问题描述:
你好,手头有1台F100-S-G V5版本,在配置的时候遇到以下问题:
1、在内网用公网地址+端口访问映射到FW上的资源时,会访问不了,初步分析是NAT回流没配置,但找不到相应V5版本的配置命令;
2、配置SSL VPN了,但访问不了,用 XP 的 ie 访问时会有协议不支持的提醒,是否有解决办法?如适配的客户端?
组网及组网描述:
F100-S-G
comware V5
- 2021-04-12提问
- 举报
-
(0)
最佳答案
您好,请知:
以下是NAT回流和SSL VPN配置关键点,请参考:
SSL VPN IP接入配置关键点:
SSL_VPN:
[SSL_VPN]acl advanced 3000
[SSL_VPN-acl-ipv4-adv-3000]rule 0 permit ip source any
[SSL_VPN-acl-ipv4-adv-3000]quit
[SSL_VPN]sslvpn ip address-pool weijianing 172.16.1.2 172.16.1.254
[SSL_VPN]int SSLVPN-AC 1
[SSL_VPN-SSLVPN-AC1]ip address 172.16.1.1 24
[SSL_VPN-SSLVPN-AC1]quit
[SSL_VPN]sslvpn gateway james
[SSL_VPN-sslvpn-gateway-james]ip address 192.168.200.200
[SSL_VPN-sslvpn-gateway-james]service enable
[SSL_VPN-sslvpn-gateway-james]quit
[SSL_VPN]sslvpn context james
[SSL_VPN-sslvpn-context-james]gateway james
[SSL_VPN-sslvpn-context-james]ip-tunnel address-pool weijianing mask 24
[SSL_VPN-sslvpn-context-james]ip-tunnel interface SSLVPN-AC 1
[SSL_VPN-sslvpn-context-james]ip-route-list james
[SSL_VPN-sslvpn-context-james-route-list-james]include 10.0.0.0 24
[SSL_VPN-sslvpn-context-james-route-list-james]quit
[SSL_VPN-sslvpn-context-james]policy-group ip
[SSL_VPN-sslvpn-context-james-policy-group-ip]filter ip-tunnel acl 3000
[SSL_VPN-sslvpn-context-james-policy-group-ip]ip-tunnel access-route ip-route-list james
[SSL_VPN-sslvpn-context-james-policy-group-ip]quit
[SSL_VPN-sslvpn-context-james]service enable
[SSL_VPN-sslvpn-context-james]quit
[SSL_VPN]local-user weijianing class network
New local user added.
[SSL_VPN-luser-network-weijianing]password simple weijianing
[SSL_VPN-luser-network-weijianing]service-type sslvpn
[SSL_VPN-luser-network-weijianing]authorization-attribute sslvpn-policy-group ip
[SSL_VPN-luser-network-weijianing]quit
[SSL_VPN]security-zone name Untrust
[SSL_VPN-security-zone-Untrust]import interface SSLVPN-AC 1
[SSL_VPN-security-zone-Untrust]quit
NAT回流:
[FW1]int range gi 1/0/3 gi 1/0/5
[FW1-if-range]nat hairpin enable
[FW1-if-range]quit
- 2021-04-12回答
- 评论(1)
- 举报
-
(0)
1、内网接口开启[H3C-GigabitEthernet0/0]nat hairpin
2、用INode拨号看看
- 2021-04-12回答
- 评论(1)
- 举报
-
(0)
1、[H3C-GigabitEthernet0/0]nat hairpin是v7版本的命令,v5不支持 2、INode哪个版本?在没有指引的情况下,安装了iNode PC 7.1(E0308)连接失败
内网口配置nat server和nat outbound
- 2021-04-12回答
- 评论(2)
- 举报
-
(0)
<H3C>dis cu # version 5.20, Release 5142P08 # sysname H3C # l2tp enable # undo voice vlan mac-address 00e0-bb00-0000 # interzone policy default by-priority # nat address-group 1 address 1.1.1.1 1.1.1.2 # domain default enable system # dns server 202.96.209.133 dns server 223.5.5.5 # telnet server enable # port-security enable # ip http port 8300 # undo alg dns undo alg rtsp undo alg h323 undo alg sip undo alg sqlnet undo alg pptp undo alg ils undo alg nbt undo alg msn undo alg qq undo alg tftp undo alg sccp undo alg gtp # password-recovery enable # acl number 3000 description NAT-OUTBOUND rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.30.22.0 0.0.0.255 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 172.30.23.0 0.0.0.255 rule 100 permit ip acl number 3001 description IPSEC-protect-network rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.30.22.0 0.0.0.255 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.30.23.0 0.0.0.255 acl number 3100 description PBR rule 0 permit ip source 192.168.1.20 0 rule 10 permit ip source 192.168.1.25 0 rule 20 permit ip source 192.168.1.21 0 rule 30 permit ip source 192.168.1.22 0 # vlan 1 # domain system authentication ppp local access-limit disable state active idle-cut disable self-service-url disable ip pool 1 192.168.20.2 192.168.20.100 # pki entity en common-name http-server # pki domain default crl check disable # pki domain sslvpn ca identifier