• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

SecPath F1000-S-G2 防火墙端口映射不生效

2024-04-25提问
  • 0关注
  • 0收藏,504浏览
粉丝:0人 关注:0人

问题描述:

通过测试防火墙到服务器 能互通 安全策略全放通,NAT 服务器也配置正常,内网的服务器端口也能正常打开web 中间无其他安全设备。就很奇怪

版本为H3C Comware Software, Version 7.1.064, Release 9333P17

组网及组网描述:

5 个回答
粉丝:97人 关注:1人

1,检查安全策略是否放行
2,是否是常用端口,常用端口需要备案可能被运营商封了,更换其他端口尝试
3,内部服务是否正常

1跟3 是没啥问题,但是会不会被运营商封,不是很确定,60080不是啥常用吧

zhiliao_kBacaA 发表时间:2024-04-25 更多>>

1跟3 是没啥问题,但是会不会被运营商封,不是很确定,60080不是啥常用吧

zhiliao_kBacaA 发表时间:2024-04-25
粉丝:57人 关注:2人

看你这个图片上的配置没有错误

发一下整体配置看一下吧!

粉丝:146人 关注:1人

1、nat配置

2、安全策略是否放行

3、路由器是否可达

你可以先看下日志有没有到防火墙

zhiliao_kBacaA 知了小白
粉丝:0人 关注:0人

<H3C>dis cur
#
version 7.1.064, Release 9333P17
#
sysname H3C
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dns proxy enable
dns server 222.85.85.85
dns server 222.88.88.88
#
password-recovery enable
#
vlan 1
#
vlan 2
#
vlan 6
#
vlan 10
#
object-group ip address 192.168.0.100
0 network host address 192.168.0.188
10 network host address 192.168.0.200
#
object-group ip address b
0 network host address 192.168.0.211
#
object-group ip address
security-zone Trust
0 network host address 192.168.0.188
#
object-group service 62008D

0 service tcp destination eq 62008
#
object-group service server188
0 service tcp
#
nqa template icmp icmp
#
nqa template icmp pppoe0
destination ip 100.64.0.1
#
nqa template icmp pppoe1
destination ip 100.64.0.1
#
nqa template icmp static
destination ip 117.160.247.129
#
interface Dialer0
ppp chap password cipher $c$3$kuyxrNV/vsOzfKqtQp9gEZ+atWd/qdh83w==
ppp chap user 037103828360
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 037103828360 password cipher $c$3$s5wAXyhlbIQh69PNOFa3LrUfLWeCe3ahEw==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound
#
interface Dialer1
ppp chap password cipher $c$3$RpMYZ0w8nHBmIEZawwrpdU/WYonerDgt7Q==
ppp chap user 037103811692
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 037103811692 password cipher $c$3$50FuR/XvQCQAClNTZOYYs9AI7qTuU6r5Fg==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound
#
interface NULL0
#
interface Vlan-interface2
ip address 192.168.0.1 255.255.255.0
nat hairpin enable
#
interface Vlan-interface6
ip address 192.168.6.1 255.255.255.0
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/8
port link-mode route
speed 100
ip address
ip last-hop hold
nat outbound 3000
nat server protocol tcp global current-interface 1886 inside 192.168.0.186 1886 rule 8
nat server protocol tcp global current-interface 3387 inside 192.168.0.189 3387 rule 8 disable
nat server protocol tcp global current-interface 6001 inside 192.168.0.186 6001 rule 1
nat server protocol tcp global current-interface 8080 inside 192.168.0.189 8080 rule 2
nat server protocol tcp global current-interface 8083 inside 192.168.0.189 8083 rule 1
nat server protocol tcp global current-interface 8090 inside 192.168.0.186 8090 rule 9
nat server protocol tcp global current-interface 8686 inside 192.168.0.61 6868 rule 1 disable
nat server protocol tcp global current-interface 8786 inside 192.168.0.40 8786 rule 2 disable
nat server protocol tcp global current-interface 8883 inside 192.168.0.189 8883 rule 0
nat server protocol tcp global current-interface 9527 inside 192.168.0.189 9527 rule 6
nat server protocol tcp global current-interface 9528 inside 192.168.0.189 9528 rule 9 disable
nat server protocol tcp global current-interface 9529 inside 192.168.0.189 9529 rule 0
nat server protocol tcp global current-interface 10909 inside 192.168.0.189 10909 rule 2
nat server protocol tcp global current-interface 10911 inside 192.168.0.189 10911 rule 3
nat server protocol tcp global current-interface 15800 inside 192.168.0.189 80 rule 5
nat server protocol tcp global current-interface 18006 inside 192.168.0.189 60211 rule 9
nat server protocol tcp global current-interface 18007 inside 192.168.0.189 60214 rule 1 disable
nat server protocol tcp global current-interface 18008 inside 192.168.0.189 60215 rule 2
nat server protocol tcp global current-interface 18010 inside 192.168.0.189 60213 rule disable
nat server protocol tcp global current-interface 18011 inside 192.168.0.189 8011 rule 4 disable
nat server protocol tcp global current-interface 18083 inside 192.168.0.189 18083 rule 3
nat server protocol tcp global current-interface 18622 inside 192.168.0.186 22 rule 6
nat server protocol tcp global current-interface 18680 inside 192.168.0.186 80 rule 7
nat server protocol tcp global current-interface 19082 inside 192.168.0.188 9082 rule 6 disable
nat server protocol tcp global current-interface 19083 inside 192.168.0.191 9082 rule 7
nat server protocol tcp global current-interface 19351 inside 192.168.0.189 1935 rule 0
nat server protocol tcp global current-interface 20911 inside 192.168.0.189 10911 rule

