论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2010-07-28 23:30 |只看该作者 |倒序浏览

本帖最后由 loveoov 于 2010-07-28 23:39 编辑

set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 1000 "internet"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "internet" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1/1" zone "Untrust"
set interface "ethernet1/1.1" tag 111 zone "Trust"
set interface "ethernet1/2" zone "Trust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface mgt ip 192.168.1.1/24
set interface ethernet1/1 ip 61.1.1.1/30
set interface ethernet1/1 route
set interface ethernet1/2 ip 10.20.29.1/30
set interface ethernet1/2 nat
set interface tunnel.1 ip unnumbered interface ethernet1/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet1/2 ip manageable
set interface ethernet1/1 manage ping
set interface ethernet1/1 manage telnet
set interface ethernet1/1 manage snmp
set interface ethernet1/1 manage web
set interface "ethernet1/1" mip 71.1.1.1 host 10.20.36.8 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.20.0.0/16" 10.20.0.0 255.255.0.0
set address "Trust" "10.20.0.0/24" 10.20.0.0 255.255.255.0
set address "Trust" "10.20.40.0/21" 10.20.40.0 255.255.248.0
set address "Trust" "AAA-Self-Portal" 10.20.36.8 255.255.255.255
set address "Trust" "FOR AAA" 71.1.1.1 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set icap av-vendor-id symantec-5
set url protocol websense
exit
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(71.1.1.1)" "PING" permit log
set policy id 10
exit
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
exit
set policy id 6 from "Trust" to "Untrust" "10.20.40.0/21" "Any" "ANY" permit log
set policy id 6
exit
set policy id 8 from "Untrust" to "Trust" "Any" "MIP(71.1.1.1)" "ANY" permit log
set policy id 8
exit
set policy id 7 from "Untrust" to "Trust" "Any" "FOR AAA" "ANY" nat dst ip 10.20.36.8 permit log
set policy id 7
exit
set policy id 9 from "Trust" to "Untrust" "AAA-Self-Portal" "Any" "ANY" permit log
set policy id 9
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 71.1.1.1/32 vrouter "trust-vr" preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/1 gateway 61.1.1.2 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

复制代码

PC---交换机-----ISG1000---CISCO路由器（外网）
我这样配置MIP之后，在PC上登陆iphost.info后显示自己的IP是71.1.1.1，并且能够上网，路由没问题
但问题就是为什么从外网ping不通这个地址 "71.1.1.1" 呢？(该PC内网可以Ping通)

文库|博客

cflmumu

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2010-07-29 15:51 |只看该作者

本帖最后由 cflmumu 于 2010-07-29 15:56 编辑

我看了一下你的防火墙配置，发现一个问题，你所说的MIP（71.1.1.1)中 71.1.1.1 是个公网IP（美国宾夕法尼亚州），在外网ping 71.1.1.1的时候，恐怕数据包根本就不会跑到你的防火墙1口，那还哪里来的MIP转换了呢？
我不太清楚你内网的拓扑结构，不知道为什么会有个公网地址在内网。还有你的外网IP 61.1.1.2（印度）。好奇怪的IP。
有需要加我QQ 619360977 大家一起讨论。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cflmumu

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2010-07-29 20:47 |只看该作者

解决了添加了一条 10.20.36.0/24 interface ethernet1/2 gateway 10.20.29.2 的路由原来中间有个路由器需要添加个gateway

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

飞扬起舞飞扬起舞当前离线禁止访问好友博客消息论坛徽章: 0	4楼 [报告] 发表于 2010-07-31 12:39 \|只看该作者提示: 作者被禁止或删除内容自动屏蔽
飞扬起舞飞扬起舞当前离线禁止访问好友博客消息论坛徽章: 0	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › IT运维 › 数据安全 › Juniper ISG1000 MIP后从公网咋就是Ping不通MIP地址呢 ...

飞扬起舞飞扬起舞当前离线禁止访问好友博客消息论坛徽章: 0	4楼 [报告] 发表于 2010-07-31 12:39 \|只看该作者提示: 作者被禁止或删除内容自动屏蔽
飞扬起舞飞扬起舞当前离线禁止访问好友博客消息论坛徽章: 0	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

Juniper ISG1000 MIP后从公网咋就是Ping不通MIP地址呢？（但MIP地址上可以上网） [复制链接]

浏览过的版块

Juniper ISG1000 MIP后 从公网咋就是Ping不通MIP地址呢？（但MIP地址上可以上网） [复制链接]

浏览过的版块

Juniper ISG1000 MIP后从公网咋就是Ping不通MIP地址呢？（但MIP地址上可以上网） [复制链接]