问题描述:
3层无法ping通防火墙
组网及组网描述:
3层17口trunk测试 测试可ping通192.168.1-5.1
3层23口 port trunk permit vlan all 连接防火墙5口
3层 路由 ip route-static 0.0.0.0 0 192.168.0.1
防火墙路由
ip route-static 0.0.0.0 0 int gi1/0/4 公网网关
ip route-static 192.168.0.0 0 192.168.0.2
防火墙5口加入trust ip addresses 192.168.0.1
最佳答案
防火墙接口默认都属于local域,默认都是拒绝访问的,需要配置安全策略才可以访问
防火墙的安全域有没有配置,放通local到trust,trust到local,以下是配置案例可以参考一下
安全域典型配置举例
1. 组网需求
某公司以Device作为网络边界防火墙,连接公司内部网络和Internet。公司需要对外提供Web服务和FTP服务。现需要在防火墙上部署安全域,并基于以下安全需求进行域间安全控制策略的配置。
· 与接口GigabitEthernet1/0/1相连的公司内部网络属于可信任网络,部署在Trust域,可以自由访问服务器和外部网络。
· 与接口GigabitEthernet1/0/3相连的外部网络属于不可信任网络,部署在Untrust域,访问公司内部网络和服务器时,需要受到严格的域间安全控制策略的限制。
· 与接口GigabitEthernet1/0/2相连的Web server、FTP server部署在DMZ域,可以自由访问处于Untrust域的外部网络,但在访问处于Trust域的公司内部网络时,需要受到严格的域间安全控制策略的限制。
2. 组网图
3. 配置步骤
# 向安全域Trust中添加接口GigabitEthernet1/0/1。
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# 向安全域DMZ中添加接口GigabitEthernet1/0/2。
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/2
[Device-security-zone-DMZ] quit
# 向安全域Untrust中添加接口GigabitEthernet1/0/3。
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/3
[Device-security-zone-Untrust] quit
# 配置ACL 3500,定义规则:允许IP流量。
[Device] acl advanced 3500
[Device-acl-ipv4-adv-3500] rule permit ip
[Device-acl-ipv4-adv-3500] quit
# 创建ASPF策略1,配置检测应用层协议FTP(FTP仅为示例,若要检测其它应用协议,可根据需要配置)。
[Device] aspf policy 1
[Device-aspf-policy-1] detect ftp
[Device-aspf-policy-1] quit
# 创建源安全域Trust到目的安全域Untrust的安全域间实例,并在该安全域间实例上应用ASPF策略和包过滤策略,可以拒绝Untrust域用户对Trust的访问,但Trust域用户访问Untrust域以及返回的报文可以通过。
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-Trust-Untrust] aspf apply policy 1
[Device-zone-pair-security-Trust-Untrust] packet-filter 3500
[Device-zone-pair-security-Trust-Untrust] quit
# 创建源安全域Trust到目的安全域DMZ的安全域间实例,并在该安全域间实例上开启ASPF检测功能,可以拒绝DMZ域用户对Trust的访问,但Trust域用户访问DMZ域以及返回的报文可以通过。
[Device] zone-pair security source trust destination dmz
[Device-zone-pair-security-Trust-DMZ] aspf apply policy 1
[Device-zone-pair-security-Trust-DMZ] packet-filter 3500
[Device-zone-pair-security-Trust-DMZ] quit
- 2020-10-16回答
- 评论(11)
- 举报
-
(0)
lcoal-trust 放通? 我都做了 object-policy ip Any-Any(lcoal-trust lcoal-untrust trust-trust trust-untrust untrust-local untrust-trust)
trust都local也放通一下
漏打了,已经放通了 Trust-Trust(Untrust,local)3个 local-Trust(Untrust)2个 Untrust-Local(Trust)2个 加上一个any-any
对象策略应该也没问题才对,那你接口有没有加入安全域
加入了,4口试外网口加入Untrust 5口试内网口加入Trust
===============防火墙配置==================== # version 7.1.064, Release 9510P06 # sysname H3C # context Admin id 1 # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # password-recovery enable # vlan 1 # object-group ip address 192.168.0.0 0 network subnet 192.168.0.0 255.255.255.0 # object-group ip address 192.168.1.0 0 network subnet 192.168.1.0 255.255.255.0 # object-group ip address 192.168.2.0 0 network subnet 192.168.2.0 255.255.255.0 # object-group ip address 192.168.3.0 0 network subnet 192.168.3.0 255.255.255.0 # object-group ip address 192.168.4.0 0 network subnet 192.168.4.0 255.255.255.0 # object-group ip address 192.168.5.0 0 network subnet 192.168.5.0 255.255.255.0 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route combo enable copper ip address 10.0.0.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route combo enable fiber # interface GigabitEthernet1/0/2 port link-mode route ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet1/0/3 port link-mode route # interface GigabitEthernet1/0/4 port link-mode route ip address xxx.xxx.xxx.xxx 255.255.255.252 # interface GigabitEthernet1/0/5 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # object-policy ip Any-Any rule 0 pass counting # object-policy ip Local-Trust rule 0 pass # object-policy ip Local-Untrust rule 0 pass counting # object-policy ip Trust-Local rule 0 pass # object-policy ip Trust-Trust rule 0 pass # object-policy ip Trust-Untrust rule 0 pass # object-policy ip Untrust-Local rule 0 pass counting # object-policy ip Untrust-Trust rule 0 pass # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/5 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/4 # security-zone name Management import interface GigabitEthernet1/0/0 import interface GigabitEthernet1/0/2 # zone-pair security source Any destination Any object-policy apply ip Any-Any # zone-pair security source Local destination Trust object-policy apply ip Local-Trust # zone-pair security source Local destination Untrust object-policy apply ip Local-Untrust # zone-pair security source Trust destination Local object-policy apply ip Trust-Local # zone-pair security source Trust destination Trust object-policy apply ip Trust-Trust # zone-pair security source Trust destination Untrust object-policy apply ip