
NSISG2000

2*SX

Internet
60.217.225.1/30 60.217.225.2/30

(14F 6509)
60.217.225.9/30 60.217.225.10/30

Cisco7609
61.217.226.1/25 60.217.225.17/30 60.217.225.18/30 60.217.225.129/25 60.217.225.130/25

OSPF Area 101 stub

61.217.226.2/25

ISG2000-1
192.168.11.254 192.168.13.254 192.168.14.254

ISG2000-2

61.217.225.254/25

F5
192.168.11.2

Vlan 11
192.168.11.3

Vlan 13

Vlan 14

Vlan 15

192.168.12.254

NAT

Vlan 12

AP

NSISG2000 (model NS-ISG-SX2), serial numbers 0141062006000213 and 0141062006000211; Software Version: 5.0.0r9.2, loader_version=1.1.3

2 2

Nsisg2000-1 set clock timezone 0 set vrouter trust-vr sharable unset vrouter "trust-vr" auto-route-export set vrouter "trust-vr" set protocol ospf set enable set area 0.0.0.101 stub set area 0.0.0.101 range 60.217.225.128 255.255.255.128 advertise set area 0.0.0.101 range 60.217.225.64 255.255.255.192 advertise set area 0.0.0.101 range 60.217.225.32 255.255.255.224 advertise set area 0.0.0.101 range 60.217.225.16 255.255.255.240 advertise exit exit set service "virtus" protocol tcp src-port 0-65535 dst-port 138-138 set service "virtus" + tcp src-port 0-65535 dst-port 139-139 set service "virtus" + udp src-port 0-65535 dst-port 139-139 set auth-server "Local" id 0 set auth-server "Local" server-name "Local" set auth default auth server "Local" set admin name "netscreen" set admin password "nJwlEZr1KayGcfjJ6sAFBQAtEbD1/n" set admin port 10081 set admin scs password disable username netscreen set admin auth timeout 10 set admin auth server "Local" set admin format dos set zone "Trust" vrouter "trust-vr" set zone "Untrust" vrouter "trust-vr" set zone "DMZ" vrouter "trust-vr" set zone "VLAN" vrouter "trust-vr" set zone id 1000 "menhu" set zone id 1001 "database" set zone id 1002 "ap16" set zone "Trust" tcp-rst set zone "Untrust" block unset zone "Untrust" tcp-rst set zone "DMZ" tcp-rst set zone "VLAN" block set zone "VLAN" tcp-rst unset zone "menhu" tcp-rst

unset zone "database" tcp-rst unset zone "ap16" tcp-rst set zone "Untrust" screen icmp-flood set zone "Untrust" screen udp-flood set zone "Untrust" screen tear-drop set zone "Untrust" screen syn-flood set zone "Untrust" screen ping-death unset zone "Untrust" screen ip-filter-src set zone "Untrust" screen land set zone "V1-Untrust" screen tear-drop set zone "V1-Untrust" screen syn-flood set zone "V1-Untrust" screen ping-death set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set zone "menhu" screen icmp-flood set zone "menhu" screen udp-flood set zone "menhu" screen tear-drop set zone "menhu" screen syn-flood set zone "menhu" screen ping-death set zone "menhu" screen icmp-large set zone "database" screen icmp-flood set zone "database" screen udp-flood set zone "database" screen syn-flood set zone "Untrust" screen icmp-flood threshold 100 set zone "menhu" screen icmp-flood threshold 100 set zone "database" screen icmp-flood threshold 50 set zone "Untrust" screen udp-flood threshold 100 set zone "menhu" screen udp-flood threshold 100 set zone "database" screen udp-flood threshold 50 set zone "Untrust" screen syn-flood timeout 2 set zone "Untrust" screen syn-flood source-threshold 200 set zone "Untrust" screen syn-flood destination-threshold 1000 set zone "menhu" screen syn-flood timeout 2 set zone "menhu" screen syn-flood source-threshold 50 set zone "menhu" screen syn-flood destination-threshold 1000 set zone "database" screen syn-flood timeout 2 set zone "database" screen syn-flood source-threshold 50 set zone "database" screen syn-flood destination-threshold 1000 set interface "ethernet1/1.1" tag 10 zone "Untrust" set interface "ethernet1/1.2" tag 20 zone "Untrust" set interface "ethernet1/1.3" tag 30 zone "Untrust" set interface "ethernet1/1.4" tag 40 zone "Untrust" set interface "loopback.1" zone "Trust" set interface "ethernet1/2.1" tag 11 zone "menhu"

