免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
论坛 IT运维 网络技术 关于netscreen问题
最近访问板块 发新帖
查看: 1632 | 回复: 3
打印 上一主题 下一主题

关于netscreen问题 [复制链接]

xujian200412

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
发表于 2006-09-25 15:39 |只看该作者 |倒序浏览
这是我netscreen208的配置,现在ping 134.134.33.58ping不通了,本来是可以的突然不行了,检查半天也不知道是什么原因,麻烦各位帮忙看看
ns208-> get config
Total Config size 2280:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
--- more ---
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.1.1.208/24
set interface ethernet1 nat
set interface ethernet3 ip 134.134.33.57/26
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
--- more ---
set interface ethernet3 ip manageable
set interface ethernet3 manage telnet
set interface "ethernet3" mip 134.134.33.58 host 10.1.1.52 netmask 255.255.255.255 vrouter "trust-vr"
set hostname ns208
set ike respond-bad-spi 1
set policy id 1 name "NAT-src" from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 2 name "97-to-app2" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route  0.0.0.0/0 interface ethernet3 gateway 134.134.33.1
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr"
exit
untrust

论坛徽章:
0
2 [报告]
发表于 2006-09-25 21:32 |只看该作者
是不是修改了policy之后不通?
我看少了一条从untrust 到mip的policy
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
xujian200412

论坛徽章:
0
3 [报告]
发表于 2006-09-26 11:32 |只看该作者
原帖由 untrust 于 2006-9-25 21:32 发表
是不是修改了policy之后不通?
我看少了一条从untrust 到mip的policy



突然不行的,也不知道什么原因,我做了
set policy id 2 name "97-to-app2" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
还需要单独做条untrust到mip的policy吗?
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
untrust

论坛徽章:
0
4 [报告]
发表于 2006-09-26 18:47 |只看该作者
如果你作了mip
在web作policy from untrust to trust时,在选择destination address时会出现Global Mip类似的
加上这个policy就行了
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP