# Global settings of the device named boxing-f100-a-g (software 5.20, Release 5142P02).
version 5.20, Release 5142P02
#
sysname boxing-f100-a-g
#
undo voice vlan mac-address 00e0-bb00-0000
#
# Default inter-zone handling follows zone priority; the priorities themselves
# are assigned in the "zone name ..." section further down.
interzone policy default by-priority
#
domain default enable system
#
# The device sends ICMP time-exceeded and destination-unreachable replies.
ip ttl-expires enable
ip unreachables enable
#
# Plain-HTTP management is switched off; "ip https enable" appears later in this file.
undo ip http enable
#
# Every application-layer gateway (ALG) listed here is disabled.
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
# NOTE(review): password recovery is left enabled; presumably this lets anyone
# with console access reset credentials - confirm physical access is controlled.
password-recovery enable
#
#
# Time range for working-day office hours; no visible rule in this file references it.
time-range worktime 08:30 to 18:00 working-day
#
# Basic ACL matching the 10.104.113.0/24 LAN; no other visible line references 2000.
acl number 2000
rule 0 permit source 10.104.113.0 0.0.0.255
#
# ACL 3000 is used by "nat outbound 3000" and by route-policy aaaa.
# Rule 1 permits all IP, so rule 0 (tcp) adds nothing and the ACL matches every packet.
acl number 3000
description nat-private
rule 0 permit tcp
rule 1 permit ip
# ACL 3001 is meant to drop RPC/NetBIOS (135-139), RDP (3389), SMB (445) and Telnet (23).
# Each rule names BOTH a source port and a destination port, so it matches only
# packets carrying both values.
# NOTE(review): clients normally connect from an arbitrary source port; if the goal
# is to block these services, confirm whether destination-port alone was intended.
# NOTE(review): the interfaces bind this number with "firewall packet-filter ipv6";
# confirm that binding really applies this (IPv4-style) ACL.
acl number 3001
rule 10 deny tcp source-port range 135 139 destination-port range 135 139
rule 20 deny udp source-port range 135 netbios-ssn destination-port range 135 netbios-ssn
rule 30 deny tcp source-port eq 3389 destination-port eq 3389
rule 40 deny udp source-port eq 3389 destination-port eq 3389
rule 50 deny tcp source-port eq 445 destination-port eq 445
rule 60 deny udp source-port eq 445 destination-port eq 445
rule 70 deny tcp source-port eq telnet destination-port eq telnet
rule 80 deny udp source-port eq 23 destination-port eq 23
#
vlan 1
#
connection-limit policy 0
#
# ISP domain "system" (the default domain set earlier): active, no access limit,
# no idle cut.
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
# Certificate revocation (CRL) checking is turned off for the default PKI domain.
pki domain default
crl check disable
#
user-group system
group-attribute allow-guest
#
# Local administrator at level 3, allowed to log in over SSH, Telnet and the web UI.
# NOTE(review): this listing carries the stored password ciphertext; once a config
# has been shared outside the team, treat the password as exposed and rotate it.
# NOTE(review): Telnet is cleartext; no "telnet server enable" line is visible, so
# it may be inactive - removing telnet from service-type would make that explicit.
local-user admin
password cipher $c$3$BSkWJMTcm5tjA/2FbFISp8MIu7xa195m4qCDSlhz
authorization-attribute level 3
service-type ssh telnet
service-type web
#
interface NULL0
#
# GigabitEthernet0/0: Internet-facing port (imported into zone Untrust below).
# Source NAT for traffic matching ACL 3000, plus two published services:
#   public TCP 4430 -> 10.104.113.9:443
#   public TCP 9100 -> 10.104.113.245:9100
# NOTE(review): these mappings are reachable from Untrust only once an inter-zone
# permit exists; keep such a permit limited to the mapped hosts and ports.
interface GigabitEthernet0/0
port link-mode route
nat outbound 3000
nat server 1 protocol tcp global current-interface 4430 inside 10.104.113.9 443
nat server 2 protocol tcp global current-interface 9100 inside 10.104.113.245 9100
