问
F1020防火墙sslvpn遇到个难题了
2021-06-08提问
- 0关注
- 1收藏,1188浏览
问题描述:
客户端那边能登陆inode,也能获取到IP,需要访问的内网是192.168.9.XXX,网关是192.168.9.254,现在不连接inode能够ping通网关,但是不能连接内部服务器,连接inode后网关不能ping通,内部服务器也不通
var FrameInfo = {};
- #
- version 7.1.064, Release 9313P15
- #
- sysname FW
- #
- context Admin id 1
- #
- ip vpn-instance nei
- #
- telnet server enable
- #
- irf mac-address persistent timer
- irf auto-update enable
- undo irf link-delay
- irf member 1 priority 1
- #
- security-zone intra-zone default permit
- #
- dhcp enable
- #
- dns server 61.177.7.1
- dns server 223.5.5.5
- dns server 114.114.114.114
- dns server 61.177.7.1 vpn-instance nei
- dns server 223.5.5.5 vpn-instance nei
- dns server 114.114.114.114 vpn-instance nei
- ip host 22 222.92.222.34
- ip host 223 223.5.5.5
- ip host 61 61.177.7.1
- ip host 61 61.177.7.1 vpn-instance nei
- #
- password-recovery enable
- #
- vlan 1
- #
- object-group ip address 系统服务器
- 0 network host address 192.168.4.132
- #
- object-group ip address 公盘
- 0 network host address 192.168.5.26
- #
- object-group ip address 金蝶
- 0 network host address 192.168.4.132
- #
- object-group ip address 备份盘
- 0 network host address 192.168.5.88
- 10 network host address 192.168.5.125
- #
- object-group ip address scm系统
- 0 network host address 192.168.9.161
- #
- object-group service 3360端口
- 0 service tcp destination eq 3360
- 10 service tcp
- #
- object-group service 4433
- 0 service tcp destination eq 4433
- #
- object-group service 5000端口
- 0 service tcp destination eq 5001
- 10 service tcp destination eq 5000
- #
- object-group service 8001端口
- 0 service tcp destination eq 8001
- #
- object-group service 9001端口
- 0 service tcp destination eq 9001
- #
- object-group service 999端口
- 0 service tcp destination eq 999
- #
- dhcp server ip-pool 61
- #
- interface NULL0
- #
- interface GigabitEthernet1/0/0
- port link-mode route
- ip address 10.0.0.1 255.255.255.0
- #
- interface GigabitEthernet1/0/1
- port link-mode route
- #
- interface GigabitEthernet1/0/2
- port link-mode route
- ip address 222.92.222.34 255.255.255.248
- nat outbound
- nat outbound 2000
- nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80
- nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389
- nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443
- nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514
- nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636
- nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873
- nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999
- nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194
- nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360
- nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361
- nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000
- nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001
- nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281
- nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690
- nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001
- nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible
- nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514
- nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360
- nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361
- nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001
- nat static enable
- #
- interface GigabitEthernet1/0/3
- port link-mode route
- ip address 10.1.1.1 255.255.255.0
- #
- interface GigabitEthernet1/0/4
- port link-mode route
- #
- interface GigabitEthernet1/0/5
- port link-mode route
- ip address 3.3.3.1 255.255.255.0
- #
- interface GigabitEthernet1/0/6
- port link-mode route
- #
- interface GigabitEthernet1/0/7
- port link-mode route
- #
- interface GigabitEthernet1/0/8
- port link-mode route
- #
- interface GigabitEthernet1/0/9
- port link-mode route
- #
- interface GigabitEthernet1/0/10
- port link-mode route
- #
- interface GigabitEthernet1/0/11
- port link-mode route
- #
- interface GigabitEthernet1/0/12
- port link-mode route
- #
- interface GigabitEthernet1/0/13
- port link-mode route
- #
- interface GigabitEthernet1/0/14
- port link-mode route
- #
- interface GigabitEthernet1/0/15
- port link-mode route
- #
- interface GigabitEthernet1/0/16
- port link-mode route
- ip binding vpn-instance nei
