FWX120 WAN/DMZ/LAN dual-stack configuration example


FWX120 configuration example

# Circuit type: FLET'S Hikari Next + IPv4 PPPoE (static IP /28) + IPv6 PPPoE (static IP /48)
# Numbers in parentheses after the section headings below are the service group ID scheme

# FWX120 Rev.11.03.02 (Wed Sep 26 10:26:43 2012)
login password *
administrator password *
console columns 200
console lines infinity
ip route default gateway pp 1
ip filter source-route on
ip filter directed-broadcast on
ipv6 rh0 discard on
ipv6 route default gateway pp 2
ipv6 prefix 1 [LAN GUA プレフィックス]/64
ipv6 prefix 2 [LAN ULA プレフィックス]/64

# LAN1 port division
vlan port mapping lan1.2 vlan2
vlan port mapping lan1.3 vlan2
vlan port mapping lan1.4 vlan2
lan type lan1 port-based-option=divide-network

## IP address assignment
# LAN
ip vlan1 address [LAN側FWX120 IPv4アドレス]/24
ip vlan1 rip send on version 2
ip vlan1 rip receive on version 2
ip vlan1 tcp mss limit auto
ipv6 vlan1 address [LAN側FWX120 ULAアドレス]/64
ipv6 vlan1 address [LAN側FWX120 GUAアドレス]/64
ipv6 vlan1 address fe80::1/64
ipv6 vlan1 rtadv send 1 2 o_flag=on
ipv6 vlan1 rip send on
ipv6 vlan1 rip receive on
ipv6 vlan1 mld router version=1,2
ipv6 vlan1 tcp mss limit auto

# DMZ
ip vlan2 address [DMZ側FWX120 IPv4アドレス]/28
ip vlan2 rip send on version 2
ip vlan2 rip receive on version 2
ip vlan2 tcp mss limit auto
ipv6 vlan2 address [DMZ側FWX120 GUAアドレス]/64
ipv6 vlan2 address fe80::1/64
ipv6 vlan2 rip send on
ipv6 vlan2 rip receive on
ipv6 vlan2 tcp mss limit auto

# Block RIP exchange with the NGN
ip lan2 rip send off
ip lan2 rip receive off
ipv6 lan2 rip send off
ipv6 lan2 rip receive off

# IPv4 PPPoE(WAN)
pp select 1
pp always-on on
pppoe use lan2
pppoe auto connect on
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname ID password
ppp lcp mru on 1454
ppp ccp type none
ip pp mtu 1454
ip pp rip send off
ip pp rip receive off
ip pp secure filter out 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1100 1200 1201 1210 1211 1212 1202 1400 1401 1402 1403 1500 1600 1601 1602 1700 1800 1801 1802 1803 2000
ip pp intrusion detection in on reject=on
ip pp intrusion detection out on reject=on
ip pp inbound filter list 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1100 1200 1201 1202 1300 1400 1401 1402 1403 1500 1600 1601 1602 1800 1801 1802 1803 2000
ip pp nat descriptor 1
ip pp tcp mss limit auto
pp enable 1

# IPv6 PPPoE(WAN)
pp select 2
pp always-on on
pppoe use lan2
pppoe auto connect on
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname ID password
ppp ccp type none
ppp ipv6cp use on
ip pp intrusion detection in on reject=on
ip pp intrusion detection out on reject=on
ipv6 pp rip send off
ipv6 pp rip receive off
ipv6 pp secure filter out 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1100 1200 1201 1400 1401 1402 1403 1404 1500 1600 1601 1700 1800 1801 1802 1803 1804 2000
ipv6 pp inbound filter list 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1100 1200 1201 1300 1400 1401 1402 1403 1404 1500 1600 1601 1800 1801 1802 1803 1804 2000
ipv6 pp dhcp service client
ipv6 pp mld host version=1,2
ipv6 pp tcp mss limit auto
pp enable 2

### Site policy filters (outbound)
## Blocked protocols
# IPv4
ip filter 1000 reject * * tcp * 22
ip filter 1001 reject * * tcp 22 *
ip filter 1002 reject * * tcp * telnet
ip filter 1003 reject * * tcp telnet *
ip filter 1004 reject * * tcp * 445
ip filter 1005 reject * * tcp 445 *
ip filter 1006 reject * * tcp * netbios_ns
ip filter 1007 reject * * tcp netbios_ns *
ip filter 1008 reject * * tcp * netbios_dgm
ip filter 1009 reject * * tcp netbios_dgm *
ip filter 1010 reject * * tcp * netbios_ssn
ip filter 1011 reject * * tcp netbios_ssn *
ip filter 1012 reject * * udp * netbios_ns
ip filter 1013 reject * * udp netbios_ns *
ip filter 1014 reject * * udp * netbios_dgm
ip filter 1015 reject * * udp netbios_dgm *
ip filter 1016 reject * * udp * netbios_ssn
ip filter 1017 reject * * udp netbios_ssn *
ip filter 1018 reject * * tcp * 3389
ip filter 1019 reject * * tcp 3389 *
ip filter 1020 reject * * tcp * 1433
ip filter 1021 reject * * tcp 1433 *
ip filter 1022 reject * * tcp * 1434
ip filter 1023 reject * * tcp 1434 *
ip filter 1024 reject * * udp * syslog
ip filter 1025 reject * * udp syslog *
ip filter 1026 reject * * tcp * snmp
ip filter 1027 reject * * tcp snmp *
ip filter 1028 reject * * tcp * snmptrap
ip filter 1029 reject * * tcp snmptrap *
ip filter 1030 reject * * udp * snmp
ip filter 1031 reject * * udp snmp *
ip filter 1032 reject * * udp * snmptrap
ip filter 1033 reject * * udp snmptrap *
# IPv6
ipv6 filter 1000 reject * * tcp * 22
ipv6 filter 1001 reject * * tcp 22 *
ipv6 filter 1002 reject * * tcp * telnet
ipv6 filter 1003 reject * * tcp telnet *
ipv6 filter 1004 reject * * tcp * 445
ipv6 filter 1005 reject * * tcp 445 *
ipv6 filter 1006 reject * * tcp * netbios_ns
ipv6 filter 1007 reject * * tcp netbios_ns *
ipv6 filter 1008 reject * * tcp * netbios_dgm
ipv6 filter 1009 reject * * tcp netbios_dgm *
ipv6 filter 1010 reject * * tcp * netbios_ssn
ipv6 filter 1011 reject * * tcp netbios_ssn *
ipv6 filter 1012 reject * * udp * netbios_ns
ipv6 filter 1013 reject * * udp netbios_ns *
ipv6 filter 1014 reject * * udp * netbios_dgm
ipv6 filter 1015 reject * * udp netbios_dgm *
ipv6 filter 1016 reject * * udp * netbios_ssn
ipv6 filter 1017 reject * * udp netbios_ssn *
ipv6 filter 1018 reject * * tcp * 3389
ipv6 filter 1019 reject * * tcp 3389 *
ipv6 filter 1020 reject * * tcp * 1433
ipv6 filter 1021 reject * * tcp 1433 *
ipv6 filter 1022 reject * * tcp * 1434
ipv6 filter 1023 reject * * tcp 1434 *
ipv6 filter 1024 reject * * udp * syslog
ipv6 filter 1025 reject * * udp syslog *
ipv6 filter 1026 reject * * tcp * snmp
ipv6 filter 1027 reject * * tcp snmp *
ipv6 filter 1028 reject * * tcp * snmptrap
ipv6 filter 1029 reject * * tcp snmptrap *
ipv6 filter 1030 reject * * udp * snmp
ipv6 filter 1031 reject * * udp snmp *
ipv6 filter 1032 reject * * udp * snmptrap
ipv6 filter 1033 reject * * udp snmptrap *

## Source loopback
# IPv4
ip filter 1100 reject 127.0.0.0/8 *
# IPv6
ipv6 filter 1100 reject ::1 *

## Source local addresses
# IPv4
ip filter 1200 reject 10.0.0.0/8 *
ip filter 1201 reject 172.16.0.0/12 *
ip filter 1202 reject 192.168.0.0/16 *
# IPv6
ipv6 filter 1200 reject fc00::/7 *
ipv6 filter 1201 reject ff05::/16 *

## Source local addresses (permitted exceptions)
# IPv4
ip filter 1210 pass 192.168.0.0/24 *
ip filter 1211 pass 192.168.1.0/24 *
ip filter 1212 pass 192.168.2.0/24 *
# IPv6
# Not needed for IPv6 since no NAT is performed

## Source reserved addresses
# IPv4
ip filter 1400 reject 0.0.0.0 *
ip filter 1401 reject 192.0.2.0/24 *
ip filter 1402 reject 198.51.100.0/24 *
ip filter 1403 reject 203.0.113.0/24 *
# IPv6
ipv6 filter 1400 reject :: *
ipv6 filter 1401 reject 2001:db8::/32 *
ipv6 filter 1402 reject 3ffe::/16 *
ipv6 filter 1403 reject 5f00::/8 *
ipv6 filter 1404 reject fec0::/10 *

## Destination loopback
# IPv4
ip filter 1500 reject * 127.0.0.0/8
# IPv6
ipv6 filter 1500 reject * ::1

## Destination local addresses
# IPv4
ip filter 1600 reject * 10.0.0.0/8
ip filter 1601 reject * 172.16.0.0/12
ip filter 1602 reject * 192.168.0.0/16
# IPv6
ipv6 filter 1600 reject * fc00::/7
ipv6 filter 1601 reject * ff05::/16

## Destination own-site global addresses
# IPv4
ip filter 1700 reject * [IPv4 グローバルアドレス]/28
# IPv6
ipv6 filter 1700 reject * [GUA]/48

## Destination reserved addresses
# IPv4
ip filter 1800 reject * 0.0.0.0
ip filter 1801 reject * 192.0.2.0/24
ip filter 1802 reject * 198.51.100.0/24
ip filter 1803 reject * 203.0.113.0/24
# IPv6
ipv6 filter 1800 reject * ::
ipv6 filter 1801 reject * 2001:db8::/32
ipv6 filter 1802 reject * 3ffe::/16
ipv6 filter 1803 reject * 5f00::/8
ipv6 filter 1804 reject * fec0::/10

## Everything else
# IPv4
ip filter 2000 pass * * * * *
# IPv6
ipv6 filter 2000 pass * * * * *

### Site policy filters (inbound)
## Blocked protocols
# IPv4
ip inbound filter 1000 reject-log * * tcp * 22
ip inbound filter 1001 reject-log * * tcp 22 *
ip inbound filter 1002 reject-log * * tcp * telnet
ip inbound filter 1003 reject-log * * tcp telnet *
ip inbound filter 1004 reject-log * * tcp * 445
ip inbound filter 1005 reject-log * * tcp 445 *
ip inbound filter 1006 reject-log * * tcp * netbios_ns
ip inbound filter 1007 reject-log * * tcp netbios_ns *
ip inbound filter 1008 reject-log * * tcp * netbios_dgm
ip inbound filter 1009 reject-log * * tcp netbios_dgm *
ip inbound filter 1010 reject-log * * tcp * netbios_ssn
ip inbound filter 1011 reject-log * * tcp netbios_ssn *
ip inbound filter 1012 reject-log * * udp * netbios_ns
ip inbound filter 1013 reject-log * * udp netbios_ns *
ip inbound filter 1014 reject-log * * udp * netbios_dgm
ip inbound filter 1015 reject-log * * udp netbios_dgm *
ip inbound filter 1016 reject-log * * udp * netbios_ssn
ip inbound filter 1017 reject-log * * udp netbios_ssn *
ip inbound filter 1018 reject-log * * tcp * 3389
ip inbound filter 1019 reject-log * * tcp 3389 *
ip inbound filter 1020 reject-log * * tcp * 1433
ip inbound filter 1021 reject-log * * tcp 1433 *
ip inbound filter 1022 reject-log * * tcp * 1434
ip inbound filter 1023 reject-log * * tcp 1434 *
ip inbound filter 1024 reject-log * * udp * syslog
ip inbound filter 1025 reject-log * * udp syslog *
ip inbound filter 1026 reject-log * * tcp * snmp
ip inbound filter 1027 reject-log * * tcp snmp *
ip inbound filter 1028 reject-log * * tcp * snmptrap
ip inbound filter 1029 reject-log * * tcp snmptrap *
ip inbound filter 1030 reject-log * * udp * snmp
ip inbound filter 1031 reject-log * * udp snmp *
ip inbound filter 1032 reject-log * * udp * snmptrap
ip inbound filter 1033 reject-log * * udp snmptrap *
# IPv6
ipv6 inbound filter 1000 reject-log * * tcp * 22
ipv6 inbound filter 1001 reject-log * * tcp 22 *
ipv6 inbound filter 1002 reject-log * * tcp * telnet
ipv6 inbound filter 1003 reject-log * * tcp telnet *
ipv6 inbound filter 1004 reject-log * * tcp * 445
ipv6 inbound filter 1005 reject-log * * tcp 445 *
ipv6 inbound filter 1006 reject-log * * tcp * netbios_ns
ipv6 inbound filter 1007 reject-log * * tcp netbios_ns *
ipv6 inbound filter 1008 reject-log * * tcp * netbios_dgm
ipv6 inbound filter 1009 reject-log * * tcp netbios_dgm *
ipv6 inbound filter 1010 reject-log * * tcp * netbios_ssn
ipv6 inbound filter 1011 reject-log * * tcp netbios_ssn *
ipv6 inbound filter 1012 reject-log * * udp * netbios_ns
ipv6 inbound filter 1013 reject-log * * udp netbios_ns *
ipv6 inbound filter 1014 reject-log * * udp * netbios_dgm
ipv6 inbound filter 1015 reject-log * * udp netbios_dgm *
ipv6 inbound filter 1016 reject-log * * udp * netbios_ssn
ipv6 inbound filter 1017 reject-log * * udp netbios_ssn *
ipv6 inbound filter 1018 reject-log * * tcp * 3389
ipv6 inbound filter 1019 reject-log * * tcp 3389 *
ipv6 inbound filter 1020 reject-log * * tcp * 1433
ipv6 inbound filter 1021 reject-log * * tcp 1433 *
ipv6 inbound filter 1022 reject-log * * tcp * 1434
ipv6 inbound filter 1023 reject-log * * tcp 1434 *
ipv6 inbound filter 1024 reject-log * * udp * syslog
ipv6 inbound filter 1025 reject-log * * udp syslog *
ipv6 inbound filter 1026 reject-log * * tcp * snmp
ipv6 inbound filter 1027 reject-log * * tcp snmp *
ipv6 inbound filter 1028 reject-log * * tcp * snmptrap
ipv6 inbound filter 1029 reject-log * * tcp snmptrap *
ipv6 inbound filter 1030 reject-log * * udp * snmp
ipv6 inbound filter 1031 reject-log * * udp snmp *
ipv6 inbound filter 1032 reject-log * * udp * snmptrap
ipv6 inbound filter 1033 reject-log * * udp snmptrap *

## Source loopback
# IPv4
ip inbound filter 1100 reject-log 127.0.0.0/8 *
# IPv6
ipv6 inbound filter 1100 reject-log ::1 *

## Source local addresses
# IPv4
ip inbound filter 1200 reject-log 10.0.0.0/8 *
ip inbound filter 1201 reject-log 172.16.0.0/12 *
ip inbound filter 1202 reject-log 192.168.0.0/16 *
# IPv6
ipv6 inbound filter 1200 reject-log fc00::/7 *
ipv6 inbound filter 1201 reject-log ff05::/16 *

## Source own-site global addresses
# IPv4
ip inbound filter 1300 reject-log [IPv4 グローバルアドレス]/28 *
# IPv6
ipv6 inbound filter 1300 reject-log [GUA]/48 *

## Source reserved addresses
# IPv4
ip inbound filter 1400 reject-log 0.0.0.0 *
ip inbound filter 1401 reject-log 192.0.2.0/24 *
ip inbound filter 1402 reject-log 198.51.100.0/24 *
ip inbound filter 1403 reject-log 203.0.113.0/24 *
# IPv6
ipv6 inbound filter 1400 reject-log :: *
ipv6 inbound filter 1401 reject-log 2001:db8::/32 *
ipv6 inbound filter 1402 reject-log 3ffe::/16 *
ipv6 inbound filter 1403 reject-log 5f00::/8 *
ipv6 inbound filter 1404 reject-log fec0::/10 *

## Destination loopback
# IPv4
ip inbound filter 1500 reject-log * 127.0.0.0/8
# IPv6
ipv6 inbound filter 1500 reject-log * ::1

## Destination local addresses
# IPv4
ip inbound filter 1600 reject-log * 10.0.0.0/8
ip inbound filter 1601 reject-log * 172.16.0.0/12
ip inbound filter 1602 reject-log * 192.168.0.0/16
# IPv6
ipv6 inbound filter 1600 reject-log * fc00::/7
ipv6 inbound filter 1601 reject-log * ff05::/16

## Destination reserved addresses
# IPv4
ip inbound filter 1800 reject-log * 0.0.0.0
ip inbound filter 1801 reject-log * 192.0.2.0/24
ip inbound filter 1802 reject-log * 198.51.100.0/24
ip inbound filter 1803 reject-log * 203.0.113.0/24
# IPv6
ipv6 inbound filter 1800 reject-log * ::
ipv6 inbound filter 1801 reject-log * 2001:db8::/32
ipv6 inbound filter 1802 reject-log * 3ffe::/16
ipv6 inbound filter 1803 reject-log * 5f00::/8
ipv6 inbound filter 1804 reject-log * fec0::/10

## Everything else
# IPv4
ip inbound filter 2000 pass-nolog * * * * *
# IPv6
ipv6 inbound filter 2000 pass-nolog * * * * *

#### Segment policy filters
### Interface groups
## PPPoE(WAN)
# IPv4
ip policy interface group 1000 pp1
# IPv6
ipv6 policy interface group 1000 pp2

### Address groups
## Domain controllers
# IPv4
ip policy address group 1000 name=DCs [ドメインコントローラー IPv4アドレス]
# IPv6
ipv6 policy address group 1000 name=DCs [ドメインコントローラーIPv6アドレス]

## Domain members placed in the DMZ
# IPv4
ip policy address group 1010 name=Connect-DC [DMZ 配置ドメインメンバー IPv4アドレス]
# IPv6
ipv6 policy address group 1010 name=Connect-DC [DMZ 配置ドメインメンバーIPv6アドレス]

## RDP permitted
# IPv4
ip policy address group 1020 name=Allow-RDP [RD-Gateway IPv4アドレス]
# IPv6
ipv6 policy address group 1020 name=Allow-RDP [RD-Gateway IPv6アドレス]

### Protocol definitions
## DNS
# IPv4
ip policy service 1000 DNS-udp udp * 53
ip policy service 1001 DNS-tcp tcp * 53
# IPv6
ipv6 policy service 1000 DNS-udp udp * 53
ipv6 policy service 1001 DNS-tcp tcp * 53

## Submission
# IPv4
ip policy service 1010 Submission tcp * 587
# IPv6
ipv6 policy service 1010 Submission tcp * 587

## IMAP4
# IPv4
ip policy service 1020 IMAP4 tcp * 143
# IPv6
ipv6 policy service 1020 IMAP4 tcp * 143

## RDP
# IPv4
ip policy service 1030 RDP tcp * 3389
# IPv6
ipv6 policy service 1030 RDP tcp * 3389

## IPsec-NAT-Traversal
# IPv4
ip policy service 1040 IPsec-NAT udp * 4500
# IPv6
ipv6 policy service 1040 IPsec-NAT udp * 4500

### Segment policies
## Permit ICMP in all directions
# IPv4
ip policy filter 100 static-pass-nolog * * * * icmp
# IPv6
ipv6 policy filter 100 static-pass-nolog * * * * icmpv6

## WAN -> DMZ(100xx)
# IPv4
ip policy service group 10000 name=WANtoDMZ-1 DNS-tcp DNS-udp http https ftp smtp pop3 IMAP4 Submission ike
ip policy service group 10001 name=WANtoDMZ-2 IPsec-NAT esp
ip policy filter 1000 pass-nolog 1000 vlan2 * * 10000
ip policy filter 1001 pass-nolog 1000 vlan2 * * 10001
ip policy filter 1999 reject-log 1000 vlan2 * * *
# IPv6
ipv6 policy service group 10000 name=WANtoDMZ-1 DNS-tcp DNS-udp http https ftp smtp pop3 IMAP4 Submission ike
ipv6 policy service group 10001 name=WANtoDMZ-2 IPsec-NAT esp
ipv6 policy filter 1000 pass-nolog 1000 vlan2 * * 10000
ipv6 policy filter 1001 pass-nolog 1000 vlan2 * * 10001
ipv6 policy filter 1999 reject-log 1000 vlan2 * * *

## DMZ -> WAN(101xx)
# IPv4
ip policy service group 10100 name=DMZtoWAN ntp smtp http https DNS-tcp DNS-udp
ip policy filter 2000 pass-nolog vlan2 1000 * * 10100
# Monitoring
ip policy filter 2001 pass-log vlan2 1000 * * *
ip policy filter 2999 reject-log vlan2 1000 * * *
# IPv6
ipv6 policy service group 10100 name=DMZtoWAN ntp smtp http https DNS-tcp DNS-udp
ipv6 policy filter 2000 pass-nolog vlan2 1000 * * 10100
# Monitoring
ipv6 policy filter 2001 pass-log vlan2 1000 * * *
ipv6 policy filter 2999 reject-log vlan2 1000 * * *

## LAN -> DMZ(103xx)
# IPv4
# Permit domain controller traffic
ip policy filter 3000 static-pass-nolog vlan1 vlan2 1000 1010 *
ip policy filter 3001 pass-nolog vlan1 vlan2 * * *
ip policy filter 3999 reject-log vlan1 vlan2 * * *
# IPv6
# Permit domain controller traffic
ipv6 policy filter 3000 static-pass-nolog vlan1 vlan2 1000 1010 *
ipv6 policy filter 3001 pass-nolog vlan1 vlan2 * * *
ipv6 policy filter 3999 reject-log vlan1 vlan2 * * *

## DMZ -> LAN(104xx)
# Permit domain controller access
# IPv4
ip policy filter 4000 static-pass-nolog vlan2 vlan1 1010 1000 *
# IPv6
ipv6 policy filter 4000 static-pass-nolog vlan2 vlan1 1010 1000 *

# Permit RDP access
# IPv4
ip policy filter 4010 pass-nolog vlan2 vlan1 1020 * RDP
# IPv6
ipv6 policy filter 4010 pass-nolog vlan2 vlan1 1020 * RDP

# Protocols
# IPv4
ip policy service group 10400 name=DMZtoLAN DNS-udp DNS-tcp ntp
ip policy filter 4020 pass-nolog vlan2 vlan1 * * 10400
ip policy filter 4999 reject-log vlan2 vlan1 * * *
# IPv6
ipv6 policy service group 10400 name=DMZtoLAN DNS-udp DNS-tcp ntp
ipv6 policy filter 4020 pass-nolog vlan2 vlan1 * * 10400
ipv6 policy filter 4999 reject-log vlan2 vlan1 * * *

## LAN -> WAN(105xx)
# IPv4
ip policy service group 10500 name=LANtoWAN tcp udp
ip policy filter 5000 pass-nolog vlan1 1000 * * 10500
# Monitoring
ip policy filter 5001 pass-log vlan1 1000 * * *
ip policy filter 5999 reject-log vlan1 1000 * * *
# IPv6
ipv6 policy service group 10500 name=LANtoWAN tcp udp
ipv6 policy filter 5000 pass-nolog vlan1 1000 * * 10500
# Monitoring
ipv6 policy filter 5001 pass-log vlan1 1000 * * *
ipv6 policy filter 5999 reject-log vlan1 1000 * * *

### Policies between the router and each segment
## DMZ -> FWX120(200xx)
# IPv4
ip policy service group 20000 name=DMZtoLOCAL telnet tftp http https
ip policy filter 7000 reject-log vlan2 local * * 20000
ip policy filter 7001 static-pass-nolog vlan2 local * * *
ip policy filter 7099 reject-log vlan2 local * * *
# IPv6
ipv6 policy service group 20000 name=DMZtoLOCAL telnet tftp http https
ipv6 policy filter 7000 reject-log vlan2 local * * 20000
ipv6 policy filter 7001 static-pass-nolog vlan2 local * * *
ipv6 policy filter 7099 reject-log vlan2 local * * *

## FWX120 -> DMZ(201xx)
# IPv4
ip policy filter 7100 static-pass-nolog local vlan2 * * *
ip policy filter 7199 reject-log local vlan2 * * *
# IPv6
ipv6 policy filter 7100 static-pass-nolog local vlan2 * * *
ipv6 policy filter 7199 reject-log local vlan2 * * *

## LAN -> FWX120(202xx)
# IPv4
ip policy filter 7200 static-pass-nolog vlan1 local * * *
ip policy filter 7299 reject-log vlan1 local * * *
# IPv6
ipv6 policy filter 7200 static-pass-nolog vlan1 local * * *
ipv6 policy filter 7299 reject-log vlan1 local * * *

## FWX120 -> LAN(203xx)
# IPv4
ip policy filter 7300 static-pass-nolog local vlan1 * * *
ip policy filter 7399 reject-log local vlan1 * * *
# IPv6
ipv6 policy filter 7300 static-pass-nolog local vlan1 * * *
ipv6 policy filter 7399 reject-log local vlan1 * * *

## FWX120 -> WAN(204xx)
# IPv4
ip policy service group 20400 name=LOCALtoWAN ntp http https
ip policy filter 7400 pass-nolog local 1000 * * 20400
ip policy filter 7499 reject-log local 1000 * * *
# IPv6
ipv6 policy service group 20400 name=LOCALtoWAN ntp http https
ipv6 policy filter 7400 pass-nolog local 1000 * * 20400
# Explicitly permit link-local
ipv6 policy filter 7490 static-pass-nolog local 1000 fe80::/64 * *
ipv6 policy filter 7499 reject-log local 1000 * * *

## WAN -> FWX120(205xx)
# IPv4
ip policy filter 7599 reject-log 1000 local * * *
# IPv6
# Explicitly permit link-local
ipv6 policy filter 7590 static-pass-nolog 1000 local fe80::/64 * *
ipv6 policy filter 7599 reject-log 1000 local * * *

## FWX120 -> FWX120 (internal processing traffic)(300xx)
# IPv4
ip policy filter 9900 pass-nolog local local * * *
# IPv6
ipv6 policy filter 9900 pass-nolog local local * * *

## LAN -> LAN (internal routing)(301xx)
# IPv4
ip policy filter 9910 pass-nolog vlan1 vlan1 * * *
# IPv6
ipv6 policy filter 9910 pass-nolog vlan1 vlan1 * * *

## DMZ -> DMZ (internal routing)(302xx)
# IPv4
ip policy filter 9920 pass-nolog vlan2 vlan2 * * *
# IPv6
ipv6 policy filter 9920 pass-nolog vlan2 vlan2 * * *

## Everything not permitted
# IPv4
ip policy filter 9999 reject-log * * * * *
# IPv6
ipv6 policy filter 9999 reject-log * * * * *

## Policy implementation
# IPv4
ip policy filter set 1000 name=IPv4-Policy 100 1000 1001 1999 2000 2001 2999 3000 3001 3999 4000 4010 4020 4999 5000 5001 5999 7000 7001 7099 7100 7199 7200 7299 7300 7399 7400 7499 7599 9900 9910 9920 9999
ip policy filter set enable 1000
# IPv6
ipv6 policy filter set 1000 name=IPv6-Policy 100 1000 1001 1999 2000 2001 2999 3000 3001 3999 4000 4010 4020 4999 5000 5001 5999 7000 7001 7099 7100 7199 7200 7299 7300 7399 7400 7490 7499 7590 7599 9900 9910 9920 9999
ipv6 policy filter set enable 1000

# NAT44 settings
nat descriptor type 1 nat-masquerade
nat descriptor address outer 1 [FWX120 IPv4 グローバルアドレス]
nat descriptor address inner 1 [FWX120 IPv4 グローバルアドレス] [NAPT対象 IPv4アドレス]

rip use on
ipv6 rip use on
syslog host [syslog サーバー IPアドレス]
syslog notice on
syslog info on
tftp host none
telnetd host vlan1
dns host none
dns server [DNS サーバー IPアドレス]
dns domain [ドメイン名]
schedule at 1 */* *:00 * ntpdate ntp.nict.jp syslog
httpd host vlan1
operation http revision-up permit on
statistics cpu on
statistics memory on
statistics traffic on
statistics flow on
statistics route on
statistics nat on
statistics filter on
statistics qos on
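As an added check that is not part of the original page: a Python script that cross-references a Yamaha config of this shape. Every filter ID named in a `secure filter out`, `inbound filter list` or `policy filter set` line must be defined for the same IP family, no ID should appear twice in one list, and a `policy service group` number must not be defined twice. The config embedded in it is a constructed sample that deliberately contains those three slips; the parser assumes the command forms used on this page and does not check interface or address group references.

```python
"""Cross-reference checker for Yamaha FWX120/RTX-style configs (added example).
Collects the IDs each family (ip / ipv6) defines with `filter`, `inbound filter`,
`policy filter` and `policy service group`, then checks the lines that refer to them."""
import re
from collections import defaultdict

# Constructed sample, not the page's config. It has three slips that are easy
# to make in long ID lists: a repeated filter number, an undefined filter
# number, and a service group number reused for a second group.
SAMPLE = """\
ipv6 filter 1013 reject * * udp netbios_ns *
ipv6 filter 1023 reject * * tcp 1434 *
ipv6 filter 2000 pass * * * * *
ipv6 pp secure filter out 1013 1022 1013 2000
ipv6 policy service group 10100 name=DMZtoWAN ntp smtp http https
ipv6 policy service group 10100 name=DMZtoLAN DNS-udp DNS-tcp ntp
ipv6 policy filter 2000 pass-nolog vlan2 1000 * * 10100
ipv6 policy filter 4020 pass-nolog vlan2 vlan1 * * 10400
ipv6 policy filter 9999 reject-log * * * * *
ipv6 policy filter set 1000 name=IPv6-Policy 2000 4020 4999 9999
"""

DEF_RE = re.compile(
    r"^(ip|ipv6) (filter|inbound filter|policy filter|policy service group) (\d+)\b")
# Reference lines: (kind referenced, regex whose last group is the ID list).
REF_RES = [
    ("filter", re.compile(r"^(ip|ipv6) \S+ secure filter (?:in|out) (.+)$")),
    ("inbound filter", re.compile(r"^(ip|ipv6) \S+ inbound filter list (.+)$")),
    ("policy filter", re.compile(r"^(ip|ipv6) policy filter set \d+ name=\S+ (.+)$")),
]
# A policy filter whose service field is all digits refers to a service group.
SVC_REF_RE = re.compile(r"^(ip|ipv6) policy filter \d+ \S+ \S+ \S+ \S+ \S+ (\d+)$")

def check_config(text):
    """Return human-readable problems; an empty list means the config is consistent."""
    defined = defaultdict(set)   # (family, kind) -> set of defined IDs
    problems, refs = [], []      # refs: (family, kind, [ids], line)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEF_RE.match(line)
        if m:
            fam, kind, num = m.groups()
            if kind == "policy service group" and num in defined[(fam, kind)]:
                problems.append(f"{fam} policy service group {num} defined twice")
            defined[(fam, kind)].add(num)
            svc = SVC_REF_RE.match(line)
            if svc:
                refs.append((fam, "policy service group", [svc.group(2)], line))
            continue
        for kind, pat in REF_RES:
            m = pat.match(line)
            if m:
                refs.append((m.group(1), kind, m.group(2).split(), line))
    for fam, kind, ids, line in refs:   # definitions may follow references, so check last
        seen = set()
        for num in ids:
            if num in seen:
                problems.append(f"{fam} {kind} {num} listed twice in: {line}")
            seen.add(num)
            if num not in defined[(fam, kind)]:
                problems.append(f"{fam} {kind} {num} referenced but not defined in: {line}")
    return problems
```

Run `check_config` over a full `show config` dump before applying it; the page's own lists are long enough that a transposed digit is easy to miss by eye.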

Copyright © MURA All rights reserved.