配置命令 ssh server acl 2100 后，该 ACL 范围内的终端使用 SSH 访问设备时被拒绝，显示连接超时，这是什么问题呢？
配置信息:
<R_ZH_WL_H3610-02_CBRC>dis cu
#
version 9.1.041, Release 9119P16
#
sysname R_ZH_WL_H3610-02_CBRC
#
clock timezone GMT add 08:00:00
#
ip load-sharing mode per-flow src-ip global
#
ip netstream timeout active 60
ip netstream export host 10.192.31.37 9996
ip netstream export source interface GigabitEthernet0/0/1
#
lldp global enable
#
loopback-detection global enable vlan 1 to 4094
#
system-working-mode standard
password-recovery enable
#
vlan 1
#
stp region-configuration
region-name RegionWL
revision-level 1
active region-configuration
#
stp bpdu-protection
stp pathcost-standard dot1t
stp global enable
#
policy-based-route CBRC permit node 10
if-match acl 3000
apply default-output-interface GigabitEthernet0/0/0
#
interface NULL0
#
interface GigabitEthernet0/0/0
port link-mode route
description To_CBRC
combo enable copper
ip address 19.100.249.198 255.255.255.252
undo lldp enable
ip netstream inbound
nat outbound 3000
nat outbound 2050
#
interface GigabitEthernet0/0/1
port link-mode route
description To_S_ZH_WL_H5130-02_G1/0/18
combo enable copper
ip address 19.100.193.97 255.255.255.248
ip netstream inbound
#
interface GigabitEthernet0/0/2
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/3
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/4
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/5
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/6
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/7
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/8
port link-mode bridge
description #unused#
shutdown
#
interface GigabitEthernet0/0/9
port link-mode bridge
description #unused#
shutdown
#
interface Ten-GigabitEthernet0/0/10
port link-mode route
description #unused#
shutdown
#
interface Ten-GigabitEthernet0/0/11
port link-mode route
description #unused#
shutdown
#
interface Ten-GigabitEthernet0/0/12
port link-mode route
description #unused#
shutdown
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
authentication-mode scheme
user-role network-admin
idle-timeout 5 0
#
line vty 0 63
authentication-mode scheme
user-role network-operator
protocol inbound ssh
idle-timeout 5 0
command authorization
#
ip route-static 10.0.0.0 8 19.100.193.98
ip route-static 19.10.250.0 24 19.100.249.197
ip route-static 19.10.251.0 24 19.100.249.197
ip route-static 19.100.246.0 24 19.100.249.197
ip route-static 100.100.60.1 32 19.100.193.98
#
info-center synchronous
info-center logging suppress duplicates
info-center format cmcc
info-center logbuffer size 1024
info-center loghost source GigabitEthernet0/0/1
info-center loghost 10.192.2.11
info-center source SHELL logbuffer deny
#
snmp-agent
snmp-agent local-engineid 800063A28080616C05066F00000001
snmp-agent community read beachina acl 2000
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.192.31.36 params securityname beachina v2c
snmp-agent target-host trap address udp-domain 10.192.31.37 params securityname beachina v2c
snmp-agent target-host trap address udp-domain 10.192.31.43 params securityname beachina v2c
snmp-agent target-host trap address udp-domain 10.192.31.45 params securityname beachina v2c
snmp-agent target-host trap address udp-domain 10.192.31.47 params securityname beachina v2c
snmp-agent target-host trap address udp-domain 10.192.31.48 params securityname beachina v2c
snmp-agent trap source GigabitEthernet0/0/1
#
ssh server enable
ssh server acl 2100
#
ntp-service enable
ntp-service source GigabitEthernet0/0/1
ntp-service unicast-server 10.192.6.104
#
acl number 2000
rule 5 permit source 10.192.31.0 0.0.0.255
#
acl number 2050
rule 5 permit source 10.192.56.225 0
#
acl number 2100
rule 10 permit source 10.192.31.0 0.0.0.255
rule 20 permit source 10.191.0.0 0.0.255.255
#
acl advanced 3000
rule 5 permit ip source 10.192.56.225 0 destination 19.100.249.197 0
rule 10 permit ip source 19.100.193.97 0 destination 19.100.249.197 0
#
header login %
WARNING:Unauthorized access and use of this equipment will be vigorously prosecuted.
%
#
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
hwtacacs scheme acs
primary authentication 10.192.31.181
primary authorization 10.192.31.181
primary accounting 10.192.31.181
secondary authentication 10.192.31.182
secondary authorization 10.192.31.182
secondary accounting 10.192.31.182
key authentication cipher $c$3$tDjm0gxa8wRVgsxmfbk9PG2mU+G2NsX+T+GOj+M=
key authorization cipher $c$3$He1L2wVh+/2lyMUuRegIBV+FAjq7ZMyds35A3OQ=
key accounting cipher $c$3$J9OPAzf1wZJGVx8a7BOUryoz/s3t/jzcFAoakTQ=
user-name-format without-domain
nas-ip 19.100.193.97
#
radius scheme system
user-name-format without-domain
#
domain name nac
authentication login hwtacacs-scheme acs local
authorization login hwtacacs-scheme acs local
accounting login hwtacacs-scheme acs
authorization command hwtacacs-scheme acs
#
domain name system
#
domain default enable nac
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user cnadmin1 class manage
password hash $h$6$7ng/a+kKeymvesMw$tQdrTWJSCbcTDifON818HmRVDbJ2t8ZR+xFp25TVJMMW2c0NhVSOQ6VfJxb+kLjXLDqv5Svz/S1zdAAfPR1LqQ==
service-type ssh terminal
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user cnuser1 class manage
password hash $h$6$4QVTGVh97QIyxB58$87MgiBHel++tqYcwO9xGk+MxQoB/O44Adxrwl56YmQa+fvMwcCvUbTASHSure/a89tBjxmLJIHwjjIj55JkdPA==
service-type ssh terminal
authorization-attribute user-role level-1
authorization-attribute user-role network-operator
#
local-user cnuser2 class manage
password hash $h$6$weRfqTBH/n7kmYon$AQdhSpOJuIWsFM1q0hU1FJpmrPnkDIOpD0U3x8NwVhCDAtvAxe2IN8Dl6dJdIcgfXvyCyUYAhel7B5otul5m9Q==
service-type ssh terminal
authorization-attribute user-role level-1
authorization-attribute user-role network-operator
#
local-user cnuser3 class manage
password hash $h$6$s2sfJxaaVPHZbcNU$k1VMt+Qz8L27lL0D0/v83YMyLiuUuvVxCbMvdnNld4Y+WdU39d2V7cBysj97NQuHh7uYTXdwexEcx8/1A+YKiQ==
service-type ssh terminal
authorization-attribute user-role level-1
authorization-attribute user-role network-operator
#
security-zone intra-zone default permit
#
return
最佳答案
ping 能通吗？
是的,另外一台设备配置相同的ACL就能行,很奇怪