I don't know why, but after configuring the F100-A-G2 (V7) firewall, internal clients can use QQ and WeChat but cannot open web pages. I found that neither the firewall nor the clients can ping the configured local ISP DNS server 61.139.2.69, although both can ping 114.114.114.114. Since there are many clients and all of them have manually configured IP addresses and DNS, is there a temporary way, without changing the clients' DNS setting of 61.139.2.69, to have the firewall translate that DNS address to 114.114.114.114 so that the clients can get online normally?
Configuration file attached; the public IP addresses are hidden.
Best answer
#
version 7.1.064, Release 9313P1901
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dns proxy enable
dns server 61.139.2.69
#
password-recovery enable
#
vlan 1
#
interface Route-Aggregation1
ip address 172.18.6.2 255.255.255.0
undo dhcp select server
#
interface Route-Aggregation2
undo dhcp select server
#
interface Route-Aggregation3
ip address 171.***.***.*** 255.255.255.0
nat outbound 3000
nat outbound 2000
nat server protocol tcp global 171.***.***.*** 3330 inside 172.18.10.3 3330
nat server protocol tcp global 171.***.***.*** 3331 inside 172.18.10.3 3331
nat server protocol tcp global 171.***.***.*** 3334 inside 172.18.10.2 3334
nat server protocol tcp global 171.***.***.*** 3335 inside 172.18.10.2 3335
nat server protocol tcp global 171.***.***.*** 3340 inside 172.18.10.24 8080
nat server protocol tcp global 171.***.***.*** 8081 inside 172.18.10.12 8081
nat server protocol tcp global 171.***.***.*** 8086 inside 172.18.10.12 8086
nat server protocol tcp global 171.***.***.*** 8089 inside 172.18.10.12 8089
nat server protocol tcp global 171.***.***.*** 9990 inside 172.18.10.12 9990
nat server protocol tcp global 171.***.***.*** 9996 inside 172.18.10.12 9996
nat server protocol tcp global 171.***.***.*** 59001 inside 172.18.10.210 5900
nat server protocol tcp global 171.***.***.*** 59002 inside 172.18.10.220 5900
nat server protocol tcp global 171.***.***.*** 59008 inside 172.18.10.8 5900
nat server protocol tcp global 171.***.***.*** 59010 inside 172.18.10.10 5900
nat server protocol tcp global current-interface 8085 inside 172.18.10.12 8085
undo dhcp select server
#
interface Route-Aggregation4
ip address 172.18.8.248 255.255.255.0
undo dhcp select server
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
undo dhcp select server
port link-aggregation group 3
#
interface GigabitEthernet1/0/1
port link-mode route
undo dhcp select server
port link-aggregation group 3
#
interface GigabitEthernet1/0/2
port link-mode route
undo dhcp select server
port link-aggregation group 2
#
interface GigabitEthernet1/0/3
port link-mode route
undo dhcp select server
port link-aggregation group 2
#
interface GigabitEthernet1/0/4
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/5
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/6
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/7
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/8
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/9
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/10
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/11
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/12
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/13
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/14
port link-mode route
undo dhcp select server
port link-aggregation group 4
#
interface GigabitEthernet1/0/15
port link-mode route
undo dhcp select server
port link-aggregation group 4
#
interface GigabitEthernet1/0/16
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/17
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/18
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/19
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/20
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/21
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/22
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/23
port link-mode route
undo dhcp select server
#
object-policy ip Local-Trust
rule 0 pass logging
#
object-policy ip Trust-Local
rule 0 pass logging
#
object-policy ip Trust-Trust
rule 0 pass logging
#
object-policy ip Trust-Untrust
rule 0 pass logging
#
object-policy ip Untrust-Local
rule 0 pass logging
#
object-policy ip Untrust-Trust
rule 0 pass logging
#
security-zone name Local
#
security-zone name Trust
import interface Route-Aggregation1
import interface Route-Aggregation4
#
security-zone name DMZ
#
security-zone name Untrust
import interface Route-Aggregation2
import interface Route-Aggregation3
#
security-zone name Management
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Any
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 171.***.***.1
ip route-static 0.0.0.0 0 172.18.6.1
ip route-static 172.18.0.0 16 172.18.6.1
#
acl basic 2000 match-order auto
step 1
rule 4 permit source 172.18.1.44 0
rule 5 permit source 172.18.1.22 0
rule 6 permit source 172.18.1.8 0
rule 7 permit source 172.18.1.145 0
rule 8 permit source 172.18.1.220 0
rule 9 permit source 172.18.1.221 0
rule 10 permit source 172.18.1.222 0
rule 11 permit source 172.18.1.223 0
rule 12 permit source 172.18.1.224 0
rule 13 permit source 172.18.1.225 0
rule 14 permit source 172.18.1.226 0
rule 15 permit source 172.18.1.227 0
rule 16 permit source 172.18.1.228 0
rule 17 permit source 172.18.1.229 0
rule 18 permit source 172.18.1.231 0
rule 19 permit source 172.18.1.232 0
rule 20 permit source 172.18.1.235 0
rule 21 permit source 172.18.1.236 0
rule 22 permit source 172.18.5.41 0
rule 1 deny source 172.18.1.0 0.0.0.255
rule 2 deny source 172.18.2.0 0.0.0.255
rule 3 deny source 172.18.5.0 0.0.0.255
rule 0 permit source 172.18.0.0 0.0.255.255
#
acl advanced 3000
step 10
rule 0 permit icmp
rule 100 deny tcp destination-port eq telnet counting
rule 300 deny tcp destination-port eq 3389
rule 400 permit tcp destination-port eq 1723
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
ips policy default
#
anti-virus policy default
#
return
There is a Layer 3 switch below the firewall; 172.18.6.2 is the address of the firewall's internal port. All internal clients have manually configured IP addresses in 172.18.***.***. That static route was copied over from the original old firewall, and the old firewall could ping 61.139.2.69 normally; it is being replaced only because it has been in service for so long.
ip route-static 0.0.0.0 0 172.18.6.1 // What is the purpose of this default route pointing to the internal network? With it, the routing table will have two default routes, and packets may be forwarded incorrectly when the firewall looks up the table.
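The answer's point about the two default routes can be checked mechanically. The following Python script is added here and is not part of the original thread: it parses the `interface`/`ip address` and `ip route-static` lines of a config excerpt, reports any prefix configured with more than one next hop together with the interface each next hop exits through, and shows which next hops tie for a given destination such as 61.139.2.69. The masked public addresses are replaced by documentation-range placeholders (203.0.113.x).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the thread's config; the masked public WAN address and
# next hop are replaced by documentation-range placeholders (203.0.113.x).
SAMPLE_CONFIG = """\
interface Route-Aggregation1
 ip address 172.18.6.2 255.255.255.0
interface Route-Aggregation3
 ip address 203.0.113.10 255.255.255.0
ip route-static 0.0.0.0 0 203.0.113.1
ip route-static 0.0.0.0 0 172.18.6.1
ip route-static 172.18.0.0 16 172.18.6.1
"""

ROUTE_RE = re.compile(r"^\s*ip route-static (\S+) (\d+) (\S+)")
IFACE_RE = re.compile(r"^\s*interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")

def parse_config(text):
    """Return (interfaces, routes): name -> IPv4Interface, and [(network, next_hop)]."""
    interfaces, routes, current = {}, [], None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, ipaddress.ip_address(m.group(3))))
    return interfaces, routes

def egress_interface(interfaces, next_hop):
    """Name of the directly connected interface whose subnet contains next_hop."""
    return next((n for n, i in interfaces.items() if next_hop in i.network), None)

def find_conflicting_routes(interfaces, routes):
    """Prefixes with more than one next hop, each tagged with its egress interface."""
    by_prefix = defaultdict(list)
    for net, nh in routes:
        by_prefix[str(net)].append((str(nh), egress_interface(interfaces, nh)))
    return {p: hops for p, hops in by_prefix.items() if len(hops) > 1}

def lookup(routes, dest):
    """Longest-prefix match returning every next hop that ties (ECMP candidates)."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, nh) for net, nh in routes if dest in net]
    best = max((net.prefixlen for net, _ in matches), default=-1)
    return [str(nh) for net, nh in matches if net.prefixlen == best]
```

Running `lookup(routes, "61.139.2.69")` on this excerpt returns both default next hops, which is exactly the ambiguity the answer warns about; once the internal-facing default route is removed, only the WAN next hop remains.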