CA server certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll certificate request from ca certificate request entity en # ike proposal 1 encryption-algorithm aes-cbc 256 dh group14 sa duration 28800 # ike dpd italy_dpd # ike peer italy_peer proposal 1 pre-shared-key cipher $c$3$A34nHRMX+1jfc2Ibwj03fr+QOXZx0Dgemp9pqVdnazGzmTCe3fSPNup/r7bg4HfaILYW remote-address 85.45.147.254 local-address 101.231.33.78 nat traversal dpd italy_dpd # ipsec transform-set italy_prop encapsulation-mode tunnel transform esp esp authentication-algorithm sha1 esp encryption-algorithm aes-cbc-256 # ipsec policy italy_poli 1 isakmp security acl 3001 pfs dh-group14 ike-peer italy_peer transform-set italy_prop sa duration time-based 3600 # ipsec profile test # dhcp server ip-pool 1 network 192.168.1.0 mask 255.255.255.0 gateway-list 192.168.1.1 dns-list 192.168.1.1 223.5.5.5 # policy-based-route 1 permit node 0 if-match acl 3100 apply output-interface GigabitEthernet0/4 apply ip-address next-hop 101.231.33.77 # user-group system group-attribute allow-guest # local-user admin password cipher $c$3$ePhPLxHC7g4T2EIB2HwvGgwXtGvlN9g0EeHbrA== authorization-attribute level 3 service-type telnet service-type web local-user sihung password cipher $c$3$M80n/2hZC0gnLkJHD1KcLM40XIT2fsqbKQmgQw== authorization-attribute level 2 service-type ppp # ssl server-policy access-policy pki-domain sslvpn # cwmp undo cwmp enable # interface Dialer1 nat outbound link-protocol ppp ppp chap user ad73882058 ppp chap password cipher $c$3$MpOH1fGdU0a4/9FfLwe3Vxm4gHHY3bp6oz2Y ppp pap local-user ad73882058 password cipher $c$3$MW8/4Tr1ewxaP9HXynrFJ5c1Myr6gbCrwZLl ppp ipcp dns request ip address ppp-negotiate dialer user pppoeclient dialer-group 1 dialer bundle 1 # interface NULL0 # interface GigabitEthernet0/0 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet0/1 port link-mode route nat server protocol tcp global 101.231.33.78 5222 inside 192.168.1.20 5222 nat server protocol tcp global 101.231.33.78 8080 inside 192.168.1.20 8080 nat server protocol tcp global 101.231.33.78 8999 inside 192.168.1.20 8999 nat server protocol tcp global 101.231.33.78 7070 inside 192.168.1.20 7070 nat server protocol tcp global 101.231.33.78 20020 inside 192.168.1.21 20020 nat server protocol tcp global 101.231.33.78 20021 inside 192.168.1.21 20021 nat server protocol tcp global 101.231.33.78 20022 inside 192.168.1.21 20022 nat server protocol tcp global 101.231.33.78 6469 inside 192.168.1.21 6469 nat server protocol tcp global 101.231.33.78 10060 inside 192.168.1.21 6469 nat server protocol tcp global 101.231.33.78 20023 inside 192.168.1.21 20023 nat server protocol tcp global 101.231.33.78 20024 inside 192.168.1.21 20024 nat server protocol tcp global 101.231.33.78 22000 inside 192.168.1.21 22000 nat server protocol tcp global 101.231.33.78 20026 inside 192.168.1.22 20026 nat server protocol tcp global 101.231.33.78 20025 inside 192.168.1.22 20025 nat server protocol tcp global 101.231.33.78 21681 inside 192.168.1.25 21681 nat server protocol tcp global 101.231.33.78 www inside 192.168.1.25 www nat server protocol udp global 101.231.33.78 80 inside 192.168.1.25 80 nat server protocol udp global 101.231.33.78 20023 inside 192.168.1.21 20023 ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet0/2 port link-mode route nat outbound 3000 pppoe-client dial-bundle-number 1 # interface GigabitEthernet0/3 port link-mode route # interface GigabitEthernet0/4 port link-mode route nat outbound 3000 nat server protocol tcp global 101.231.33.78 5222 inside 192.168.1.20 5222 nat server protocol tcp global 101.231.33.78 8080 inside 192.168.1.20 8080 nat server protocol tcp global 101.231.33.78 