• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

防火墙 F1000-AK135,配置完了,外网不能TELNET访问,为何?

2023-04-08提问
  • 0关注
  • 0收藏,755浏览
粉丝:0人 关注:1人

问题描述:

[ak135]dis cu # version 7.1.064, Release 9323P28 # sysname ak135 # context Admin id 1 # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # security-zone intra-zone default permit # dhcp enable dhcp server forbidden-ip 192.168.20.1 192.168.20.100 # dns server 211.228.255.1 dns server 114.114.114.114 # password-recovery enable # vlan 1 # vlan 10 # vlan 20 # vlan 200 # object-group ip address 服务器 security-zone Trust 0 network host address 192.168.10.1 10 network host name 192.168.10.10 20 network host address 192.168.10.11 30 network host name 192.168.20.20 40 network host address 114.67.106.20 50 network host address 114.67.108.13 60 network host address 114.67.107.16 70 network host address 114.67.119.12 # object-group ip address 内网 0 network subnet 172.16.0.0 255.255.0.0 10 network subnet 192.168.0.0 255.255.0.0 # object-group service 端口 0 service tcp destination eq 3389 10 service tcp destination eq 52626 20 service tcp destination eq 8092 30 service tcp destination eq 8180 40 service udp destination eq 8092 50 service udp destination eq 8080 60 service tcp destination eq 8133 70 service tcp destination eq 7001 80 service udp destination eq 8180 # dhcp server ip-pool vlan20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 dns-list 221.228.255.1 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route ip address 22290.159.138 255.255.255.252 nat outbound nat outbound 2000 nat server protocol tcp global 222.90.159.138 3389 inside 192.168.10.1 3389 nat server protocol tcp global 222.90.159.138 7001 inside 192.168.20.20 7001 nat server protocol tcp global 222.90.159.138 8092 inside 192.168.10.10 8092 nat server protocol tcp global 222.90.159.138 8133 inside 192.168.10.10 8133 nat server protocol tcp global 222.90.159.138 8180 inside 192.168.10.11 8180 nat server protocol tcp global 222.90.159.138 52626 inside 192.168.10.1 52626 nat server protocol udp global 222.90.159.138 8080 inside 192.168.10.10 8080 nat server protocol udp global 222.90.159.138 8092 inside 192.168.10.10 8092 nat server protocol udp global 222.90.159.138 8180 inside 192.168.10.11 8180 # interface GigabitEthernet1/0/2 port link-mode route ip address 172.16.0.254 255.255.255.0 nat hairpin enable # interface GigabitEthernet1/0/3 port link-mode route # interface GigabitEthernet1/0/4 port link-mode route # interface GigabitEthernet1/0/5 port link-mode route # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/12 port link-mode route # interface GigabitEthernet1/0/13 port link-mode route # interface GigabitEthernet1/0/14 port link-mode route # interface GigabitEthernet1/0/15 port link-mode route # interface GigabitEthernet1/0/16 port link-mode route # interface GigabitEthernet1/0/17 port link-mode route # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/2 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/1 # security-zone name Management import interface GigabitEthernet1/0/0 # scheduler logfile size 16 # line class aux user-role network-operator # line class console authentication-mode scheme user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 user-role network-admin idle-timeout 35000 0 # line vty 0 4 authentication-mode scheme user-role level-15 user-role network-admin user-role network-operator idle-timeout 35000 0 # line vty 5 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 222.90.159.137 ip route-static 172.16.0.0 16 172.16.0.1 ip route-static 192.168.0.0 16 172.16.0.1 ip route-static 192.168.10.0 24 172.16.0.1 ip route-static 192.168.20.0 24 172.16.0.1 # ssh server enable # acl basic 2000 rule 0 permit # acl advanced 3000 rule 0 permit ip source 192.168.0.0 0.0.255.255 rule 1 permit ip source 172.16.1.0 0.0.0.255 rule 5 permit ip # undo password-control length enable # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$Jvfba9zz1a9hqmR2$3fIJnoybRtaDM3IeJqvWTPMU7F35D+GO2k078VXPEItYInth9WDkfEDZPth16d1Ysi5j+36xQkY+Eadc/xw7/w== service-type ssh telnet terminal http https authorization-attribute user-role level-3 authorization-attribute user-role level-15 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user h3c class manage password hash $h$6$BWm0rl/2tjYxuh3j$JZSb+Ychtozqj2i5TgDVmvcpO8vADSMWtlbizgfypDTBG5QU38/yBTnEKj+/rqKFPGuaeTY1IDfifxrZyQWiFA== service-type ssh telnet terminal http https authorization-attribute user-role level-3 authorization-attribute user-role level-15 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # session statistics enable # l2tp enable # apr signature auto-update update schedule weekly sun start-time 03:00:00 tingle 120 # ip http enable ip https port 11443 ip https enable webui log enable # url-filter signature auto-update update schedule weekly sun start-time 03:30:00 tingle 120 # app-profile 0_IPv4 ips apply policy default mode protect anti-virus apply policy default mode protect # app-profile 1_IPv4 ips apply policy default mode protect anti-virus apply policy default mode protect # app-profile 2_IPv4 ips apply policy default mode protect anti-virus apply policy default mode protect # app-profile 3_IPv4 ips apply policy default mode protect anti-virus apply policy default mode protect # app-profile 4_IPv4 ips apply policy default mode protect anti-virus apply policy default mode protect # security-policy ip rule 0 name 内网互通 action pass counting enable profile 0_IPv4 source-zone Local source-zone Trust destination-zone Trust destination-zone Local rule 1 name 上网 action pass counting enable profile 1_IPv4 source-zone Trust destination-zone Untrust source-ip 内网 rule 2 name 服务器访问 action pass counting enable profile 2_IPv4 source-zone Untrust destination-zone Trust destination-ip 服务器 rule 3 name 防火墙升级 action pass counting enable profile 3_IPv4 source-zone Local destination-zone Untrust rule 4 name 内网互访 action pass counting enable profile 4_IPv4 source-zone Trust destination-zone Trust # anti-virus signature auto-update update schedule weekly sun start-time 02:30:00 tingle 120 # return


最佳答案

Xcheng 九段
粉丝:121人 关注:3人

在仔细检查下配置吧

目前配置检查下来是没放通untrust到local流量。

3 个回答
粉丝:1人 关注:1人

能ping通么

粉丝:167人 关注:1人

1、策略要放行

2、运营要未封端口

粉丝:4人 关注:1人

策略没问题应该是运营商关端口了

加微15069770019帮看

爱爬杆的小石头丶 发表时间:2023-04-08 更多>>

加微15069770019帮看

爱爬杆的小石头丶 发表时间:2023-04-08

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明