防火墙二层部署不通
- 0关注
- 0收藏,168浏览
问题描述:
H3C防火墙设备型号SECPATH F100-M-G2,SN序列号219801A0X19185Q0007F。当前部署方式为二层透明部署。
我将接口跑二层,上联设备为运营商光猫,配置为vlan111,上联口access vlan 111,下联口也配置为access vlan 111。配置为当前写了一个全通的策略。下联口接的是路由器,下联口直接配置的公网IP。当前问题是加了防火墙之后,接口显示UP,但没有任何流量,路由器的公网IP也不通。
请教是不是和防火墙授权文件有关,当前防火墙文件已过质保。
组网及组网描述:
授权文件截图和配置见附件
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
接口都没加安全域,怎么通?把二层口加入安全域,然后放通对应的安全域
- 2024-05-09回答
- 评论(1)
- 举报
-
(0)
接口加安全域怎么配的,需要import二层接口的时候加上vlan
#
security-znoe Trust
import interface gigabitetthernet1/0/1 vlan 11
#
security-zone Untrust
import interface gigabitetthernet1/0/2 vlan 11
#
security-policy ip
#
rule 0 name 0_IPv4
#
action pass
- 2024-05-09回答
- 评论(0)
- 举报
-
(0)
<H3C>dis cu
#
version 7.1.064, Release 9510P06
#
sysname H3C
#
clock timezone Beijing add 08:00:00
clock protocol none
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
password-recovery enable
#
vlan 1
#
vlan 111
description 7L
#
vlan 115
description 3710A1119547-ISP-3L
#
vlan 222
description 7L
#
vlan 1002
description ַ
#
vlan 1115
description 3710A1119547-ISP-3L
#
object-group ip address 3Lַ
0 network subnet 192.168.3.0 255.255.255.0
10 network subnet 192.168.4.0 255.255.255.0
20 network subnet 121.0.0.0 255.255.255.0
30 network subnet 171.17.0.0 255.255.0.0
#
object-group ip address 3Lӳַ
0 network host address 222.143.22.133
#
object-group ip address 3Lַ
0 network range 100.79.0.21 100.79.0.22
#
object-group ip address 3LIP
0 network range 222.143.22.129 222.143.22.142
#
object-group ip address 59
0 network subnet 59.0.0.0 255.0.0.0
#
object-group ip address 7L
0 network range 192.168.10.1 192.168.11.254
10 network range 192.168.1.1 192.168.1.254
#
object-group ip address 7LIP
0 network range 218.28.141.34 218.28.141.38
#
object-group ip address 7Lַ
0 network range 192.168.2.1 192.168.3.254
#
object-group ip address 7LIP
0 network host address 117.160.8.46
10 network host address 117.160.8.47
#
object-group ip address
0 network subnet 0.0.0.0 0.0.0.0
#
object-group ip address IP
0 network range 59.207.22.129 59.207.22.142
#
object-group ip address
0 network range 100.79.4.21 100.79.4.22
#
object-group service TCP12345
0 service tcp destination eq 12345
#
object-group service TCP54321
0 service tcp destination eq 54321
#
object-group service TCP64443
0 service tcp destination eq 64443
#
object-group service UDP11111
0 service udp destination eq 11111
#
interface NULL0
#
interface Vlan-interface1002
ip address 192.168.4.201 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.198.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/0
port link-mode bridge
description to-3L
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 115 1002 1115
port trunk pvid vlan 1115
combo enable fiber
speed 1000
duplex full
#
interface GigabitEthernet1/0/1
port link-mode bridge
description to-isp-liantong-59zhengwu-waiwang
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 115 1115
port trunk pvid vlan 115
combo enable fiber
speed 1000
duplex full
#
interface GigabitEthernet1/0/4
port link-mode bridge
description vlan111
port access vlan 111
#
interface GigabitEthernet1/0/5
port link-mode bridge
description vlan111
port access vlan 111
#
interface GigabitEthernet1/0/6
port link-mode bridge
description vlan222
port access vlan 222
#
interface GigabitEthernet1/0/7
port link-mode bridge
description vlan222
port access vlan 222
#
interface GigabitEthernet1/0/8
port link-mode bridge
description vlan222
port access vlan 222
#
interface GigabitEthernet1/0/10
port link-mode bridge
description
port access vlan 111
#
interface GigabitEthernet1/0/11
port link-mode bridge
#
object-policy ip Any-Any
rule 0 pass source-ip IP destination-ip 59ogging counting
rule 0 comment ʡ
rule 1 pass source-ip 59estination-ip IP logging counting
rule 1 comment 59
rule 2 pass source-ip destination-ip logging counting
rule 2 comment 3L
rule 2 append source-ip 3Lַ
rule 2 append source-ip
rule 2 append destination-ip 3Lַ
rule 2 append destination-ip
rule 3 pass source-ip 3LIP destination-ip logging counting
rule 3 comment 3LIP
rule 4 pass source-ip 7LIP destination-ip logging counting
rule 4 comment 7LIP
rule 4 append source-ip 7LIP
rule 5 pass source-ip 7Lestination-ip logging counting
rule 5 comment 7L
rule 6 pass source-ip 7Lַ destination-ip logging counting
rule 6 comment 7L
rule 7 pass source-ip 3Lַ destination-ip logging counting
rule 7 comment ǽsslvpnκ
rule 10 pass source-ip destination-ip 3Lӳַ service TCP12345 logging counting
rule 11 pass source-ip destination-ip 3Lӳַ service TCP54321 logging counting
rule 12 pass source-ip destination-ip 3Lӳַ service TCP64443 logging counting
rule 12 append service ike
rule 12 append service nat-t-ipsec
rule 13 pass source-ip destination-ip 3Lӳַ service UDP11111 logging counting
rule 9 pass source-ip destination-ip
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
import interface GigabitEthernet1/0/2
import interface Vlan-interface1002
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Vlan-interface1002 192.168.4.2
#
ssh server enable
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$LCWFNwTXY8fqE5cT$dsBe8ptx3HJuFX7WqXy/bjcmV8Qp1pOpFXEvtPFyhb25/OyeJ52kF9R+OGjIvXNkT/9TFySgADccsWdDOiVO7A==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
return
- 2024-05-09回答
- 评论(1)
- 举报
-
(0)
你这就没加域
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
谢谢指导,我试试