icg2000配置和解释.doc-

# version 5.20, Test 1705# sysname yichang-wangba# tcp syn-cookie enable tcp anti-naptha enable tcp state closing connection-number 500 tcp state established connection-number 500 tcp state fin-wait-1 connection-number 500 tcp state fin-wait-2 connection-number 500 tcp state last-ack connection-number 500 tcp state syn-received connection-number 500# ipsec cpu-backup enable# firewall enable# nat aging-time tcp 300 nat aging-time udp 180 nat aging-time pptp 300 nat aging-time ftp-ctrl 300# domain default enable system# telnet server enable# qos carl 1 source-ip-address range 192.168.0.1 to 192.168.0.62 per-address qos carl 2 destination-ip-address range 192.168.0.1 to 192.168.0.62 per-address qos carl 3 source-ip-address range 192.168.0.64 to 192.168.0.220 per-address qos carl 4 destination-ip-address range 192.168.0.64 to 192.168.0.220 per-address# mirroring-group 1 local#acl number 2000 rule 5 permit source 192.0.0.0 0.255.255.255 rule 10 deny#acl number 3100 rule 10 deny tcp destination-port eq 445 rule 11 deny udp destination-port eq 445 rule 20 deny tcp destination-port eq 135 rule 21 deny udp destination-port eq 135 rule 30 deny tcp destination-port eq 137 rule 31 deny udp destination-port eq netbios-ns rule 40 deny tcp destination-port eq 138 rule 41 deny udp destination-port eq netbios-dgm rule 50 deny tcp destination-port eq 139 rule 51 deny udp destination-port eq netbios-ssn rule 61 deny udp destination-port eq tftp rule 70 deny tcp destination-port eq 593 rule 80 deny tcp destination-port eq 4444 rule 90 deny tcp destination-port eq 707 rule 100 deny tcp destination-port eq 1433 rule 101 deny udp destination-port eq 1433 rule 110 deny tcp destination-port eq 1434 rule 111 deny udp destination-port eq 1434 rule 120 deny tcp destination-port eq 5554 rule 130 deny tcp destination-port eq 9996 rule 141 deny udp source-port eq bootps rule 160 permit icmp icmp-type echo rule 161 permit icmp icmp-type echo-reply rule 162 permit icmp icmp-type ttl-exceeded rule 165 deny icmp rule 200 deny tcp destination-port eq www rule 202 deny tcp destination-port eq ftp rule 203 deny tcp destination-port eq 22 rule 204 permit tcp destination-port eq telnet rule 2001 permit ip destination 192.0.0.0 0.255.255.255 rule 2002 deny ip#vlan 1#domain system access-limit disable state active idle-cut disable self-service-url disable#user-group system#local-user admin password cipher Da4.B2FTUP61DKDQR.FQ! authorization-attribute level 3 service-type telnet#wlan rrm dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54#cwmp undo cwmp enable#interface Aux0 async mode flow link-protocol ppp#interface Ethernet0/0 port link-mode route firewall packet-filter 3100 inbound nat outbound 2000 nat server protocol tcp global 61.136.223.169 10086 inside 192.168.0.251 10086 nat server protocol tcp global 61.136.223.169 10087 inside 192.168.0.63 10087 nat server protocol tcp global 61.136.223.169 11469 inside 192.168.0.230 11469 nat server protocol tcp global 61.136.223.169 11470 inside 192.168.0.230 11470 ip address 61.136.223.169 255.255.255.224#interface NULL0#interface Vlan-interface1 ip address 192.168.0.254 255.255.255.0 qos car inbound carl 1 cir 2000 cbs 64000 ebs 0 green pass red discard qos car inbound carl 3 cir 2000 cbs 64000 ebs 0 green pass red discard qos car outbound carl 2 cir 3500 cbs 64000 ebs 0 green pass red discard qos car outbound carl 4 cir 3500 cbs 64000 ebs 0 green pass red discard#interface Ethernet0/1 port link-mode bridge mirroring-group 1 mirroring-port both#interface Ethernet0/2 port link-mode bridge#interface Ethernet0/3 port link-mode bridge#interface Ethernet0/4 port link-mode bridge mirroring-group 1 monitor-port#interface WLAN-Radio2/0 shutdown# ip route-static 0.0.0.0 0.0.0.0 61.136.223.161# arp anti-attack active-ack enable arp static 61.136.223.161 0030-8803-673e arp static 192.168.0.171 0019-2159-4361 1 Ethernet0/1 arp static 192.168.0.27 0019-db8c-68ef 1 Ethernet0/1 arp static 192.168.0.41 0019-db8c-5eaa 1 Ethernet0/1 arp static 192.168.0.4 0019-db8c-68e1 1 Ethernet0/1 arp static 192.168.0.203 00e0-4cc1-7756 1 Ethernet0/1 arp static 192.168.0.26 0019-db8c-5db2 1 Ethernet0/1 arp static 192.168.0.251 00f0-4c83-4cc2 1 Ethernet0/1 arp static 192.168.0.43 0019-db8c-6e06 1 Ethernet0/1 arp static 192.168.0.253 00f0-4c84-be2e 1 Ethernet0/1 arp static 192.168.0.3 0019-db83-3481 1 Ethernet0/1 arp static 192.168.0.2 0019-db8c-6931 1 Ethernet0/1 arp static 192.168.0.103 00f0-4c88-6ed6 1 Ethernet0/1 arp static 192.168.0.8 0019-db8c-6437 1 Ethernet0/1 arp static 192.168.0.105 0019-2159-a8db 1 Ethernet0/1 arp static 192.168.