sslvpn能通网关不能访问内网
- 0关注
- 1收藏,1570浏览
问题描述:
客户端那边能登陆inode,也能获取到IP,需要访问的内网是192.168.9.XXX,网关是192.168.9.254,现在ping网关能通,但是ping内网的其他服务器就不通。
var FrameInfo = {};
- #
- version 7.1.064, Release 9313P15
- #
- sysname FW
- #
- context Admin id 1
- #
- ip vpn-instance nei
- #
- telnet server enable
- #
- irf mac-address persistent timer
- irf auto-update enable
- undo irf link-delay
- irf member 1 priority 1
- #
- security-zone intra-zone default permit
- #
- dhcp enable
- #
- dns server 61.177.7.1
- dns server 223.5.5.5
- dns server 114.114.114.114
- dns server 61.177.7.1 vpn-instance nei
- dns server 223.5.5.5 vpn-instance nei
- dns server 114.114.114.114 vpn-instance nei
- ip host 22 222.92.222.34
- ip host 223 223.5.5.5
- ip host 61 61.177.7.1
- ip host 61 61.177.7.1 vpn-instance nei
- #
- password-recovery enable
- #
- vlan 1
- #
- object-group ip address 系统服务器
- 0 network host address 192.168.4.132
- #
- object-group ip address 公盘
- 0 network host address 192.168.5.26
- #
- object-group ip address 金蝶
- 0 network host address 192.168.4.132
- #
- object-group ip address 备份盘
- 0 network host address 192.168.5.88
- 10 network host address 192.168.5.125
- #
- object-group ip address scm系统
- 0 network host address 192.168.9.161
- #
- object-group service 3360端口
- 0 service tcp destination eq 3360
- 10 service tcp
- #
- object-group service 4433
- 0 service tcp destination eq 4433
- #
- object-group service 5000端口
- 0 service tcp destination eq 5001
- 10 service tcp destination eq 5000
- #
- object-group service 8001端口
- 0 service tcp destination eq 8001
- #
- object-group service 9001端口
- 0 service tcp destination eq 9001
- #
- object-group service 999端口
- 0 service tcp destination eq 999
- #
- dhcp server ip-pool 61
- #
- interface NULL0
- #
- interface GigabitEthernet1/0/0
- port link-mode route
- ip address 10.0.0.1 255.255.255.0
- #
- interface GigabitEthernet1/0/1
- port link-mode route
- #
- interface GigabitEthernet1/0/2
- port link-mode route
- ip address 222.92.222.34 255.255.255.248
- nat outbound
- nat outbound 2000
- nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80
- nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389
- nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443
- nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514
- nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636
- nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873
- nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999
- nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194
- nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360
- nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361
- nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000
- nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001
- nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281
- nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690
- nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001
- nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible
- nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514
- nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360
- nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361
- nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001
- nat static enable
- #
- interface GigabitEthernet1/0/3
- port link-mode route
- ip address 10.1.1.1 255.255.255.0
- #
- interface GigabitEthernet1/0/4
- port link-mode route
- #
- interface GigabitEthernet1/0/5
- port link-mode route
- ip address 3.3.3.1 255.255.255.0
- #
- interface GigabitEthernet1/0/6
- port link-mode route
- #
- interface GigabitEthernet1/0/7
- port link-mode route
- #
- interface GigabitEthernet1/0/8
- port link-mode route
- #
- interface GigabitEthernet1/0/9
- port link-mode route
- #
- interface GigabitEthernet1/0/10
- port link-mode route
- #
- interface GigabitEthernet1/0/11
- port link-mode route
- #
- interface GigabitEthernet1/0/12
- port link-mode route
- #
- interface GigabitEthernet1/0/13
- port link-mode route
- #
- interface GigabitEthernet1/0/14
- port link-mode route
- #
- interface GigabitEthernet1/0/15
- port link-mode route
- #
- interface GigabitEthernet1/0/16
- port link-mode route