nat server protocol tcp global current-interface 20912 inside 192.168.0.189 10912 rule

nat server protocol tcp global current-interface 21883 inside 192.168.0.186 1883 rule 5
nat server protocol tcp global current-interface 25001 inside 192.168.0.189 5001 rule

nat server protocol tcp global current-interface 29082 inside 192.168.0.186 9082 rule 8
nat server protocol tcp global current-interface 32165 inside 192.168.0.189 32165 rule 5 disable
nat server protocol tcp global current-interface 32580 inside 192.168.0.189 32581 rule

nat server protocol tcp global current-interface 32581 inside 192.168.0.44 32581 rule 2
nat server protocol tcp global current-interface 32582 inside 192.168.0.211 32588 rule

nat server protocol tcp global current-interface 32588 inside 192.168.0.211 32581 rule "yongchaun 32588"
nat server protocol tcp global current-interface 32761 inside 192.168.0.189 32760 rule 3 disable
nat server protocol tcp global current-interface 36980 inside 192.168.0.189 22 rule 4
nat server protocol tcp global current-interface 60080 inside 192.168.0.44 60080 rule 4
nat server protocol tcp global current-interface 60081 inside 192.168.0.44 60081 rule 9
nat server protocol tcp global current-interface 60084 inside 192.168.0.44 60084 rule 0
nat server protocol tcp global current-interface 61883 inside 192.168.0.44 1883 rule 1
nat server protocol tcp global current-interface 62008 inside 192.168.0.211 60080 rule web
nat server protocol tcp global current-interface 62360 inside 192.168.0.186 60211 rule 0
nat hairpin enable
gateway 117.160.247.129
#
interface GigabitEthernet1/0/9
port link-mode route
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet1/0/11
port link-mode route
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/6
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/12
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/13
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/14
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/15
port link-mode bridge
port access vlan 2
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/9
import interface Vlan-interface2
import interface Vlan-interface6
import interface Vlan-interface10
import interface GigabitEthernet1/0/1 vlan 2
import interface GigabitEthernet1/0/2 vlan 2
import interface GigabitEthernet1/0/3 vlan 2
import interface GigabitEthernet1/0/4 vlan 2 6
import interface GigabitEthernet1/0/5 vlan 2
import interface GigabitEthernet1/0/6 vlan 2
import interface GigabitEthernet1/0/7 vlan 2
import interface GigabitEthernet1/0/10 vlan 2
import interface GigabitEthernet1/0/12 vlan 2
import interface GigabitEthernet1/0/13 vlan 2
import interface GigabitEthernet1/0/14 vlan 2
import interface GigabitEthernet1/0/15 vlan 2
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer0
import interface Dialer1
import interface GigabitEthernet1/0/8
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class usb
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer0 preference 50
ip route-static 0.0.0.0 0 117.160.247.129 preference 30
ip route-static 0.0.0.0 0 Dialer1
#
ssh server enable
#
acl advanced 3000
rule 5 permit ip source 192.168.0.0 0.0.0.255
rule 10 permit ip source 192.168.6.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip destination 192.168.0.200 0
rule 5 permit ip destination 192.168.0.189 0
rule 10 permit ip destination 192.168.0.186 0
rule 15 permit ip destination 192.168.0.20 0
rule 20 permit ip destination 192.168.0.61 0
rule 25 permit ip destination 192.168.0.40 0
rule 30 permit ip destination 192.168.0.188 0
rule 35 permit ip destination 192.168.0.191 0
