewall defend tracert
 firewall defend ping-of-death
 firewall defend tcp-flag
 firewall defend ip-fragment
 firewall defend large-icmp
 firewall defend teardrop
 firewall defend ip-sweep
 firewall defend port-scan
 firewall defend arp-spoofing
 firewall defend arp-flood
 firewall defend frag-flood
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-flood enable       
#
# Terminal lines. Only the VTY lines (remote logins 0-4) have an explicit
# setting: "scheme" authentication, i.e. username/password checked through AAA,
# which in this listing means the single local user.
# NOTE(review): no authentication-mode is shown for con 0 or aux 0, so they
# fall back to the platform default - confirm that a login is required there.
# NOTE(review): no source ACL or inbound-protocol restriction is visible on the
# VTY lines, so any address that can reach the device may attempt a Telnet
# login. Restrict VTY access to management addresses and prefer SSH if the
# platform supports it.
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return