防火墙-3层不通

防火墙作为最外层，在下面情况下，防火墙ping不通3层的地址

即防火墙192.168.0.1 ping 不通 三层192.168.0.2

将防火墙的5口改位二层口后可以正常使用

{

#

interface GigabitEthernet1/0/5

port link-mode bridge

port port link-type trunk 

port trunk permit vlan all

#

vlan 10 

interface Vlan-interface10 

 ip address 192.168.0.1 255.255.255.0

#

security-zone name Trust 

 import interface Vlan-interface10

}

这么配置是可以使用的嘛，外网口是3层模式，内网口是二层模式。

3层：

#

vlan 2 to 10

#

interface Vlan-interface vlan1

 ip address 192.168.1.1 255.255.255.0

dhcp server ip-pool 1 

 network 192.168.1.0 mask 255.255.255.0 

 gateway-list 192.168.1.1 

 dns-list 192.168.1.20 192.168.1.19

#

interface Vlan-interface vlan10

 ip address 192.168.0.2 255.255.255.0

#

interface GigabitEthernet1/0/23

 port link-type trunk 

 port trunk permit vlan all

#

ip route-static 0.0.0.0 0.0.0.0 192.168.0.1

防火墙 :

#

object-group ip address 192.168.0.0 

0 network subnet 192.168.0.0 

255.255.255.0 

# 

object-group ip address 192.168.1.0 

 0 network subnet 192.168.1.0 255.255.255.0

#

interface GigabitEthernet1/0/5 

 port link-mode route 

 ip address 192.168.0.1 255.255.255.0

# 

太多不一一列举，括号的object-policy ip 皆已创建

object-policy ip Any-Any(Local-Trust Local-Untrust Trust-Local Trust-Trust Trust-Untrust Untrust-Local Untrust-Trust)

 rule 0 pass

#

security-zone name Trust 

 import interface GigabitEthernet1/0/5

#

security-zone name Untrust 

 import interface GigabitEthernet1/0/4

#

同上全部创建

zone-pair security source Any destination Any( Local-Trust Local-Untrust Trust-Local Trust-Trust Trust-Untrust Untrust-Local Untrust-Trust )

 object-policy apply ip Any-Any

#

ip route-static 192.168.0.0 24 192.168.0.2

ip route-static 192.168.1.0 24 192.168.0.2

#

acl advanced 3000

 rule 0 permit ip