HC防火墙配置.doc
H3C防火墙配置
sysname SecPath1070
#
context Admin id 1
#
ip vpn-instance management
route-distinguisher 1000000000:1
vpn-target 1000000000:1 import-extcommunity
vpn-target 1000000000:1 export-extcommunity
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip unreachables enable
ip ttl-expires enable
#
dns server
#
lldp global enable
lldp mode service-bridge
#
password-recovery enable
#
vlan 1
#
object-group ip address 集群网段
10 network subnet
30 network host address 2
40 network host address 3
50 network host address 2
#
object-group ip address 数据备份服务器
description 本地数据备份服务器
0 network host address 6
#
object-group ip address 远端数据备份服务器
0 network subnet
#
object-group service 端口
0 service tcp source range xxx destination range xxx
#
policy-based-route gzxj permit node 5
if-match acl 3004
apply next-hop X.X.X.X
#
policy-based-route gzxj permit node 10
if-match acl 2002
apply next-hop X.X.X.X
#
policy-based-route gzxj permit node 20
if-match acl 2001
apply next-hop X.X.X.X
#
policy-based-route test permit node 10
if-match acl 3001
apply next-hop X.X.X.X
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
#
interface GigabitEthernet1/0/1
port link-mode route
ip address X.X.X.X
ip last-hop hold
nat outbound 3000
nat server protocol tcp global X.X.X.X 20 inside 48 20
ipsec apply policy GE1/0/1
#
interface GigabitEthernet1/0/2
port link-mode route
bandwidth 100000
ip address X.X.X.X 48
ip last-hop hold
nat outbound 3000
nat server protocol tcp global X.X.X.X 20 inside 48 20
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitE