#
// Device hostname; it is the name shown in the CLI prompt ([H3C]) at the end of this listing.
sysname H3C
#
l2tp enable //enable L2TP
#
// Public address pool 20 (addresses redacted by the author). It is the pool referenced by
// "nat outbound 2000 address-group 20" on Ethernet3/0.
nat address-group 20 x.x.x.x x.x.x.10
// One-to-one static NAT: each inside host below gets its own public address.
// NOTE(review): static mappings normally translate inbound connections too, so these three
// hosts are reachable from outside on every port that ACL 3000 does not deny. Confirm that
// this exposure is intended for each host.
// NOTE(review): "x.x.x3" and "x.x.x5" look like redacted addresses with a missing dot.
nat static 192.168.1.5 x.x.x.2
nat static 192.168.1.4 x.x.x3
nat static 192.168.1.2 x.x.x5
// DNS resolution and the DNS proxy are switched on.
// NOTE(review): nothing in this listing limits which interface the proxy answers on; verify
// that it cannot be used as an open resolver from the uplink.
DNS resolve
DNS-proxy enable
#
// Loads a web package from flash (presumably the web-management UI; confirm).
web set-package force flash:/http.zip
#
radius scheme system
#
// Domain "system"; the address pool for dial-in users is defined under it.
domain system
ip pool 1 192.168.250.2 192.168.250.3 //addresses assigned to clients after they dial in over L2TP
#
// Local accounts used for management logins and for PPP dial-in.
// NOTE(review): three of the four accounts store their password with the "simple" keyword,
// so it is readable in the configuration and in any backup or published copy of it. Each of
// those passwords is also identical to a user name or to the vendor name, which makes it
// trivially guessable. Use the cipher form with unique, strong passwords, and treat every
// credential shown in this listing as disclosed.
local-user admin
password simple huawei
// NOTE(review): Telnet carries the login in clear text; prefer SSH where the platform supports it.
service-type telnet terminal
// Command level 3 (presumably the highest level on this platform; confirm).
level 3
// The same account is also accepted by the FTP server enabled later in this listing.
service-type ftp
local-user caolei
password simple caolei
service-type ppp //create the PPPoE user (a PPP-type account; the PPP service visible in this listing is the L2TP dial-in)
// Second level-3 Telnet account, with the same guessable password as "admin".
local-user huawei
password simple huawei
service-type telnet
level 3
local-user pppoe
// Stored in cipher form.
// NOTE(review): cipher strings from older software may be reversible; confirm for this
// version and treat a published string as a disclosed password.
password cipher (Z9S*/B*+TOQ=^Q`MAF4<1!!
service-type ppp
#
// DHCP pool for the inside LAN: 192.168.1.0/27, with the router's own LAN address as gateway.
dhcp server ip-pool jingliren
network 192.168.1.0 mask 255.255.255.224
gateway-list 192.168.1.1
// DNS servers handed to DHCP clients.
dns-list 202.106.196.115 202.106.0.20
#
// ACL 2000 selects the source addresses that "nat outbound 2000 address-group 20"
// (Ethernet3/0) translates.
acl number 2000
// Inside LAN, 192.168.1.0/27.
rule 0 permit source 192.168.1.0 0.0.0.31
rule 2 permit source 192.168.250.0 0.0.0.31 // NAT for the PPPoE users; with enough public addresses they could be mapped directly instead
// No other source is translated.
rule 3 deny
#
// ACL 3000 is applied inbound on the uplink ("firewall packet-filter 3000 inbound" on
// Ethernet3/0). It denies a short list of destination ports and permits everything else.
// NOTE(review): some rules may not match the traffic they appear to be aimed at. SQL Slammer
// used UDP 1434 and the Blaster shell used TCP 4444, but rule 1 and rule 2 name the other
// protocol. NetBIOS over UDP uses 137/138, while 139 (netbios-ssn) is the TCP session port.