rule 40 permit ip destination 192.168.0.44 0
#
acl advanced 3002
rule 0 permit tcp destination-port eq 1886
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$kDx3TP+0FJf8yH0y$WdnSEALqtnjcW9QMs9tke8U/Dbmb0J0hWC7FqqhwpdNW68Gu9YrGN/23Db4rMzJGPkBV27duZ1KYz0dHjHtvag==
service-type ssh terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session statistics enable
#
ipsec logging negotiation enable
#
ike logging negotiation enable
#
ip https port 8443
ip http enable
ip https enable
webui log enable
#
app-profile 0_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
app-profile 2_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance link-group link-group
proximity enable
transparent enable
probe icmp
success-criteria at-least 1
#
loadbalance class yingshe type link-generic
match 1 acl 3001
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
link-group link-group
#
loadbalance action ob$action$#for#yingshe type link-generic
forward all
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
class yingshe action ob$action$#for#yingshe
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
service enable
bandwidth busy-protection enable
bandwidth interface statistics enable
#
loadbalance proximity
match default lb-probe icmp
#
loadbalance link pppoe0
router interface Dialer0
link-group link-group
max-bandwidth inbound 100000
max-bandwidth outbound 100000
success-criteria at-least 1
probe pppoe0
#
loadbalance link pppoe1
router interface Dialer1
link-group link-group
max-bandwidth inbound 100000
max-bandwidth outbound 100000
success-criteria at-least 1
probe pppoe1
#
loadbalance link static
router ip 117.160.247.129
link-group link-group
max-bandwidth inbound 100000
max-bandwidth outbound 100000
success-criteria at-least 1
probe static
#
loadbalance probe-template icmp icmp
#
uapp-control
policy name app audit
source-zone Trust
destination-zone Untrust
rule 1 any behavior any bhcontent any keyword include any action permit audit-logging
#
security-policy ip
rule 0 name 1
action pass
profile 0_IPv4
source-zone Trust
destination-zone Untrust
rule 14 name CESH
action pass
source-zone Local
source-zone Trust
source-zone DMZ
source-zone Untrust
source-zone Management
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Untrust
destination-zone Management
rule 1 name 2
action pass
source-zone Local
rule 2 name 3
action pass
profile 2_IPv4
source-zone Trust
source-zone Local
destination-zone Local
destination-zone Trust
rule 4 name 5
action pass
source-zone Trust
destination-zone Local
rule 5 name Trustcal_5_IPv4
action pass
source-zone Trust
destination-zone Local
rule 6 name Localust_6_IPv4
action pass
source-zone Local
destination-zone Trust
rule 7 name Untrustcal_7_IPv4
action pass
source-zone Untrust
destination-zone Local
rule 8 name Untrustust_8_IPv4
action pass
source-zone Untrust
destination-zone Trust
rule 9 name Anyy_9_IPv4
action pass
rule 10 name Anycal_10_IPv4
action pass
destination-zone Local
rule 11 name Localy_11_IPv4
action pass
source-zone Local
rule 12 name b
action pass
source-zone Untrust
destination-zone Trust
destination-ip b
service 62008D

rule 13 name
action pass
source-zone Trust
source-zone Local
destination-zone Local
destination-zone Trust
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return

粉丝:4人 关注:1人

你这个所谓的没有生效是什么意思,从内网访问还是外网访问呢,从内网访问你要开nat harping,从外网访问你要安全策略,untrust到trust放行 0.211的60080的端口

你是不是测试的时候拨vpn了呀

垃圾非我莫属 发表时间:2024-04-25 更多>>

放了

zhiliao_kBacaA 发表时间:2024-04-25

所以说大哥,你说的没有生效是啥意思呢,你问题的现象都不明了呀

垃圾非我莫属 发表时间:2024-04-25

你是不是测试的时候拨vpn了呀

垃圾非我莫属 发表时间:2024-04-25

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明