
[轉貼] Juniper Ns-50設定檔

[轉貼] Juniper Ns-50設定檔

http://mdetw.blogspot.com/2008/06/juniper-ns-50.html

2008年6月25日 星期三

Juniper Ns-50設定檔

以下的設定假設 trust-vr 為內部網路、untrust-vr 為外部網路；內部網路區段為 192.168.1.0，外部網路則為 192.168.10.0。內部介面選用 NAT 模式，外部介面選用 Route 模式，表示所有內部的連線電腦都會由此一轉址防火牆取得 IP；並利用 reserved address 的方式，在內部 IP 中保留一個對應 IP 192.168.1.10 給某一台 MAC 為 000000000000 的電腦。接著在 untrust-vr 區段 (ethernet-3)，將此一內部 host IP（即 192.168.1.10）以 MIP 的方式對應給外部 IP（192.168.10.59），再利用 Policy 設定，讓 untrust-vr 區域的電腦可以透過 MIP「直接」穿過防火牆，與 trust-vr 內的 192.168.1.10 進行連線。

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "帳號"
set admin password "密碼"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 192.168.10.89/24
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage snmp
set interface ethernet1 manage mtrace
set interface vlan1 manage mtrace
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server enable
set interface ethernet1 dhcp server option gateway 192.168.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option dns1 192.168.10.3
set interface ethernet1 dhcp server option dns2 192.168.11.2
set interface ethernet1 dhcp server option dns3 168.95.1.1
set interface ethernet1 dhcp server ip 192.168.1.15 to 192.168.1.250
set interface ethernet1 dhcp server ip 192.168.1.10 mac 000000000000
set interface "ethernet3" mip 192.168.10.88 host 192.168.1.9 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 192.168.10.59 host 192.168.1.10 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain this.is.my.domain
set hostname ns50
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 192.168.10.3
set dns host dns2 192.168.11.2
set dns host schedule 06:28
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol sc-cpa
set cache size 500
exit
set policy id 1 name "All" from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "10.88" from "Untrust" to "Trust" "Any" "MIP(192.168.10.88)" "ANY" permit
set policy id 2
exit
set policy id 3 name "10.59" from "Untrust" to "Trust" "Any" "MIP(192.168.10.59)" "ANY" permit
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3 gateway 192.168.10.254 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

