#
version 7.1.064, Release 9524P41
#
sysname H3C
#
context Admin id 1
#
ip vpn-instance 端口映射
#
ip vpn-instance 内网
description 回包路由
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 11
address 115.238.71.246 115.238.71.246
#
dhcp enable
#
dns server 202.101.172.47
dns server 202.101.172.35
#
password-recovery enable
#
vlan 1
#
object-group ip address 10.0.0.2_5222
0 network host address 10.0.0.2
#
object-group ip address 10.0.0.2_7070
0 network host address 10.0.0.2
#
object-group ip address 10.0.0.2_89
0 network host address 10.0.0.2
#
object-group ip address 10.0.0.35_1981
security-zone Trust
0 network host address 10.0.0.35
#
object-group ip address 10.0.0.35_3389
0 network host address 10.0.0.35
#
object-group ip address 10.0.0.35_8933
0 network host address 10.0.0.35
#
object-group ip address 10.0.0.35_9000
0 network host address 10.0.0.35
#
object-group ip address 10.0.0.36_5872
0 network host address 10.0.0.36
#
object-group ip address 10.0.0.36_8088
0 network host address 10.0.0.36
#
object-group ip address 10.0.0.5_5900
0 network host address 10.0.0.5
#
object-group ip address 10.0.0.8_1433
0 network host address 10.0.0.8
#
object-group ip address 10.0.0.8_1980
0 network host address 10.0.0.8
#
object-group ip address 10.0.0.8_1981
security-zone Trust
0 network host address 10.0.0.8
#
object-group ip address 10.0.0.8_9001
0 network host address 10.0.0.8
#
object-group ip address 10.0.0.95_1227
0 network host address 10.0.0.95
#
object-group ip address nas
security-zone Trust
0 network host address 172.16.100.251
#
object-group ip address oa服务器
security-zone Trust
0 network host address 10.0.0.2
#
object-group ip address trust
0 network subnet 172.16.80.0 255.255.255.0
#
object-group ip address untrust
0 network subnet 115.238.71.244 255.255.255.252
#
object-group ip address 加密服务器
security-zone Trust
0 network host address 10.0.0.28
#
object-group ip address 监控映射ip
security-zone Trust
0 network host address 192.168.1.43
10 network host address 192.168.1.46
20 network host address 192.168.1.52
#
object-group ip address "轴承 mes系统"
security-zone Trust
0 network host address 172.16.120.201
10 network host address 172.16.120.203
20 network host address 172.16.120.204
#
object-group service 1227
0 service tcp destination eq 1227
#
object-group service 1433
0 service tcp destination eq 1433
#
object-group service 1980
0 service tcp destination eq 1980
#
object-group service 1981
0 service tcp destination eq 1981
#
object-group service 3389
0 service tcp destination eq 3389
#
object-group service 5222
0 service tcp destination eq 5222
#
object-group service 5872
0 service tcp destination eq 5872
#
object-group service 5900
0 service tcp destination eq 5900
#
object-group service 7070
0 service tcp destination eq 7070
#
object-group service 8088
0 service tcp destination eq 8088
#
object-group service 89
0 service tcp destination eq 89
#
object-group service 8933
0 service tcp destination eq 8933
#
object-group service 9001
0 service tcp destination eq 9001
#
object-group service 9444
0 service tcp destination eq 9444
#
object-group service OA
0 service tcp destination eq 8080
#
object-group service RDP
0 service tcp destination eq 3389
#
object-group service 加密
0 service tcp destination eq 9444
#
dhcp server ip-pool 内网
gateway-list 172.16.80.2
network 172.16.80.0 mask 255.255.255.0
dns-list 202.101.172.47 202.101.172.35
#
controller Cellular1/0/0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 115.238.71.246 255.255.255.252
tcp mss 1300
nat outbound 3999
