The core switch cannot ping the firewall. The routes are configured to permit everything, so it should definitely be reachable. Is the failure to ping the firewall caused by a problem in the firewall configuration?
#
version 7.1.064, Release 9360P28
#
sysname BanGong-FIREWALL
#
clock timezone Beijing add 08:00:00
clock protocol ntp context 1
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
irf auto-merge enable
undo irf link-delay
irf member 1 priority 1
#
nat log enable
nat log flow-begin
nat log flow-end
#
dns server 114.114.115.115
#
lldp global enable
#
ip subscriber access-user log enable successful-login failed-login logout normal abnormal
ipv6 subscriber access-user log enable successful-login failed-login logout normal abnormal
#
password-recovery enable
#
vlan 1
#
nqa template icmp nqa
reaction trigger per-probe
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 255.255.255.224
ip last-hop hold
nat outbound 2000
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 192.168.16.2 255.255.255.252 \\ inside (LAN-facing) interface
nat hairpin enable
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 255.255.255.128
ip last-hop hold
nat outbound 2000
nat hairpin enable
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
security-zone name Management
#
zone-pair security source Local destination Trust
packet-filter 2001
#
zone-pair security source Local destination Untrust
packet-filter 2001
#
zone-pair security source Trust destination Local
packet-filter 2001
#
zone-pair security source Trust destination Untrust
packet-filter 2001
#
zone-pair security source Untrust destination Local
packet-filter 2001
#
zone-pair security source Untrust destination Trust
packet-filter 2001
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role level-15
#
line vty 5 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0
#
customlog format nat unicom
customlog format security-policy sgcc
customlog host source GigabitEthernet1/0/2
#
snmp-agent
snmp-agent local-engineid 800063A2800440A9E7769B00000001
snmp-agent community read cipher $c$3$p7lUaGGoisMi7JCU/Rxz64pDYOYLjkFlY9Irbbw5EA==
snmp-agent community write cipher $c$3$2M0zL0LZ8mRV/c95y9NhjLsoKC5nXIEhPWNKxifcgw==
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 172.20.1.100 params securityname Passw0rd@xt1
#
performance-management
#
ssh server enable
#
ntp-service enable
ntp-service source GigabitEthernet1/0/0
ntp-service unicast-peer version 1
#
acl basic 2000
rule 11 permit source 192.168.16.1 0 \\ this address belongs to the core switch
rule 100 deny
#
acl basic 2001
rule 0 permit
rule 5 permit source 0.0.0.0 0
#
acl basic 2002
rule 0 permit source 0.0.0.0 255.255.0.0
rule 0 comment fw remote manage
#
acl advanced 3002
rule 0 permit ip destination 0
rule 5 permit ip destination 0
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user adm class manage
password hash
service-type ssh telnet terminal http https
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
#
public-key peer 127.0.0.1
public-key-code begin
public-key-code end
peer-public-key end
#
session statistics enable
session log flow-begin
session log flow-end
#
ip http port 103
ip https port 80
ip http enable
ip https enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance link-group china-isp
fail-action reschedule
transparent enable
probe nqa
#
loadbalance link-group cmcc
fail-action reschedule
transparent enable
probe nqa
#
loadbalance class chinanet type link-generic match-any
match 1 isp chinatel
#
loadbalance class cmcc type link-generic match-any
match 1 isp cmcc
#
loadbalance class server type link-generic
match 1 acl 3002
#
loadbalance action chinanet type link-generic
link-group china-isp
fallback-action continue
#
loadbalance action cmcc type link-generic
link-group cmcc
fallback-action continue
#
loadbalance action server type link-generic
forward all
fallback-action continue
#
loadbalance policy 1 type link-generic
class chinanet action chinanet
class cmcc action cmcc
class server action server
#
virtual-server outbound type link-ip
virtual ip address 0.0.0.0 0
lb-policy 1
default link-group cmcc
service enable
#
loadbalance link chinanet-link
router ip
link-group china-isp
probe nqa
#
loadbalance link cmcc-link
router ip
link-group cmcc
probe nqa
#
uapp-control
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return
Topology: core switch 》 inline firewall card 》 Internet behavior management (ACG) 》 firewall
Core switch route: 0.0.0.0 0 <firewall card IP>
Firewall card route: 0.0.0.0 0 <ACG IP>
ACG route: 0.0.0.0 0 <firewall inside-interface IP>
Best answer
Does the ACG have an address? Try pinging hop by hop.
They all have addresses. Core switch to firewall fails; everything else is reachable. The firewall card and the ACG are fully reachable in both directions.
Does the firewall have a return route? Your firewall inside-interface mask is 30 bits, so there can only be two addresses.
There is a return route:
ip route-static 0.0.0.0 0 <WAN IP>
ip route-static 10.0.0.0 8 <core switch IP>
ip route-static 172.*.0.0 16 <core switch IP>
ip route-static 172.*.0.0 16 <core switch IP>
ip route-static 172.*.0.0 16 <core switch IP>
ip route-static 172.*.1.0 24 <core switch IP>
ip route-static 172.*.1.0 24 <core switch IP>
ip route-static 192.*.0.0 16 <core switch IP>
It crosses a subnet, but not really: the core switch and the firewall have the same subnet configured. The firewall is 192.168.16.2, and the core has a matching 192.168.16.1; the firewall's return route points at that address. Pinging from the firewall to the core works, but pinging from the core to the firewall fails, and it also fails when sourced from 192.168.16.1. 192.168.18.2 is the core's firewall card, and it pings the firewall normally. The core switch has two IPs, 192.168.16.1 and 192.168.18.1.
The one-directional ping is to 192.168.16.1; on the core, no address at all can reach the firewall.
Try pointing the route at 18.1. The firewall's next hop points to the ACG, and the ACG points to the card.
Check the firewall's policy; traffic to the Local zone has to be permitted.
The firewall configuration has been posted above; could you check whether anything is wrong?
Allow ping on the interface:
Enter the interface view
manage ping inbound
manage ping outbound
But my ACG and the core switch's firewall card can ping this IP address. Is that related? If ping fails, does that mean it cannot be accessed at all?
The interface does not allow ping.
OK.
Allow ping under interface GigabitEthernet1/0/1. Ping is only the ICMP protocol; it does not affect anything else.
OK.
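The replies above boil down to three static checks on the firewall side: the pinging host must be on-link with (or routed to) the inside interface, the interface's zone needs a zone-pair towards Local, and the interface needs `manage ping inbound`. As an added example (not code from the thread or from H3C), the script below parses a Comware-style config dump and reports which of those conditions a given source address fails. The excerpt it parses is constructed from the posted config with made-up addresses where the thread redacts them; the rules that an interface in no security zone drops traffic by default, and that ping to the firewall's own address needs both the zone-pair and the `manage ping inbound` command, are assumptions taken from the replies, not verified against H3C documentation.

```python
"""Offline sanity checks on an H3C Comware-style firewall config dump.

Added example for the thread above; not code from the forum or from H3C.
Assumptions: config blocks are separated by bare '#' lines; an interface in
no security zone drops traffic by default; ICMP echo to the firewall's own
address needs a '<zone> -> Local' zone-pair and 'manage ping inbound'.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt modelled on the posted config. Addresses on GE1/0/2 and
# GE1/0/3 are invented (the thread redacts them); GE1/0/3 is deliberately
# left out of every zone to show that finding.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 192.168.16.2 255.255.255.252
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 10.0.0.2 255.255.255.128
 manage ping inbound
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address 192.168.30.1 255.255.255.0
 manage ping inbound
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name Untrust
 import interface GigabitEthernet1/0/2
#
zone-pair security source Trust destination Local
 packet-filter 2001
#
zone-pair security source Untrust destination Local
 packet-filter 2001
#
"""


@dataclass
class Interface:
    name: str
    address: Optional[ipaddress.IPv4Interface] = None
    manage_ping_inbound: bool = False


@dataclass
class FirewallConfig:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    zones: Dict[str, Set[str]] = field(default_factory=dict)  # zone -> member interfaces
    zone_pairs: Dict[Tuple[str, str], Optional[str]] = field(default_factory=dict)  # (src, dst) -> acl


def parse_config(text: str) -> FirewallConfig:
    """Extract interfaces, zone membership and zone-pairs from a config dump."""
    cfg = FirewallConfig()
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if head.startswith("interface "):
            iface = Interface(name=head.split(None, 1)[1])
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)", line)  # trailing annotations tolerated
                if m:
                    # ipaddress accepts a dotted-decimal netmask after the slash
                    iface.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
                elif line == "manage ping inbound":
                    iface.manage_ping_inbound = True
            cfg.interfaces[iface.name] = iface
        elif head.startswith("security-zone name "):
            members = cfg.zones.setdefault(head.split()[-1], set())
            for line in body:
                if line.startswith("import interface "):
                    members.add(line.split(None, 2)[2])
        else:
            m = re.match(r"zone-pair security source (\S+) destination (\S+)", head)
            if m:
                acl = next((ln.split()[1] for ln in body if ln.startswith("packet-filter ")), None)
                cfg.zone_pairs[(m.group(1), m.group(2))] = acl
    return cfg


def diagnose_ping(cfg: FirewallConfig, iface_name: str, src_ip: str,
                  local_zone: str = "Local") -> List[str]:
    """Reasons this config would refuse an ICMP echo from src_ip to the address
    of iface_name. An empty list means the config explains no failure."""
    iface = cfg.interfaces.get(iface_name)
    if iface is None or iface.address is None:
        return [f"{iface_name} is missing or has no IP address"]
    findings: List[str] = []
    src = ipaddress.IPv4Address(src_ip)
    net = iface.address.network
    if src not in net:
        findings.append(f"{src} is not on-link with {iface.address}; the reply needs a route back")
    elif src not in set(net.hosts()):
        findings.append(f"{src} is the network or broadcast address of {net}")
    zone = next((z for z, members in cfg.zones.items() if iface_name in members), None)
    if zone is None:
        findings.append(f"{iface_name} is in no security zone, so its traffic is dropped by default")
    elif (zone, local_zone) not in cfg.zone_pairs:
        findings.append(f"no zone-pair {zone} -> {local_zone}, so traffic to the firewall itself is not permitted")
    if not iface.manage_ping_inbound:
        findings.append(f"{iface_name} lacks 'manage ping inbound', so ICMP echo to its address is refused")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for iface, src in [("GigabitEthernet1/0/1", "192.168.16.1"),
                       ("GigabitEthernet1/0/2", "10.0.0.1"),
                       ("GigabitEthernet1/0/3", "192.168.30.2")]:
        print(iface, "<-", src, ":", diagnose_ping(cfg, iface, src) or ["no blocker found"])
```

Run against the constructed excerpt, GE1/0/1 with source 192.168.16.1 reports only the missing `manage ping inbound`, which matches the conclusion the thread reached; the /30 mask is not a problem because .1 and .2 are its two usable hosts. The packet-filter ACL is recorded but not evaluated, since on the posted config ACL 2001 permits everything; a fuller checker would walk the referenced ACL rules as well.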