set interface "ethernet1/2.2" tag 13 zone "database" set interface "ethernet1/2.3" tag 16 zone "ap16" unset interface vlan1 ip set interface mgt ip 192.168.1.1/24 set interface ethernet1/1.1 ip 60.217.225.130/25 set interface ethernet1/1.1 route set interface ethernet1/1.2 ip 60.217.225.66/26 set interface ethernet1/1.2 route set interface ethernet1/1.3 ip 60.217.225.34/27 set interface ethernet1/1.3 route set interface ethernet1/1.4 ip 60.217.225.18/28 set interface ethernet1/1.4 route set interface loopback.1 ip 1.1.1.1/32 set interface loopback.1 route set interface ethernet1/2.1 ip 192.168.11.254/24 set interface ethernet1/2.1 route set interface ethernet1/2.2 ip 192.168.13.254/24 set interface ethernet1/2.2 route set interface ethernet1/2.3 ip 192.168.16.254/24 set interface ethernet1/2.3 route unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip set interface ethernet1/1.1 ip manageable set interface ethernet1/1.2 ip manageable set interface ethernet1/1.3 ip manageable set interface ethernet1/1.4 ip manageable set interface loopback.1 ip manageable set interface ethernet1/2.1 ip manageable set interface ethernet1/2.2 ip manageable set interface ethernet1/2.3 ip manageable set interface ethernet1/1.1 manage ping set interface ethernet1/1.1 manage ssh set interface ethernet1/1.1 manage telnet set interface ethernet1/1.1 manage web set interface ethernet1/1.2 manage ping set interface ethernet1/1.2 manage ssh set interface ethernet1/1.2 manage telnet set interface ethernet1/1.2 manage web set interface ethernet1/1.3 manage ping set interface ethernet1/1.3 manage ssh set interface ethernet1/1.3 manage telnet set interface ethernet1/1.3 manage web set interface ethernet1/1.4 manage ping set interface ethernet1/1.4 manage ssh

set interface ethernet1/1.4 manage telnet set interface ethernet1/1.4 manage web set interface ethernet1/2.1 manage ping set interface ethernet1/2.1 manage ssh set interface ethernet1/2.1 manage telnet set interface ethernet1/2.1 manage web set interface ethernet1/2.2 manage ping set interface ethernet1/2.2 manage ssh set interface ethernet1/2.2 manage telnet set interface ethernet1/2.2 manage web set interface ethernet1/2.3 manage ping set interface ethernet1/2.3 manage ssh set interface ethernet1/2.3 manage telnet set interface ethernet1/2.3 manage web unset interface loopback.1 manage snmp unset interface loopback.1 manage ssl set interface ethernet1/1.1 dip 4 60.217.225.253 60.217.225.253 set interface "ethernet1/1.3" mip 60.217.225.35 host 192.168.13.1 netmask 255.255.255.255 vrouter "trust-vr" set interface "ethernet1/1.3" mip 60.217.225.36 host 192.168.13.2 netmask 255.255.255.255 vrouter "trust-vr" set interface "ethernet1/1.4" mip 60.217.225.19 host 192.168.11.9 netmask 255.255.255.255 vrouter "trust-vr" set interface "ethernet1/1.4" mip 60.217.225.20 host 192.168.11.10 netmask 255.255.255.255 vrouter "trust-vr" set hostname isg2000-1 set address "menhu" "192.168.12.0/24" 192.168.12.0 255.255.255.0 set address "menhu" "menhu" 192.168.11.0 255.255.255.0 set address "menhu" "menhu-12" 192.168.12.0 255.255.255.0 set address "database" "database" 192.168.13.0 255.255.255.0 set address "ap16" "ap16" 192.168.16.0 255.255.255.0 set ike respond-bad-spi 1 set pki authority default scep mode "auto" set pki x509 default cert-path partial set policy id 1 name "menhutointernet" from "menhu" to "Untrust" "menhu" "Any" "ANY" nat src permit log set policy id 1 set src-address "menhu-12" exit set policy id 2 from "Untrust" to "Global" "Any" "MIP(60.217.225.19)" "ANY" permit log set policy id 3 from "database" to "Untrust" "database" "Any" "ANY" nat src permit log set policy id 4 from "menhu" to "database" "menhu" "database" "ANY" permit log

