After configuring an IPSec VPN, the nat server can no longer be accessed. Does anyone have a way to fix this?
#
version 7.1.064, Release 9524P33
#
sysname H3C
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dhcp enable
#
password-recovery enable
#
vlan 1
#
vlan 999
#
dhcp server ip-pool 1
gateway-list 172.12.99.1
network 172.12.99.0 mask 255.255.255.0
dns-list 221.131.143.69
#
controller Cellular1/0/0
#
interface NULL0
#
interface Vlan-interface999
ip address 172.12.99.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
undo dhcp select server
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
undo dhcp select server
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
undo dhcp select server
#
interface GigabitEthernet1/0/3
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/8
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/9
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/10
port link-mode route
mtu 1560
ip address 112.4.114.117 255.255.255.0
tcp mss 1300
nat outbound 3001
nat server protocol tcp global 112.4.114.117 8001 inside 172.12.99.198 80 acl 3001 rule S1 counting
nat hairpin enable
undo dhcp select server
ipsec apply policy 99-6
gateway 112.4.114.1
#
interface GigabitEthernet1/0/11
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 999
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 999
#
interface GigabitEthernet1/0/6
port link-mode bridge
port access vlan 999
#
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 999
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface999
import interface GigabitEthernet1/0/4 vlan 999
import interface GigabitEthernet1/0/5 vlan 999
import interface GigabitEthernet1/0/6 vlan 999
import interface GigabitEthernet1/0/7 vlan 999
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/10
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 112.4.114.1
#
info-center source FILTER logfile deny
#
ssh server enable
#
acl advanced 3001
step 1
rule 100 deny ip source 172.12.99.0 0.0.0.255 destination 172.12.6.0 0.0.0.255
rule 105 permit ip source 172.12.99.0 0.0.0.255 counting
#
acl advanced 3002
rule 999 permit ip source 172.12.99.0 0.0.0.255 destination 172.12.6.0 0.0.0.255
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$dUxsYy10HijyzXQD$IhtPIwv5rQOfBv4FOXJjqDBgo0hyvJM0SkuxiMrdMiZIPV8jSjOAtPynBWnV7/93caqA7L0eaYw9I67MEldyIg==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session synchronization enable
session synchronization http
#
ipsec logging negotiation enable
#
ipsec transform-set 99-6_IPv4_100
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
pfs dh-group2
#
ipsec policy-template 99-6 100
transform-set 99-6_IPv4_100
security acl 3002
local-address 112.4.114.117
ike-profile 99-6_IPv4_100
#
ipsec policy 99-6 100 isakmp template 99-6
#
ike identity address 112.4.114.117
ike logging negotiation enable
#
ike profile 99-6_IPv4_100
keychain 99-6_IPv4_100
exchange-mode aggressive
local-identity address 112.4.114.117
match remote identity address 0.0.0.0 0.0.0.0
match local address GigabitEthernet1/0/10
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 99-6_IPv4_100
match local address GigabitEthernet1/0/10
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$brQwYLSITiT1525sh8C4LFIIuxraiwKQ8QNH
#
ip https port 9443
ip https enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
security-policy ip
rule 0 name trust_to_Local
description 内网访问防火墙及外网
action pass
counting enable
source-zone Trust
destination-zone Untrust
destination-zone Local
rule 1 name Local_to_trunk
action pass
counting enable
source-zone Local
destination-zone Trust
destination-zone Untrust
rule 2 name untr_to_local
action pass
counting enable
source-zone Untrust
destination-zone Local
destination-zone Trust
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return
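As an added check that is not part of the original post or of H3C's own tooling, the Python script below models the first-match (config-order) evaluation of the two ACLs in the posted configuration with H3C wildcard masks. It shows that rule 100 of acl 3001 is what keeps traffic for the IPsec peer network 172.12.6.0/24 out of outbound NAT, and that an internal host reaching the public nat server address 112.4.114.117 is an ordinary NAT flow, which is why hairpin matters on the inside. The sample flows and the "deny when nothing matches" behaviour are assumptions.

```python
import ipaddress

# ACL rules copied from the posted config: (rule id, action, source spec, destination spec).
# Specs are "network wildcard"; None means any. Constructed sample data, not device output.
ACL_3001 = [  # nat outbound / nat server ACL on GigabitEthernet1/0/10
    (100, "deny",   "172.12.99.0 0.0.0.255", "172.12.6.0 0.0.0.255"),
    (105, "permit", "172.12.99.0 0.0.0.255", None),
]
ACL_3002 = [  # IPsec security ACL referenced by policy-template 99-6
    (999, "permit", "172.12.99.0 0.0.0.255", "172.12.6.0 0.0.0.255"),
]


def wildcard_match(addr, spec):
    """H3C wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec is None:
        return True
    net, wild = spec.split()
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(net)) & keep)


def acl_action(acl, src, dst):
    """Config-order match (Comware default): first rule that matches decides.
    A flow matching no rule is treated as not selected (assumption)."""
    for _rule_id, action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


def classify_flow(src, dst, nat_acl=ACL_3001, ipsec_acl=ACL_3002):
    """Which egress treatment the flow gets on GE1/0/10: ipsec, nat, plain, or CONFLICT
    (selected by both ACLs, i.e. it would be translated before being protected)."""
    ipsec = acl_action(ipsec_acl, src, dst) == "permit"
    nat = acl_action(nat_acl, src, dst) == "permit"
    if ipsec and nat:
        return "CONFLICT"
    return "ipsec" if ipsec else "nat" if nat else "plain"


# Constructed sample flows: LAN host to VPN peer LAN, to the public nat server address,
# to the Internet, and a Management-zone host to the VPN peer LAN.
SAMPLE_FLOWS = [("172.12.99.50", "172.12.6.10"), ("172.12.99.50", "112.4.114.117"),
                ("172.12.99.50", "8.8.8.8"), ("192.168.1.5", "172.12.6.10")]


def find_conflicts(flows, nat_acl=ACL_3001, ipsec_acl=ACL_3002):
    """Return the flows that both NAT and IPsec would claim; should be empty."""
    return [f for f in flows if classify_flow(*f, nat_acl=nat_acl, ipsec_acl=ipsec_acl) == "CONFLICT"]


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {classify_flow(src, dst)}")
    print("conflicts without rule 100:", find_conflicts(SAMPLE_FLOWS, nat_acl=ACL_3001[1:]))
```

Dropping rule 100 (the second call) makes the VPN flow a CONFLICT, which is the kind of overlap that silently breaks a tunnel after NAT is added.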
Best answer
nat hairpin enable is the configuration that lets the internal network access the nat server; it is normally configured on the internal interface.
Thanks
In theory it should have no effect. Would just removing the ipsec fix it?
It was OK before ipsec was configured.