nat server protocol tcp global current-interface 80 inside 10.0.0.87 80 rule 10.0.0.87:80 disable
nat server protocol tcp global current-interface 100 inside 10.0.0.87 80 rule web服务器 disable
nat server protocol tcp global current-interface 1227 inside 10.0.0.95 1227 rule 10.0.0.95_1227 disable
nat server protocol tcp global current-interface 1939 inside 10.0.0.35 3389 rule 10.0.0.35_1939 disable
nat server protocol tcp global current-interface 1981 inside 10.0.0.8 1981 rule 外部访问杭州ERP disable
nat server protocol tcp global current-interface 5222 inside 10.0.0.2 5222 rule 10.0.0.2_5222 disable
nat server protocol tcp global current-interface 5872 inside 10.0.0.36 5872 rule 10.0.0.36_5872 disable
nat server protocol tcp global current-interface 5900 inside 10.0.0.5 5900 rule 10.0.0.5_5900 disable
nat server protocol tcp global current-interface 7070 inside 10.0.0.2 7070 rule 10.0.0.2_7070 disable
nat server protocol tcp global current-interface 7951 inside 10.0.0.29 3389 vpn-instance 内网 rule ServerRule_2 disable
nat server protocol tcp global current-interface 8088 inside 10.0.0.36 8088 rule 10.0.0.36_8088 disable
nat server protocol tcp global current-interface 8933 inside 10.0.0.35 8933 rule 10.0.0.35_8933 disable
nat server protocol tcp global current-interface 9000 inside 10.0.0.35 9000 rule erp disable
nat server protocol tcp global current-interface 9001 inside 10.0.0.8 9001 rule 10.0.0.8ERP counting
nat server protocol tcp global current-interface 9444 inside 10.0.0.28 9444 rule 加密服务器 disable
nat server protocol tcp global current-interface 9834 inside 10.0.0.2 8080 rule 外部访问oa disable
nat server protocol tcp global current-interface 9889 inside 10.0.0.2 89 rule 10.0.0.2_9889 disable
nat server protocol tcp global current-interface 10001 inside 192.168.1.52 10001 rule 监控192.168.1.52 counting
nat server protocol tcp global current-interface 10002 inside 192.168.1.52 10002 rule 监控192.168.1.52_2 counting
nat server protocol tcp global current-interface 10003 inside 192.168.1.46 10003 rule 监控192.168.1.46 counting
nat server protocol tcp global current-interface 10004 inside 192.168.1.46 10004 rule 监控192.168.1.46_2 counting
nat server protocol tcp global current-interface 10005 inside 192.168.1.43 10005 rule 监控192.168.1.43 counting
nat server protocol tcp global current-interface 10006 inside 192.168.1.43 10006 rule 监控192.168.1.43_2 counting
nat server protocol tcp global current-interface 10007 inside 192.168.1.25 10007 rule 监控192.168.1.43_3 counting
nat server protocol tcp global current-interface 10008 inside 192.168.1.25 10008 rule 监控192.168.1.25_2 counting
nat server protocol tcp global current-interface 16666 inside 172.16.100.251 16666 rule naswebserver counting
nat server protocol tcp global current-interface 18888 inside 172.16.100.251 18888 rule NAS外网访问 counting
nat server protocol tcp global current-interface 19999 inside 172.16.100.251 6690 rule NAS外网客户端 counting
nat server protocol tcp global current-interface 28888 inside 172.16.100.253 28888 rule ServerRule_25 counting description 陈进
nat server protocol tcp global current-interface 29999 inside 172.16.100.253 6690 rule 陈进nas外网客户端 counting
nat server protocol tcp global current-interface 50000 inside 172.16.120.201 5000 rule 172.16.120.201_5000 counting
nat server protocol tcp global current-interface 50001 inside 172.16.120.201 5001 rule 172.16.120.201_5001 counting
nat server protocol tcp global current-interface 50002 inside 172.16.120.201 5002 rule 172.16.120.201_5002 counting
nat server protocol tcp global current-interface 50003 inside 172.16.120.201 5003 rule 172.16.120.201_5003 counting