ip address 222.134.51.90 255.255.255.252
firewall packet-filter ipv6 3001 inbound
firewall packet-filter ipv6 3001 outbound
#
# GigabitEthernet0/1: /30 link towards 172.16.15.197 (next hop of the preference-70 routes).
interface GigabitEthernet0/1
port link-mode route
ip address 172.16.15.198 255.255.255.252
arp max-learning-num 300
firewall packet-filter ipv6 3001 inbound
firewall packet-filter ipv6 3001 outbound
#
# GigabitEthernet0/2: gateway of the 10.104.113.0/24 LAN.
# The nat server entry maps the public address, TCP 8888, to 10.104.113.58:8888 on
# this inside interface - presumably so LAN clients can reach it via the public IP;
# verify. No packet-filter is bound on this interface.
interface GigabitEthernet0/2
port link-mode route
nat server protocol tcp global 222.134.51.90 8888 inside 10.104.113.58 8888
ip address 10.104.113.1 255.255.255.0
arp max-learning-num 300
#
# GigabitEthernet0/3: routed mode, no address, not imported into any zone.
interface GigabitEthernet0/3
port link-mode route
#
# GigabitEthernet0/4: /30 link towards 192.168.255.1 (next hop of most static routes).
interface GigabitEthernet0/4
port link-mode route
description zhuanxianceshi
ip address 192.168.255.2 255.255.255.252
arp max-learning-num 300
firewall packet-filter ipv6 3001 inbound
firewall packet-filter ipv6 3001 outbound
#
# GigabitEthernet0/5: 192.168.100.0/24, imported into zone Management below.
interface GigabitEthernet0/5
port link-mode route
ip address 192.168.100.1 255.255.255.0
arp max-learning-num 300
#
# Route policy matching ACL 3000 (which permits all IP); no visible line applies it.
route-policy aaaa permit node 10
if-match acl 3000
#
# ICMP probe of 192.168.255.1, the far end of the GigabitEthernet0/4 link.
# Reaction 1 fires after 5 consecutive probe failures and feeds "track 1" later on.
nqa entry admin to_binzhou
type icmp-echo
destination ip 192.168.255.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
# Second ICMP probe, towards 10.104.113.254; the entry name suggests it was created
# by a management platform for topology discovery - TODO confirm.
nqa entry imclinktopologypleaseignore ping
type icmp-echo
destination ip 10.104.113.254
frequency 270000
#
vd Root id 1
#
# Security zones and their priorities. With "interzone policy default by-priority",
# the priority decides the default direction of permitted traffic.
#   Management 100 : GigabitEthernet0/5
#   Local      100
#   Trust       85 : GigabitEthernet0/1, 0/2, 0/4
#   DMZ         50 : no interface imported
#   Untrust      5 : GigabitEthernet0/0
# NOTE(review): no inter-zone policy from Untrust to Trust is visible in this
# listing, so the published "nat server" hosts in Trust are presumably unreachable
# from the Internet. If a permit is added, scope it to those hosts and ports
# rather than opening Untrust -> Trust as a whole.
zone name Management id 0
priority 100
import interface GigabitEthernet0/5
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet0/1
import interface GigabitEthernet0/2
import interface GigabitEthernet0/4
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface GigabitEthernet0/0
switchto vd Root
# Address and service objects; nothing visible in this listing references them.
# NOTE(review): each service object fixes the source port as well as the destination
# port; a policy using it would match only traffic sent from that same source port -
# confirm that is intended.
object network host host address 10.104.113.245
object service 9100
service tcp source-port 9100 destination-port 9100
object service 9101
service tcp source-port 9101 destination-port 9101
object service 9102
service tcp source-port 9102 destination-port 9102
object service 9550
service tcp source-port 9550 destination-port 9550
# Virtual fragment reassembly is enabled in every zone.
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
#
# Static routing.
# Default route leaves via 222.134.51.89 (the GigabitEthernet0/0 side).
# Several prefixes have two entries: one via 192.168.255.1 without an explicit
# preference and one via 172.16.15.197 with preference 70, i.e. the second acts as
# a backup (assuming the usual static-route default preference of 60 - confirm).
# NOTE(review): "track 1" is defined later in this file, but no route here carries
# a track keyword, so failover presumably depends on interface state only.
ip route-static 0.0.0.0 0.0.0.0 222.134.51.89
ip route-static 10.0.0.0 255.0.0.0 192.168.255.1
ip route-static 172.16.53.0 255.255.255.0 192.168.255.1
ip route-static 172.16.53.0 255.255.255.0 172.16.15.197 preference 70
ip route-static 172.18.61.0 255.255.255.0 192.168.255.1
ip route-static 172.18.61.0 255.255.255.0 172.16.15.197 preference 70
ip route-static 192.168.109.0 255.255.255.0 192.168.255.1
ip route-static 192.168.109.0 255.255.255.0 172.16.15.197 preference 70
ip route-static 192.192.2.0 255.255.255.0 192.168.255.1
ip route-static 192.192.2.0 255.255.255.0 172.16.15.197 preference 70
ip route-static 200.4.13.0 255.255.255.0 192.168.255.1
ip route-static 202.1.19.0 255.255.255.0 172.16.15.197
#
# SNMP agent: all protocol versions enabled, one read and one write community,
# v2c traps sent to 10.104.109.219.
# NOTE(review): a write community allows configuration changes over SNMP, and
# v1/v2c carry the community string in cleartext. No ACL is attached to either
# community in the visible lines. Prefer SNMPv3, drop the write community if it is
# not needed, restrict the agent to the management station, and replace community
# strings that have appeared in a shared copy of the config.
snmp-agent
snmp-agent local-engineid 800063A2035CDD70920FB8
snmp-agent community read h3c_public
snmp-agent community write h3c_private
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.104.109.219 params securityname h3c_public v2c
#
# Track entry 1 follows reaction 1 of the NQA probe "admin to_binzhou".
track 1 nqa entry admin to_binzhou reaction 1
#
# Start both NQA probes immediately; the device also acts as an NQA server.
nqa schedule admin to_binzhou start-time now lifetime forever
nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000
nqa server enable
#
ssh server enable
#
# One-to-one static NAT between 10.104.113.58 and 222.134.51.90, which is also the
# address of GigabitEthernet0/0.
# NOTE(review): no interface in this listing enables static NAT, so confirm whether
# the mapping is active; if it is, it presumably publishes every port of that host,
# which is broader than the single-port "nat server" entries.
nat static 10.104.113.58 222.134.51.90
#
# Web management over HTTPS (plain HTTP is disabled near the top of the file).
ip https enable
#
load xml-configuration
#
load tr069-configuration
#
# VTY lines 0-4 authenticate through the AAA scheme (the local-user database above).
# NOTE(review): no "protocol inbound" or ACL restriction is visible on the VTY
# lines; consider limiting them to SSH and to management source addresses.
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
最佳答案
需要配置从 Untrust 域到 Trust 域的放行策略。
V5 防火墙默认只放行从高优先级域到低优先级域的流量。
从低优先级的 Untrust 域到 Trust 域的策略没有放行。放行时建议只针对 nat server 映射的内网地址和端口，不要把 Untrust 到 Trust 整体放开。
请问一下怎么放行,具体命令怎么配