H3C SecPath F1000: the LAN cannot reach the Internet. Pinging LAN addresses works, but pinging external IPs fails.
I have checked the following methods and found no problem. Hoping an expert can point me in the right direction; I am posting the configuration file. I have replaced the public addresses; the public addresses in the config are not the real ones.
#
version 7.1.064, Release 9660P52
#
sysname H3C-BRCYY
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 172
address 172.27.0.244 172.27.0.244
#
nat address-group 224
address 172.27.0.224 172.27.0.224
#
nat address-group 236 name 236
address 172.27.0.236 172.27.0.236
#
undo nat alg ftp
nat dns-map domain asss.br.top protocol tcp ip 212.45.23.6 port 43430
#
dns proxy enable
dns server 58.242.2.2
dns server 114.114.114.114
dns server 223.5.5.5
#
sysid BR-F1005
#
password-recovery enable
#
vlan 1
#
object-group service 43430
description 43430
0 service tcp destination eq 43430
#
object-group service 37900
description 37900
0 service tcp destination eq 37900
#
object-group service 38292
0 service tcp destination eq 38292
#
object-group service 8006
description 8006
0 service tcp destination eq 8006
#
dhcp server ip-pool 172DHCP
gateway-list 172.72.0.254
network 172.72.0.0 mask 255.255.255.0
dns-list 58.242.2.2
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.111.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
description GuideWan Interface(公网口)
bandwidth 10000000
ip address 212.45.23.6 255.255.255.0
dns server 58.242.2.2
dns server 218.104.78.2
nat outbound disable counting
nat server protocol tcp global 212.45.23.6 43430 inside 172.27.0.236 43430 rule ServerRule_10 counting
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
gateway 212.45.23.1
#
interface GigabitEthernet1/0/4
port link-mode route
description GuideLan Interface(内网口)
ip address 172.72.0.254 255.255.255.0
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage netconf-http inbound
manage netconf-https inbound
manage netconf-ssh inbound
manage ping inbound
manage ping outbound
manage snmp inbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet1/0/9
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet1/0/10
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet1/0/11
port link-mode route
ip address dhcp-alloc
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/4
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 212.45.23.1
ip route-static 172.27.0.0 24 GigabitEthernet1/0/4 172.72.0.253
#
performance-management
#
ssh server enable
#
arp ip-conflict log prompt
#
ntp-service enable
ntp-service source GigabitEthernet1/0/3
ntp-service unicast-server 120.25.115.20 version 1
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user webshow class manage
password hash $h$6$F5Ad3TUQ1LFd7suq$8hkDra2SWcrlXbs8MKy37eI5l4EPf6INC2jQdruYe0GnOvCy5qpWTNY021b7pnhyvlv9pZ3q4yq+lIxr7JSlgQ==
service-type ftp
service-type pad ssh telnet terminal http https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role network-admin
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
ipsec logging negotiation enable
#
nat global-policy
rule name GlobalPolicyRule_1
description 保证Trust安全域内的Host可以访问Untrust安全域内的DNS
source-zone Trust
destination-zone Untrust
action snat no-nat
counting enable
#
ike logging negotiation enable
#
ip http enable
ip https enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
traffic-policy
rule 1 name GuideWANAccPolicy
action qos profile guidewanaccprofile
service ike
service ipsec-ah
service ipsec-esp
service l2tp
service nat-t-ipsec
rule 2 name GuideAVCPolicy
action qos profile guideavcprofile1
profile name guideavcprofile1
bandwidth downstream guaranteed 7000000
bandwidth downstream maximum 7000000
profile name guidewanaccprofile
bandwidth downstream guaranteed 3000000
bandwidth downstream maximum 3000000
#
security-policy ip
rule 0 name Trust-Untrust
action pass
logging enable
source-zone Trust
destination-zone Untrust
rule 1 name Secpolicy
action pass
disable
logging enable
source-zone Untrust
destination-zone Trust
destination-ip-host 172.27.0.242
service 8006
rule 2 name Secpolicy224
action pass
disable
logging enable
source-zone Untrust
destination-zone Trust
destination-ip-host 172.27.0.224
service 38292
rule 4 name Secpolic37900
action pass
disable
logging enable
source-zone Untrust
destination-zone Trust
destination-ip-host 172.27.0.236
service 37900
rule 5 name Secpolicy43430
action pass
disable
logging enable
source-zone Untrust
destination-zone Trust
destination-ip-host 172.27.0.236
service 43430
#
ips policy guideipspolicy
object-dir client
severity-level critical
protect-target WebServer Any
protect-target WebServer Other
protect-target WebServer WebLogic
#
cloud-management server domain secops.h3c.com
#
return
I don't understand what you mean: is it that the LAN cannot reach the Internet, or that the LAN cannot reach the internal server via the public address?
Cannot get online; cannot reach the external network.
The LAN cannot reach the Internet. The gateway cannot ping any external IP at all.
security-policy ip rule 0 name Trust-Untrust action pass logging enable source-zone Trust destination-zone Untrust  An allow-all policy is already configured, yet the firewall cannot ping the public network.
Ping 223.5.5.5 (223.5.5.5): 56 字节
请求超时。
请求超时。
请求超时。
请求超时。
请求超时。
--- Ping 223.5.5.5 的统计信息 ---
5 个包已发送 0 个包已接收 100% 包丢失率
The global NAT policy rejected it: that "action snat no-nat". Either configure interface NAT or global NAT; yours conflict.
nat global-policy
rule name GlobalPolicyRule_1
description 保证Trust安全域内的Host可以访问Untrust安全域内的DNS
source-zone Trust
destination-zone Untrust
action snat no-nat
counting enable
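An added config-audit script, not from the original thread, that illustrates the reply above: it splits a Comware running-config into `#`-delimited blocks and flags the two source-NAT problems visible in the posted config, a `nat outbound` rule carrying the `disable` keyword on the interface that holds the default gateway, and a `nat global-policy` rule with `action snat no-nat`. The config excerpt is constructed from the thread, and treating `disable` on `nat outbound` as a disabled rule is an assumption.

```python
import re

# Constructed excerpt of the posted F1000 config (public address already
# substituted by the original poster); Comware separates blocks with '#'.
SAMPLE_CONFIG = """\
#
nat address-group 172
 address 172.27.0.244 172.27.0.244
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address 212.45.23.6 255.255.255.0
 nat outbound disable counting
 gateway 212.45.23.1
#
nat global-policy
 rule name GlobalPolicyRule_1
  source-zone Trust
  destination-zone Untrust
  action snat no-nat
#
"""

def sections(cfg):
    """Split a Comware running-config into '#'-delimited blocks of stripped lines."""
    blocks, cur = [], []
    for line in cfg.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.strip())
    if cur:
        blocks.append(cur)
    return blocks

def audit_snat(cfg):
    """Return findings explaining why LAN traffic may leave without source NAT."""
    findings = []
    for blk in sections(cfg):
        head = blk[0]
        if head.startswith("interface ") and any(l.startswith("gateway ") for l in blk):
            # WAN-facing interface (carries the default gateway): check its nat outbound rules
            rules = [l for l in blk if l.startswith("nat outbound")]
            if not rules:
                findings.append(f"{head}: no 'nat outbound' rule")
            for r in rules:
                if re.search(r"\bdisable\b", r):  # assumption: 'disable' keyword = rule off
                    findings.append(f"{head}: '{r}' is disabled")
        elif head == "nat global-policy":
            rule = None
            for l in blk[1:]:
                if l.startswith("rule name "):
                    rule = l.split()[-1]
                elif l == "action snat no-nat":
                    findings.append(f"nat global-policy {rule}: 'action snat no-nat' exempts matching traffic from SNAT")
    return findings
```

Run against the full posted config the same checks apply; a clean config yields an empty list.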