nat server protocol tcp global current-interface 50004 inside 172.16.120.201 5004 rule 172.16.120.201_5004 counting
nat server protocol tcp global current-interface 50005 inside 172.16.120.201 5005 rule 172.16.120.201_5005 counting
nat server protocol tcp global current-interface 50006 inside 172.16.120.201 22345 rule 172.16.120.201_22345 counting
nat server protocol tcp global current-interface 50007 inside 172.16.120.203 1433 rule 172.16.120.203_1433 counting
nat server protocol tcp global current-interface 50008 inside 172.16.120.204 8888 rule 172.16.120.204_8888 counting
nat server protocol udp global current-interface 38888 inside 172.16.100.251 38888 rule nas_vpn_udp counting
ipsec apply policy js
gateway 115.238.71.245
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 172.16.80.2 255.255.255.0
tcp mss 1300
nat hairpin enable
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
import interface GigabitEthernet1/0/4
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
authentication-mode none
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 115.238.71.245
ip route-static 10.0.0.0 24 172.16.80.1
ip route-static 172.16.0.0 16 172.16.80.1
ip route-static 172.16.100.0 24 172.16.80.1
ip route-static 172.168.0.0 16 172.16.80.1
ip route-static 192.168.0.0 24 115.238.71.245
ip route-static 192.168.1.0 24 172.16.80.1
ip route-static 192.168.15.0 24 115.238.71.245
#
info-center source FILTER logfile deny
#
ssh server enable
#
acl advanced 3999
rule 0 deny ip source 172.16.100.0 0.0.0.255 destination 192.168.15.0 0.0.0.255
rule 5 permit ip
#
acl advanced name IPsec_js_IPv4_128
rule 1 permit ip source 172.16.100.0 0.0.0.255 destination 192.168.15.0 0.0.0.255
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$lC+ippPSJAuxbGKs$Kijp2sukHsf+SP0mhrw+LutVCLXdIvA7XjBPqLPr6BZlu7+jfctDxZ31a62pQALoJdeat0+EqLhBOpVgm9kIxw==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user test class manage
password hash $h$6$JqGmKu5oa9Y0HddH$mUESD4D9M0YpLQ4VhxyDMZqjGa4ucKEwBotlk9nGyUGl7f9eBDucsLr6HwVeCY+zDJigQAWkzAbmJnmTjItwOA==
service-type ssh https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role network-admin
#
session statistics enable
session synchronization enable
session synchronization http
#
ipsec limit max-tunnel 1000
ipsec logging negotiation enable
#
ipsec transform-set js_IPv4_128
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec policy js 128 isakmp
transform-set js_IPv4_128
security acl name IPsec_js_IPv4_128
local-address 115.238.71.246
remote-address 61.130.64.194
ike-profile js_IPv4_128
sa duration time-based 180
sa idle-time 60
#
nat global-policy
rule name fangwenwaiwang
source-zone Untrust
destination-zone Untrust
source-ip host 192.168.0.2
action snat address-group 11
counting enable
#
ike dpd interval 10 on-demand
ike identity address 115.238.71.246
ike logging negotiation enable
#
ike profile js_IPv4_128
keychain js_IPv4_128
dpd interval 30 on-demand
exchange-mode aggressive
local-identity address 115.238.71.246
match remote identity address 61.130.64.194 255.255.255.255
match local address GigabitEthernet1/0/1
proposal 1
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike proposal 100
dh group2
#
ike keychain js_IPv4_128
match local address GigabitEthernet1/0/1
pre-shared-key address 61.130.64.194 255.255.255.255 key cipher $c$3$VxeVoncZ+XNAVOvZi+zsSgYr1AI=
#
ip https port 4434
ip https enable
#
app-profile 0_IPv4
ips apply policy default mode protect
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
security-policy ip
