
How to configure DNS address translation on a firewall

Asked 2020-06-13
  • 0 following
  • 1 bookmark, 2374 views
Followers: 0  Following: 0

Problem description:

I don't know why, but after the firewall F100-A-G2 (V7) was configured, intranet clients can use QQ and WeChat but cannot open web pages. I found that neither the firewall nor the clients can ping the configured local ISP DNS 61.139.2.69, but both can ping 114.114.114.114. Since there are many clients, all with manually configured IP and DNS, is there a temporary way to have the firewall translate that DNS address into 114.114.114.114 without changing the clients' DNS setting of 61.139.2.69, so that the clients can get online normally?

The configuration file is attached; the public IP has been hidden.

Best answer

Followers: 11  Following: 3

61.139.2.69 is also a public DNS server; in theory there is no difference from 114. Some restriction policy on the firewall may be preventing intranet clients from using 61.139.2.69 to resolve domain names; I suggest looking for the root cause. The firewall does have a DNS proxy feature, but that also requires the endpoints to point their DNS server at the firewall, with the firewall proxying the query to the authoritative DNS, which does not match the situation on site.

1 answer
zhiliao_VtmAmV (Zhiliao newcomer)
Followers: 0  Following: 0

#
version 7.1.064, Release 9313P1901
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dns proxy enable
dns server 61.139.2.69

#
password-recovery enable
#
vlan 1
#
interface Route-Aggregation1
ip address 172.18.6.2 255.255.255.0
undo dhcp select server
#
interface Route-Aggregation2
undo dhcp select server
#
interface Route-Aggregation3
ip address 171.***.***.*** 255.255.255.0
nat outbound 3000
nat outbound 2000
nat server protocol tcp global 171.***.***.*** 3330 inside 172.18.10.3 3330
nat server protocol tcp global 171.***.***.*** 3331 inside 172.18.10.3 3331
nat server protocol tcp global 171.***.***.*** 3334 inside 172.18.10.2 3334
nat server protocol tcp global 171.***.***.*** 3335 inside 172.18.10.2 3335
nat server protocol tcp global 171.***.***.*** 3340 inside 172.18.10.24 8080
nat server protocol tcp global 171.***.***.*** 8081 inside 172.18.10.12 8081
nat server protocol tcp global 171.***.***.*** 8086 inside 172.18.10.12 8086
nat server protocol tcp global 171.***.***.*** 8089 inside 172.18.10.12 8089
nat server protocol tcp global 171.***.***.*** 9990 inside 172.18.10.12 9990
nat server protocol tcp global 171.***.***.*** 9996 inside 172.18.10.12 9996
nat server protocol tcp global 171.***.***.*** 59001 inside 172.18.10.210 5900
nat server protocol tcp global 171.***.***.*** 59002 inside 172.18.10.220 5900
nat server protocol tcp global 171.***.***.*** 59008 inside 172.18.10.8 5900
nat server protocol tcp global 171.***.***.*** 59010 inside 172.18.10.10 5900
nat server protocol tcp global current-interface 8085 inside 172.18.10.12 8085
undo dhcp select server
#
interface Route-Aggregation4
ip address 172.18.8.248 255.255.255.0
undo dhcp select server
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
undo dhcp select server
port link-aggregation group 3
#
interface GigabitEthernet1/0/1
port link-mode route
undo dhcp select server
port link-aggregation group 3
#
interface GigabitEthernet1/0/2
port link-mode route
undo dhcp select server
port link-aggregation group 2
#
interface GigabitEthernet1/0/3
port link-mode route
undo dhcp select server
port link-aggregation group 2
#
interface GigabitEthernet1/0/4
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/5
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/6
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/7
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/8
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/9
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/10
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/11
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/12
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/13
port link-mode route
undo dhcp select server
port link-aggregation group 1
#
interface GigabitEthernet1/0/14
port link-mode route
undo dhcp select server
port link-aggregation group 4
#
interface GigabitEthernet1/0/15
port link-mode route
undo dhcp select server
port link-aggregation group 4
#
interface GigabitEthernet1/0/16
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/17
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/18
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/19
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/20
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/21
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/22
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/23
port link-mode route
undo dhcp select server
#
object-policy ip Local-Trust
rule 0 pass logging
#
object-policy ip Trust-Local
rule 0 pass logging
#
object-policy ip Trust-Trust
rule 0 pass logging
#
object-policy ip Trust-Untrust
rule 0 pass logging
#
object-policy ip Untrust-Local
rule 0 pass logging
#
object-policy ip Untrust-Trust
rule 0 pass logging
#
security-zone name Local
#
security-zone name Trust
import interface Route-Aggregation1
import interface Route-Aggregation4
#
security-zone name DMZ
#
security-zone name Untrust
import interface Route-Aggregation2
import interface Route-Aggregation3
#
security-zone name Management
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Any
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 171.***.***.1
ip route-static 0.0.0.0 0 172.18.6.1
ip route-static 172.18.0.0 16 172.18.6.1
#
acl basic 2000 match-order auto
step 1
rule 4 permit source 172.18.1.44 0
rule 5 permit source 172.18.1.22 0
rule 6 permit source 172.18.1.8 0
rule 7 permit source 172.18.1.145 0
rule 8 permit source 172.18.1.220 0
rule 9 permit source 172.18.1.221 0
rule 10 permit source 172.18.1.222 0
rule 11 permit source 172.18.1.223 0
rule 12 permit source 172.18.1.224 0
rule 13 permit source 172.18.1.225 0
rule 14 permit source 172.18.1.226 0
rule 15 permit source 172.18.1.227 0
rule 16 permit source 172.18.1.228 0
rule 17 permit source 172.18.1.229 0
rule 18 permit source 172.18.1.231 0
rule 19 permit source 172.18.1.232 0
rule 20 permit source 172.18.1.235 0
rule 21 permit source 172.18.1.236 0
rule 22 permit source 172.18.5.41 0
rule 1 deny source 172.18.1.0 0.0.0.255
rule 2 deny source 172.18.2.0 0.0.0.255
rule 3 deny source 172.18.5.0 0.0.0.255
rule 0 permit source 172.18.0.0 0.0.255.255
#
acl advanced 3000
step 10
rule 0 permit icmp
rule 100 deny tcp destination-port eq telnet counting
rule 300 deny tcp destination-port eq 3389
rule 400 permit tcp destination-port eq 1723
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
ips policy default
#
anti-virus policy default
#
return


ip route-static 0.0.0.0 0 172.18.6.1 // What is the purpose of this default route pointing into the intranet? If it stays like this, the routing table will have two default routes, and there may be problems when packets reach the firewall and are looked up for forwarding.

铁头娃呆头鹅  Posted: 2020-06-13

There is a Layer 3 switch below the firewall; 172.18.6.2 is the address of the firewall's intranet-side port. All intranet clients are manually configured with IPs 172.18.***.***. That static route was copied over from the original old firewall, and the old firewall could ping 61.139.2.69 normally; the device is being replaced only because it had been in service too long.

zhiliao_VtmAmV  Posted: 2020-06-13
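The two review points raised in this thread (the best answer's note that the DNS proxy only helps clients that point at the firewall, and the comment about two default routes) are both visible in the posted configuration, as are some policy settings a reviewer would flag. The following is an added example, not code from the thread or from H3C: a small Python audit script that parses a Comware-style configuration split on its '#' separator lines and reports those findings. The embedded CONFIG is an excerpt of the configuration posted above (public IP masked exactly as in the post; interface, ACL and role blocks the checks do not use are omitted). The check names, the list of match keywords, and the "pass with no match condition means pass everything" interpretation are this example's assumptions.

```python
import re

# Excerpt of the configuration posted in this thread (constructed excerpt; blocks
# the checks below do not use are omitted, public IP masked as in the post).
CONFIG = """\
#
telnet server enable
#
dns proxy enable
dns server 61.139.2.69
#
object-policy ip Untrust-Local
rule 0 pass logging
#
object-policy ip Untrust-Trust
rule 0 pass logging
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
ip route-static 0.0.0.0 0 171.***.***.1
ip route-static 0.0.0.0 0 172.18.6.1
ip route-static 172.18.0.0 16 172.18.6.1
#
ip http enable
ip https enable
#
return
"""

# Assumed set of keywords that give an object-policy rule a match condition.
MATCH_KEYWORDS = {"source-ip", "destination-ip", "service", "application", "user", "time-range"}


def parse_blocks(text):
    """Split the config at its '#' separator lines into blocks of non-empty lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def default_route_next_hops(blocks):
    """Next hop of every 0.0.0.0/0 static route; more than one is the commenter's concern."""
    hops = []
    for line in (l for b in blocks for l in b):
        m = re.match(r"ip route-static 0\.0\.0\.0 0 (\S+)$", line)
        if m:
            hops.append(m.group(1))
    return hops


def permit_all_policies(blocks):
    """Names of object policies whose rules all pass traffic without any match condition."""
    names = []
    for block in blocks:
        head = block[0].split()
        if head[:2] != ["object-policy", "ip"]:
            continue
        rules = [l.split() for l in block[1:] if l.startswith("rule ")]
        if rules and all(r[2] == "pass" and not MATCH_KEYWORDS & set(r[3:]) for r in rules):
            names.append(head[2])
    return names


def zone_pair_policies(blocks):
    """Map (source zone, destination zone) -> applied object-policy name, or None."""
    pairs = {}
    for block in blocks:
        m = re.match(r"zone-pair security source (\S+) destination (\S+)", block[0])
        if not m:
            continue
        applied = None
        for line in block[1:]:
            a = re.match(r"object-policy apply ip (\S+)", line)
            if a:
                applied = a.group(1)
        pairs[(m.group(1), m.group(2))] = applied
    return pairs


def management_exposed_to_untrust(blocks):
    """Management services enabled while Untrust -> Local passes all traffic."""
    if zone_pair_policies(blocks).get(("Untrust", "Local")) not in permit_all_policies(blocks):
        return []
    flat = {l for b in blocks for l in b}
    enabled = [("telnet server enable", "telnet"), ("ip http enable", "http"), ("ip https enable", "https")]
    return [name for cmd, name in enabled if cmd in flat]


def dns_proxy_upstreams(blocks):
    """(proxy enabled?, upstream servers). Proxying helps only clients that point at the
    firewall, and only if the firewall itself can reach the upstream it forwards to."""
    flat = [l for b in blocks for l in b]
    return "dns proxy enable" in flat, [l.split()[-1] for l in flat if l.startswith("dns server ")]


def audit(text):
    """Run every check and return human-readable findings."""
    blocks = parse_blocks(text)
    findings = []
    hops = default_route_next_hops(blocks)
    if len(hops) > 1:
        findings.append(f"{len(hops)} default routes with different next hops: {hops}")
    findings += [f"object-policy {n} passes all traffic" for n in permit_all_policies(blocks)]
    findings += [f"{s} management reachable from Untrust" for s in management_exposed_to_untrust(blocks)]
    enabled, servers = dns_proxy_upstreams(blocks)
    if enabled:
        findings.append(f"dns proxy forwards to {servers}; clients must point at the firewall to use it")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("-", finding)
```

On the posted excerpt the script reports the two default routes the commenter asked about, the permit-all policies on the Untrust to Local and Untrust to Trust zone pairs, telnet/http/https management reachable from Untrust through that permit-all pair, and a DNS proxy whose only upstream is the same 61.139.2.69 that the firewall itself cannot ping, which is why the best answer's suggestion of finding the root cause applies before any DNS translation is attempted.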
