On an F1000-AI-25 firewall I configured port mapping and turned on nat hairpin enable, but internal hosts still cannot reach the server through the public address.
The internal server is 192.168.2.12, the mapped port is 8112.
nat hairpin enable is also turned on on the internal interface.
A trust-to-trust policy permitting the traffic has also been added.
Please help me take a look.
Below is the configuration file; please help me find where the problem is.
#
version 7.1.064, Release 8860P1212
#
sysname SKSS_FW
#
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat log enable
#
dns server 8.8.8.8
dns server 114.114.114.114
#
password-recovery enable
#
vlan 1
#
object-group ip address 192.168.1.0
security-zone Trust
0 network subnet 192.168.1.0 255.255.255.0
#
object-group ip address 192.168.2.0
security-zone Trust
0 network subnet 192.168.2.0 255.255.255.0
#
object-group ip address 192.168.5.0
security-zone Trust
0 network subnet 192.168.5.0 255.255.255.0
#
object-group ip address trust
description 内网
security-zone Trust
0 network subnet 192.168.0.0 255.255.0.0
#
object-group service port_8098
0 service tcp destination eq 8098
#
object-group service port_81
0 service tcp destination eq 81
#
object-group service rule443
0 service tcp destination eq 443
#
object-group service server5000
0 service tcp source eq 5000 destination eq 5000
#
object-group service service1009
0 service tcp destination eq 1009
#
object-group service service1090
0 service tcp destination eq 1090
#
object-group service service1433
0 service tcp destination eq 1433
#
object-group service service1455
0 service tcp destination eq 1455
#
object-group service service1521
0 service tcp destination eq 1521
#
object-group service service1655
0 service tcp destination eq 1655
#
object-group service service21
0 service tcp destination eq 21
#
object-group service service3389
0 service tcp destination eq 3389
#
object-group service service443
0 service tcp destination eq 443
#
object-group service service5222
0 service tcp destination eq 5222
#
object-group service service5872
0 service tcp destination eq 5872
#
object-group service service6000
0 service tcp destination eq 6000
#
object-group service service6001
0 service tcp destination eq 6001
#
object-group service service6008
0 service tcp destination eq 6008
#
object-group service service6009
0 service tcp destination eq 6009
#
object-group service service7070
0 service tcp destination eq 7070
#
object-group service service80
0 service tcp destination eq 80
#
object-group service service8030
0 service tcp destination eq 8030
#
object-group service service8060
0 service tcp destination eq 8060
#
object-group service service8077
0 service tcp destination eq 8077
#
object-group service service8080
0 service tcp destination eq 8080
#
object-group service service8081
0 service tcp destination eq 8081
#
object-group service service8082
0 service tcp destination eq 8082
#
object-group service service8087
0 service tcp destination eq 8087
#
object-group service service8088
0 service tcp destination eq 8088
#
object-group service service8090
0 service tcp destination eq 8090
#
object-group service service8098
0 service tcp destination eq 8098
#
object-group service service8099
0 service tcp destination eq 8099
#
object-group service service81
0 service tcp destination eq 81
#
object-group service service8112
0 service tcp destination eq 8112
#
object-group service service8113
0 service tcp destination eq 8113
#
object-group service service8115
0 service tcp destination eq 8115
#
object-group service service8116
0 service tcp destination eq 8116
#
object-group service service8117
0 service tcp destination eq 8117
#
object-group service service82
0 service tcp destination eq 82
#
object-group service service88
0 service tcp destination eq 88
#
object-group service service8800
0 service tcp destination eq 8800
#
object-group service service8888
0 service tcp destination eq 8888
#
object-group service service8899
0 service tcp destination eq 8899
#
object-group service service89
0 service tcp destination eq 89
#
object-group service service9988
0 service tcp destination eq 9988
#
policy-based-route xuanlu permit node 10
if-match acl 2000
apply next-hop 111.34.77.129 direct track 1
apply default-output-interface GigabitEthernet1/0/0 track 1
#
policy-based-route xuanlu permit node 20
if-match acl 2001
apply next-hop 124.128.235.185 direct track 2
apply output-interface GigabitEthernet1/0/2 track 2
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 111.34.77.216 255.255.255.128
tcp mss 1024
ip last-hop hold
nat outbound 3001
manage https inbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
ipsec apply policy 1
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 192.168.16.2 255.255.255.0
tcp mss 1024
nat hairpin enable
manage https inbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
ip policy-based-route xuanlu
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 124.128.235.186 255.255.255.248
ip last-hop hold
nat outbound 3001
nat server protocol tcp global 124.128.235.186 443 inside 192.168.2.13 443 rule ServerRule_3
nat server protocol tcp global 124.128.235.186 8077 inside 192.168.2.13 8077 rule ServerRule_2
nat server protocol tcp global 124.128.235.186 8088 inside 192.168.2.13 8088 rule ServerRule_1
manage ping inbound
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/24
port link-mode route
#
interface GigabitEthernet1/0/25
port link-mode route
#
interface M-GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/26
port link-mode route
#
interface Ten-GigabitEthernet1/0/27
port link-mode route
#
interface Tunnel0 mode gre
ip address 10.10.10.10 255.255.255.0
source 111.34.77.216
destination 60.216.86.50
keepalive 10 3
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
import interface Tunnel0
#
security-zone name Management
import interface M-GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 223.98.185.81
ip route-static 0.0.0.0 0 111.34.77.129
ip route-static 60.216.86.50 32 223.98.185.81
ip route-static 60.216.86.50 32 111.34.77.129
ip route-static 192.168.1.0 24 192.168.16.1
ip route-static 192.168.2.0 24 192.168.16.1
ip route-static 192.168.5.0 24 223.98.185.81
ip route-static 192.168.5.0 24 111.34.77.129
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
ssh server enable
#
acl basic 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
acl basic 2001
rule 0 permit source 192.168.2.0 0.0.0.255
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 1 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
#
acl advanced 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 10 permit ip
#
acl advanced 3333
rule 0 permit ip source 192.168.2.85 0 destination 124.128.235.186 0
rule 1 permit ip source 124.128.235.186 0 destination 192.168.2.85 0
rule 2 permit ip source 124.128.235.186 0 destination 192.168.2.13 0
rule 3 permit ip source 192.168.2.13 0 destination 124.128.235.186 0
#
acl advanced 3999
rule 0 permit ip source 192.168.5.15 0 destination 192.168.1.9 0
rule 5 permit ip source 192.168.1.9 0 destination 192.168.5.15 0
#
password-control length 8
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$jtXvdjnQnojsAhX9$4FO01OEDWCFtYKztHDMwuuTPWn2yG0EQ77HYUWgHDbKYPazErxGM9uY/UPus2HLzJTz/tO6l6f/Nred0cy9wOQ==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session statistics enable
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp
transform-set 1
security acl 3000
local-address 111.34.77.216
remote-address 60.216.86.50
description IPSec@123
ike-profile 1
#
nat policy
#
nat global-policy
rule name rule81
service service81
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.6 local-port 81
disable
counting enable
rule name rule5872
service service5872
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.6 local-port 5872
disable
counting enable
rule name rule1433
service service1433
source-zone Untrust
destination-ip host 223.98.185.83
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.9 local-port 1433
disable
counting enable
rule name rule3389
service service3389
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 3389
disable
counting enable
rule name rule1655
service service1655
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 1655
disable
counting enable
rule name rule1009
service service1009
source-zone Untrust
destination-ip host 223.98.185.83
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 1099
disable
counting enable
rule name rule21
service service21
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 21
disable
counting enable
rule name rule88
service service88
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 88
disable
counting enable
rule name rule8888
service service8888
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 8888
disable
counting enable
rule name rule82
service service82
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.182 local-port 82
disable
counting enable
rule name rule89
service service89
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.13 local-port 89
disable
counting enable
rule name rule6000
service service6000
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.91 local-port 6000
disable
rule name rule6001
service service6001
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.91 local-port 6001
disable
rule name rule8800
service service8800
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.13 local-port 8800
disable
rule name rule6008
service service6008
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.0.2 local-port 6008
disable
rule name rule6009
service service6009
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.0.2 local-port 6009
disable
rule name rule8090
service service8090
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.85
action snat easy-ip
action dnat ip-address 192.168.1.39 local-port 8090
disable
rule name rule8081
service service8081
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.22 local-port 8081
disable
rule name rule8082
service service8082
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.85
action snat easy-ip
action dnat ip-address 192.168.1.39 local-port 8082
disable
rule name rule8087
service service8087
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.39 local-port 8087
disable
rule name rule8098
service port_8098
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.85
action snat easy-ip
action dnat ip-address 192.168.1.141 local-port 8098
disable
rule name rule80
service service80
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 80
disable
rule name rule8030
service service8030
source-zone Untrust
destination-ip host 111.34.77.216
action dnat ip-address 192.168.1.244 local-port 8030
rule name rule8060
service service8060
source-zone Untrust
destination-ip host 111.34.77.216
action dnat ip-address 192.168.1.9 local-port 80
rule name rule8099
service service8099
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.108 local-port 8099
disable
rule name rule8899
service service8899
source-zone Untrust
destination-ip host 223.98.185.83
action dnat ip-address 192.168.1.74 local-port 8899
disable
rule name rule5222
service service5222
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.83
action snat easy-ip
action dnat ip-address 192.168.1.141 local-port 5222
disable
rule name rule7070
service service7070
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.83
action snat easy-ip
action dnat ip-address 192.168.1.41 local-port 7070
disable
rule name GlobalPolicyRule_1
source-zone Trust
destination-zone Untrust
action snat easy-ip
disable
counting enable
rule name rule_8090
service service8090
source-zone Trust
source-zone Untrust
destination-ip host 223.98.185.83
action snat easy-ip
action dnat ip-address 192.168.1.141 local-port 8090
disable
rule name rule1521
service service1521
source-zone Untrust
destination-ip host 223.98.185.85
action dnat ip-address 192.168.1.39 local-port 1521
disable
rule name IPSec_VPN
source-zone Trust
destination-zone Untrust
source-ip 192.168.1.0
source-ip 192.168.2.0
destination-ip 192.168.5.0
action snat no-nat
rule name rule8080
service service8080
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 8080
rule name rule443
service rule443
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 443
rule name rule8112
service service8112
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 8112
rule name rule8113
service service8113
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 8113
rule name rule8115
service service8115
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 8115
rule name rule8117
service service8117
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 8117
rule name rule8116
service service8116
source-zone Untrust
destination-ip host 124.128.235.186
action dnat ip-address 192.168.2.12 local-port 8116
#
ike profile 1
keychain 1
local-identity address 111.34.77.216
match remote identity address 60.216.86.50 255.255.255.255
match local address GigabitEthernet1/0/0
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike proposal 2
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain 1
match local address GigabitEthernet1/0/0
pre-shared-key address 60.216.86.50 255.255.255.255 key cipher $c$3$tPKMa5QqY6TWkH7okncsPcWtzBJ07MYUk02Exu0=
#
ip https enable
#
blacklist global enable
#
app-profile 6_IPv4
anti-virus apply policy default mode protect
#
app-profile 7_IPv4
anti-virus apply policy default mode protect
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
packet-capture max-bytes 4096
packet-capture max-file-packets 1000
packet-capture storage local limit 10240
#
security-policy ip
rule 6 name test
action pass
counting enable
profile 6_IPv4
source-zone Local
source-zone Trust
destination-zone Untrust
source-ip trust
rule 5 name any_any
action pass
counting enable
source-zone Trust
source-zone Local
destination-zone Local
destination-zone Trust
rule 9 name xiaochengxu
action pass
source-zone Trust
source-zone Local
destination-zone Trust
destination-zone Local
rule 7 name Untrust-Trust_new
description 192.168.0.2,192.168.1.9,192.168.1.22,192.168.1.99,192.168.1.244,192.168.2.12
action pass
logging enable
counting enable
profile 7_IPv4
source-zone Untrust
destination-zone Trust
rule 8 name ipsec
action pass
#
anti-virus signature auto-update
update schedule weekly sat start-time 02:00:00 tingle 120
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return
(0)
Best answer
Is there any policy-based routing?
Try adding this: security-zone intra-zone default permit
(0)
It may be related to the policy-based routing; configure the last-hop hold feature
There is policy-based routing. It is just one policy selecting between the two WAN links. I just added the command you gave and it returned an error; it could not be added.
Try fully opening up the security policy first
The security policy is currently all any
All of your mappings have Untrust as the source zone; try adding Trust
(0)
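As an added example (not from this thread and not H3C's own code), the following script parses a nat global-policy block in the layout posted above and lists, for one inside server, every DNAT rule that is disabled or whose source-zone list lacks Trust, which is the check suggested in the reply above. The configuration text inside it is a constructed sample modelled on the posted rules, not the poster's firewall output.

```python
# Constructed sample in the layout of the posted config; leading spaces are optional
# because the thread's copy lost its indentation. Not the firewall's own output.
SAMPLE_CONFIG = """\
nat global-policy
 rule name rule8112
  service service8112
  source-zone Untrust
  destination-ip host 124.128.235.186
  action dnat ip-address 192.168.2.12 local-port 8112
 rule name rule8080
  source-zone Trust
  source-zone Untrust
  destination-ip host 124.128.235.186
  action dnat ip-address 192.168.2.12 local-port 8080
 rule name rule80
  source-zone Untrust
  destination-ip host 124.128.235.186
  action dnat ip-address 192.168.2.12 local-port 80
  disable
#
"""

def parse_nat_rules(config):
    """Parse the rules of the 'nat global-policy' block into dicts."""
    rules, cur, in_block = [], None, False
    for line in (l.strip() for l in config.splitlines()):
        if line == "nat global-policy":
            in_block = True
        elif not in_block:
            continue
        elif line == "#":  # Comware closes each top-level block with '#'
            break
        elif line.startswith("rule name "):
            cur = {"name": line.split()[2], "zones": set(), "enabled": True,
                   "dnat_ip": None}
            rules.append(cur)
        elif cur is None:
            continue
        elif line.startswith("source-zone "):
            cur["zones"].add(line.split()[1])
        elif line.startswith("action dnat ip-address "):
            cur["dnat_ip"] = line.split()[3]
        elif line == "disable":
            cur["enabled"] = False
    return rules

def hairpin_findings(config, inside_host, client_zone="Trust"):
    """Map each DNAT rule for inside_host to the reasons it cannot serve clients in
    client_zone that reach the server by its public address (the hairpin case)."""
    out = {}
    for r in parse_nat_rules(config):
        if r["dnat_ip"] != inside_host:
            continue
        why = []
        if not r["enabled"]:
            why.append("rule is disabled")
        if client_zone not in r["zones"]:
            why.append(f"source-zone list lacks {client_zone}")
        if why:
            out[r["name"]] = why
    return out
```

Running it against a full saved configuration (read from a file instead of SAMPLE_CONFIG) gives the same per-rule report; rules that pass both checks are omitted.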
Added it, still doesn't work
Is it all of your internal subnets that cannot access it, or only some of them?
(0)
Add another policy-based-route node; the node number should be 1, the source addresses are these two internal subnets, and the next hop points to 192.168.16.1. That will solve your problem.
All of them.
You can test it like this first: open the security policy any to any and see whether it works. If it does, then the problem is indeed likely the policy or the security-zone/interface configuration; if any to any does not work either, the policy-based routing may be breaking the return packets.
The security policy is currently all any
So with the security policy all any it still doesn't work; then the problem can basically be pinpointed to the return path under policy-based routing. Add another policy-based route with source the internal IPs and next hop the IP that connects to the internal network, and it will work.
Also, looking at your routes there are only 2 subnets in total with return routes. Are there only 2 internal subnets? Do the subnets that cannot access it have return routes? If so, add another policy-based route for the return packets.
Just 2 subnets. The server can be accessed normally via its internal IP. Right now the external network can access this port-mapped IP normally, but internal PCs cannot access the server using the public IP.