8999 inside 192.168.1.20 8999 nat server protocol tcp global 101.231.33.78 7070 inside 192.168.1.20 7070 nat server protocol tcp global 101.231.33.78 20020 inside 192.168.1.21 20020 nat server protocol tcp global 101.231.33.78 20021 inside 192.168.1.21 20021 nat server protocol tcp global 101.231.33.78 20022 inside 192.168.1.21 20022 nat server protocol tcp global 101.231.33.78 6469 inside 192.168.1.21 6469 nat server protocol tcp global 101.231.33.78 10060 inside 192.168.1.21 6469 nat server protocol tcp global 101.231.33.78 20023 inside 192.168.1.21 20023 nat server protocol tcp global 101.231.33.78 20024 inside 192.168.1.21 20024 nat server protocol tcp global 101.231.33.78 22000 inside 192.168.1.21 22000 nat server protocol tcp global 101.231.33.78 20026 inside 192.168.1.22 20026 nat server protocol tcp global 101.231.33.78 20025 inside 192.168.1.22 20025 nat server protocol tcp global 101.231.33.78 21681 inside 192.168.1.25 21681 nat server protocol tcp global 101.231.33.78 www inside 192.168.1.25 www nat server protocol udp global 101.231.33.78 80 inside 192.168.1.25 80 nat server protocol udp global 101.231.33.78 20023 inside 192.168.1.21 20023 nat server protocol tcp global 101.231.33.78 990 inside 192.168.1.22 990 ip address 101.231.33.78 255.255.255.248 ipsec policy italy_poli # vd Root id 1 # zone name Management id 0 priority 100 import interface GigabitEthernet0/0 zone name Local id 1 priority 100 zone name Trust id 2 priority 85 import interface GigabitEthernet0/1 zone name DMZ id 3 priority 50 zone name Untrust id 4 priority 5 import interface Dialer1 import interface GigabitEthernet0/2 import interface GigabitEthernet0/4 switchto vd Root object network subnet test1 subnet 192.168.1.0 0.0.0.255 object network subnet test2 subnet 172.30.22.0 0.0.0.255 object network subnet test3 subnet 172.30.23.0 0.0.0.255 zone name Management id 0 ip virtual-reassembly zone name Local id 1 ip virtual-reassembly zone name Trust id 2 ip virtual-reassembly zone name DMZ id 3 ip virtual-reassembly zone name Untrust id 4 ip virtual-reassembly interzone source Management destination Local rule 0 permit interzone source Local destination Local rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Local destination Trust rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Local destination Untrust rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Trust destination Local rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Trust destination Trust rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Trust destination Untrust rule 10 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Untrust destination Local rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Untrust destination Trust rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Untrust destination Untrust rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Any destination Any rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable # ssl-vpn server-policy access-policy port 4430 ssl-vpn enable # ip route-static 0.0.0.0 0.0.0.0 101.231.33.77 preference 50 ip route-static 0.0.0.0 0.0.0.0 Dialer1 # snmp-agent snmp-agent local-engineid 800063A203741F4A2D2136 snmp-agent community read sihung snmp-agent sys-info version all # dhcp enable # ip https port 8443 ip https enable # dialer-rule 1 ip permit # load xml-configuration # load tr069-configuration # user-interface con 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return
nat server和nat outbound有配置
1、[H3C-GigabitEthernet0/0]nat hairpin是v7版本的命令,v5不支持
2、INode哪个版本?在没有指引的情况下,安装了iNode PC 7.1(E0308)连接失败
- 2021-04-12回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
nat hairpin enable——是V7的命令,V5无效