Chinaunix forum

h3c secpath f100-a-si configuration problem, asking for advice

Post 1, posted 2010-12-02 00:50
Environment: layer-3 switch B - fibre - firewall C - layer-2 switch - computer D
B-ip:10.63.1.1/30 C-ip:10.63.1.2/30 10.63.18.1/24 D-ip:10.63.18.2/24
The firewall is an h3c secpath f100-a-si.
f100-a configuration:
firewall packet-filter enable
firewall packet-filter default permit
e1/0 ip addr 10.63.18.1 255.255.255.0
e0/0 ip addr 10.63.1.2  255.255.255.252
trust add inter e1/0
untrust add inter e0/0
ip rout 0.0.0.0 0.0.0.0 10.63.1.1
The problem now: pinging 10.63.18.2 from the firewall works, pinging 10.63.1.1 from the firewall works, and pinging 10.63.18.1 from the computer works, but pinging 10.63.1.1 from the computer fails. I don't know what the reason is.
The configuration file is as follows:
dis cur
#
sysname HaiHu
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password simple admin
service-type telnet terminal
level 3
#
acl number 3001
rule 0 deny tcp source-port eq 3127
rule 1 deny tcp source-port eq 1025
rule 2 deny tcp source-port eq 5554
rule 3 deny tcp source-port eq 9996
rule 4 deny tcp source-port eq 1068
rule 5 deny tcp source-port eq 135
rule 6 deny udp source-port eq 135
rule 7 deny tcp source-port eq 137
rule 8 deny udp source-port eq netbios-ns
rule 9 deny tcp source-port eq 138
rule 10 deny udp source-port eq netbios-dgm
rule 11 deny tcp source-port eq 139
rule 12 deny udp source-port eq netbios-ssn
rule 13 deny tcp source-port eq 593
rule 14 deny tcp source-port eq 4444
rule 15 deny tcp source-port eq 5800
rule 16 deny tcp source-port eq 5900
rule 18 deny tcp source-port eq 8998
rule 19 deny tcp source-port eq 445
rule 20 deny udp source-port eq 445
rule 21 deny udp source-port eq 1434
rule 30 deny tcp destination-port eq 3127
rule 31 deny tcp destination-port eq 1025
rule 32 deny tcp destination-port eq 5554
rule 33 deny tcp destination-port eq 9996
rule 34 deny tcp destination-port eq 1068
rule 35 deny tcp destination-port eq 135
rule 36 deny udp destination-port eq 135
rule 37 deny tcp destination-port eq 137
rule 38 deny udp destination-port eq netbios-ns
rule 39 deny tcp destination-port eq 138
rule 40 deny udp destination-port eq netbios-dgm
rule 41 deny tcp destination-port eq 139
rule 42 deny udp destination-port eq netbios-ssn
rule 43 deny tcp destination-port eq 593
rule 44 deny tcp destination-port eq 4444
rule 45 deny tcp destination-port eq 5800
rule 46 deny tcp destination-port eq 5900
rule 48 deny tcp destination-port eq 8998
rule 49 deny tcp destination-port eq 445
rule 50 deny udp destination-port eq 445
rule 51 deny udp destination-port eq 1434
rule 100 permit ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
description WCN_INTERFACE_LAN
ip address 10.63.18.1 255.255.255.10
firewall packet-filter 3001 inbound
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0
description WCN_INTERFACE_WAN
ip address 10.63.1.2 255.255.255.252
firewall packet-filter 3001 inbound
#
interface Ethernet1/1
#
interface NULL0
#
interface LoopBack0
ip address 169.0.0.1 255.0.0.0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 10.63.1.1 preference 60
#
firewall defend ip-spoofing
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
authentication-mode scheme
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
<HaiHu>
I don't know whether I need to add an ACL like rule 100 permit source ip.
But this firewall cannot use zone-interworking commands such as
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
I don't know whether NAT is needed, but this firewall is used inside an internal network. Is it OK without NAT?

Post 2, posted 2010-12-02 09:32
From the firewall, ping 10.63.1.1 using source address 10.63.18.1.
I think it is ping -a 10.63.18.1 10.63.1.1

If that fails, check the routing on 10.63.1.1.
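The reply's diagnosis can be checked without the hardware. The following is an added Python model, not code from the thread or from H3C: it builds the three devices from the addresses in the running config (Ethernet0/0 as the 10.63.18.1/24 trust side, Ethernet1/0 as the 10.63.1.2/30 untrust side, the default route to 10.63.1.1, and the PC with 10.63.18.1 as its gateway), does longest-prefix-match forwarding hop by hop, and treats a ping as successful only when both the echo request and the echo reply resolve. It reproduces the poster's four observations, shows why `ping -a 10.63.18.1 10.63.1.1` from the firewall is the right test, and shows the ping succeeding once switch B has a route back to 10.63.18.0/24 via 10.63.1.2. The device names, the `Device` class and the return route on B are assumptions for the illustration. ACL 3001 is not modelled: its deny rules match only TCP and UDP ports, so an ICMP echo falls through to `rule 100 permit ip`. A small mask check is included because the dump shows `ip address 10.63.18.1 255.255.255.10`, which is not a contiguous mask (whether that is a transcription slip or the real configuration, it is worth confirming on the box).

```python
import ipaddress


class Device:
    """Tiny IP router: connected networks plus static routes, longest-prefix match.
    Assumed illustration, not the forwarding logic of the SecPath firewall."""

    def __init__(self, name):
        self.name = name
        self.addresses = set()   # addresses this device answers for
        self.routes = []         # (network, next_hop); next_hop None = directly connected

    def add_interface(self, ip, mask):
        # ipaddress raises ValueError for a non-contiguous mask such as 255.255.255.10
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.addresses.add(ipaddress.ip_address(ip))
        self.routes.append((net, None))

    def add_route(self, prefix, mask, next_hop):
        net = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
        self.routes.append((net, ipaddress.ip_address(next_hop)))

    def next_hop(self, dst):
        """Longest-prefix match. Returns (found, next_hop)."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return (False, None) if best is None else (True, best[1])


def trace(devices, start, dst, max_hops=8):
    """Walk hop by hop from `start` toward dst. Returns the list of device
    names on the path, or None when some hop has no route (or an unknown next hop)."""
    owner = {a: d for d in devices for a in d.addresses}
    cur, path = start, [start.name]
    for _ in range(max_hops):
        if dst in cur.addresses:
            return path
        found, nh = cur.next_hop(dst)
        if not found:
            return None
        nxt = owner.get(dst if nh is None else nh)
        if nxt is None:
            return None
        cur = nxt
        path.append(cur.name)
    return None


def ping_ok(devices, src_dev, src_ip, dst_ip):
    """An echo succeeds only if the request reaches dst AND the reply gets back to src."""
    fwd = trace(devices, src_dev, ipaddress.ip_address(dst_ip))
    if fwd is None:
        return False, "no route on the forward path"
    dst_dev = next(d for d in devices if d.name == fwd[-1])
    back = trace(devices, dst_dev, ipaddress.ip_address(src_ip))
    if back is None:
        return False, f"{dst_dev.name} has no route back to {src_ip}"
    return True, " -> ".join(fwd) + " / " + " -> ".join(back)


def mask_is_valid(mask):
    """True for a contiguous subnet mask; False for e.g. 255.255.255.10 from the dump."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask}", strict=False)
        return True
    except ValueError:
        return False


def build_topology(b_has_return_route):
    """Addresses from the post; the return route on B is the assumed fix."""
    b = Device("B-switch")
    b.add_interface("10.63.1.1", "255.255.255.252")
    c = Device("C-firewall")
    c.add_interface("10.63.18.1", "255.255.255.0")      # Ethernet0/0, trust zone
    c.add_interface("10.63.1.2", "255.255.255.252")     # Ethernet1/0, untrust zone
    c.add_route("0.0.0.0", "0.0.0.0", "10.63.1.1")      # ip route-static 0.0.0.0 0.0.0.0 10.63.1.1
    d = Device("D-pc")
    d.add_interface("10.63.18.2", "255.255.255.0")
    d.add_route("0.0.0.0", "0.0.0.0", "10.63.18.1")     # PC default gateway
    if b_has_return_route:
        b.add_route("10.63.18.0", "255.255.255.0", "10.63.1.2")   # assumed: ip route-static on B
    return [b, c, d]


if __name__ == "__main__":
    for has_route in (False, True):
        devs = build_topology(has_route)
        b, c, d = devs
        print("B has a route back to 10.63.18.0/24:", has_route)
        print("  PC D  ping 10.63.1.1               :", ping_ok(devs, d, "10.63.18.2", "10.63.1.1"))
        print("  FW    ping 10.63.1.1               :", ping_ok(devs, c, "10.63.1.2", "10.63.1.1"))
        print("  FW    ping -a 10.63.18.1 10.63.1.1 :", ping_ok(devs, c, "10.63.18.1", "10.63.1.1"))
        print("  PC D  ping 10.63.18.1              :", ping_ok(devs, d, "10.63.18.2", "10.63.18.1"))
    print("mask 255.255.255.10 valid:", mask_is_valid("255.255.255.10"))
```

The plain firewall ping of 10.63.1.1 succeeds in both runs because it is sourced from 10.63.1.2, which B reaches as a connected network; only the source-specified ping and the PC's ping expose the missing return route, which is exactly the distinction the reply is drawing.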