- #
- interface GigabitEthernet1/0/17
- port link-mode route
- ip address 192.168.150.2 255.255.255.0
- nat hairpin enable
- #
- interface GigabitEthernet1/0/18
- port link-mode route
- #
- interface GigabitEthernet1/0/19
- port link-mode route
- #
- interface GigabitEthernet1/0/20
- port link-mode route
- #
- interface GigabitEthernet1/0/21
- port link-mode route
- #
- interface GigabitEthernet1/0/22
- port link-mode route
- #
- interface GigabitEthernet1/0/23
- port link-mode route
- #
- interface SSLVPN-AC1
- ip address 172.168.9.1 255.255.255.0
- #
- object-policy ip Local-Local
- rule 0 pass
- #
- object-policy ip SSLVPN-Local
- rule 0 pass
- #
- object-policy ip SSLVPN-Trust
- rule 0 pass
- #
- object-policy ip Trust-Trust
- rule 0 pass
- #
- object-policy ip Trust-Untrust
- rule 0 pass
- #
- object-policy ip Untrust-Local
- rule 0 pass service 4433
- #
- object-policy ip Untrust-Trust
- rule 5 pass destination-ip 公盘 service 3360端口
- rule 6 pass destination-ip 备份盘 service 5000端口
- rule 7 pass destination-ip 金蝶 service 8001端口
- rule 8 pass destination-ip scm系统 service 999端口
- rule 9 pass destination-ip MES系统服务器 service 9001端口
- rule 10 pass
- #
- object-policy ip local-untrust
- rule 0 pass
- #
- security-zone name Local
- #
- security-zone name Trust
- import interface GigabitEthernet1/0/3
- import interface GigabitEthernet1/0/4
- import interface GigabitEthernet1/0/5
- import interface GigabitEthernet1/0/6
- import interface GigabitEthernet1/0/7
- import interface GigabitEthernet1/0/8
- import interface GigabitEthernet1/0/9
- import interface GigabitEthernet1/0/10
- import interface GigabitEthernet1/0/11
- import interface GigabitEthernet1/0/12
- import interface GigabitEthernet1/0/13
- import interface GigabitEthernet1/0/14
- import interface GigabitEthernet1/0/15
- import interface GigabitEthernet1/0/16
- import interface GigabitEthernet1/0/17
- import interface GigabitEthernet1/0/18
- import interface GigabitEthernet1/0/19
- import interface GigabitEthernet1/0/20
- import interface GigabitEthernet1/0/21
- import interface GigabitEthernet1/0/22
- import interface GigabitEthernet1/0/23
- import interface NULL0
- #
- security-zone name DMZ
- #
- security-zone name Untrust
- import interface GigabitEthernet1/0/1
- import interface GigabitEthernet1/0/2
- #
- security-zone name Management
- import interface GigabitEthernet1/0/0
- #
- security-zone name 111
- #
- security-zone name SSLVPN
- import interface SSLVPN-AC1
- #
- security-zone name SSLVPNANQUANYU
- #
- zone-pair security source Local destination Local
- object-policy apply ip Local-Local
- #
- zone-pair security source Local destination Trust
- packet-filter 2000
- #
- zone-pair security source Local destination Untrust
- object-policy apply ip local-untrust
- packet-filter 2000
- #
- zone-pair security source SSLVPN destination Local
- object-policy apply ip SSLVPN-Local
- #
- zone-pair security source SSLVPN destination Trust
- object-policy apply ip SSLVPN-Trust
- #
- zone-pair security source Trust destination Local
- packet-filter 2000
- #
- zone-pair security source Trust destination Trust
- object-policy apply ip Trust-Trust
- #
- zone-pair security source Trust destination Untrust
- object-policy apply ip Trust-Untrust
- packet-filter 2000
- #
- zone-pair security source Untrust destination Local
- object-policy apply ip Untrust-Local
- #
- zone-pair security source Untrust destination Trust
- object-policy apply ip Untrust-Trust
- #
- scheduler logfile size 16
- #
- line class aux
- user-role network-operator
- #
- line class console
- user-role network-admin
- #
- line class vty
- user-role network-operator
- #
- line aux 0
- user-role network-admin
- #
- line con 0
- user-role network-admin
- #
- line vty 0
- authentication-mode scheme
- user-role network-admin
- set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw==
- #
- line vty 1 63
- authentication-mode scheme
- user-role network-admin
- #
- ip route-static 0.0.0.0 0 222.92.222.33
- ip route-static 192.168.0.0 16 192.168.150.1
- #
- info-center loghost 1.1.1.1
- #
- ssh server enable
- ssh server acl 2222
- #
- acl basic 2000
- rule 0 permit
- #
- acl basic 2222
- rule 0 permit source 192.168.0.0 0.0.255.255
- #
- acl advanced 3600