- ip binding vpn-instance nei
- #
- interface GigabitEthernet1/0/17
- port link-mode route
- ip address 192.168.150.2 255.255.255.0
- nat hairpin enable
- #
- interface GigabitEthernet1/0/18
- port link-mode route
- #
- interface GigabitEthernet1/0/19
- port link-mode route
- #
- interface GigabitEthernet1/0/20
- port link-mode route
- #
- interface GigabitEthernet1/0/21
- port link-mode route
- #
- interface GigabitEthernet1/0/22
- port link-mode route
- #
- interface GigabitEthernet1/0/23
- port link-mode route
- #
- interface SSLVPN-AC1
- ip address 172.168.9.1 255.255.255.0
- #
- object-policy ip Local-Local
- rule 0 pass
- #
- object-policy ip SSLVPN-Local
- rule 0 pass
- #
- object-policy ip SSLVPN-Trust
- rule 0 pass
- #
- object-policy ip Trust-Trust
- rule 0 pass
- #
- object-policy ip Trust-Untrust
- rule 0 pass
- #
- object-policy ip Untrust-Local
- rule 0 pass service 4433
- #
- object-policy ip Untrust-Trust
- rule 5 pass destination-ip 公盘 service 3360端口
- rule 6 pass destination-ip 备份盘 service 5000端口
- rule 7 pass destination-ip 金蝶 service 8001端口
- rule 8 pass destination-ip scm系统 service 999端口
- rule 9 pass destination-ip MES系统服务器 service 9001端口
- rule 10 pass
- #
- object-policy ip local-untrust
- rule 0 pass
- #
- security-zone name Local
- #
- security-zone name Trust
- import interface GigabitEthernet1/0/3
- import interface GigabitEthernet1/0/4
- import interface GigabitEthernet1/0/5
- import interface GigabitEthernet1/0/6
- import interface GigabitEthernet1/0/7
- import interface GigabitEthernet1/0/8
- import interface GigabitEthernet1/0/9
- import interface GigabitEthernet1/0/10
- import interface GigabitEthernet1/0/11
- import interface GigabitEthernet1/0/12
- import interface GigabitEthernet1/0/13
- import interface GigabitEthernet1/0/14
- import interface GigabitEthernet1/0/15
- import interface GigabitEthernet1/0/16
- import interface GigabitEthernet1/0/17
- import interface GigabitEthernet1/0/18
- import interface GigabitEthernet1/0/19
- import interface GigabitEthernet1/0/20
- import interface GigabitEthernet1/0/21
- import interface GigabitEthernet1/0/22
- import interface GigabitEthernet1/0/23
- import interface NULL0
- #
- security-zone name DMZ
- #
- security-zone name Untrust
- import interface GigabitEthernet1/0/1
- import interface GigabitEthernet1/0/2
- #
- security-zone name Management
- import interface GigabitEthernet1/0/0
- #
- security-zone name 111
- #
- security-zone name SSLVPN
- import interface SSLVPN-AC1
- #
- security-zone name SSLVPNANQUANYU
- #
- zone-pair security source Local destination Local
- object-policy apply ip Local-Local
- #
- zone-pair security source Local destination Trust
- packet-filter 2000
- #
- zone-pair security source Local destination Untrust
- object-policy apply ip local-untrust
- packet-filter 2000
- #
- zone-pair security source SSLVPN destination Local
- object-policy apply ip SSLVPN-Local
- #
- zone-pair security source SSLVPN destination Trust
- object-policy apply ip SSLVPN-Trust
- #
- zone-pair security source Trust destination Local
- packet-filter 2000
- #
- zone-pair security source Trust destination Trust
- object-policy apply ip Trust-Trust
- #
- zone-pair security source Trust destination Untrust
- object-policy apply ip Trust-Untrust
- packet-filter 2000
- #
- zone-pair security source Untrust destination Local
- object-policy apply ip Untrust-Local
- #
- zone-pair security source Untrust destination Trust
- object-policy apply ip Untrust-Trust
- #
- scheduler logfile size 16
- #
- line class aux
- user-role network-operator
- #
- line class console
- user-role network-admin
- #
- line class vty
- user-role network-operator
- #
- line aux 0
- user-role network-admin
- #
- line con 0
- user-role network-admin
- #
- line vty 0
- authentication-mode scheme
- user-role network-admin
- set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw==
- #
- line vty 1 63
- authentication-mode scheme
- user-role network-admin
- #
- ip route-static 0.0.0.0 0 222.92.222.33
- ip route-static 192.168.0.0 16 192.168.150.1
- #
- info-center loghost 1.1.1.1
- #
- ssh server enable
- ssh server acl 2222
- #
- acl basic 2000
- rule 0 permit