rule 37 name TCE上网
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Untrust
source-ip-subnet 192.168.0.0 255.255.255.252
rule 36 name TCR到内网
action pass
logging enable
counting enable
source-zone Untrust
source-zone Trust
destination-zone Trust
destination-zone Untrust
source-ip-subnet 10.0.0.0 255.255.255.0
source-ip-subnet 192.168.0.0 255.255.255.252
destination-ip-subnet 10.0.0.0 255.255.255.0
destination-ip-subnet 192.168.0.0 255.255.255.252
rule 35 name 国外访问ERP
action pass
disable
counting enable
source-zone Local
destination-zone Untrust
rule 17 name 外网
action pass
counting enable
source-zone Local
destination-zone Untrust
rule 16 name 互通
action pass
source-zone Trust
source-zone Local
destination-zone Local
destination-zone Trust
rule 13 name Inside_to_outside
action pass
source-zone Trust
destination-zone Untrust
source-ip trust
rule 0 name 内到外安全策略
action pass
logging enable
counting enable
profile 0_IPv4
source-zone Trust
destination-zone Untrust
rule 18 name Untrust→Local_18_IPv4
action pass
source-zone Untrust
destination-zone Local
rule 12 name 10.0.0.29-3389
action pass
source-zone Untrust
destination-zone Trust
destination-ip-host 10.0.0.29
service RDP
rule 14 name 10.0.0.2-8080
action pass
source-zone Untrust
destination-zone Trust
destination-ip oa服务器
destination-ip 10.0.0.2_5222
destination-ip 10.0.0.2_7070
destination-ip 10.0.0.2_89
destination-ip-host 10.0.0.2
service OA
service 5222
service 7070
service 89
rule 19 name 10.0.0.28
action pass
source-zone Untrust
destination-zone Trust
destination-ip 加密服务器
destination-ip-host 10.0.0.28
service 加密
rule 20 name 10.0.0.36_8088
action pass
source-zone Untrust
destination-zone Trust
destination-ip 10.0.0.36_8088
destination-ip 10.0.0.36_5872
destination-ip-host 10.0.0.36
service 8088
service 5872
rule 25 name 10.0.0.35_9000
action pass
disable
source-zone Untrust
destination-zone Trust
destination-ip 10.0.0.35_9000
destination-ip 10.0.0.35_3389
destination-ip 10.0.0.35_8933
destination-ip 10.0.0.35_1981
destination-ip-host 10.0.0.35
service 9001
service 8933
service 3389
service 1981
rule 26 name 10.0.0.5_5900
action pass
source-zone Untrust
destination-zone Trust
destination-ip 10.0.0.5_5900
destination-ip-host 10.0.0.5
service 5900
rule 27 name 10.0.0.95_1227
action pass
source-zone Untrust
destination-zone Trust
destination-ip 10.0.0.95_1227
destination-ip-host 10.0.0.95
service 1227
rule 28 name 10.0.0.8_9000
action pass
counting enable
source-zone Untrust
destination-zone Trust
destination-ip 10.0.0.8_1981
destination-ip 10.0.0.8_1433
destination-ip 10.0.0.8_1980
destination-ip 10.0.0.8_9001
destination-ip-host 10.0.0.8
service 1980
service 1981
service 1433
service 9001
rule 29 name VPN
action pass
counting enable
source-zone Untrust
destination-zone Trust
source-ip-subnet 192.168.15.0 255.255.255.0
destination-ip-subnet 172.16.100.0 255.255.255.0
rule 30 name NAS外网访问
action pass
counting enable
source-zone Untrust
destination-zone Trust
destination-ip nas
destination-ip-host 172.16.100.251
rule 31 name 陈进NAS外网访问
action pass
counting enable
source-zone Untrust
destination-zone Trust
destination-ip nas
destination-ip-host 172.16.100.253
rule 32 name mes_bcp
 description 轴承MES三台服务器172.16.120.201/203/204的外网访问(未限定服务端口)
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Trust
destination-ip "轴承 mes系统"
rule 33 name 监控映射
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Trust
destination-ip 监控映射ip
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return
H3C F1000 防火墙问题：新增一条海外 VPN 后，原来的链路就不通了。附上添加前和添加后的配置，请各位帮忙看看。