Our company keeps getting hit by viruses, so I need to restrict which external ports can reach the internal network. We only have one 2600 router. But once I build the ACL and apply it to the WAN interface, the internal network drops offline and cannot get to the Internet; adding a permit for the internal network segment did not help either. Please help!
Router configuration:
version 5.20, Release 2516P15
#
sysname H3C
#
super password level 3 cipher $c$3$MNVczce7/ATf+y1LbdMbuvKNt6S2PIWi
#
firewall enable
#
domain default enable system
#
dns proxy enable
#
telnet server enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
ip http port 8081
#
password-recovery enable
#
blacklist enable
#
acl number 3001
rule 0 permit tcp destination 192.168.5.127 0 destination-port eq 3389
rule 1 deny ip
acl number 4999
rule 0 deny source-mac fc15-b42d-d4f6 ffff-ffff-ffff
rule 1 permit
#
vlan 1
#
vlan 10
#
vlan 20
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$M9NQfpJE0ql8KUXJQTFr7YMTZ0rSvrcRJF5J2o68
authorization-attribute level 3
service-type telnet
service-type web
#
cwmp
undo cwmp enable
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface NULL0
#
interface Vlan-interface10
ip address 192.168.5.1 255.255.255.0
dhcp server apply ip-pool vlan10
#
interface Vlan-interface20
ip address 192.168.2.1 255.255.255.0
dhcp server apply ip-pool vlan20
#
interface GigabitEthernet0/0
port link-mode route
nat outbound
undo dhcp select server global-pool
ip address dhcp-alloc
#
interface GigabitEthernet0/1
port link-mode route
firewall packet-filter 3001 inbound
nat outbound
nat server 1 protocol tcp global current-interface 7501 inside 192.168.5.127 3389
ip address 1.1.1.1 255.255.255.128
undo dhcp select server global-pool
#
interface GigabitEthernet0/2
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/3
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/4
port link-mode bridge
port access vlan 20
#
interface GigabitEthernet0/5
port link-mode bridge
port access vlan 20
#
interface GigabitEthernet0/6
port link-mode bridge
port access vlan 20
#
interface GigabitEthernet0/7
port link-mode bridge
#
interface GigabitEthernet0/8
port link-mode bridge
#
interface GigabitEthernet0/9
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
ip https port 4431
ip https enable
#
nms primary monitor-interface GigabitEthernet0/1
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher %#!@#$!$@!%^!@$@!%^
#
return
Best answer
My ACL is applied in the direction coming in from the WAN, so what else do I need to add? I can't add permit 192.168.5.0 0.0.0.255, because that would defeat the purpose!! I need to ask the experts here. Also, the firewall's default deny from WAN to LAN does not stop internal users from getting online, so I'm really confused about what is wrong.
Hello, please note:
You can try changing the direction in which the ACL is applied to outbound.
int gi 0/1
firewall packet-filter 3001 outbound