配置地址转换、端口映射
[yidong_FW]dis current-configuration
# NOTE(review): this is a live running-config dump. It carries password hashes (line vty 0 4 and
# both local-user blocks) plus the device's public addresses; redact those before sharing the output.
#
version 7.1.054, Ess 9308P05
#
sysname yidong_FW
#
context Admin id 1
#
# NOTE(review): Telnet is a cleartext management protocol. No `ssh server enable` appears in this
# dump (only the SSH1 compatibility knob is turned off further down), so CLI management here
# relies on Telnet.
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip unreachables enable
ip ttl-expires enable
#
# DHCP is served for 10.188.0.0/16 (pool 1 below); the excluded addresses include this device's own
# Vlan-interface10 address and the core address named in the GigabitEthernet1/0/1 description.
dhcp enable
dhcp server forbidden-ip 10.188.0.1
dhcp server forbidden-ip 10.188.0.250
dhcp server forbidden-ip 10.188.0.251
dhcp server forbidden-ip 10.188.0.254
#
# NOTE(review): password recovery stays enabled, so anyone with console access can reset local
# credentials; that is a physical-access trade-off to decide deliberately rather than inherit.
password-recovery enable
#
vlan 1
#
vlan 10
description YeWu-Vlan
#
vlan 1100
description waiwang-VLAN
#
vlan-group q
#
# Pool for VLAN 10; the gateway is this device's Vlan-interface10 address.
dhcp server ip-pool 1
gateway-list 10.188.0.1
network 10.188.0.0 mask 255.255.0.0
dns-list 211.138.180.2
#
interface NULL0
#
interface Vlan-interface10
ip address 10.188.0.1 255.255.0.0
#
# Internet-facing L3 interface (imported into Untrust below); the default route's next hop
# 111.39.13.1 is in this subnet. `nat outbound` with no ACL translates every source leaving here.
# The 9080 mapping points at 10.176.211.160, reached via the 10.176.0.0/16 static route below.
interface Vlan-interface1100
ip address 111.39.13.17 255.255.255.0
nat outbound
nat server protocol tcp global 111.39.13.17 9080 inside 10.176.211.160 9080
#
# Management interface (imported into Trust below).
interface GigabitEthernet1/0/0
port link-mode route
description guanli_default
ip address 192.168.0.1 255.255.255.0
#
# NOTE(review): this interface is addressed 120.193.69.50, yet the first nat server below uses the
# global address 111.39.13.17, which belongs to Vlan-interface1100. The interface is also not
# imported into any security-zone in this dump, and the "(NO)" in its description suggests it is
# legacy; confirm whether these mappings are still meant to be active.
interface GigabitEthernet1/0/15
port link-mode route
description TO_waiwang(NO)
ip address 120.193.69.50 255.255.255.0
nat outbound
nat server protocol tcp global 111.39.13.17 1000 inside 192.168.188.2 1000
nat server protocol tcp global 120.193.69.50 8897 inside 192.168.188.2 443
nat server protocol tcp global 120.193.69.50 8898 inside 192.168.188.2 443
nat server protocol tcp global current-interface 1522 inside 192.168.100.244 1522
#
# Internal (Trust) link toward 192.168.188.2, the next hop for the internal prefixes in the
# static routes below.
# NOTE(review): the current-interface 1522 mapping duplicates the one on GigabitEthernet1/0/15, and
# `nat static enable` here pairs with the `nat static outbound 192.168.100.244 10.188.0.1` at the
# end of the dump — see the note there.
interface GigabitEthernet1/0/16
port link-mode route
description TO_wangsheng
ip address 192.168.188.1 255.255.255.0
nat server protocol tcp global current-interface 1522 inside 192.168.100.244 1522
nat static enable
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
# Trunk toward the core switch; carries all VLANs, including VLAN 1100.
interface GigabitEthernet1/0/1
port link-mode bridge
description TO_hexin(10.188.0.254)