set policy id 5 from "menhu" to "database" "menhu-12" "database" "ANY" permit log set policy id 6 from "database" to "menhu" "database" "menhu" "ANY" permit log set policy id 7 from "database" to "menhu" "database" "menhu-12" "ANY" permit log set policy id 8 from "ap16" to "Untrust" "ap16" "Any" "ANY" nat src dip-id 4 permit set policy id 9 from "Untrust" to "Global" "Any" "MIP(60.217.225.20)" "ANY" permit log set policy id 10 from "Untrust" to "Global" "Any" "MIP(60.217.225.35)" "ANY" permit log set policy id 11 from "Untrust" to "Global" "Any" "MIP(60.217.225.36)" "ANY" permit log set ssh version v2 set config lock timeout 5 set snmp port listen 161 set snmp port trap 162 set vrouter "untrust-vr" exit set vrouter "trust-vr" unset add-default-route set route 192.168.12.0/24 interface ethernet1/2.1 gateway 192.168.11.4 exit set interface loopback.1 protocol ospf area 0.0.0.101 set interface loopback.1 protocol ospf enable set interface loopback.1 protocol ospf cost 1 set interface ethernet1/1.1 protocol ospf area 0.0.0.101 set interface ethernet1/1.1 protocol ospf enable set interface ethernet1/1.1 protocol ospf cost 1 set interface ethernet1/1.2 protocol ospf area 0.0.0.101 set interface ethernet1/1.2 protocol ospf enable set interface ethernet1/1.2 protocol ospf cost 1 set interface ethernet1/1.3 protocol ospf area 0.0.0.101 set interface ethernet1/1.3 protocol ospf enable set interface ethernet1/1.3 protocol ospf cost 1 set interface ethernet1/1.4 protocol ospf area 0.0.0.101 set interface ethernet1/1.4 protocol ospf enable set interface ethernet1/1.4 protocol ospf cost 1

Nsisg2000-2 set clock timezone 0 set vrouter trust-vr sharable unset vrouter "trust-vr" auto-route-export set vrouter "trust-vr" set protocol ospf set enable

set area 0.0.0.101 stub set area 0.0.0.101 range 60.217.226.0 255.255.255.128 advertise set area 0.0.0.101 range 60.217.226.128 255.255.255.128 advertise exit exit set auth-server "Local" id 0 set auth-server "Local" server-name "Local" set auth default auth server "Local" set admin name "netscreen" set admin password "nJwlEZr1KayGcfjJ6sAFBQAtEbD1/n" set admin port 10081 set admin scs password disable username netscreen set admin auth timeout 10 set admin auth server "Local" set admin format dos set zone "Trust" vrouter "trust-vr" set zone "Untrust" vrouter "trust-vr" set zone "DMZ" vrouter "trust-vr" set zone "VLAN" vrouter "trust-vr" set zone id 1000 "nonat" set zone id 1001 "apnat" set zone "Trust" tcp-rst set zone "Untrust" block unset zone "Untrust" tcp-rst set zone "DMZ" tcp-rst set zone "VLAN" block set zone "VLAN" tcp-rst unset zone "nonat" tcp-rst unset zone "apnat" tcp-rst set zone "Untrust" screen icmp-flood set zone "Untrust" screen udp-flood set zone "Untrust" screen tear-drop set zone "Untrust" screen syn-flood set zone "Untrust" screen ping-death set zone "Untrust" screen ip-filter-src set zone "Untrust" screen land set zone "V1-Untrust" screen tear-drop set zone "V1-Untrust" screen syn-flood set zone "V1-Untrust" screen ping-death set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set zone "nonat" screen icmp-flood set zone "nonat" screen udp-flood set zone "nonat" screen syn-flood

