H3C SecPath 防火墙设置之端口映射
登陆系统后: 1.显示防火墙当前生效配置参数。 H3Cdisplay current-
configuration 找到如下信息:
# interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
nat outbound 2000 nat server protocol tcp
global 172.16.1.1 www inside 192.168.1.254 www
登陆系统后:
1.显示防火墙当前生效配置参数。
<H3C>display current-configuration
找到如下信息:
#
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
nat outbound 2000
nat server protocol tcp global 172.16.1.1 www inside 192.168.1.254 www
nat server protocol tcp global 172.16.1.1 22 inside 192.168.1.254 22
2.进入系统视图
<H3C>system-view
[H3C]
3.进入网卡0
[H3C]interface ethernet0/0
[H3C-Ethernet0/0]
4.运行nat 命令添加FTP端口映射。
[H3C-Ethernet0/0] nat server protocol tcp global 172.16.1.1 ftp inside
192.168.1.254 ftp
5.查看防火墙当前生效配置参数。
<H3C>display current-configuration
找到如下信息:
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
nat outbound 2000
nat server protocol tcp global 172.16.1.1 www inside 192.168.1.254 www
nat server protocol tcp global 172.16.1.1 22 inside 192.168.1.254 22
nat server protocol tcp global 172.16.1.1 ftp inside 192.168.1.254 ftp
6.测试FTP端口是否映射成功。
C:\Documents and Settings\aran>ftp 5X.21X.24X.24X
Connected to 5X.21X.24X.24X.
220 (vsFTPd 2.0.1)
User (5X.21X.24X.24X:(none)): aran
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> user
Username aran
331 Please specify the password.
Password:
230 Login successful.
ftp>
H3C端口映射命令及设备查看计算机 2009-03-21 17:15:00 阅读315 评论0 字
号:大中小 订阅
一,用固定的公网ip做映射命令
System
int dialer 0
[Quidway-Ethernet3/0] nat server protocol tcp global 200.200.200.1 外网
端口inside 192.168.1.254 内网端口
[Quidway-Ethernet3/0] nat server protocol tcp global 200.200.200.1 外网
端口 inside 192.168.1.254 内网端口
【提示】
1、global后跟公网地址,inside后跟的是私网服务器地址,www和ftp可以改为端
口号
2、内部用户不能使用公网地址来访问内部服务器,必须使用内网地址访问.,如
192.168.1.0/24网段的用户,不能访问http://200.200.200.1,而只能访问
http://192.168.1.254
二,如果没有固定ip,对于上面命令要作修改,修改如下
system
int dialer 0
nat server pro tcp global current 内网端口 inside 192.168.1.2 外网端
口
删除命令
在前面加上undo nat server pro tcp global current 内网端口 inside
192.168.1.2 外网端口
三,display nat all命令用来显示所有的地址转换的配置信息
【视图】
任意视图
【缺省级别】
1:监控级
【参数】
无
【描述】
display nat all命令用来显示所有的地址转换的配置信息。
【举例】
# 显示所有的关于地址转换的配置信息。
<Sysname> display nat all
NAT address-group information:
There are currently 1 nat address-group(s)
1 : from 202.110.10.10 to 202.110.10.15
NAT outbound information:
There are currently 2 nat outbound rule(s)
Ethernet1/0: acl(2001) --- NAT address-group(1)
[no-pat]
Ethernet2/0: --- static
NAT server in private network information:
There are currently 1 internal server(s)
Interface:Ethernet1/0, Protocol:6(tcp),
[global] 202.110.10.10: 8080 [local] 10.110.10.10:
80(www)
NAT static information:
There are currently 2 static table(s)
GlobalAddr InsideAddr Vpn-instance
192.168.1.111 2.3.4.5 ----
4.4.4.4 3.3.3.3 ----
NAT aging-time value information:
tcp ---- aging-time value is 86400 (seconds)
udp ---- aging-time value is 300 (seconds)
icmp ---- aging-time value is 60 (seconds)
pptp ---- aging-time value is 86400 (seconds)
dns ---- aging-time value is 60 (seconds)
tcp-fin ---- aging-time value is 60 (seconds)
tcp-syn ---- aging-time value is 60 (seconds)
ftp-ctrl ---- aging-time value is 7200 (seconds)
ftp-data ---- aging-time value is 300 (seconds)
NAT log information:
log enable : enable acl 2000
flow-begin : enable
flow-active : 10(minutes)
表1-5 display nat all命令显示信息描述表
字段
描述
NAT address-group information
显示NAT地址池信息
There are currently 1 nat address-group(s)
存在1条NAT地址池信息
1 : from 202.110.10.10 to 202.110.10.15
1号地址池的IP地址范围从202.110.10.10到202.110.10.15
NAT outbound information:
显示内部地址和外部地址的转换配置信息
There are currently 2 nat outbound rule(s)
存在2条地址转换关联信息
Ethernet1/0: acl(2001) --- NAT address-group(1) [no-pat]
在Ethernet1/0配置了1个地址转换关联:ACL规则2001与地址池1关联,进行多对
多方式的地址转换;[no-pat]表示不进行端口的转换
Ethernet2/0: --- static
在Ethernet1/0配置了静态地址转换
NAT server in private network information
显示内部服务器信息
There are currently 1 internal server(s)
存在1条内部服务器信息
Interface:Ethernet1/0, Protocol:6(tcp),
