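Network Engineer's Growth Diary 370 - Alstom
This is my 370th original article, recording bits and pieces of the network engineering profession and connecting with kindred spirits in the IT industry.
On the afternoon of April 20, my boss and I went to the Gaoke Building in the West Hi-Tech Zone to install an H3C firewall.
This was my first on-the-job training.
Although my boss had given me some H3C documentation beforehand, I still did not feel confident.
Our job this time was to install an F100-C firewall and connect a Cisco wireless AP (the customer asked for this after we arrived).
The F100-C firewall had already been configured and only needed installing. At the time we thought it would be simple and done in a moment, but countless problems came up.
We connected the firewall to a computer and ran dis cur (the equivalent of SHOW RUN) to display the firewall's configuration.
The customer told us that with the dial-up IP and password Telecom had assigned them, the connection would not come up no matter what they tried.
We then tried many different things. Still no connection.
We talked to the engineers in Beijing, who told us they would contact Telecom, because they did not quite know what configuration Telecom had set up for the customer either.
So the contacting went on for a very long time. Then Beijing called to ask, we tried again, and it still did not connect. After many rounds of this, we could only call Telecom ourselves.
At first we thought the dial-up password was wrong, so we called Telecom. Telecom told us that to get the password we had to provide them with the company's documents and similar items.
With no other choice, we talked to the customer again, and only then did they hand over a sheet with the IP address that Telecom had left them when the line was installed on the 19th, and told us that Telecom had installed a leased line.
We changed the firewall settings, reconfiguring the WAN port and Dialer0, and tried again. This time we could finally ping the gateway, and pinging the customer's internal network also worked.
Because nobody on the customer side knew much about networking, it was only after talking to Beijing that we learned that what had been installed the day before was a ××× leased line, not the dial-up access the customer had been claiming all along.
We had been misled. So embarrassing.
Next came installing the wireless and setting its password. A small problem came up when setting the password: the customer wanted a 5-character password,
but the chosen security protocol only supports passwords of at least 8 characters. After some discussion, we settled on an 8-character password.
With that, the whole job was finished.
This job taught me that communication is extremely important in a project.
Next, you have to use the information you already have to understand the project and know what you need to do.
Only then can the work be completed successfully and quickly.
Configuration process
We got the link working, and then the Beijing engineer logged in remotely to make changes.
The dis cur output is below; IP addresses and related content have been altered.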
#
Sysname F100-C
#
clock timezone GMT+8 add 08:00:00
#
encrypt-card fast-switch
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
bims enable//H3C's intelligent management solution for branch sites
bims device-id F100-C
bims ip address 100.0.0.1 port 7000
bims interval 10
bims sharekey simple cec
#
dialer-rule 1 ip permit
#
firewall statistic system enable
#
pki entity mytest
common-name F100-C
organization-unit ts
organization CEC
locality SX
state XA
country CN
#
pki domain my***
ca identifier CEC
certificate request url http://1.2.3.4/certsrv/mscep/mscep.dll //certificate setup
certificate request from ra
certificate request entity mytest
certificate request mode auto key-length 1024
root-certificate fingerprint sha1 12345
crl check disable
#
radius scheme system
server-type extended
#
domain system
#
local-user 654321
password 123456
service-type telnet terminal
level 3
service-type ftp
#
ike proposal 1
authentication-method rsa-signature
#
ike peer ***
exchange-mode aggressive
pre-shared-key xxxxx
id-type name
remote-name ***
remote-address 1.2.3.4
certificate domain my***
#
ipsec card-proposal s***
use encrypt-card 1/0
#
ipsec proposal ***
#
ipsec policy *** 10 isakmp
security acl 3000
ike-peer ***
proposal s***
//added by the Beijing engineer after logging in remotely
#
dhcp server ip-pool dhcppool
network 10.1.0.2 mask 255.255.255.0
gateway-list 10.1.0.1
dns-list 10.1.1.1 10.1.1.3 10.1.1.8
#
acl number 2000 match-order auto
rule 0 permit source 10.1.1.0 0.0.0.255
rule 1 permit
#
acl number 3000
rule 0 permit ip source 1.1.1.4 0 destination 1.1.1.1 0
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Dialer1
undo link-protocol ppp
undo ppp pap local-user 7654321 password simple xxxxx
undo ip address ppp-negotiate
dialer user user
dialer-group 1
dialer bundle 1
nat outbound 2000
ipsec policy ***
//original configuration; because this is a leased line, all of it was later deleted
#
interface Ethernet0/0
description link to LAN
ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4//changed to interface Ethernet0/4
description link to WAN
ip address 121.1.1.1 255.0.0.0
ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
ip address 34.1.1.1 255.255.255.252
source 1.1.1.4
destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.4 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
add interface Ethernet0/4
add interface Dialer1//later deleted
add interface Tunnel1
set priority 85
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 43.1.1.1 preference 60// after the change: Ethernet 0/4 121.1.1.1; originally the dialer1 interface
ip route-static 1.1.1.1 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 2.2.2.2 255.0.0.0 Tunnel 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 3.3.3.3 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 4.4.4.4 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 5.5.5.5 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 6.6.6.6 255.255.0.0 Tunnel 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 7.7.7.7 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 8.8.8.8 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
ip route-static 9.9.9.9 255.255.255.255 Dialer 1 preference 60// Dialer 1 changed to Ethernet 0/4 121.1.1.1
#
snmp-agent
snmp-agent local-engineid 12345678
snmp-agent community write 101zhengou
snmp-agent sys-info version all
snmp-agent trap source Ethernet0/4
#
ntp-service unicast-server 1.1.1.1
ntp-service unicast-server 2.2.2.2
ntp-service unicast-server 3.3.3.3
ntp-service unicast-server 4.4.4.4
ntp-service unicast-server 5.5.5.5
ntp-service unicast-server 6.6.6.6
ntp-service unicast-server 7.7.7.7
ntp-service unicast-server 8.8.8.8
ntp-service unicast-server 9.9.9.9
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
set authentication password simple cecipsec
At this point, pinging the Shenzhen headquarters on the internal network succeeds. Done.
[XiA110101-H3C]dis ip int bri
*down: administratively down
(s): spoofing
Interface IP Address Physical Protocol Description
Aux0 unassigned down up(s) Aux0 Inte...
Dialer1 unassigned up up(s) Dialer1 I...
Encrypt1/0 unassigned up up Encrypt1/...
Ethernet0/0 10.100.12.1 up up link to LAN
Ethernet0/1 unassigned down down Ethernet0...
Ethernet0/2 unassigned down down Ethernet0...
Ethernet0/3 unassigned down down Ethernet0...
Ethernet0/4 117.22.255.106 up up link to WAN
LoopBack0 1.1.1.37 up up(s) LoopBack0...
Tunnel1 172.16.18.118 up up Tunnel1 I...
[XiA110101-H3C]dis cur
#
sysname XiA110101-H3C
#
clock timezone GMT+8 add 08:00:00
#
encrypt-card fast-switch
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
bims enable
bims device-id XiA110101-H3C
bims ip address 218.96.249.203 port 7777
bims interval 10
bims sharekey simple cec
#
dialer-rule 1 ip permit
#
firewall statistic system enable
#
pki entity mytest
common-name XiA110101-H3C
organization-unit ts
organization CEC
locality SX
state XA
country CN
#
pki domain my***
ca identifier CEC
certificate request url http://218.96.249.202/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity mytest
certificate request mode auto key-length 1024
root-certificate fingerprint sha1 268fed7ae09ce9fb3c187d917070bbea1f1f327a
crl check disable
#
radius scheme system
server-type extended
#
domain system
#
local-user cecipsec
password cipher RPZ^0"X<9]'Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ike proposal 1
authentication-method rsa-signature
#
ike peer ***
exchange-mode aggressive
pre-shared-key 123456
id-type name
remote-name ***
remote-address 218.96.249.201
certificate domain my***
#
ipsec card-proposal s***
use encrypt-card 1/0
#
ipsec proposal ***
#
ipsec policy *** 10 isakmp
security acl 3000
ike-peer ***
proposal s***
#
acl number 2000 match-order auto
rule 0 permit source 10.100.12.0 0.0.0.255
rule 1 permit
#
acl number 3000
rule 0 permit ip source 1.1.1.37 0 destination 1.1.1.1 0
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Dialer1
undo link-protocol ppp
undo ppp pap local-user 029xxxxx password simple xxxxxx
undo ip address ppp-negotiate
dialer user user
dialer-group 1
dialer bundle 1
nat outbound 2000
ipsec policy ***
#
interface Ethernet0/0
description link to LAN
ip address 10.100.12.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
description link to WAN
ip address 117.22.255.106 255.0.0.0
ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
ip address 172.16.18.118 255.255.255.252
source 1.1.1.37
destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.37 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
add interface Ethernet0/4
add interface Dialer1
add interface Tunnel1
set priority 85
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 117.22.255.105 preference 60// after the change; originally the dialer1 interface
undo ip route-static 1.1.1.1 255.255.255.255 Dialer 1 preference 60
undo ip route-static 10.0.0.0 255.0.0.0 Tunnel 1 preference 60
undo ip route-static 61.237.232.242 255.255.255.255 Dialer 1 preference 60
undo ip route-static 131.100.9.2 255.255.255.255 Dialer 1 preference 60
undo ip route-static 131.107.1.10 255.255.255.255 Dialer 1 preference 60
undo ip route-static 159.217.0.0 255.255.0.0 Tunnel 1 preference 60
undo ip route-static 202.112.10.60 255.255.255.255 Dialer 1 preference 60
undo ip route-static 202.122.113.114 255.255.255.255 Dialer 1 preference 60
undo ip route-static 210.72.145.44 255.255.255.255 Dialer 1 preference 60
undo ip route-static 210.184.110.165 255.255.255.255 Dialer 1 preference 60
undo ip route-static 218.96.0.0 255.255.0.0 Dialer 1 preference 60
undo ip route-static 218.96.50.84 255.255.255.252 Tunnel 1 preference 60
undo ip route-static 218.96.70.100 255.255.255.252 Tunnel 1 preference 60
undo ip route-static 218.96.249.201 255.255.255.255 Dialer 1 preference 60
undo ip route-static 218.96.249.202 255.255.255.255 Dialer 1 preference 60
undo ip route-static 218.96.249.203 255.255.255.255 Dialer 1 preference 60
undo ip route-static 218.96.253.160 255.255.255.224 Tunnel 1 preference 60
undo ip route-static 218.97.1.33 255.255.255.255 Dialer 1 preference 60
#
snmp-agent
snmp-agent local-engineid 000063A27F0000010000176B
snmp-agent community write xxxxxx
snmp-agent sys-info version all
snmp-agent trap source Ethernet0/4
#
ntp-service unicast-server 61.237.232.242
ntp-service unicast-server 131.107.1.10
ntp-service unicast-server 133.100.9.2
ntp-service unicast-server 202.112.10.60
ntp-service unicast-server 202.122.113.114
ntp-service unicast-server 210.72.145.44
ntp-service unicast-server 210.184.110.165
ntp-service unicast-server 218.96.249.201
ntp-service unicast-server 218.97.1.33
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
set authentication password simple xxxxx
#
After Beijing's changes
[XiA110101-H3C]dis cur
#
sysname XiA110101-H3C
#
clock timezone GMT+8 add 08:00:00
#
encrypt-card fast-switch
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
bims enable
bims device-id XiA110101-H3C
bims ip address 218.96.249.203 port 7777
bims interval 10
bims sharekey simple cec
#
dialer-rule 1 ip permit
#
firewall statistic system enable
#
pki entity mytest
common-name XiA110101-H3C
organization-unit ts
organization CEC
locality SX
state XA
country CN
#
pki domain my***
ca identifier CEC
certificate request url http://218.96.249.202/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity mytest
certificate request mode auto key-length 1024
root-certificate fingerprint sha1 268fed7ae09ce9fb3c187d917070bbea1f1f327a
crl check disable
#
radius scheme system
server-type extended
#
domain system
#
local-user cecipsec
password cipher RPZ^0"X<9]'Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ike proposal 1
authentication-method rsa-signature
#
ike peer ***
exchange-mode aggressive
pre-shared-key 123456
id-type name
remote-name ***
remote-address 218.96.249.201
certificate domain my***
#
ipsec card-proposal s***
use encrypt-card 1/0
#
ipsec proposal ***
#
ipsec policy *** 10 isakmp
security acl 3000
ike-peer ***
proposal s***
#
acl number 2000 match-order auto
rule 0 permit source 10.100.12.0 0.0.0.255
rule 1 permit
#
acl number 3000
rule 0 permit ip source 1.1.1.37 0 destination 1.1.1.1 0
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Dialer1
link-protocol ppp
ppp pap local-user 029xxxxx password simple xxxx
ip address ppp-negotiate
dialer user user
dialer-group 1
dialer bundle 1
nat outbound 2000
ipsec policy ***
#
interface Ethernet0/0
description link to LAN
ip address 10.100.12.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
description link to WAN
ip address 117.22.255.106 255.0.0.0
ipsec policy ***
ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
ip address 172.16.18.118 255.255.255.252
source 1.1.1.37
destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.37 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
add interface Ethernet0/4
add interface Dialer1
add interface Tunnel1
set priority 85
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 117.22.255.105 preference 60
ip route-static 1.1.1.1 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 61.237.232.242 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 131.100.9.2 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 131.107.1.10 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 202.112.10.60 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 202.122.113.114 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 210.72.145.44 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 210.184.110.165 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.0.0 255.255.0.0 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.249.201 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.249.202 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.249.203 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.97.1.33 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
#
snmp-agent
snmp-agent local-engineid 000063A27F0000010000176B
snmp-agent community write xxxxx
snmp-agent sys-info version all
snmp-agent trap source Ethernet0/4
#
ntp-service unicast-server 61.237.232.242
ntp-service unicast-server 131.107.1.10
ntp-service unicast-server 133.100.9.2
ntp-service unicast-server 202.112.10.60
ntp-service unicast-server 202.122.113.114
ntp-service unicast-server 210.72.145.44
ntp-service unicast-server 210.184.110.165
ntp-service unicast-server 218.96.249.201
ntp-service unicast-server 218.97.1.33
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
set authentication password simple cecipsec
#
return
[XiA110101-H3C]
%Apr 20 17:50:43:438 2009 XiA110101-H3C PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain my*** is trusted.
%Apr 20 17:50:49:830 2009 XiA110101-H3C PKI/4/Update_CA_Cert:Update CA certificates of the Domain my*** successfully.
%Apr 20 17:50:49:831 2009 XiA110101-H3C PKI/4/CA_Cert_Retrieval:Retrieval CA certificates of the domain my*** successfully.
%Apr 20 17:50:54:232 2009 XiA110101-H3C PKI/4/Local_Cert_Request:Request local certificate of the domain my*** successfully.
===============================
IPs that can be pinged from the internal network
Microsoft Windows XP [版本 5.1.2600]
(C) 版權所有 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>ping 172.16.18.118
Pinging 172.16.18.118 with 32 bytes of data:
Reply from 172.16.18.118: bytes=32 time=3ms TTL=255
Reply from 172.16.18.118: bytes=32 time=3ms TTL=255
Reply from 172.16.18.118: bytes=32 time=2ms TTL=255
Reply from 172.16.18.118: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.18.118:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
C:\Documents and Settings\Administrator>ping www.baidu.com
^C
C:\Documents and Settings\Administrator>nslookup www.baidu.com
DNS request timed out.
timeout was 2 seconds.
Can't find server name for address 218.30.19.40: Timed out
Default servers are not available
Server: UnKnown
Address: 218.30.19.40
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Documents and Settings\Administrator>ping 117.22.255.106
Pinging 117.22.255.106 with 32 bytes of data:
Reply from 117.22.255.106: bytes=32 time=2ms TTL=255
Reply from 117.22.255.106: bytes=32 time=1ms TTL=255
Reply from 117.22.255.106: bytes=32 time=1ms TTL=255
Reply from 117.22.255.106: bytes=32 time=1ms TTL=255
Ping statistics for 117.22.255.106:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
C:\Documents and Settings\Administrator>ping 117.22.255.105
Pinging 117.22.255.105 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 117.22.255.105:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Documents and Settings\Administrator>
======================================
Final configuration
[XiA110101-H3C]dis cur
#
sysname XiA110101-H3C
#
clock timezone GMT+8 add 08:00:00
#
encrypt-card fast-switch
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
bims enable
bims device-id XiA110101-H3C
bims ip address 218.96.249.203 port 7777
bims interval 10
bims sharekey simple cec
#
dialer-rule 1 ip permit
#
firewall statistic system enable
#
pki entity mytest
common-name XiA110101-H3C
organization-unit ts
organization CEC
locality SX
state XA
country CN
#
pki domain my***
ca identifier CEC
certificate request url http://218.96.249.202/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity mytest
certificate request mode auto key-length 1024
root-certificate fingerprint sha1 268fed7ae09ce9fb3c187d917070bbea1f1f327a
crl check disable
#
radius scheme system
server-type extended
#
domain system
#
local-user cecipsec
password cipher RPZ^0"X<9]'Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ike proposal 1
authentication-method rsa-signature
#
ike peer ***
exchange-mode aggressive
pre-shared-key xxxxxx
id-type name
remote-name ***
remote-address x.x.x.x
certificate domain my***
#
ipsec card-proposal s***
use encrypt-card 1/0
#
ipsec proposal ***
#
ipsec policy *** 10 isakmp
security acl 3000
ike-peer ***
proposal s***
#
dhcp server ip-pool dhcppool
network 10.100.12.0 mask 255.255.255.0
gateway-list 10.100.12.1
dns-list 10.100.0.2 10.100.0.3 10.3.1.8
#
acl number 2000 match-order auto
rule 0 permit source 10.100.12.0 0.0.0.255
rule 1 permit
#
acl number 3000
rule 0 permit ip source 1.1.1.37 0 destination 1.1.1.1 0
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
description link to LAN
ip address 10.100.12.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
interface Ethernet0/4
description link to WAN
ip address 117.22.255.106 255.0.0.0
ipsec policy ***
ntp-service broadcast-server
#
interface Encrypt1/0
#
interface Tunnel1
ip address 172.16.18.118 255.255.255.252
source 1.1.1.37
destination 1.1.1.1
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.37 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
add interface Ethernet0/4
add interface Tunnel1
set priority 85
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 117.22.255.105 preference 60
ip route-static 1.1.1.1 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 10.0.0.0 255.0.0.0 Tunnel 1 preference 60
ip route-static 61.237.232.242 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 131.100.9.2 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 131.107.1.10 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 159.217.0.0 255.255.0.0 Tunnel 1 preference 60
ip route-static 202.112.10.60 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 202.122.113.114 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 210.72.145.44 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 210.184.110.165 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.0.0 255.255.0.0 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.50.84 255.255.255.252 Tunnel 1 preference 60
ip route-static 218.96.70.100 255.255.255.252 Tunnel 1 preference 60
ip route-static 218.96.249.201 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.249.202 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.249.203 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
ip route-static 218.96.253.160 255.255.255.224 Tunnel 1 preference 60
ip route-static 218.97.1.33 255.255.255.255 Ethernet 0/4 117.22.255.105 preference 60
#
snmp-agent
snmp-agent local-engineid 000063A27F0000010000176B
snmp-agent community write zqw101
snmp-agent sys-info version all
snmp-agent trap source Ethernet0/4
#
ntp-service unicast-server 61.237.232.242
ntp-service unicast-server 131.107.1.10
ntp-service unicast-server 133.100.9.2
ntp-service unicast-server 202.112.10.60
ntp-service unicast-server 202.122.113.114
ntp-service unicast-server 210.72.145.44
ntp-service unicast-server 210.184.110.165
ntp-service unicast-server 218.96.249.201
ntp-service unicast-server 218.97.1.33
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
set authentication password simple xxxxxx
#
return
[XiA110101-H3C]
ping the Shenzhen headquarters
C:\Documents and Settings\Administrator>ping 10.100.0.1
Pinging 10.100.0.1 with 32 bytes of data:
Reply from 10.100.0.1: bytes=32 time=99ms TTL=249
Reply from 10.100.0.1: bytes=32 time=96ms TTL=249
Reply from 10.100.0.1: bytes=32 time=96ms TTL=249
Reply from 10.100.0.1: bytes=32 time=99ms TTL=249
Ping statistics for 10.100.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 96ms, Maximum = 99ms, Average = 97ms
C:\Documents and Settings\Administrator>ping 10.100.0.1
Pinging 10.100.0.1 with 32 bytes of data:
Reply from 10.100.0.1: bytes=32 time=116ms TTL=248
Reply from 10.100.0.1: bytes=32 time=103ms TTL=248
Reply from 10.100.0.1: bytes=32 time=112ms TTL=248
Reply from 10.100.0.1: bytes=32 time=96ms TTL=248
Ping statistics for 10.100.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 96ms, Maximum = 116ms, Average = 106ms
C:\Documents and Settings\Administrator>
[XiA110101-H3C]dis ip int bri
*down: administratively down
(s): spoofing
Interface IP Address Physical Protocol Description
Aux0 unassigned down up(s) Aux0 Inte...
Dialer1 unassigned down down Dialer1 I...
Encrypt1/0 unassigned up up Encrypt1/...
Ethernet0/0 10.100.12.1 up up link to LAN
Ethernet0/1 unassigned down down Ethernet0...
Ethernet0/2 unassigned down down Ethernet0...
Ethernet0/3 unassigned down down Ethernet0...
Ethernet0/4 unassigned up down link to WAN
LoopBack0 1.1.1.37 up up(s) LoopBack0...
Tunnel1 172.16.18.118 up down Tunnel1 I...
[XiA110101-H3C]
#Apr 20 23:48:10:748 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.4Interface 1854 is Up
%Apr 20 23:48:10:750 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is UP
#Apr 20 23:48:10:954 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.3Interface 1854 is Down
%Apr 20 23:48:10:955 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is DOWN
#Apr 20 23:48:29:056 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.4Interface 1862 is Up
%Apr 20 23:48:29:057 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is UP
#Apr 20 23:48:29:264 2009 XiA110101-H3C IFNET/4/TRAP:1.3.6.1.6.3.1.1.5.3Interface 1862 is Down
%Apr 20 23:48:29:266 2009 XiA110101-H3C IFNET/4/UPDOWN:Line protocol on the interface Dialer1:0 is DOWN
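A short audit of the kind of dump shown above, as an added example that is not part of the original post: it flags settings that appear in the final configuration (default-permit packet filter, `simple` secrets, Telnet/FTP service types, IKE aggressive mode, a 1024-bit key, disabled CRL checking, an SNMP write community, an ACL rule with no match criteria, and the WAN interface placed in the trust zone). The function name, finding ids and sample text are constructed for illustration.

```python
import re

# Constructed sample in the style of the final "dis cur" dump on this page;
# names and secrets are placeholders, not values from the device.
SAMPLE_CONFIG = """\
firewall packet-filter default permit
#
pki domain example
certificate request mode auto key-length 1024
crl check disable
#
local-user example
service-type telnet terminal
#
ike peer example
exchange-mode aggressive
#
acl number 2000 match-order auto
rule 0 permit source 10.100.12.0 0.0.0.255
rule 1 permit
#
interface Ethernet0/4
description link to WAN
#
firewall zone trust
add interface Ethernet0/4
#
snmp-agent community write EXAMPLE
#
user-interface vty 0 4
set authentication password simple EXAMPLE
"""

# (finding id, pattern, reason) for checks that need only one line.
LINE_RULES = [
    ("default-permit", r"^firewall packet-filter default permit$",
     "packets matching no rule are forwarded"),
    ("cleartext-secret", r"\b(password|sharekey) simple\b", "secret stored in cleartext"),
    ("cleartext-mgmt", r"^service-type .*\b(telnet|ftp)\b",
     "login credentials cross the network unencrypted"),
    ("ike-aggressive", r"^exchange-mode aggressive$",
     "IKEv1 aggressive mode does not protect peer identities"),
    ("short-rsa-key", r"\bkey-length (512|768|1024)\b", "RSA key under 2048 bits"),
    ("no-crl", r"^crl check disable$", "certificate revocation is not checked"),
    ("snmp-write", r"^snmp-agent community write\b", "write access via community string"),
    ("acl-permit-any", r"^rule \d+ permit$", "rule has no match criteria"),
]


def audit(config_text):
    """Return sorted (line_no, finding_id, reason) tuples for one config dump."""
    findings, wan_ifs, trust_members = [], set(), {}
    section = ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line in ("", "#"):          # "#" closes the current section
            section = ""
            continue
        if line.startswith(("interface ", "firewall zone ")):
            section = line
        findings += [(no, fid, why) for fid, pat, why in LINE_RULES
                     if re.search(pat, line)]
        if section.startswith("interface ") and re.match(r"description .*\bWAN\b", line):
            wan_ifs.add(section.split()[1])
        member = re.match(r"add interface (\S+)", line)
        if member and section == "firewall zone trust":
            trust_members[member.group(1)] = no
    # Cross-section check: an interface described as WAN but placed in trust.
    for name in sorted(wan_ifs):
        if name in trust_members:
            findings.append((trust_members[name], "wan-in-trust",
                             name + " is WAN-facing but in the trust zone"))
    return sorted(findings)


if __name__ == "__main__":
    for no, fid, why in audit(SAMPLE_CONFIG):
        print(f"line {no}: {fid}: {why}")
```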
Reposted from: https://blog.51cto.com/13448371/2083820