// TCP 445 is not covered. Confirm the intent of each rule.
acl number 3000
rule 0 deny tcp destination-port eq 6667
rule 1 deny tcp destination-port eq 1434
rule 2 deny udp destination-port eq 4444
rule 3 deny tcp destination-port eq 135
rule 4 deny udp destination-port eq 135
rule 5 deny udp destination-port eq netbios-ssn
rule 6 deny tcp destination-port eq 139
// NOTE(review): this final permit lets all other inbound traffic through. That includes
// Telnet, FTP and SNMP to the router itself and every other port on the statically NATed
// hosts. A default-deny policy with explicit permits would be the safer shape.
rule 7 permit ip
#
// PPP template interface bound to the L2TP group ("allow l2tp virtual-template 0").
interface Virtual-Template0
// NOTE(review): PAP sends the user name and password unprotected inside the PPP session, and
// L2TP does not encrypt by itself. No IPsec is visible in this listing, so dial-in credentials
// cross the network in clear text. Prefer CHAP and protect the tunnel.
ppp authentication-mode pap
ip address 192.168.250.1 255.255.255.0 //author's note for this interface: PPP on the virtual interface is set to PAP authentication
#
// LAN-side interface. It carries the inside gateway address and, as a secondary address,
// the public management address.
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.224 //internal (LAN) address
// NOTE(review): a publicly addressed management IP, combined with Telnet/FTP accounts that use
// guessable passwords, exposes the management plane; restrict who can reach it.
ip address X.X.X.10 255.255.255.128 sub //public management address
// Rate limiting in both directions: conforming (green) traffic passes, excess (red) is discarded.
qos car inbound any cir 4096000 cbs 204800 ebs 1000 green pass red discard
qos car outbound any cir 4096000 cbs 204800 ebs 1000 green pass red discard
#
// Ethernet1/1 to Ethernet1/4 carry no configuration in this listing.
interface Ethernet1/1
#
interface Ethernet1/2
#
interface Ethernet1/3
#
interface Ethernet1/4
#
// Uplink interface: the default route's next hop (192.168.249.21) is on this /30.
interface Ethernet3/0
ip address 192.168.249.22 255.255.255.252
// Applies ACL 3000 to packets arriving on the uplink.
// NOTE(review): no "firewall enable" line is visible in this listing; on software where the
// packet filter must be switched on globally, this ACL would not be enforced. Confirm.
firewall packet-filter 3000 inbound
// Activates the "nat static" mappings on this interface.
nat outbound static
// Source NAT for addresses permitted by ACL 2000, using address-group 20.
nat outbound 2000 address-group 20
#
interface Atm2/0
#
interface Virtual-Ethernet0
#
interface NULL0
#
// L2TP group that accepts incoming dial-in sessions on Virtual-Template0.
l2tp-group 1
// NOTE(review): with tunnel authentication off, the tunnel peer is not checked against a
// shared secret; the only remaining check is the PPP user login, which uses PAP here.
// Enable tunnel authentication unless a client genuinely cannot support it.
undo tunnel authentication //turn off tunnel authentication
mandatory-lcp //force LCP negotiation with the dial-in client
// No remote peer name is given on this line, so presumably any peer is accepted; confirm.
allow l2tp virtual-template 0
#
// NOTE(review): FTP sends credentials in clear text, and the "admin" account (level 3,
// password stored as simple) has service-type ftp. Disable the server when it is not needed
// for a file transfer, or restrict who can reach it.
FTP server enable
#
// Excludes 192.168.1.2 through 192.168.1.6 from DHCP assignment; the statically NATed hosts
// (.2, .4, .5) fall inside this range.
dhcp server forbidden-ip 192.168.1.2 192.168.1.6
#
ip route-static 0.0.0.0 0.0.0.0 192.168.249.21 preference 60 //upstream interconnect address
#
// SNMP agent with a single read-only community (value redacted by the author).
// NOTE(review): community-based SNMP sends the community string in clear text, and no ACL is
// attached to it in this listing. Use a non-default string, limit the permitted managers, and
// prefer SNMPv3 where the platform supports it.
snmp-agent
snmp-agent local-engineid 7F00000100002893
snmp-agent community read XXXX
#
// Console line: no settings are shown for it.
user-interface con 0
// Remote login lines 0-4.
// NOTE(review): no ACL is applied to the vty lines in this listing, and ACL 3000 on the uplink
// ends in "permit ip", so Telnet logins appear reachable from outside with the guessable
// local accounts. Restrict the source addresses and use SSH instead of Telnet.
user-interface vty 0 4
// "scheme" authenticates logins by user name and password (the local-user accounts).
authentication-mode scheme
user privilege level 3
#
return
[H3C]