- rule 10000 permit ip
- #
- acl advanced 3999
- rule 0 permit ip destination (这里不知道填哪个IP,并且这条命令删除后也是一样的)
- rule 5 permit ip destination 0.0.0.0 255.255.255.0
- rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
- #
- domain system
- #
- aaa session-limit ftp 16
- aaa session-limit telnet 16
- aaa session-limit ssh 16
- domain default enable system
- #
- role name level-0
- description Predefined level-0 role
- #
- role name level-1
- description Predefined level-1 role
- #
- role name level-2
- description Predefined level-2 role
- #
- role name level-3
- description Predefined level-3 role
- #
- role name level-4
- description Predefined level-4 role
- #
- role name level-5
- description Predefined level-5 role
- #
- role name level-6
- description Predefined level-6 role
- #
- role name level-7
- description Predefined level-7 role
- #
- role name level-8
- description Predefined level-8 role
- #
- role name level-9
- description Predefined level-9 role
- #
- role name level-10
- description Predefined level-10 role
- #
- role name level-11
- description Predefined level-11 role
- #
- role name level-12
- description Predefined level-12 role
- #
- role name level-13
- description Predefined level-13 role
- #
- role name level-14
- description Predefined level-14 role
- #
- user-group system
- #
- local-user admin class manage
- password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg==
- service-type ssh telnet http https
- authorization-attribute user-role level-3
- authorization-attribute user-role network-admin
- authorization-attribute user-role network-operator
- #
- local-user liucheng class manage
- password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw==
- access-limit 5
- service-type ftp
- service-type ssh telnet terminal http https
- authorization-attribute work-directory slot1#flash:
- authorization-attribute user-role context-admin
- authorization-attribute user-role network-admin
- authorization-attribute user-role network-operator
- #
- local-user tianyou001 class network
- password cipher $c$3$Hg7GC2ABvCmht0s44PSSxKllPaxd5y3MdvsgiHg=
- service-type sslvpn
- authorization-attribute user-role network-operator
- authorization-attribute sslvpn-policy-group tianyou001
- #
- local-user tianyou01 class network
- password cipher $c$3$U/DZ7zeRirq2ylle++syEUwVK+TGeifvuA9+/w==
- service-type sslvpn
- authorization-attribute user-role network-operator
- authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
- #
- ftp server enable
- #
- ip http enable
- ip https enable
- #
- sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15
- #
- sslvpn gateway SSLVPN
- ip address 222.92.222.34 port 4433
- service enable
- #
- sslvpn context SSLVPN
- gateway SSLVPN
- ip-tunnel interface SSLVPN-AC1
- ip-tunnel address-pool SSLPOOL mask 255.255.255.0
- ip-tunnel dns-server primary 114.114.114.114
- ip-route-list NEINEI
- include 192.168.9.0 255.255.255.0
- policy-group SSLVPNZIYUAN
- filter ip-tunnel 3999
- ip-tunnel access-route ip-route-list NEINEI
- service enable
- #
- ips policy default
- #
- anti-virus policy default
- #
- return
组网及组网描述:
- 2021-06-08提问
- 举报
-
(0)
最佳答案
vlan划分50一次
九段
acl 3999改下
- acl advanced 3999
- rule 0 permit ip destination (这里不知道填哪个IP,并且这条命令删除后也是一样的)
- rule 5 permit ip destination 0.0.0.0 255.255.255.0
- rule 10 permit ipinip destination 0.0.0.0 255.255.255.0
写个rule 0 permit ip destination 192.168.9.0 0.0.0.255
- 2021-06-08回答
- 评论(1)
- 举报
-
(0)
这个sslvpn应该是手机开热点在外网测试吧,怎么在内网测试呢,另外不通服务器,可以检查一下服务器的防火墙配置。
acl 3999
可以直接写
ru 0 pe ip 全允许试试看,配置看下来没什么问题,只要手机开热点拨入以后可以ping通192.168.9.1 就和防火墙没关系,进一步排查内网。。
- 2021-06-08回答
- 评论(0)
- 举报
-
(0)
您好,请知:
PING内网网关能通了,说明路由可达了。
关闭终端的系统防火墙或者放通防火墙出入站规则看下是否能通。
其次进一步检查下防火墙的安全策略或域间策略是否有限制。
- 2021-06-08回答
- 评论(0)
- 举报
-
(0)
编辑答案
➤
✖
亲~登录后才可以操作哦!
确定
✖
✖
你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
✖
举报
×
侵犯我的权益
>
对根叔社区有害的内容
>
辱骂、歧视、挑衅等(不友善)
侵犯我的权益
×
侵犯了我企业的权益
>
抄袭了我的内容
>
诽谤我
>
辱骂、歧视、挑衅等(不友善)
骚扰我
侵犯了我企业的权益
×
您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
抄袭了我的内容
×
原文链接或出处
诽谤我
×
您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
对根叔社区有害的内容
×
垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载
>
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票
不规范转载
×
举报说明
你好,现在是内网能通了,内部服务器也通了,但是网关居然不通了,搞不明白了