内网无法通过公网IP访问内网服务器
- 0关注
- 1收藏,3349浏览
问题描述:
设备是SECPATH F100-S-G2
目前的情况:
1、VPN是通的
2、内网可以访问外网
3、外网可以通过公网IP访问内网服务器
内网无法通过公网IP访问内网服务器。nat hairpin是开了的,安全域也是放通的。
组网及组网描述:
#
version 7.1.064, Release 9510P12
#
context Admin id 1
#
ip unreachables enable
#
vlan 1
#
vlan 10
#
vlan 20
#
object-group ip address ALL
0 network subnet 0.0.0.0 0.0.0.0
#
object-group ip address Newwork-Shanghai
0 network subnet 10.6.0.0 255.255.0.0
#
object-group ip address Allow-WIFI-to-PC
0 network subnet 172.16.23.0 255.255.255.0
#
object-group ip address intranet-WIFI
0 network subnet 172.16.20.0 255.255.252.0
#
object-group ip address intranet-Server-10
0 network host address 172.16.17.155
#
object-group ip address intranet-PC
0 network subnet 172.16.16.0 255.255.252.0
#
object-group ip address intranet-ALL
0 network subnet 172.16.16.0 255.255.240.0
#
object-group service Deny-Ports
0 service tcp destination eq 22
#
object-group service Allow-Server-Ports
0 service tcp destination eq 20400
20 service tcp destination eq 10443
30 service tcp destination eq 22
#
interface GigabitEthernet1/0/1
port link-mode route
bandwidth 120000
combo enable copper
ip address 222.222.222.46 255.255.255.252
nat outbound name NAT_PAT_VPN
nat server protocol tcp global 222.222.222.46 1022 inside 172.16.17.155 22
nat server protocol tcp global 222.222.222.46 10443 inside 172.16.17.155 10443
nat server protocol tcp global 222.222.222.46 20400 inside 172.16.17.155 20400
undo dhcp select server
ipsec apply policy ALL
#
interface GigabitEthernet1/0/3
port link-mode route
bandwidth 120000
ip address 123.123.123.178 255.255.255.248
nat outbound name NAT_PAT_VPN
nat server protocol tcp global 123.123.123.179 123.123.123.181 20400 inside 172.16.17.155 20400
undo dhcp select server
#
interface GigabitEthernet1/0/6
port link-mode route
ip address 172.16.16.1 255.255.252.0
nat hairpin enable
#
interface GigabitEthernet1/0/6.1
ip address 172.16.20.1 255.255.252.0
nat hairpin enable
vlan-type dot1q vid 1 10
undo dhcp select server
#
interface GigabitEthernet1/0/6.2
ip address 172.16.24.1 255.255.252.0
vlan-type dot1q vid 20
undo dhcp select server
#
object-policy ip Local-Trust
rule 0 pass
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Local-WIFI
rule 0 pass
#
object-policy ip Local-WIFIGuest
rule 0 pass
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass source-ip intranet-ALL
#
object-policy ip Trust-WIFI
rule 0 pass source-ip intranet-PC destination-ip intranet-WIFI counting
#
object-policy ip Untrust-Local
rule 0 pass service https disable logging counting
#
object-policy ip Untrust-Trust
rule 6 drop service Deny-Ports disable counting
rule 5 pass source-ip Newwork-Shanghai destination-ip intranet-PC counting
rule 4 pass destination-ip intranet-Server-10 service Allow-Server-Ports logging counting
#
object-policy ip Untrust-WIFI
rule 0 drop counting
#
object-policy ip WIFI-Local
rule 0 pass counting
#
object-policy ip WIFI-Trust
rule 1 pass source-ip intranet-WIFI destination-ip intranet-Server-10 service Allow-Server-Ports logging counting
rule 0 pass source-ip Allow-WIFI-to-PC destination-ip intranet-ALL counting
#
object-policy ip WIFI-Untrust
rule 0 pass source-ip intranet-ALL
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/6
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name WIFI
import interface GigabitEthernet1/0/6.1
#
security-zone name WIFIGuest
import interface GigabitEthernet1/0/6.2
#
ip route-static 0.0.0.0 0 222.222.222.45
ip route-static 0.0.0.0 0 GigabitEthernet1/0/3 123.123.123.177
ip route-static 10.6.0.0 16 GigabitEthernet1/0/1 222.222.222.45 preference 40
#
acl advanced name IPsec_GE1/0/1_IPv4_1
step 10
rule 0 permit ip source 172.16.16.0 0.0.3.255 destination 10.6.0.0 0.0.255.255
#
acl advanced name NAT_PAT_VPN
step 10
rule 10 deny ip destination 10.6.0.0 0.0.255.255
rule 20 permit ip
#
ipsec logging packet enable
ipsec limit max-tunnel 409600
#
ipsec transform-set 3des-sha1-dh2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
pfs dh-group2
#
ipsec transform-set GE1/0/1_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm md5
#
ipsec policy ALL 1 isakmp
transform-set GE1/0/1_IPv4_1
security acl name IPsec_GE1/0/1_IPv4_1
local-address 222.222.222.46
remote-address 101.101.101.101
ike-profile GE1/0/1_IPv4_1
sa duration time-based 3600
sa duration traffic-based 1843200
sa idle-time 86400
#
ike invalid-spi-recovery enable
ike dpd interval 120 retry 60 periodic
ike identity address 222.222.222.46
ike nat-keepalive 60
#
ike profile 1
#
ike profile dt
keychain dt
exchange-mode aggressive
local-identity fqdn shunlian-hz
match remote identity fqdn dt
proposal 1
#
ike profile GE1/0/1_IPv4_1
keychain GE1/0/1_IPv4_1
dpd interval 60 retry 10 periodic
local-identity address 222.222.222.46
match remote identity address 101.101.101.101 255.255.255.255
match local address GigabitEthernet1/0/1
proposal 65534
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
sa duration 3600
#
ike proposal 65534
encryption-algorithm aes-cbc-128
authentication-algorithm md5
description GE1/0/1_IPv4_1
#
ike keychain GE1/0/1_IPv4_1
match local address GigabitEthernet1/0/1
pre-shared-key address 101.101.101.101 255.255.255.255 key cipher **********************
#
return
- 2021-11-06提问
- 举报
-
(0)
最佳答案
#
security-zone name Trust
import interface GigabitEthernet1/0/6
#
trust到trust策略需要放通
- 2021-11-06回答
- 评论(3)
- 举报
-
(0)
谢谢,有线已经可以了,现在WIFI还无法通过外网访问内网服务器,WIFI-Trust已经放通,接口是虚接口GigabitEthernet1/0/6.1
已经通了,谢谢
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
那注意策略放通吧,源目地址都是内网地址