Trust-Untrust # zone-pair security source Untrust destination Local object-policy apply ip Untrust-Local # zone-pair security source Untrust destination Trust object-policy apply ip Untrust-Trust # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 authentication-mode scheme user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 GigabitEthernet1/0/4 xxx.xxx.xxx.xxx ip route-static 192.168.0.0 24 192.168.0.2 # ssh server enable # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role ..... # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ== service-type ssh terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # ip https enable # return ===================3层配置============================== # version 7.1.070, Release 6113 # sysname H3C # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # dhcp enable dhcp server forbidden-ip 192.168.1.1 192.168.1.50 dhcp server forbidden-ip 192.168.1.245 192.168.1.255 dhcp server forbidden-ip 192.168.2.1 192.168.2.50 dhcp server forbidden-ip 192.168.2.245 192.168.2.255 dhcp server forbidden-ip 192.168.3.1 192.168.3.50 dhcp server forbidden-ip 192.168.3.245 192.168.3.255 dhcp server forbidden-ip 192.168.5.1 192.168.5.50 dhcp server forbidden-ip 192.168.5.245 192.168.5.255 # dns server 192.168.1.20 dns server 192.168.1.19 # lldp global enable # password-recovery enable # vlan 1 # vlan 2 to 5 # vlan 10 # vlan 100 # stp global enable # dhcp server ip-pool vlan1 gateway-list 192.168.1.1 network 192.168.1.0 mask 255.255.255.0 dns-list 192.168.1.20 192.168.1.19 expired day 0 hour 4 # dhcp server ip-pool vlan2 gateway-list 192.168.2.1 network 192.168.2.0 mask 255.255.255.0 dns-list 192.168.1.20 192.168.1.19 expired day 0 hour 4 # dhcp server ip-pool vlan3 gateway-list 192.168.3.1 network 192.168.3.0 mask 255.255.255.0 dns-list 192.168.1.20 192.168.1.19 expired day 0 hour 4 # dhcp server ip-pool vlan4 gateway-list 192.168.4.1 network 192.168.4.0 mask 255.255.255.0 dns-list 192.168.1.20 192.168.1.19 expired day 0 hour 4 # dhcp server ip-pool vlan5 gateway-list 192.168.5.1 network 192.168.5.0 mask 255.255.255.0 dns-list 192.168.1.20 192.168.1.19 expired day 0 hour 4 # interface NULL0 # interface Vlan-interface1 ip address 192.168.1.1 255.255.255.0 # interface Vlan-interface2 ip address 192.168.2.1 255.255.255.0 # interface Vlan-interface3 ip address 192.168.3.1 255.255.255.0 # interface Vlan-interface4 ip address 192.168.4.1 255.255.255.0 # interface Vlan-interface5 ip address 192.168.5.1 255.255.255.0 # interface Vlan-interface10 ip address 192.168.0.2 255.255.255.0 # interface GigabitEthernet1/0/1 # interface GigabitEthernet1/0/2 # interface GigabitEthernet1/0/3 # interface GigabitEthernet1/0/4 # interface GigabitEthernet1/0/5 # interface GigabitEthernet1/0/6 # interface GigabitEthernet1/0/7 # interface GigabitEthernet1/0/8 # interface GigabitEthernet1/0/9 # interface GigabitEthernet1/0/10 # interface GigabitEthernet1/0/11 # interface GigabitEthernet1/0/12 # interface GigabitEthernet1/0/13 # interface GigabitEthernet1/0/14 # interface GigabitEthernet1/0/15 # interface GigabitEthernet1/0/16 # interface GigabitEthernet1/0/17 port link-type trunk port trunk permit vlan all # interface GigabitEthernet1/0/18 # interface GigabitEthernet1/0/19 # interface GigabitEthernet1/0/20 # interface GigabitEthernet1/0/21 # interface GigabitEthernet1/0/22 # interface GigabitEthernet1/0/23 port link-type trunk port trunk permit vlan all # interface GigabitEthernet1/0/24 # interface Ten-GigabitEthernet1/0/25 # interface Ten-GigabitEthernet1/0/26 # interface Ten-GigabitEthernet1/0/27 # interface Ten-GigabitEthernet1/0/28 # scheduler logfile size 16 # line class aux user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line vty 0 4 authentication-mode scheme user-role network-operator # line vty 5 63 user-role network-operator # ip route-static 0.0.0.0 0 192.168.0.1 # radius scheme system user-name-format without-domain # domain system # domain default enable system # role name level-0 description Predefined level-0 role ... # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$IjxMmgGSopGjlRbG$WcY/eo95Lris/wAXBvSMP+Oj3otS0Nw2F5hOU2jmd2QS6QWSCb+6Bo1/+5khmg69CyraZ2lX9xHGO+y4iBblgA== service-type telnet http https terminal authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # ip https enable # return
设备之间互联ip可以相互ping通吗
3层下2台机子嘛,我一个1.55 一个5.51 不通
但是我5.51可以ping通192.168.1.1
ip route-static 192.168.0.0 0 192.168.0.2防火墙上这个路由的掩码写错了吧,写成16位的试试
ip route-static 192.168.0.0 24 192.168.0.2你这里也是24位的掩码,24位表示只有0.0网段,不包含其他网段的路由
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
ip route-static 192.168.0.0 24 192.168.0.2你这里也是24位的掩码,24位表示只有0.0网段,不包含其他网段的路由