- #
- acl basic 2222
- rule 0 permit source 192.168.0.0 0.0.255.255
- #
- acl advanced 3600
- rule 10000 permit ip
- #
- acl advanced 3999
- rule 0 permit ip destination 10.10.10.0 0.0.0.255
- rule 5 permit ip destination 0.0.0.0 255.255.255.0
- rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
- #
- domain system
- #
- aaa session-limit ftp 16
- aaa session-limit telnet 16
- aaa session-limit ssh 16
- domain default enable system
- #
- role name level-0
- description Predefined level-0 role
- #
- role name level-1
- description Predefined level-1 role
- #
- role name level-2
- description Predefined level-2 role
- #
- role name level-3
- description Predefined level-3 role
- #
- role name level-4
- description Predefined level-4 role
- #
- role name level-5
- description Predefined level-5 role
- #
- role name level-6
- description Predefined level-6 role
- #
- role name level-7
- description Predefined level-7 role
- #
- role name level-8
- description Predefined level-8 role
- #
- role name level-9
- description Predefined level-9 role
- #
- role name level-10
- description Predefined level-10 role
- #
- role name level-11
- description Predefined level-11 role
- #
- role name level-12
- description Predefined level-12 role
- #
- role name level-13
- description Predefined level-13 role
- #
- role name level-14
- description Predefined level-14 role
- #
- user-group system
- #
- local-user admin class manage
- password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg==
- service-type ssh telnet http https
- authorization-attribute user-role level-3
- authorization-attribute user-role network-admin
- authorization-attribute user-role network-operator
- #
- local-user liucheng class manage
- password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw==
- access-limit 5
- service-type ftp
- service-type ssh telnet terminal http https
- authorization-attribute work-directory slot1#flash:
- authorization-attribute user-role context-admin
- authorization-attribute user-role network-admin
- authorization-attribute user-role network-operator
- #
- local-user tianyou001 class network
- password cipher $c$3$Hg7GC2ABvCmht0s44PSSxKllPaxd5y3MdvsgiHg=
- service-type sslvpn
- authorization-attribute user-role network-operator
- authorization-attribute sslvpn-policy-group tianyou001
- #
- local-user tianyou01 class network
- password cipher $c$3$U/DZ7zeRirq2ylle++syEUwVK+TGeifvuA9+/w==
- service-type sslvpn
- authorization-attribute user-role network-operator
- authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
- #
- ftp server enable
- #
- ip http enable
- ip https enable
- #
- sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15
- #
- sslvpn gateway SSLVPN
- ip address 222.92.222.34 port 4433
- service enable
- #
- sslvpn context SSLVPN
- gateway SSLVPN
- ip-tunnel interface SSLVPN-AC1
- ip-tunnel address-pool SSLPOOL mask 255.255.255.0
- ip-tunnel dns-server primary 114.114.114.114
- ip-route-list NEINEI
- include 192.168.9.0 255.255.255.0
- policy-group SSLVPNZIYUAN
- filter ip-tunnel 3999
- ip-tunnel access-route ip-route-list NEINEI
- service enable
- #
- ips policy default
- #
- anti-virus policy default
- #
- return
组网及组网描述:
- 2021-06-08提问
- 举报
-
(0)
您好,请知:
PING内网网关能通了,说明路由可达了。
关闭终端的系统防火墙或者放通防火墙出入站规则看下是否能通。
其次进一步检查下防火墙的安全策略或域间策略是否有限制。
- 2021-06-08回答
- 评论(2)
- 举报
-
(0)
你好,现在是连inode不能ping通网关,内网上不去,不连inode能ping通网关,内网也上不去
客户端那边能登陆inode,也能获取到IP,需要访问的内网是192.168.9.XXX,网关是192.168.9.254,现在ping网关能通,但是ping内网的其他服务器就不通。 var FrameInfo = {}; # version 7.1.064, Release 9313P15 # sysname FW # context Admin id 1 # ip vpn-instance nei # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # security-zone intra-zone default permit # dhcp enable # dns server 61.177.7.1 dns server 223.5.5.5 dns server 114.114.114.114 dns server 61.177.7.1 vpn-instance nei dns server 223.5.5.5 vpn-instance nei dns server 114.114.114.114 vpn-instance nei ip host 22 222.92.222.34 ip host 223 223.5.5.5 ip host 61 61.177.7.1 ip host 61 61.177.7.1 vpn-instance nei # password-recovery enable # vlan 1 # object-group ip address 系统服务器 0 network host address 192.168.4.132 # object-group ip address 公盘 0 network host address 192.168.5.26 # object-group ip address 金蝶 0 network host address 192.168.4.132 # object-group ip address 备份盘 0 network host address 192.168.5.88 10 network host address 192.168.5.125 # object-group ip address scm系统 0 network host address 192.168.9.161 # object-group service 3360端口 0 service tcp destination eq 3360 10 service tcp # object-group service 4433 0 service tcp destination eq 4433 # object-group service 5000端口 0 service tcp destination eq 5001 10 service tcp destination eq 5000 # object-group service 8001端口 0 service tcp destination eq 8001 # object-group service 9001端口 0 service tcp destination eq 9001 # object-group service 999端口 0 service tcp destination eq 999 # dhcp server ip-pool 61 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route ip address 10.0.0.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route # interface GigabitEthernet1/0/2 port link-mode route ip address 222.92.222.34 255.255.255.248 nat outbound nat outbound 2000 nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80 nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389 nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443 nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514 nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636 nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873 nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999 nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194 nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360 nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361 nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000 nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001 nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281 nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690 nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001 nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514 nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360 nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361 nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001 nat static enable # interface GigabitEthernet1/0/3 port link-mode route ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet1/0/4 port link-mode route # interface GigabitEthernet1/0/5 port link-mode route ip address 3.3.3.1 255.255.255.0 # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/12 port link-mode route # interface GigabitEthernet1/0/13 port link-mode route # interface GigabitEthernet1/0/14 port link-mode route # interface GigabitEthernet1/0/15 port link-mode route # interface GigabitEthernet1/0/16 port link-mode route ip binding vpn-instance nei # interface GigabitEthernet1/0/17 port link-mode route ip address 192.168.150.2 255.255.255.0 nat hairpin enable # interface GigabitEthernet1/0/18 port link-mode route # interface GigabitEthernet1/0/19 port link-mode route # interface GigabitEthernet1/0/20 port link-mode route # interface GigabitEthernet1/0/21 port link-mode route # interface GigabitEthernet1/0/22 port link-mode route # interface GigabitEthernet1/0/23 port link-mode route # interface SSLVPN-AC1 ip address 172.168.9.1 255.255.255.0 # object-policy ip Local-Local rule 0 pass # object-policy ip SSLVPN-Local rule 0 pass # object-policy ip SSLVPN-Trust rule 0 pass # object-policy ip Trust-Trust rule 0 pass # object-policy ip Trust-Untrust rule 0 pass # object-policy ip Untrust-Local rule 0 pass service 4433 # object-policy ip Untrust-Trust rule 5 pass destination-ip 公盘 service 3360端口 rule 6 pass destination-ip 备份盘 service 5000端口 rule 7 pass destination-ip 金蝶 service 8001端口 rule 8 pass destination-ip scm系统 service 999端口 rule 9 pass destination-ip MES系统服务器 service 9001端口 rule 10 pass # object-policy ip local-untrust rule 0 pass # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/3 import interface GigabitEthernet1/0/4 import interface GigabitEthernet1/0/5 import interface GigabitEthernet1/0/6 import interface GigabitEthernet1/0/7 import interface GigabitEthernet1/0/8 import interface GigabitEthernet1/0/9 import interface GigabitEthernet1/0/10 import interface GigabitEthernet1/0/11 import interface GigabitEthernet1/0/12 import interface GigabitEthernet1/0/13 import interface