set zone "apnat" screen icmp-flood set zone "apnat" screen udp-flood set zone "apnat" screen syn-flood set zone "Untrust" screen icmp-flood threshold 100 set zone "nonat" screen icmp-flood threshold 50 set zone "apnat" screen icmp-flood threshold 50 set zone "Untrust" screen udp-flood threshold 100 set zone "nonat" screen udp-flood threshold 50 set zone "apnat" screen udp-flood threshold 50 set zone "Untrust" screen syn-flood timeout 2 set zone "Untrust" screen syn-flood source-threshold 50 set zone "Untrust" screen syn-flood destination-threshold 1000 set zone "nonat" screen syn-flood timeout 2 set zone "nonat" screen syn-flood source-threshold 50 set zone "nonat" screen syn-flood destination-threshold 1000 set zone "apnat" screen syn-flood timeout 2 set zone "apnat" screen syn-flood source-threshold 50 set zone "apnat" screen syn-flood destination-threshold 1000 set interface "ethernet1/1" zone "Untrust" set interface "loopback.1" zone "Trust" set interface "ethernet1/2.1" tag 14 zone "apnat" set interface "ethernet1/2.2" tag 15 zone "nonat" unset interface vlan1 ip set interface mgt ip 192.168.1.1/24 set interface ethernet1/1 ip 60.217.226.2/25 set interface ethernet1/1 route set interface loopback.1 ip 2.2.2.2/32 set interface loopback.1 nat set interface ethernet1/2.1 ip 192.168.14.254/24 set interface ethernet1/2.1 route set interface ethernet1/2.2 ip 60.217.226.254/25 set interface ethernet1/2.2 route unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip set interface ethernet1/1 ip manageable set interface loopback.1 ip manageable set interface ethernet1/2.1 ip manageable set interface ethernet1/2.2 ip manageable set interface ethernet1/1 manage ping set interface ethernet1/1 manage ssh set interface ethernet1/1 manage telnet set interface ethernet1/1 manage web set interface ethernet1/2.1 manage ping set interface ethernet1/2.1 manage ssh

set interface ethernet1/2.1 manage telnet set interface ethernet1/2.1 manage web set interface ethernet1/2.2 manage ping set interface ethernet1/2.2 manage ssh set interface ethernet1/2.2 manage telnet set interface ethernet1/2.2 manage web set interface "ethernet1/1" mip 60.217.226.3 host 192.168.14.3 netmask 255.255.255.255 vrouter "trust-vr" set interface "ethernet1/1" mip 60.217.226.4 host 192.168.14.4 netmask 255.255.255.255 vrouter "trust-vr" set hostname isg2000-2 set address "nonat" "nonat" 60.217.226.128 255.255.255.128 set address "apnat" "apnat" 192.168.14.0 255.255.255.0 set ike respond-bad-spi 1 set pki authority default scep mode "auto" set pki x509 default cert-path partial set policy id 1 from "Untrust" to "Global" "Any" "Any" "ANY" permit log set policy id 4 from "apnat" to "Untrust" "apnat" "Any" "ANY" nat src permit log set policy id 2 from "nonat" to "Untrust" "nonat" "Any" "ANY" permit log set policy id 3 from "Untrust" to "nonat" "Any" "nonat" "ANY" permit log set ssh version v2 set config lock timeout 5 set snmp port listen 161 set snmp port trap 162 set vrouter "untrust-vr" exit set vrouter "trust-vr" unset add-default-route exit set interface ethernet1/1 protocol ospf area 0.0.0.101 set interface ethernet1/1 protocol ospf enable set interface ethernet1/1 protocol ospf cost 1 set interface loopback.1 protocol ospf area 0.0.0.101 set interface loopback.1 protocol ospf enable set interface loopback.1 protocol ospf cost 1 set interface ethernet1/2.2 protocol ospf area 0.0.0.101 set interface ethernet1/2.2 protocol ospf enable set interface ethernet1/2.2 protocol ospf cost 1
