1. Wired clients are on VLAN 1.
2. Wireless clients are on VLAN 10.
3. Both wired and wireless clients can reach the Internet.
Problem: on the internal network, wired and wireless clients cannot reach each other.
On the SecPath F100-S-G2, port GigabitEthernet1/0/6 is assigned to VLAN 1 (172.16.16.0/22),
and subinterface GigabitEthernet1/0/6.1 is assigned to VLAN 10. The configuration is as follows:
#
version 7.1.064, Release 9510P12
#
context Admin id 1
#
ip unreachables enable
#
vlan 1
#
vlan 10
#
vlan 20
#
object-group ip address ALL
0 network subnet 0.0.0.0 0.0.0.0
#
object-group ip address Newwork-Shanghai
0 network subnet 10.6.0.0 255.255.0.0
#
object-group ip address Allow-WIFI-to-PC
0 network subnet 172.16.23.0 255.255.255.0
#
object-group ip address intranet-WIFI
0 network subnet 172.16.20.0 255.255.252.0
#
object-group ip address intranet-Server-10
0 network host address 172.16.17.155
#
object-group ip address intranet-PC
0 network subnet 172.16.16.0 255.255.252.0
#
object-group ip address intranet-ALL
0 network subnet 172.16.16.0 255.255.240.0
#
object-group service Deny-Ports
0 service tcp destination eq 22
#
object-group service Allow-Server-Ports
0 service tcp destination eq 20400
20 service tcp destination eq 10443
30 service tcp destination eq 22
#
interface GigabitEthernet1/0/1
port link-mode route
bandwidth 120000
combo enable copper
ip address 222.222.222.46 255.255.255.252
nat outbound name NAT_PAT_VPN
nat server protocol tcp global 222.222.222.46 1022 inside 172.16.17.155 22
nat server protocol tcp global 222.222.222.46 10443 inside 172.16.17.155 10443
nat server protocol tcp global 222.222.222.46 20400 inside 172.16.17.155 20400
undo dhcp select server
ipsec apply policy ALL
#
interface GigabitEthernet1/0/3
port link-mode route
bandwidth 120000
ip address 123.123.123.178 255.255.255.248
nat outbound name NAT_PAT_VPN
nat server protocol tcp global 123.123.123.179 123.123.123.181 20400 inside 172.16.17.155 20400
undo dhcp select server
#
interface GigabitEthernet1/0/6
port link-mode route
ip address 172.16.16.1 255.255.252.0
nat hairpin enable
#
interface GigabitEthernet1/0/6.1
ip address 172.16.20.1 255.255.252.0
nat hairpin enable
vlan-type dot1q vid 1 10
undo dhcp select server
#
interface GigabitEthernet1/0/6.2
ip address 172.16.24.1 255.255.252.0
vlan-type dot1q vid 20
undo dhcp select server
#
object-policy ip Local-Trust
rule 0 pass
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Local-WIFI
rule 0 pass
#
object-policy ip Local-WIFIGuest
rule 0 pass
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass source-ip intranet-ALL
#
object-policy ip Trust-WIFI
rule 0 pass source-ip intranet-PC destination-ip intranet-WIFI counting
#
object-policy ip Untrust-Local
rule 0 pass service https disable logging counting
#
object-policy ip Untrust-Trust
rule 6 drop service Deny-Ports disable counting
rule 5 pass source-ip Newwork-Shanghai destination-ip intranet-PC counting
rule 4 pass destination-ip intranet-Server-10 service Allow-Server-Ports logging counting
#
object-policy ip Untrust-WIFI
rule 0 drop counting
#
object-policy ip WIFI-Local
rule 0 pass counting
#
object-policy ip WIFI-Trust
rule 1 pass source-ip intranet-WIFI destination-ip intranet-Server-10 service Allow-Server-Ports logging counting
rule 0 pass source-ip Allow-WIFI-to-PC destination-ip intranet-ALL counting
#
object-policy ip WIFI-Untrust
rule 0 pass source-ip intranet-ALL
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/6
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name WIFI
import interface GigabitEthernet1/0/6.1
#
security-zone name WIFIGuest
import interface GigabitEthernet1/0/6.2
#
ip route-static 0.0.0.0 0 222.222.222.45
ip route-static 0.0.0.0 0 GigabitEthernet1/0/3 123.123.123.177
ip route-static 10.6.0.0 16 GigabitEthernet1/0/1 222.222.222.45 preference 40
#
acl advanced name IPsec_GE1/0/1_IPv4_1
step 10
rule 0 permit ip source 172.16.16.0 0.0.3.255 destination 10.6.0.0 0.0.255.255
#
acl advanced name NAT_PAT_VPN
step 10
rule 10 deny ip destination 10.6.0.0 0.0.255.255
rule 20 permit ip
#
ipsec logging packet enable
ipsec limit max-tunnel 409600
#
ipsec transform-set 3des-sha1-dh2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
pfs dh-group2
#
ipsec transform-set GE1/0/1_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm md5
#
ipsec policy ALL 1 isakmp
transform-set GE1/0/1_IPv4_1
security acl name IPsec_GE1/0/1_IPv4_1
local-address 222.222.222.46
remote-address 101.101.101.101
ike-profile GE1/0/1_IPv4_1
sa duration time-based 3600
sa duration traffic-based 1843200
sa idle-time 86400
#
ike invalid-spi-recovery enable
ike dpd interval 120 retry 60 periodic
ike identity address 222.222.222.46
ike nat-keepalive 60
#
ike profile 1
#
ike profile dt
keychain dt
exchange-mode aggressive
local-identity fqdn shunlian-hz
match remote identity fqdn dt
proposal 1
#
ike profile GE1/0/1_IPv4_1
keychain GE1/0/1_IPv4_1
dpd interval 60 retry 10 periodic
local-identity address 222.222.222.46
match remote identity address 101.101.101.101 255.255.255.255
match local address GigabitEthernet1/0/1
proposal 65534
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
sa duration 3600
#
ike proposal 65534
encryption-algorithm aes-cbc-128
authentication-algorithm md5
description GE1/0/1_IPv4_1
#
ike keychain GE1/0/1_IPv4_1
match local address GigabitEthernet1/0/1
pre-shared-key address 101.101.101.101 255.255.255.255 key cipher **********************
#
return
(0)
Best answer
The firewall is probably not permitting it. Check whether the security zones permit traffic between WIFI and Trust.
(0)
Traffic between the WIFI and Trust security zones is permitted:
WIFI-Trust, Trust-WIFI
I don't see your zone-pair configuration, only the object-policy, and that only permits some addresses. If nothing else works, run a debug.
Wireless clients can reach the wired internal server through the public IP, but not through the internal IP.
The debug shows:
%Nov 7 07:42:41:929 2021 Gateway-ShunLian FILTER/6/FILTER_ZONE_IPV4_EXECUTION: SrcZoneName(1025)=WIFI;DstZoneName(1035)=Trust;Type(1067)=ACL;ObjectPolicy(1072)=WIFI-Trust;RuleID(1078)=1;Protocol(1001)=TCP;Application(1002)=general_tcp;SrcIPAddr(1003)=123.123.123.178;SrcPort(1004)=50231;DstIPAddr(1007)=172.16.17.155;DstPort(1008)=20400;MatchCount(1069)=1;Event(1048)=Permit;
Security zone settings:
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/6
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name WIFI
import interface GigabitEthernet1/0/6.1
#
security-zone name WIFIGuest
import interface GigabitEthernet1/0/6.2
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
#
zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust
#
zone-pair security source Local destination WIFI
object-policy apply ip Local-WIFI
#
zone-pair security source Local destination WIFIGuest
object-policy apply ip Local-WIFIGuest
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Trust destination WIFI
object-policy apply ip Trust-WIFI
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
zone-pair security source Untrust destination WIFI
object-policy apply ip Untrust-WIFI
#
zone-pair security source Untrust destination WIFIGuest
object-policy apply ip Untrust-WIFIGuest
#
zone-pair security source WIFI destination Local
object-policy apply ip WIFI-Local
#
zone-pair security source WIFI destination Trust
object-policy apply ip WIFI-Trust
#
zone-pair security source WIFI destination Untrust
object-policy apply ip WIFI-Untrust
#
zone-pair security source WIFI destination WIFI
object-policy apply ip WIFI-WIFI
(0)
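To see which rule (if any) a given flow hits in the posted WIFI-Trust and Trust-WIFI object-policies, here is an added Python model of the rule matching; it is not part of the original thread or of the device's software. The rule order (as listed in the running configuration) and the implicit drop at the end of a zone-pair policy are assumptions, noted in the comments.

```python
import ipaddress

# Address object-groups copied from the posted configuration.
GROUPS = {
    "intranet-PC": ["172.16.16.0/22"],
    "intranet-WIFI": ["172.16.20.0/22"],
    "intranet-ALL": ["172.16.16.0/20"],
    "Allow-WIFI-to-PC": ["172.16.23.0/24"],
    "intranet-Server-10": ["172.16.17.155/32"],
}
# Service object-group Allow-Server-Ports: TCP destination ports.
SERVICES = {"Allow-Server-Ports": {20400, 10443, 22}}

# object-policy rules in the order the running configuration lists them
# (assumed to be the match order). Each entry:
# (rule id, action, source group, destination group, service group); None = any.
POLICIES = {
    ("WIFI", "Trust"): [
        (1, "pass", "intranet-WIFI", "intranet-Server-10", "Allow-Server-Ports"),
        (0, "pass", "Allow-WIFI-to-PC", "intranet-ALL", None),
    ],
    ("Trust", "WIFI"): [
        (0, "pass", "intranet-PC", "intranet-WIFI", None),
    ],
}


def in_group(ip, group):
    """True if ip falls inside any network of the named object-group (None = any)."""
    if group is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in GROUPS[group])


def evaluate(src_zone, dst_zone, src_ip, dst_ip, dport):
    """Return (action, rule id) of the first matching rule for a TCP flow.

    Assumption: a zone-pair policy with no matching rule drops the packet,
    which is modelled here as ("drop", None).
    """
    for rid, action, sg, dg, svc in POLICIES[(src_zone, dst_zone)]:
        if in_group(src_ip, sg) and in_group(dst_ip, dg) and (svc is None or dport in SERVICES[svc]):
            return action, rid
    return "drop", None


if __name__ == "__main__":
    # Constructed flows: a VLAN 10 client outside 172.16.23.0/24 reaching a VLAN 1 PC.
    print(evaluate("WIFI", "Trust", "172.16.20.50", "172.16.16.20", 445))
    print(evaluate("Trust", "WIFI", "172.16.16.20", "172.16.20.50", 445))
```

With these policies, a wireless client outside 172.16.23.0/24 only matches WIFI-Trust when it targets 172.16.17.155 on one of the Allow-Server-Ports, while the reverse Trust-to-WIFI direction is permitted for the whole PC subnet.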
From this, the firewall has already permitted it.