GigabitEthernet1/0/14 import interface GigabitEthernet1/0/15 import interface GigabitEthernet1/0/16 import interface GigabitEthernet1/0/17 import interface GigabitEthernet1/0/18 import interface GigabitEthernet1/0/19 import interface GigabitEthernet1/0/20 import interface GigabitEthernet1/0/21 import interface GigabitEthernet1/0/22 import interface GigabitEthernet1/0/23 import interface NULL0 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/1 import interface GigabitEthernet1/0/2 # security-zone name Management import interface GigabitEthernet1/0/0 # security-zone name 111 # security-zone name SSLVPN import interface SSLVPN-AC1 # security-zone name SSLVPNANQUANYU # zone-pair security source Local destination Local object-policy apply ip Local-Local # zone-pair security source Local destination Trust packet-filter 2000 # zone-pair security source Local destination Untrust object-policy apply ip local-untrust packet-filter 2000 # zone-pair security source SSLVPN destination Local object-policy apply ip SSLVPN-Local # zone-pair security source SSLVPN destination Trust object-policy apply ip SSLVPN-Trust # zone-pair security source Trust destination Local packet-filter 2000 # zone-pair security source Trust destination Trust object-policy apply ip Trust-Trust # zone-pair security source Trust destination Untrust object-policy apply ip Trust-Untrust packet-filter 2000 # zone-pair security source Untrust destination Local object-policy apply ip Untrust-Local # zone-pair security source Untrust destination Trust object-policy apply ip Untrust-Trust # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 user-role network-admin # line vty 0 authentication-mode scheme user-role network-admin set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw== # line vty 1 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 222.92.222.33 ip route-static 192.168.0.0 16 192.168.150.1 # info-center loghost 1.1.1.1 # ssh server enable ssh server acl 2222 # acl basic 2000 rule 0 permit # acl basic 2222 rule 0 permit source 192.168.0.0 0.0.255.255 # acl advanced 3600 rule 10000 permit ip # acl advanced 3999 rule 0 permit ip destination 10.10.10.0 0.0.0.255 rule 5 permit ip destination 0.0.0.0 255.255.255.0 rule 10 permit ipinip destination 0.0.0.0 255.255.255.0 # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg== service-type ssh telnet http https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user liucheng class manage password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw== access-limit 5 service-type ftp service-type ssh telnet terminal http https authorization-attribute work-directory slot1#flash: authorization-attribute user-role context-admin authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user tianyou001 class network password cipher $c$3$Hg7GC2ABvCmht0s44PSSxKllPaxd5y3MdvsgiHg= service-type sslvpn authorization-attribute user-role network-operator authorization-attribute sslvpn-policy-group tianyou001 # local-user tianyou01 class network password cipher $c$3$U/DZ7zeRirq2ylle++syEUwVK+TGeifvuA9+/w== service-type sslvpn authorization-attribute user-role network-operator authorization-attribute sslvpn-policy-group SSLVPNZIYUAN # ftp server enable # ip http enable ip https enable # sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15 # sslvpn gateway SSLVPN ip address 222.92.222.34 port 4433 service enable # sslvpn context SSLVPN gateway SSLVPN ip-tunnel interface SSLVPN-AC1 ip-tunnel address-pool SSLPOOL mask 255.255.255.0 ip-tunnel dns-server primary 114.114.114.114 ip-route-list NEINEI include 192.168.9.0 255.255.255.0 policy-group SSLVPNZIYUAN filter ip-tunnel 3999 ip-tunnel access-route ip-route-list NEINEI service enable # ips policy default # anti-virus policy default # return
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