port link-type trunk
port trunk permit vlan all
#
# Access ports for the business VLAN 10 (GigabitEthernet1/0/2 through 1/0/14).
interface GigabitEthernet1/0/2
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/3
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/4
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/5
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/6
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/7
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/8
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/9
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/10
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/11
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/12
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/13
port link-mode bridge
description yewu
port access vlan 10
#
interface GigabitEthernet1/0/14
port link-mode bridge
description yewu
port access vlan 10
#
# Second trunk toward the external side, also permitting all VLANs.
interface GigabitEthernet1/0/17
port link-mode bridge
description TO_waiwang
port link-type trunk
port trunk permit vlan all
#
security-zone name Local
#
# Trust: management port, the internal link toward 192.168.188.2, and the business VLAN.
# NOTE(review): GigabitEthernet1/0/15 is in no zone at all; see the note on that interface.
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/16
import interface Vlan-interface10
#
security-zone name DMZ
#
security-zone name Untrust
import interface Vlan-interface1100
#
# NOTE(review): every zone-pair below applies packet-filter 2000, which is `rule 0 permit`
# (acl number 2000 further down). The only restrictive filter, 3000, is attached to pairs whose
# source is Any, Local or Trust; the explicit Untrust->Trust and Untrust->Local pairs carry only
# 2000. Together with the nat server mappings and the Telnet/HTTP services enabled in this dump,
# the Untrust side is effectively unfiltered; confirm that this is intended.
zone-pair security source Any destination Any
#
zone-pair security source Any destination Trust
packet-filter 2000
packet-filter 3000
#
zone-pair security source Any destination Untrust
packet-filter 2000
#
zone-pair security source Local destination Local
packet-filter 2000
#
zone-pair security source Local destination Trust
packet-filter 2000
packet-filter 3000
#
zone-pair security source Local destination Untrust
packet-filter 2000
#
zone-pair security source Trust destination Any
packet-filter 2000
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 2000
packet-filter 3000
#
zone-pair security source Trust destination Trust
packet-filter 2000
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 2000
packet-filter 3000
#
zone-pair security source Untrust destination Any
packet-filter 2000
#
zone-pair security source Untrust destination Local
packet-filter 2000
#
zone-pair security source Untrust destination Trust
packet-filter 2000
#
zone-pair security source Untrust destination Untrust
packet-filter 2000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
# NOTE(review): with `authentication-mode scheme`, login presumably goes through AAA (the
# local-user entries below), so the line password hash here is not the credential normally
# consulted — verify, and treat the hash as sensitive regardless. level-15 / network-admin granted
# at line level is full administrative privilege.
line vty 0 4
authentication-mode scheme
user-role level-15
user-role network-admin
set authentication password hash $h$6$4i9NXPW2m61xwuhC$6EnesAH+D0NghsH6JYr4vvbU5euyTxOQvFs2YNHpzWkQsDRS3yO9b7BDyV5gOQBRfC9MMIoFDBs4LO2AaDDMdQ==
#
line vty 5 63
user-role network-operator
#
# Default route exits via 111.39.13.1 (Vlan-interface1100 subnet); the internal prefixes point to
# 192.168.188.2 behind GigabitEthernet1/0/16. 192.168.0.0/16 overlaps the directly connected
# 192.168.0.0/24 and 192.168.188.0/24; longest-prefix match keeps the connected routes in effect.
ip route-static 0.0.0.0 0 111.39.13.1
ip route-static 10.170.0.0 16 192.168.188.2
ip route-static 10.176.0.0 16 192.168.188.2
ip route-static 10.189.10.0 24 192.168.188.2
ip route-static 59.203.0.0 16 192.168.188.2
ip route-static 59.255.0.0 16 192.168.188.2
ip route-static 192.168.0.0 16 192.168.188.2
#
# SSH1 compatibility is disabled (good); note that SSH itself is not enabled anywhere in this dump.
undo ssh server compatible-ssh1x enable
#
# Permit-all; referenced by every zone-pair above.
acl number 2000
rule 0 permit
#
# NOTE(review): these rules match on *source-port*, i.e. traffic originating from ports
# 445/5554/139/135/tftp/1434. They do not stop connections *to* those services; if the intent was
# to block inbound SMB/RPC/MS-SQL traffic, `destination-port eq ...` matching is what does that —
# confirm the intent before changing.
acl number 3000
rule 0 deny tcp source-port eq 445
rule 1 deny tcp source-port eq 5554
rule 2 deny tcp source-port eq 139
rule 3 deny tcp source-port eq 135
rule 4 deny udp source-port eq tftp
rule 5 deny udp source-port eq 1434
rule 10 permit ip
#
# NOTE(review): Comware ACL rules take a wildcard mask here (1 bits = don't care), so
# 0.0.0.0 255.255.0.0 matches 0.0.x.x rather than "any /16". This ACL is also not referenced
# anywhere in this dump; confirm what it was meant to match.
acl number 3333
rule 1 permit ip source 0.0.0.0 255.255.0.0
#
domain ci
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
# Predefined level-0 .. level-14 roles follow; nothing customised here.
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
# NOTE(review): admin is reachable over Telnet and HTTP (both cleartext) and holds network-admin;
# the level-3 and network-operator roles are subsumed by it. Prefer ssh/https-only service types.
local-user admin class manage
password hash $h$6$7kbkur5EuIwNHNAk$uiUB5DGuK4f1IZljtZkymWENM+1o/7QDmAVzliSVtGViJr0RbnkNFdcIPuGEX+9gViR0Kydemf9EawN77UImWg==
service-type telnet terminal http
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
# NOTE(review): fhq also has Telnet and HTTP alongside HTTPS, with level-15 (full privilege).
local-user fhq class manage
password hash $h$6$ctZDbxRpD1RqXiTA$teeEiphXKQZjCtzU1dqTvkcFRMKERKVdxd+SLOAekZf/ovHH5eKV6fCPh9ctJzA8mkZH2YrzUUA7MSTeyQbYDQ==
service-type telnet http https
authorization-attribute user-role level-15
authorization-attribute user-role network-operator
#
# NOTE(review): 10.188.0.1 is this device's own Vlan-interface10 address (and the VLAN 10 DHCP
# gateway). A static NAT mapping of 192.168.100.244 onto that address looks like an address clash;
# confirm the intended global address.
nat static outbound 192.168.100.244 10.188.0.1
#
# NOTE(review): cleartext HTTP web management on 8899 and HTTPS are both enabled. With packet-filter
# 2000 permitting everything on the Untrust->Local pair, both are reachable from the Untrust side;
# prefer HTTPS only and restrict the management services with an ACL.
ip http port 8899
ip http enable
ip https enable
#
return
最佳答案
您好,请知悉:
是端口映射不出去吗?如果是,以下是排查要点,请参考:
1、检查路由来回路径是否一致。
2、常规端口可能在运营商侧被拦截,可考虑使用非常规端口重新映射。
3、检查是否有安全策略或域间策略给拦截了。
4、调整出口的TCP MSS看下,以下是参考命令:
# NOTE(review): in the dump above, gi 1/0/1 is a bridge-mode trunk described as TO_hexin(10.188.0.254),
# while the default route's next hop 111.39.13.1 lies in Vlan-interface1100's subnet — so the MSS
# clamp presumably belongs on that egress L3 interface; confirm before applying.
int gi 1/0/1
tcp mss 1200
quit
在内网口上开启 nat hairpin enable。