H3C F1000-S-AI firewall
Version: Version 5.20, Release 3734P14
Factory state, no other configuration
Default G0/0 IP address: 192.168.0.1/24
PC connected directly to G0/0, PC IP set to 192.168.0.2/24
Neither side can ping the other. By default you are supposed to be able to connect directly to G0/0 and log in to the web UI, but right now ping fails and I can't open the web UI either.
I'm a beginner and don't really understand firewall configuration.
Could the experts tell me where the problem is? Thanks.
Best answer
Current default configuration; the PC's own firewall is also turned off
dis cur
#
version 5.20, Release 3734P14
#
sysname H3C
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$U6Gnu2L2gBLAbUGg0m0mT/rlVN4/vZ0U
authorization-attribute level 3
service-type telnet
service-type web
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface GigabitEthernet0/3
port link-mode route
#
interface GigabitEthernet0/4
port link-mode route
#
interface GigabitEthernet0/5
port link-mode route
#
interface GigabitEthernet0/6
port link-mode route
#
interface GigabitEthernet0/7
port link-mode route
#
interface GigabitEthernet0/8
port link-mode route
#
interface GigabitEthernet0/9
port link-mode route
#
interface GigabitEthernet0/10
port link-mode route
#
interface GigabitEthernet0/11
port link-mode route
#
vd Root id 1
#
zone name Management id 0
priority 100
import interface GigabitEthernet0/0
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
switchto vd Root
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
I don't see anything policy-related; I've edited my answer, try permitting the traffic with a policy.
Found the solution. With H3C firewalls or UTM-type products fresh out of the box with an empty configuration, if you want to manage them through the web UI, the management port address is usually already configured (it is by default) on the first port, yet you find that the interface address can't be pinged and the web UI won't open.
Solution:
interzone policy default by-priority
This enables the priority-based default policy between zones.
Reason: on the new version (V5), priorities are not applied between zones by default.
Earlier versions instead needed packet filtering opened up with:
firewall packet-filter default permit
Thanks, thanks, thanks
https://www.h3c.com/cn/d_202001/1271914_30005_0.htm#_Toc30507439
Login should work by default; to see why it doesn't, we need to look at the configuration.
Right now neither side can ping the other and I can't log in; the firewall is at factory default configuration.
How can you be sure it's the factory default configuration?
Log in over the console port and check the actual configuration:
1. Is the interface address correct, and is the interface bound to a VRF instance?
2. Is G1/0/0 in the default Management zone?
3. If it is not in the Management zone, you need to permit the traffic with a policy.
I'm not familiar with V5 configuration. On V7 the management zone is reachable by default; I'm not sure about V5. I looked the commands up on Baidu, try permitting the traffic with a policy:
interzone source Management destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Local destination Management
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
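The three checks in the reply above (interface address, zone membership, interzone policy) and the best answer's `interzone policy default by-priority` fix, as an added config-audit script. This is not code from the thread or from H3C: it parses a Comware V5 `display current-configuration` dump and reports why a directly attached PC would not get an answer from the firewall (zone Local). The sample dumps are constructed from the thread's own configuration, trimmed to the relevant lines, and the by-priority rule it applies (source zone priority greater than or equal to the destination's is permitted) is an assumption that matches the thread's outcome for Management(100) -> Local(100), not a verified description of Comware behaviour.

```python
"""Audit a Comware V5 config dump for the reasons a PC on the management
interface cannot reach the firewall itself (zone Local).
Added example, not from the thread or from H3C."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the thread's factory configuration, trimmed.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/2
 port link-mode route
#
zone name Management id 0
 priority 100
 import interface GigabitEthernet0/0
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
#
"""
# The asker's fix, and the explicit-rule alternative from the reply above.
BY_PRIORITY_CONFIG = SAMPLE_CONFIG + "interzone policy default by-priority\n#\n"
EXPLICIT_RULE_CONFIG = SAMPLE_CONFIG + """\
interzone source Management destination Local
 rule 0 permit
  source-ip any_address
  destination-ip any_address
  service any_service
  rule enable
#
"""

@dataclass
class Zone:
    name: str
    priority: Optional[int] = None
    interfaces: List[str] = field(default_factory=list)

@dataclass
class Rule:
    src: str
    dst: str
    number: int
    action: str
    enabled: bool = False

@dataclass
class Audit:
    interface_ips: Dict[str, str]
    zones: Dict[str, Zone]
    by_priority: bool
    packet_filter_permit: bool
    rules: List[Rule]

def parse_config(text: str) -> Audit:
    """Line-oriented parse; a '#' line ends a block, so context resets there."""
    audit = Audit({}, {}, False, False, [])
    iface = zone = pair = rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            iface = zone = pair = rule = None
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            iface, zone, pair, rule = m.group(1), None, None, None
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            if iface:
                audit.interface_ips[iface] = f"{m.group(1)} {m.group(2)}"
        elif m := re.match(r"zone name (\S+)", line):
            # Zones appear twice in the dump (vd definition, then after
            # 'switchto vd Root'), so merge entries by name.
            zone = audit.zones.setdefault(m.group(1), Zone(m.group(1)))
            iface = pair = rule = None
        elif (m := re.fullmatch(r"priority (\d+)", line)) and zone:
            zone.priority = int(m.group(1))
        elif (m := re.fullmatch(r"import interface (\S+)", line)) and zone:
            if m.group(1) not in zone.interfaces:
                zone.interfaces.append(m.group(1))
        elif line == "interzone policy default by-priority":
            audit.by_priority = True
        elif line == "firewall packet-filter default permit":
            audit.packet_filter_permit = True
        elif m := re.fullmatch(r"interzone source (\S+) destination (\S+)", line):
            pair, rule, iface, zone = (m.group(1), m.group(2)), None, None, None
        elif (m := re.fullmatch(r"rule (\d+) (permit|deny)", line)) and pair:
            rule = Rule(pair[0], pair[1], int(m.group(1)), m.group(2))
            audit.rules.append(rule)
        elif line == "rule enable" and rule:
            rule.enabled = True
    return audit

def zone_of(audit: Audit, iface: str) -> Optional[str]:
    return next((z.name for z in audit.zones.values() if iface in z.interfaces), None)

def path_permitted(audit: Audit, src: str, dst: str = "Local") -> bool:
    """Explicit enabled rules decide first (treated as any/any like the thread's),
    then the packet-filter default, then the by-priority default."""
    for r in sorted((r for r in audit.rules if (r.src, r.dst) == (src, dst) and r.enabled),
                    key=lambda r: r.number):
        return r.action == "permit"
    if audit.packet_filter_permit:
        return True
    if audit.by_priority:
        s, d = audit.zones.get(src), audit.zones.get(dst)
        # Assumption: by-priority permits when source priority >= destination priority
        # (consistent with the thread: Management 100 -> Local 100 started working).
        if s and d and s.priority is not None and d.priority is not None:
            return s.priority >= d.priority
    return False

def diagnose(audit: Audit, iface: str, expected_ip: str) -> List[str]:
    """Findings for a PC plugged into iface; an empty list means the box should answer."""
    findings = []
    ip = audit.interface_ips.get(iface)
    if ip is None:
        findings.append(f"{iface}: no IP address configured")
    elif not ip.startswith(expected_ip + " "):
        findings.append(f"{iface}: has {ip}, expected {expected_ip}")
    zone = zone_of(audit, iface)
    if zone is None:
        findings.append(f"{iface}: not imported into any zone, so its traffic is dropped")
        return findings
    if not path_permitted(audit, zone):
        findings.append(f"no policy permits {zone} -> Local; add 'interzone policy default "
                        "by-priority' or an explicit interzone rule")
    return findings

if __name__ == "__main__":
    for label, cfg in (("factory", SAMPLE_CONFIG), ("by-priority", BY_PRIORITY_CONFIG),
                       ("explicit rule", EXPLICIT_RULE_CONFIG)):
        print(label, diagnose(parse_config(cfg), "GigabitEthernet0/0", "192.168.0.1") or "OK")
    print("G0/2", diagnose(parse_config(SAMPLE_CONFIG), "GigabitEthernet0/2", "10.0.0.1"))
```

Paste a real `display current-configuration` into `parse_config` and call `diagnose` with the interface the PC is on. The explicit `interzone source Management destination Local` rule is scoped to that one zone pair, whereas the by-priority default applies to every zone pair in the box; under the assumption above, Trust(85) -> Local(100) still stays blocked, but any higher-to-lower pair opens up.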
It's just out of the box, and I also did a reset save of the configuration and rebooted.
Make sure the PC is plugged into the right port and that the port is UP.
Best to connect to the device with a console cable and see what's actually going on. Since the direct connection already fails you're stuck and have to try something else. You can ping-sweep 192.168.0.1/24 and 192.168.1.1/24 from the PC; normally you should then see ARP entries.
The interface is fine and shows UP; on the firewall I can see the PC's IP in the ARP table.
Using G0/2, configured 10.0.0.1/24 and added it to Management; the PC uses 10.0.0.2/24 and still can't ping.
If you can see the ARP entry, the address and interface configuration is fine. If the PC can't ping the firewall it's usually a policy problem; add a security policy to permit it. If the firewall can't ping the PC, check whether the PC's firewall is enabled.