[global] 202.110.10.10: 8080 [local] 10.110.10.10:
80(www)
在Ethernet1/0配置了1个内部服务器:使用TCP协议;公网地址是202.110.10.10
,端口号为8080;内部地址是10.110.10.10,端口号为80
NAT static information:
静态地址转换信息
There are currently 2 static table(s)
存在2条静态转换表项
GlobalAddr
外部IP地址
InsideAddr
内部IP地址
Vpn-instance
内部IP地址所属的三层VPN名
NAT aging-time value information
显示各个协议的NAT转换有效时间
tcp ---- aging-time value is 86400 (seconds)
TCP协议地址转换有效时间为86400秒
udp ---- aging-time value is 300 (seconds)
UDP协议地址转换有效时间为300秒
icmp ---- aging-time value is 60 (seconds)
ICMP协议地址转换有效时间为60秒
pptp ---- aging-time value is 86400 (seconds)
PPTP协议地址转换有效时间为86400秒
dns ---- aging-time value is 60 (seconds)
DNS协议地址转换有效时间为60秒
tcp-fin ---- aging-time value is 60 (seconds)
TCP 协议fin 或 rst连接地址转换有效时间为60秒
tcp-syn ---- aging-time value is 60 (seconds)
TCP 协议syn连接地址转换有效时间为60秒
ftp-ctrl ---- aging-time value is 7200 (seconds)
FTP协议控制链路地址转换有效时间为7200秒
ftp-data ---- aging-time value is 300 (seconds)
FTP协议数据链路地址转换有效时间300秒
NAT log information
显示地址转换的日志信息
log enable : enable acl 2000
日志使能信息,对匹配acl 2000的数据流做日志记录
flow-begin : enable
新建流使能
flow-active : 10(minutes)
活跃流的间隔时间为10分钟
四.区分路由器和防火墙
在Telnet的设备上输入以下命令:
<Quidway>disp ver
Copyright Notice:
All rights reserved (Feb 22 2008).
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Feature 1652
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights
reserved.
Quidway SecPath //此处如果是SecPath,则为防火墙100F uptime is 0 week, 0
day, 3 hours, 10 minutes
CPU type: Mips IDT RC32438 266MHz
256M bytes DDR SDRAM Memory
16M bytes Flash Memory
Pcb Version:3.0
Logic Version:1.0
BootROM Version:1.17
[SLOT 0] 4FE (Hardware)3.0, (Driver)2.0, (Cpld)1.0
[SLOT 1] 3FE (Hardware)3.0, (Driver)2.0, (Cpld)1.0
<R1-C-SDWH-NET>dis ver
Copyright Notice:
All rights reserved (Jun 14 2005).
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Huawei-3Com Versatile Routing Platform Software
VRP(R) software, Version 3.40, Release RT-0011
Copyright (c) 2003-2005 Hangzhou Huawei-3Com Tech. Co.,Ltd. All rights
reserved.
Copyright (c) 2000-2003 Huawei Tech. Co.,Ltd. All rights reserved.
Quidway AR28-31//此为路由器,AR28-31为路由器的型号. uptime is 0 week, 0
day, 21 hours, 13 minutes
CPU type: PowerPC 8245 300MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
128K bytes NvRAM Memory
Pcb Version:1.0
Logic Version:1.0
BootROM Version:9.12
[SLOT 0] 2FE (Hardware)2.1, (Driver)2.0, (Cpld)0.0
[SLOT 2] 4E1-F (Hardware)1.0, (Driver)1.0, (Cpld)1.0
nat address-group 2 221.0.185.204 221.0.185.204
#
firewall statistic system enable
#
DNS server 202.102.134.68
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher =VBX!6J709;1<%AOH#3\4Q!!
service-type telnet terminal
level 3
#
acl number 2000
rule 0 permit source 10.10.10.0 0.0.0.255
rule 1 deny
#
nat server-group protocol
#
interface Aux0
async mode flow
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/1
#
interface GigabitEthernet1/0
ip address 221.0.185.204 255.255.255.240
nat outbound 2000 address-group 2
nat server protocol tcp global 221.0.185.204 3389 inside 10.10.10.10 3389
nat server protocol tcp global 221.0.185.204 3390 inside 10.10.10.11 3389
nat server protocol tcp global 221.0.185.204 22 inside 10.10.10.7 22
nat server protocol tcp global 221.0.185.204 ftp inside 10.10.10.7 ftp
nat server protocol tcp global 221.0.185.204 8080 inside 10.10.10.7 8080
nat server protocol tcp global 221.0.185.204 8001 inside 10.10.10.8 22
nat server protocol tcp global 221.0.185.204 81 inside 10.10.10.8 8080
nat server protocol tcp global 221.0.185.204 8085 inside 10.10.10.10 8085
nat server protocol tcp global 221.0.185.204 8086 inside 10.10.10.10 8086
nat server protocol tcp global 221.0.185.204 8087 inside 10.10.10.10 8087
nat server protocol tcp global 221.0.185.204 8088 inside 10.10.10.10 8088
nat server protocol tcp global 221.0.185.204 8089 inside 10.10.10.10 8089
#
interface GigabitEthernet1/1
ip address 10.10.10.1 255.255.255.0
#
- 上一篇:IPMI可能存在的安全隐患及防范措施
- 下一篇:简单的linux提权
相关文章
图文推荐
- 文章
- 推荐
- 热门新闻