华为 USG2130 银监联网配置实例

更新时间:2023-05-06 02:47:40 阅读: 评论:0

<USG2100>DIS CU
#
sysname USG2100
#
firewall packet-filter default permit interzone local trust direction inbound    //本行至 dmz-untrust outbound 共 12 条:所有域间、双向的缺省包过滤均为 permit,未匹配任何策略的流量一律放行;上线前建议改回缺省 deny,仅按需放行
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
firewall ipv6 session link-state check
#
vlan batch 1 100 215
#
firewall session link-state check
#
#
runmode firewall
#
update schedule ips daily 2:26
update schedule av daily 2:26
security server domain
#
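web-manager enable    //HTTP 明文管理;由于 local-untrust inbound 缺省为 permit,管理页面可从 untrust 侧访问,建议改用 web-manager security enable(HTTPS)并限制管理源地址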
#
l2fwdfast enable
#
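acl number 3000    //银监开放端口。注意:本页配置中未见该 ACL 被任何域间 packet-filter 引用,而域间缺省动作均为 permit,因此 rule 25 deny ip 在所示配置下不起作用;另外规则源地址是 192.168.0.0/24(Vlanif1),而各接入口所在 VLAN 100 的网段是 192.168.1.0/24,应用前需核对。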
rule 0 permit tcp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 2012
rule 5 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 2012
rule 10 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 500
rule 15 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 2011
rule 20 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 4500
rule 25 deny ip
#
acl number 3002  //银监转发配置
rule 5 permit service-set nat destination address-set ren30
#
interface Vlanif1
ip address 192.168.0.1 255.255.255.0 
dhcp select interface
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0  //本地网关
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/0.1  //启用子接口并绑定VLAN
vlan-type dot1q 215
ip address 9.16.71.250 255.255.255.252
#
interface Ethernet1/0/0
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/1
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/2
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/3
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/4
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/5
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/6
portswitch
port link-type access
port access vlan 100
#
interface Ethernet1/0/7
portswitch
port link-type access
port access vlan 100
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet1/0/0
add interface Ethernet1/0/1
add interface Ethernet1/0/2
add interface Ethernet1/0/3
add interface Ethernet1/0/4
add interface Ethernet1/0/5
add interface Ethernet1/0/6
add interface Ethernet1/0/7
add interface Vlanif1
add interface Vlanif100
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
add interface Ethernet0/0/0.1
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher ******
local-user admin service-type web terminal
local-user admin level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 9.16.71.249  //对端网关
#
banner enable
#
user-interface con 0
user-interface tty 2
authentication-mode none    //tty 2 登录不做任何认证,且 modem both 允许拨入/拨出;建议改为 authentication-mode aaa 或 password
modem both
user-interface vty 0 4
#
ip address-set cw type object
address 0 192.168.1.0 mask 24
#
ip address-set ren30 type object
address 0 9.16.250.30 mask 32
#
ip service-set nat type object
service 0 protocol tcp destination-port 2012
service 1 protocol udp destination-port 500
service 2 protocol udp destination-port 4500
service 3 protocol udp destination-port 2011
service 4 protocol udp destination-port 2012