客户端那边能登陆inode,也能获取到IP,需要访问的内网是192.168.9.XXX,网关是192.168.9.254,现在ping网关能通,但是ping内网的其他服务器就不通。 var FrameInfo = {}; # version 7.1.064, Release 9313P15 # sysname FW # context Admin id 1 # ip vpn-instance nei # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # security-zone intra-zone default permit # dhcp enable # dns server 61.177.7.1 dns server 223.5.5.5 dns server 114.114.114.114 dns server 61.177.7.1 vpn-instance nei dns server 223.5.5.5 vpn-instance nei dns server 114.114.114.114 vpn-instance nei ip host 22 222.92.222.34 ip host 223 223.5.5.5 ip host 61 61.177.7.1 ip host 61 61.177.7.1 vpn-instance nei # password-recovery enable # vlan 1 # object-group ip address 系统服务器 0 network host address 192.168.4.132 # object-group ip address 公盘 0 network host address 192.168.5.26 # object-group ip address 金蝶 0 network host address 192.168.4.132 # object-group ip address 备份盘 0 network host address 192.168.5.88 10 network host address 192.168.5.125 # object-group ip address scm系统 0 network host address 192.168.9.161 # object-group service 3360端口 0 service tcp destination eq 3360 10 service tcp # object-group service 4433 0 service tcp destination eq 4433 # object-group service 5000端口 0 service tcp destination eq 5001 10 service tcp destination eq 5000 # object-group service 8001端口 0 service tcp destination eq 8001 # object-group service 9001端口 0 service tcp destination eq 9001 # object-group service 999端口 0 service tcp destination eq 999 # dhcp server ip-pool 61 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route ip address 10.0.0.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route # interface GigabitEthernet1/0/2 port link-mode route ip address 222.92.222.34 255.255.255.248 nat outbound nat outbound 2000 nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80 nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389 nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443 nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514 nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636 nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873 nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999 nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194 nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360 nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361 nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000 nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001 nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281 nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690 nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001 nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514 nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360 nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361 nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001 nat static enable # interface GigabitEthernet1/0/3 port link-mode route ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet1/0/4 port link-mode route # interface GigabitEthernet1/0/5 port link-mode route ip address 3.3.3.1 255.255.255.0 # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/12 port link-mode route # interface GigabitEthernet1/0/13 port link-mode route # interface GigabitEthernet1/0/14 port link-mode route # interface GigabitEthernet1/0/15 port link-mode route # interface GigabitEthernet1/0/16 port link-mode route ip binding vpn-instance nei # interface GigabitEthernet1/0/17 port link-mode route ip address 192.168.150.2 255.255.255.0 nat hairpin enable # interface GigabitEthernet1/0/18 port link-mode route # interface GigabitEthernet1/0/19 port link-mode route # interface GigabitEthernet1/0/20 port link-mode route # interface GigabitEthernet1/0/21 port link-mode route # interface GigabitEthernet1/0/22 port link-mode route # interface GigabitEthernet1/0/23 port link-mode route # interface SSLVPN-AC1 ip address 172.168.9.1 255.255.255.0 # object-policy ip Local-Local rule 0 pass # object-policy ip SSLVPN-Local rule 0 pass # object-policy ip SSLVPN-Trust rule 0 pass # object-policy ip Trust-Trust rule 0 pass # object-policy ip Trust-Untrust rule 0 pass # object-policy ip Untrust-Local rule 0 pass service 4433 # object-policy ip Untrust-Trust rule 5 pass destination-ip 公盘 service 3360端口 rule 6 pass destination-ip 备份盘 service 5000端口 rule 7 pass destination-ip 金蝶 service 8001端口 rule 8 pass destination-ip scm系统 service 999端口 rule 9 pass destination-ip MES系统服务器 service 9001端口 rule 10 pass # object-policy ip local-untrust rule 0 pass # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/3 