
FWNISIND01#sh run

!
service password-encryption
!
hostname FWNISIND01
!
no banner motd
!
username administrator privilege 15 password 8 $1$dwVqsxBn$C0eouWv8fez0psoIdJgki/
username aul privilege 15 password 8 $1$FlB5q.zn$165t5Gh8o7d6Z02HheF5c0
no username manager
!
no service ssh
!
service telnet
!
service http
!
clock timezone GMT plus 7:00
!
snmp-server
!
radius-server host 127.0.0.1 key awplus-local-radius-server
!
!
aaa authentication enable default local
aaa authentication login default local
aaa authentication openvpn default group radius
!
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
group nhk1
attribute Framed-IP-Address 172.16.254.201
attribute Framed-IP-Netmask 255.255.255.0
attribute Framed-Route "192.168.0.0/24 172.16.254.2"
attribute MS-Primary-DNS-Server 172.16.254.2
attribute Service-Type Authenticate-Only
user tunnel encrypted password 4JSd0rErs+hmvnqtQKQL5CBW021v/CfhRO9QMIqAcT0= group nhk1
!
!
zone dmzthai
network dmzthai
ip subnet 192.168.0.0/24
!
zone VLAN1-SERVER
network SERVER
ip subnet 10.78.1.0/24
ip subnet 224.0.0.18/32
host FILESHARE
ip address 10.78.1.5
host NASINSIND01
ip address 10.78.1.7
!
zone VLAN2-USER
network USER
ip subnet 10.78.2.0/24
ip subnet 224.0.0.18/32
host BV7K
ip address 10.78.2.67
!
zone VLAN3-GUEST
network GUEST
ip subnet 10.78.3.0/24 interface vlan3
ip subnet 224.0.0.18/32
host fw01-gw
ip address 10.78.3.252
host fw02-gw
ip address 10.78.3.253
host vrrp-gw
ip address 10.78.3.254
!
zone WAN1
network wan
ip subnet 0.0.0.0/0 interface eth1
host eth1
ip address 112.78.147.202
network WAN1
ip subnet 0.0.0.0/0 interface eth1
host Japan1
ip address 210.254.107.131
host Japan2
ip address 220.110.191.138
host Japan3
ip address 210.227.41.140
host kid-management
ip address 202.169.55.130
host KID2
ip address 110.137.206.198
!
application esp
protocol 50
!
application fstcp
protocol tcp
sport any
dport 139
dport 445
!
application fsudp
protocol udp
sport any
dport 137
dport 138
!
application icmp
protocol icmp
!
application isakmp
protocol udp
sport 500
dport 500
!
application nat-t
protocol udp
sport 4500
dport 4500
!
application ssh
protocol tcp
dport 22
!
application telnet
protocol tcp
dport 23
!
web-control
provider digitalarts
!
malware-protection
provider kaspersky
update-interval days 1
protect
!
firewall
rule 11 permit isakmp from WAN1.wan.eth1 to WAN1
rule 12 permit isakmp from WAN1 to WAN1.wan.eth1
rule 13 permit esp from WAN1.wan.eth1 to WAN1
rule 14 permit esp from WAN1 to WAN1.wan.eth1
rule 15 permit nat-t from WAN1.wan.eth1 to WAN1
rule 16 permit nat-t from WAN1 to WAN1.wan.eth1
rule 17 permit l2tp from WAN1.wan.eth1 to WAN1
rule 18 permit l2tp from WAN1 to WAN1.wan.eth1
rule 21 permit icmp from VLAN1-SERVER to dmzthai log
rule 22 permit icmp from dmzthai to VLAN1-SERVER log
rule 23 permit icmp from VLAN2-USER to dmzthai log
rule 24 permit icmp from dmzthai to VLAN2-USER log
rule 25 permit fstcp from VLAN1-SERVER to dmzthai log
rule 26 permit fstcp from dmzthai to VLAN1-SERVER log
rule 27 permit fsudp from VLAN1-SERVER to dmzthai log
rule 28 permit fsudp from dmzthai to VLAN1-SERVER log
rule 31 permit fstcp from VLAN2-USER to dmzthai log
rule 32 permit fstcp from dmzthai to VLAN2-USER log
rule 33 permit fsudp from VLAN2-USER to dmzthai log
rule 34 permit fsudp from dmzthai to VLAN2-USER log
rule 55 permit any from VLAN2-USER.USER to WAN1
