F100-C-G 配置PPPoE拨号后外网无法访问防火墙外网口
- 0关注
- 1收藏,3098浏览
问题描述:
SecPath F100-C-G 配置PPPoE拨号后外网无法访问防火墙外网口的80端口也无法Telnet 23端口
外部用户也无法使用拨号获取的公网IP地址通过L2TP VPN连接公司网络
设备配置如下:
[H3C]di cu
#
version 5.20, Release 5142P02
#
sysname H3C
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
interzone policy default by-priority
#
domain default enable system
#
dns resolve
dns proxy enable
dns server 114.114.114.114
#
telnet server enable
#
port-security enable
#
web idle-timeout 60
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
acl number 2000
rule 1 permit source 172.16.10.0 0.0.0.255
rule 2 permit source 172.16.20.0 0.0.0.255
#
acl number 3333
rule 0 permit ip
#
vlan 1
#
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
accounting optional
ip pool 1 192.168.168.100 192.168.168.200
#
pki domain default
crl check disable
#
dhcp server ip-pool dmz
network 172.16.100.0 mask 255.255.255.0
gateway-list 172.16.100.254
dns-list 172.16.100.254
#
dhcp server ip-pool office10
network 172.16.10.0 mask 255.255.255.0
gateway-list 172.16.10.254
dns-list 172.16.10.254
#
dhcp server ip-pool office20
network 172.16.20.0 mask 255.255.255.0
gateway-list 172.16.20.254
dns-list 172.16.20.254
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$GtNONlXPUfSrjr3svymRPtgIMxbhviG33lgPG6o=
authorization-attribute level 3
service-type telnet
service-type web
#
cwmp
undo cwmp enable
#
interface Dialer1
link-protocol ppp
ppp chap user xxxxxxxx
ppp chap password cipher $c$3$ewrAddwK+wHJHvpThfRtajhHublT1ohwpg==
ppp pap local-user xxxxxxxx password cipher $c$3$nFPtgWe4QfBooso0FU6rI13qb05BotuLCg==
ppp ipcp dns request
ip address ppp-negotiate
dialer user pppoeclient
dialer-group 1
dialer bundle 1
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool 1
ip address 192.168.168.254 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
ip address 172.16.100.254 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
ip address 172.16.10.254 255.255.255.0
#
interface GigabitEthernet0/3
port link-mode route
ip address 172.16.20.254 255.255.255.0
#
interface GigabitEthernet0/4
port link-mode route
nat outbound 2000
pppoe-client dial-bundle-number 1
#
vd Root id 1
#
zone name Management id 0
priority 100
import interface GigabitEthernet0/0
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet0/2
import interface GigabitEthernet0/3
zone name DMZ id 3
priority 50
import interface GigabitEthernet0/1
zone name Untrust id 4
priority 5
import interface Dialer1
import interface GigabitEthernet0/4
switchto vd Root
object network range 11
range 172.16.10.1 172.16.10.253
object network range 21
range 172.16.100.1 172.16.100.253
object network host www
host address 172.16.10.1
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
interzone source Trust destination DMZ
rule 1 permit
source-ip 11
destination-ip any_address
service any_service
rule enable
interzone source Trust destination Untrust
rule 1 permit
source-ip 11
destination-ip any_address
service any_service
rule enable
interzone source DMZ destination Trust
rule 1 permit
source-ip 21
destination-ip any_address
service any_service
rule enable
interzone source DMZ destination Untrust
rule 1 permit
source-ip 21
destination-ip any_address
service any_service
rule enable
interzone source Untrust destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Untrust destination Trust
rule 1 permit
source-ip any_address
destination-ip www
service any_service
rule enable
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
dhcp server forbidden-ip 172.16.10.254
dhcp server forbidden-ip 172.16.20.254
dhcp server forbidden-ip 172.16.100.254
#
dhcp enable
#
dialer-rule 1 ip permit
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher $c$3$b0+qpvTZQWp8Am3gGZ13pOtgFCL992NwhnpOnCI=
idle-timeout 60 0
#
return
[H3C]
请指点一下,谢谢!
组网及组网描述:
防火墙Gi 0/4连接通过拨号连接公网,Gi 0/2和0/3分别连接内网不通的二层交换机。
- 2017-09-04提问
- 举报
-
(0)
在防火墙上开debug ip packet acl(acl匹配你的源电脑的公网ip,目的匹配拨号口地址,协议端口号也可以配置一下),看看有没有报文上来。
- 2017-09-04回答
- 评论(1)
- 举报
-
(0)
创建ACL 3001,ACL源为公网地址,目的地址为拨号口公网地址,执行debugging ip packet acl 无报文
之前Gi 0/4连接路由器的LAN口设置固定IP测试,使用Gi 0/4相同网段的IP访问Gi 0/4的80能打开,Telnet也能连上,现在Gi0/4配置了PPPoE直接连外网,在公网测试就不能访问防火墙的外网口了。
- 2017-09-04回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明