import interface GigabitEthernet1/0/4 import interface GigabitEthernet1/0/5 import interface GigabitEthernet1/0/6 import interface GigabitEthernet1/0/7 import interface GigabitEthernet1/0/8 import interface GigabitEthernet1/0/9 import interface GigabitEthernet1/0/10 import interface GigabitEthernet1/0/11 import interface GigabitEthernet1/0/12 import interface GigabitEthernet1/0/13 import interface GigabitEthernet1/0/14 import interface GigabitEthernet1/0/15 import interface GigabitEthernet1/0/16 import interface GigabitEthernet1/0/17 import interface GigabitEthernet1/0/18 import interface GigabitEthernet1/0/19 import interface GigabitEthernet1/0/20 import interface GigabitEthernet1/0/21 import interface GigabitEthernet1/0/22 import interface GigabitEthernet1/0/23 import interface NULL0 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/1 import interface GigabitEthernet1/0/2 # security-zone name Management import interface GigabitEthernet1/0/0 # security-zone name 111 # security-zone name SSLVPN import interface SSLVPN-AC1 # security-zone name SSLVPNANQUANYU # zone-pair security source Local destination Local object-policy apply ip Local-Local # zone-pair security source Local destination Trust packet-filter 2000 # zone-pair security source Local destination Untrust object-policy apply ip local-untrust packet-filter 2000 # zone-pair security source SSLVPN destination Local object-policy apply ip SSLVPN-Local # zone-pair security source SSLVPN destination Trust object-policy apply ip SSLVPN-Trust # zone-pair security source Trust destination Local packet-filter 2000 # zone-pair security source Trust destination Trust object-policy apply ip Trust-Trust # zone-pair security source Trust destination Untrust object-policy apply ip Trust-Untrust packet-filter 2000 # zone-pair security source Untrust destination Local object-policy apply ip Untrust-Local # zone-pair security source Untrust destination Trust object-policy apply ip Untrust-Trust # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 user-role network-admin # line vty 0 authentication-mode scheme user-role network-admin set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw== # line vty 1 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 222.92.222.33 ip route-static 192.168.0.0 16 192.168.150.1 # info-center loghost 1.1.1.1 # ssh server enable ssh server acl 2222 # acl basic 2000 rule 0 permit # acl basic 2222 rule 0 permit source 192.168.0.0 0.0.255.255 # acl advanced 3600 rule 10000 permit ip # acl advanced 3999 rule 0 permit ip destination 10.10.10.0 0.0.0.255 rule 5 permit ip destination 0.0.0.0 255.255.255.0 rule 10 permit ipinip destination 0.0.0.0 255.255.255.0 # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg== service-type ssh telnet http https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user liucheng class manage password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw== access-limit 5 service-type ftp service-type ssh telnet terminal http https authorization-attribute work-directory slot1#flash: authorization-attribute user-role context-admin authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user tianyou001 class network password cipher $c$3$Hg7GC2ABvCmht0s44PSSxKllPaxd5y3MdvsgiHg= service-type sslvpn authorization-attribute user-role network-operator authorization-attribute sslvpn-policy-group tianyou001 # local-user tianyou01 class network password cipher $c$3$U/DZ7zeRirq2ylle++syEUwVK+TGeifvuA9+/w== service-type sslvpn authorization-attribute user-role network-operator authorization-attribute sslvpn-policy-group SSLVPNZIYUAN # ftp server enable # ip http enable ip https enable # sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15 # sslvpn gateway SSLVPN ip address 222.92.222.34 port 4433 service enable # sslvpn context SSLVPN gateway SSLVPN ip-tunnel interface SSLVPN-AC1 ip-tunnel address-pool SSLPOOL mask 255.255.255.0 ip-tunnel dns-server primary 114.114.114.114 ip-route-list NEINEI include 192.168.9.0 255.255.255.0 policy-group SSLVPNZIYUAN filter ip-tunnel 3999 ip-tunnel access-route ip-route-list NEINEI service enable # ips policy default # anti-virus policy default # return