rule 100 permit openvpn from WAN1 to WAN1
rule 110 permit any from VLAN1-SERVER.SERVER to WAN1
rule 120 permit dns from WAN1.wan.eth1 to WAN1
rule 130 permit nat-t from WAN1.wan.eth1 to WAN1
rule 131 permit nat-t from WAN1 to WAN1.wan.eth1
rule 210 permit any from VLAN1-SERVER.SERVER to VLAN1-SERVER.SERVER
rule 310 permit any from VLAN2-USER.USER to VLAN2-USER.USER
rule 410 permit any from VLAN1-SERVER.SERVER to VLAN2-USER.USER
rule 460 deny any from VLAN2-USER.USER to VLAN1-SERVER.SERVER.NASINSIND01
rule 510 permit any from VLAN2-USER.USER to VLAN1-SERVER.SERVER
rule 610 deny telnet from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST.vrrp-gw
rule 710 deny https from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST.vrrp-gw
rule 810 deny telnet from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST.fw01-gw
rule 910 deny https from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST.fw01-gw
rule 1010 deny telnet from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST.fw02-gw
rule 1110 deny https from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST.fw02-gw
rule 20100 permit ping from WAN1 to WAN1
rule 40100 permit any from VLAN3-GUEST.GUEST to WAN1
rule 40200 permit any from VLAN3-GUEST.GUEST to VLAN3-GUEST.GUEST
rule 40220 permit any from WAN1.WAN1.kid-management to WAN1 log
protect
!
nat
rule 50 masq any from VLAN2-USER.USER to WAN1
rule 60 masq any from VLAN3-GUEST.GUEST to WAN1
rule 70 masq any from VLAN1-SERVER.SERVER to WAN1
rule 80 masq any from bgp to WAN1
enable
!
crypto isakmp key 8 y1JY7tseSnvhFNmieFTOLybsp58TN5fX/5289pCDUtU= address 58.181.136.106
!
!
!
ntp server 10.78.1.3
!
ip name-server 203.142.82.222
ip name-server 203.142.84.222
ip name-server 10.78.1.3
ip domain-lookup
!
ip dhcp pool VLAN2-USER
network 10.78.2.0 255.255.255.0
range 10.78.2.51 10.78.2.100
dns-server 10.78.1.3
dns-server 10.78.1.5
dns-server 203.142.82.222
default-router 10.78.2.254
lease 3 0 0
subnet-mask 255.255.255.0
!
ip dhcp pool VLAN3-GUEST
network 10.78.3.0 255.255.255.0
range 10.78.3.51 10.78.3.100
dns-server 203.142.82.222
dns-server 203.142.84.222
default-router 10.78.3.254
lease 3 0 0
subnet-mask 255.255.255.0
!
!
!
service dhcp-server
!
no ip multicast-routing
!
spanning-tree mode rstp
!
lacp global-passive-mode enable
!
vlan database
vlan 1 name SERVER
vlan 2 name USER
vlan 3 name GUEST
vlan 1-3 state enable
!
l2tp tunnel tunnel1
version 2
ip-version 4
encapsulation ppp 10
source 112.78.147.202
destination 58.181.136.106
protection ipsec
!
interface port1.0.1
switchport
switchport mode trunk
switchport trunk allowed vlan add 1-3
switchport trunk native vlan none
!
interface port1.0.2-1.0.8
switchport
switchport mode access
!
interface eth1
description BizNet
ip address 112.78.147.202/29
!
interface vlan1
ip address 10.78.1.252/24
!
interface vlan2
ip address 10.78.2.252/24
!
interface vlan3
ip address 10.78.3.252/24
!
interface ppp10
ip address 10.0.0.2/30
!
router vrrp 1 vlan1
virtual-ip 10.78.1.254 backup
circuit-failover eth1 50
ha associate
enable
router vrrp 2 vlan2
virtual-ip 10.78.2.254 backup
circuit-failover eth1 50
ha associate
enable
router vrrp 3 vlan3
virtual-ip 10.78.3.254 backup
circuit-failover eth1 50
ha associate
enable
!
ip route 0.0.0.0/0 112.78.147.201
ip route 192.168.0.0/24 10.0.0.1
!
line con 0
line vty 0 4
!
end