F1020 firewall SSL VPN: ran into a tricky problem

Asked on 2021-06-08
  • 0 following
  • 1 favorite, 1188 views
Followers: 0  Following: 0

Problem description:

The client side can log in to iNode and does get an IP address. The internal network it needs to reach is 192.168.9.XXX, with gateway 192.168.9.254. Right now, without connecting through iNode, the gateway can be pinged but the internal server cannot be reached; after connecting through iNode, the gateway can no longer be pinged and the internal server is unreachable as well.

```
#
version 7.1.064, Release 9313P15
#
sysname FW
#
context Admin id 1
#
ip vpn-instance nei
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dhcp enable
#
dns server 61.177.7.1
dns server 223.5.5.5
dns server 114.114.114.114
dns server 61.177.7.1 vpn-instance nei
dns server 223.5.5.5 vpn-instance nei
dns server 114.114.114.114 vpn-instance nei
ip host 22 222.92.222.34
ip host 223 223.5.5.5
ip host 61 61.177.7.1
ip host 61 61.177.7.1 vpn-instance nei
#
password-recovery enable
#
vlan 1
#
object-group ip address 系统服务器
0 network host address 192.168.4.132
#
object-group ip address 公盘
0 network host address 192.168.5.26
#
object-group ip address 金蝶
0 network host address 192.168.4.132
#
object-group ip address 备份盘
0 network host address 192.168.5.88
10 network host address 192.168.5.125
#
object-group ip address scm系统
0 network host address 192.168.9.161
#
object-group service 3360端口
0 service tcp destination eq 3360
10 service tcp
#
object-group service 4433
0 service tcp destination eq 4433
#
object-group service 5000端口
0 service tcp destination eq 5001
10 service tcp destination eq 5000
#
object-group service 8001端口
0 service tcp destination eq 8001
#
object-group service 9001端口
0 service tcp destination eq 9001
#
object-group service 999端口
0 service tcp destination eq 999
#
dhcp server ip-pool 61
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 222.92.222.34 255.255.255.248
nat outbound
nat outbound 2000
nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80
nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389
nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443
nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514
nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636
nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873
nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999
nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194
nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360
nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361
nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000
nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001
nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281
nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690
nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001
nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible
nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514
nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360
nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361
nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001
nat static enable
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
ip address 3.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
ip binding vpn-instance nei
#
interface GigabitEthernet1/0/17
port link-mode route
ip address 192.168.150.2 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface SSLVPN-AC1
ip address 172.168.9.1 255.255.255.0
#
object-policy ip Local-Local
rule 0 pass
#
object-policy ip SSLVPN-Local
rule 0 pass
#
object-policy ip SSLVPN-Trust
rule 0 pass
#
object-policy ip Trust-Trust
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass
#
object-policy ip Untrust-Local
rule 0 pass service 4433
#
object-policy ip Untrust-Trust
rule 5 pass destination-ip 公盘 service 3360端口
rule 6 pass destination-ip 备份盘 service 5000端口
rule 7 pass destination-ip 金蝶 service 8001端口
rule 8 pass destination-ip scm系统 service 999端口
rule 9 pass destination-ip MES系统服务器 service 9001端口
rule 10 pass
#
object-policy ip local-untrust
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/7
import interface GigabitEthernet1/0/8
import interface GigabitEthernet1/0/9
import interface GigabitEthernet1/0/10
import interface GigabitEthernet1/0/11
import interface GigabitEthernet1/0/12
import interface GigabitEthernet1/0/13
import interface GigabitEthernet1/0/14
import interface GigabitEthernet1/0/15
import interface GigabitEthernet1/0/16
import interface GigabitEthernet1/0/17
import interface GigabitEthernet1/0/18
import interface GigabitEthernet1/0/19
import interface GigabitEthernet1/0/20
import interface GigabitEthernet1/0/21
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
import interface NULL0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name 111
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
security-zone name SSLVPNANQUANYU
#
zone-pair security source Local destination Local
object-policy apply ip Local-Local
#
zone-pair security source Local destination Trust
packet-filter 2000
#
zone-pair security source Local destination Untrust
object-policy apply ip local-untrust
packet-filter 2000
#
zone-pair security source SSLVPN destination Local
object-policy apply ip SSLVPN-Local
#
zone-pair security source SSLVPN destination Trust
object-policy apply ip SSLVPN-Trust
#
zone-pair security source Trust destination Local
packet-filter 2000
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
packet-filter 2000
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0
authentication-mode scheme
user-role network-admin
set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw==
#
line vty 1 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 222.92.222.33
ip route-static 192.168.0.0 16 192.168.150.1
#
info-center loghost 1.1.1.1
#
ssh server enable
ssh server acl 2222
#
acl basic 2000
rule 0 permit
#
acl basic 2222
rule 0 permit source 192.168.0.0 0.0.255.255
#
acl advanced 3600
rule 10000 permit ip
#
acl advanced 3999
rule 0 permit ip destination (not sure which IP to put here; removing this line makes no difference either)
rule 5 permit ip destination 0.0.0.0 255.255.255.0
rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg==
service-type ssh telnet http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user liucheng class manage
password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw==
access-limit 5
service-type ftp
service-type ssh telnet terminal http https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role context-admin
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user tianyou001 class network
password cipher $c$3$Hg7GC2ABvCmht0s44PSSxKllPaxd5y3MdvsgiHg=
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group tianyou001
#
local-user tianyou01 class network
password cipher $c$3$U/DZ7zeRirq2ylle++syEUwVK+TGeifvuA9+/w==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
#
ftp server enable
#
ip http enable
ip https enable
#
sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15
#
sslvpn gateway SSLVPN
ip address 222.92.222.34 port 4433
service enable
#
sslvpn context SSLVPN
gateway SSLVPN
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLPOOL mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-route-list NEINEI
  include 192.168.9.0 255.255.255.0
policy-group SSLVPNZIYUAN
  filter ip-tunnel 3999
  ip-tunnel access-route ip-route-list NEINEI
service enable
#
ips policy default
#
anti-virus policy default
#
return
```

Network topology and description:


Best answer

Followers: 22  Following: 11

Change ACL 3999:

```
acl advanced 3999
rule 0 permit ip destination (not sure which IP to put here; removing this line makes no difference either)
rule 5 permit ip destination 0.0.0.0 255.255.255.0
rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
```

Write: rule 0 permit ip destination 192.168.9.0 0.0.0.255

Hello, now the intranet is reachable and the internal servers are reachable too, but the gateway has stopped responding, which I cannot make sense of.

zhiliao_QFwHs, posted 2021-06-08
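The reason the suggested rule works where the original ACL did not comes down to H3C wildcard-mask semantics. The following is an added example, not code from this thread or from H3C: a small Python model of wildcard matching, run over ACL 3999 as posted (without the rule 0 line the asker could not fill in) and over the version containing the rule the best answer recommends. The ACL texts are reconstructed from the thread; the assumption that traffic no rule permits is dropped by the ip-tunnel filter is the example's own, chosen because it is what the symptoms in the thread show. It demonstrates that 0.0.0.0 255.255.255.0 is a wildcard, not a netmask, so it matches only addresses whose last octet is 0 (192.168.9.0, but not .161 or .254), while 192.168.9.0 0.0.0.255 covers the whole /24.

```python
"""Wildcard-mask matching for H3C-style advanced ACL rules (added example,
not code from the thread or from H3C). Shows why the posted
`acl advanced 3999` does not cover the 192.168.9.0/24 hosts behind the
SSL VPN ip-tunnel and why `rule 0 permit ip destination 192.168.9.0 0.0.0.255` does.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# ACL 3999 as posted, minus the rule 0 line the asker could not fill in
# (text reconstructed from the thread for this example).
ORIGINAL_ACL_3999 = """\
acl advanced 3999
 rule 5 permit ip destination 0.0.0.0 255.255.255.0
 rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
"""

# The same ACL with the rule the best answer recommends added.
FIXED_ACL_3999 = """\
acl advanced 3999
 rule 0 permit ip destination 192.168.9.0 0.0.0.255
 rule 5 permit ip destination 0.0.0.0 255.255.255.0
 rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class AclRule:
    rule_id: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol; "ipinip", "tcp", ... are exact
    dst: Optional[int]     # destination address as an int; None means any
    dst_wildcard: int      # H3C wildcard: 0 bit = must match, 1 bit = don't care


RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+destination\s+(\S+)\s+(\S+))?$"
)


def parse_acl(text: str) -> List[AclRule]:
    """Parse the `rule` lines of one ACL; returns rules in ascending ID order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("rule"):
            continue                      # skip the "acl advanced 3999" header
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL rule: {line!r}")
        rid, action, proto, dst, wild = m.groups()
        if dst is None:
            rules.append(AclRule(int(rid), action, proto, None, ALL_ONES))
        else:
            rules.append(AclRule(int(rid), action, proto,
                                 int(ipaddress.IPv4Address(dst)),
                                 int(ipaddress.IPv4Address(wild))))
    return sorted(rules, key=lambda r: r.rule_id)


def rule_matches(rule: AclRule, dst_ip: str, protocol: str) -> bool:
    if rule.protocol != "ip" and rule.protocol != protocol:
        return False
    if rule.dst is None:
        return True
    fixed = ~rule.dst_wildcard & ALL_ONES   # the bits the wildcard forces to match
    return (int(ipaddress.IPv4Address(dst_ip)) & fixed) == (rule.dst & fixed)


def acl_decision(rules: List[AclRule], dst_ip: str, protocol: str = "tcp") -> str:
    """First matching rule wins (config match order, ascending rule ID).
    Assumption for this example: a packet no rule permits is dropped."""
    for rule in rules:
        if rule_matches(rule, dst_ip, protocol):
            return rule.action
    return "deny"


def describe_destination(rule: AclRule) -> str:
    """Human-readable view of what a rule's destination/wildcard pair covers."""
    if rule.dst is None:
        return "any"
    fixed = ~rule.dst_wildcard & ALL_ONES
    if (rule.dst_wildcard + 1) & rule.dst_wildcard == 0:
        # Don't-care bits form a contiguous low-order run: an ordinary prefix.
        prefixlen = 32 - rule.dst_wildcard.bit_length()
        return str(ipaddress.IPv4Network((rule.dst & fixed, prefixlen)))
    return (f"addresses whose fixed bits equal "
            f"{ipaddress.IPv4Address(rule.dst & fixed)} under wildcard "
            f"{ipaddress.IPv4Address(rule.dst_wildcard)} (not a subnet)")


if __name__ == "__main__":
    # Destinations from the thread: the SCM server, the intranet gateway, and .0
    for name, text in (("original", ORIGINAL_ACL_3999), ("fixed", FIXED_ACL_3999)):
        rules = parse_acl(text)
        print(f"--- {name} ACL 3999 ---")
        for r in rules:
            print(f"rule {r.rule_id}: {r.protocol:7s} -> {describe_destination(r)}")
        for ip in ("192.168.9.161", "192.168.9.254", "192.168.9.0"):
            print(f"  tcp to {ip}: {acl_decision(rules, ip)}")
```

Run it directly to print what each rule actually covers and the decision per destination. The same check is worth applying whenever an ACL is used as a tunnel filter: a wildcard that happens to look like a netmask silently turns a rule into one that matches almost nothing, and the failure shows up as an unexplained connectivity gap rather than a configuration error.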
2 answers

Followers: 96  Following: 1

This SSL VPN is presumably being tested from outside over a phone hotspot, right? How are you testing it from the intranet? As for the server being unreachable, check the server's own firewall configuration.



For acl 3999

you can simply write

ru 0 pe ip (permit everything) and try it. The configuration looks fine on review. As long as you can ping 192.168.9.1 after dialing in over a phone hotspot, the firewall is not the issue, and you should troubleshoot further on the intranet.

Followers: 134  Following: 6

Hello, please note:

If you can ping the intranet gateway, the route is reachable.

Turn off the endpoint's system firewall, or allow its inbound/outbound firewall rules, and see whether it goes through.

Then further check whether the firewall's security policies or inter-zone policies impose restrictions.
