Huawei firewall cannot be logged into from the intranet, please help!!

Posted on: 2018-8-21 18:00:59 Latest reply: 2019-12-16 15:17:03
scy

Help request: (unresolved)
Whether HTTPS or Telnet, machines on the intranet cannot access it. Machines on the public network can.
#
sysname FW-1.PEMS
#
undo l2tp sendaccm enable
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo factory-configuration prohibit
#
undo telnet ipv6 server enable
#
clock timezone Beijing add 08:00:00
#
hrp configuration auto-check 1440
#
firewall detect ftp
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend fraggle enable
firewall defend large-icmp enable
firewall defend smurf enable
firewall defend land enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend arp-flood interface GigabitEthernet1/0/1
firewall defend arp-flood interface GigabitEthernet1/0/4
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
sa force-detection enable
#
isp name "china mobile" set filename china-mobile.csv
isp name "china unicom" set filename china-unicom.csv
isp name "china telecom" set filename china-telecom.csv
isp name "china educationnet" set filename china-educationnet.csv
#
slb enable
#
user-manage web-authentication security port 8887
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage sso-sync radius
page-setting
user-manage security version tlsv1.1 tlsv1.2
#
firewall blacklist enable
#
firewall ids authentication type sha256
#
firewall tcp-mss 1200
snmp-agent session history-max-number enable
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
undo web-manager config-guide enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
update schedule ips-sdb daily 02:54
update schedule av-sdb daily 02:54
update schedule sa-sdb daily 02:54
update schedule ip-reputation daily 02:54
update schedule cnc daily 02:54
#
set disk-scan parameter attach on
set disk-scan parameter cycle 15
set disk-scan parameter iostat 80
set disk-scan parameter speed 10
set disk-scan parameter switch on
set disk-scan parameter parallel 50
#
ip ***-instance default
ipv4-family
#
ad-server template temp1
ad-server authentication base-dn dc=my-domain,dc=com
ad-server authentication ldap-port 3899
ad-server user-filter sAMAccountName
ad-server group-filter ou
ad-server time-stamp-filter createTimeStamp
#
ip address-set in2out type object
address 0 172.16.201.0 mask 24
#
ip address-set server type object
address 0 172.16.151.0 mask 24
address 1 172.16.100.0 mask 24
#
ip address-set 24serverNOHTTP type object
address 0 202.13.81.8 mask 255.255.255.252
#
ip address-set Server24F type object
address 0 202.13.81.8 mask 255.255.255.252
#
ip address-set Collection type group
address 0 172.16.10.0 mask 24
address 1 172.16.20.0 mask 24
address 2 172.16.30.0 mask 24
#
ip address-set WIFI type group
address 0 172.16.101.0 mask 24
address 1 172.16.102.0 mask 24
address 2 172.16.103.0 mask 24
address 3 172.16.104.0 mask 24
address 4 172.16.105.0 mask 24
address 5 172.16.106.0 mask 24
address 6 172.16.107.0 mask 24
#
ip address-set 24server2int type group
address 0 172.16.6.0 mask 30
#
ip address-set pdu type group
address 0 172.16.31.0 mask 24
#
ip address-set BackWall type group
address 0 172.16.108.0 mask 24
#
ip address-set 互联201 type group
address 0 172.16.201.0 mask 24
#
time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
acl number 3000
rule 0 permit ip
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
  service-type internetaccess ssl-*** l2tp ike
  internet-access mode password
  reference user current-domain
manager-user audit-admin
  password cipher @%@%OsUr,K]Yj3}i5=2p4P&+^S<yoeWW)MGX/u(=^YIc%^S~+@%@%
  service-type web terminal
  level 15

manager-user rxtx
  password cipher @%@%I`Ou-f(jYd$_XEJ>gpTl6*DBFYq"Ky3R:F[X6[j)7Y6*l@%@%
  service-type web terminal telnet ssh
  level 15
  authentication-scheme admin_local

manager-user api-admin
  password cipher @%@%7rT-$Uga.M+QT(ChvC2,H(;1%`Se<'ZU%O*C$TGZs#(>,@%@%
  service-type api
  level 15

manager-user admin
  password cipher @%@%-=d2;u;E0PG)T=2I~~80hGn],OuLJqw[-_zo"WI{p11G`h@%@%
  service-type web terminal telnet ssh
  level 15
  authentication-scheme admin_local

manager-user sf-4f-fw
  password cipher @%@%if1F!_v,"OiDVFE]mE2WSK)I{bM+G*@-}dsmLfZ~%SK,W@%@%
  service-type telnet
  level 15
  access-limit 1
  authentication-scheme admin_local

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
bind manager-user sf-4f-fw role device-admin(monitor)
bind manager-user rxtx role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding ***-instance default
ip address 172.16.201.100 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 202.111.8.188 255.255.255.252
anti-ddos flow-statistic enable
alias Internet
gateway 202.111.8.187
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.201.1 255.255.255.0
alias Intranet
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 172.16.203.2 255.255.255.252
alias 24server2int
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 202.111.81.188 255.255.255.248
anti-ddos flow-statistic enable
alias BackWall
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface Virtual-if0
#
interface Cellular0/0/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/4
#
firewall zone dmz
set priority 50
#
ip route-static default-preference 255
#
ip route-static 0.0.0.0 0.0.0.0 202.111.8.187 preference 60
ip route-static 172.16.6.0 255.255.255.252 GigabitEthernet1/0/3 172.16.203.1
ip route-static 172.16.10.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.20.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.30.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.31.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.100.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.101.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.102.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.103.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.104.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.105.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.106.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.107.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.108.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 172.16.151.0 255.255.255.0 GigabitEthernet1/0/2 172.16.201.254
ip route-static 202.111.81.176 255.255.255.255 NULL0
ip route-static 202.111.81.177 255.255.255.255 NULL0
ip route-static 202.111.81.178 255.255.255.255 NULL0
ip route-static 202.111.81.179 255.255.255.255 NULL0
#
undo ssh server compatible-ssh1x enable
sftp server enable
stelnet server enable
ssh authentication-type default password
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type all
ssh user admin sftp-directory hda1:
ssh user rxtx
ssh user rxtx authentication-type password
ssh user rxtx service-type all
ssh user rxtx sftp-directory hda1:
#
bandwidth-limit destination-ip type icmp max-speed 2000
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn mode loop
anti-ddos baseline-learn learn-duration 10080
anti-ddos baseline-learn learn-interval 0
anti-ddos baseline-learn tolerance-value 100
#
nat server HK-HK-SF4F-SERVER-1.PEMS 0 protocol tcp global 202.111.8.188 15180 inside 172.16.151.1 www
nat server WIFIServer22 1 protocol tcp global 202.111.8.188 10022 inside 172.16.100.20 22
nat server WIFIServer5901 5 protocol tcp global 202.111.8.188 6000 inside 172.16.100.20 5901
nat server server24Fudp2088 25 protocol udp global 202.111.91.10 32088 inside 172.16.6.1 2088
nat server PDU3101toINT80 26 protocol tcp global 202.111.8.188 31080 inside 172.16.31.1 www
nat server server24F22 27 protocol tcp global 202.111.8.10 1122 inside 172.16.6.1 22
nat server server24F23 28 protocol tcp global 202.111.8.10 1123 inside 172.16.6.1 telnet
nat server server24F80 29 protocol tcp global 202.111.8.10 1180 inside 172.16.6.1 www
nat server PDU3101toINT4001 30 protocol tcp global 202.111.8.188 24001 inside 172.16.31.1 4001
#
user-interface con 0
authentication-mode password
user-interface vty 0 2
authentication-mode aaa
user privilege level 3
idle-timeout 5 0
protocol inbound all
user-interface vty 3 4
user-interface vty 16 20
#
sa
#
location
#
nat address-group internet 0
mode pat
section 0 202.111.8.188 202.111.8.188
#
nat address-group 24server2int 1
mode pat
section 0 202.111.81..10 202.111.81..10
#
nat address-group backwall 2
mode pat
section 0 202.111.81.139 202.111.81.142
#
interface-group 0 isp "china telecom"
add interface GigabitEthernet1/0/1
#
slb
#
multi-interface
mode proportion-of-weight
#
right-manager server-group
#
agile-network
#
api
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
security-policy
default action permit
rule name trust2untrust
  source-zone trust
  destination-zone untrust
  source-address address-set Collection
  source-address address-set WIFI
  source-address address-set pdu
  source-address address-set server
  action permit
rule name 24server2int
  source-zone trust
  destination-zone untrust
  source-address address-set 24server2int
  action permit
rule name BackWall(T2UN)
  policy logging
  session logging
  source-zone trust
  destination-zone untrust
  source-address address-set BackWall
  action permit
rule name 123
  source-zone untrust
  destination-zone local
  action deny
#
auth-policy
#
traffic-policy
#
policy-based-route
rule name pbr1
  source-zone trust
  source-address 172.16.108.0 mask 255.255.255.0
  action pbr next-hop 202.111.81.137
#
nat-policy
rule name trust2untrust
  egress-interface GigabitEthernet1/0/1
  source-address address-set Collection
  source-address address-set WIFI
  source-address address-set pdu
  source-address address-set 互联201
  source-address address-set server
  action nat address-group internet
rule name 24server2int
  egress-interface GigabitEthernet1/0/1
  source-address address-set 24server2int
  action nat address-group 24server2int
rule name BackWall
  egress-interface GigabitEthernet1/0/4
  source-address address-set BackWall
  action nat address-group backwall
#
proxy-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
dns server bind interface GigabitEthernet1/0/1 preferred 200.6.45.134
dns server bind interface GigabitEthernet1/0/4 preferred 200.6.45.134
mode based-on-multi-interface
#
rightm-policy
#
sms
#
return
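Two of the interfaces in the posted config, GigabitEthernet0/0/0 (172.16.201.100/24) and GigabitEthernet1/0/2 (172.16.201.1/24), sit in the same subnet, and overlapping connected subnets are among the first things to rule out when management traffic from one side never gets an answer. The following script is an added example and not part of the thread: it parses an excerpt of the posted interface stanzas and reports overlapping connected subnets together with the management services each interface permits.

```python
"""Added example (not from the thread): audit a Huawei VRP-style config excerpt
for interfaces whose connected subnets overlap, and list the management
services (service-manage ... permit) each interface allows."""
import ipaddress
import re

# Constructed excerpt: interface stanzas copied from the config posted above.
CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 172.16.201.100 255.255.255.0
 service-manage https permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/2
 ip address 172.16.201.1 255.255.255.0
 alias Intranet
 service-manage https permit
 service-manage ssh permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/3
 ip address 172.16.203.2 255.255.255.252
 service-manage https permit
#
"""

def parse_interfaces(text):
    """Map interface name -> {'net': IPv4Interface or None, 'services': set}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = result.setdefault(m.group(1), {"net": None, "services": set()})
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:  # VRP writes "ip address A.B.C.D MASK"; ipaddress accepts ip/mask
            current["net"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"service-manage (\S+) permit$", line)
        if m:
            current["services"].add(m.group(1))
    return result

def overlapping_interfaces(ifaces):
    """Pairs of interface names whose connected subnets overlap."""
    nets = [(n, d["net"].network) for n, d in ifaces.items() if d["net"]]
    return sorted((a, b) for i, (a, na) in enumerate(nets)
                  for b, nb in nets[i + 1:] if na.overlaps(nb))
```

Run `overlapping_interfaces(parse_interfaces(CONFIG))` against the full display current-configuration output to get the same report for every interface on the box.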
网络管理员木头 posted on 2018-9-20 11:35
Hello OP, has your problem been solved? If a reply below answers your question, please click "Best Answer" at the bottom right to set it, thanks!
cici10235 (Mentor) posted on 2018-8-21 18:14:12

user-interface vty 0 2
authentication-mode aaa
user privilege level 3
idle-timeout 5 0
protocol inbound all


Change user privilege level 3 to user privilege level 15 and try again.
scy posted on 2018-8-23 10:44:39

cici10235 posted on 2018-08-21 18:14: user-interface vty 0 2 authentication-mode aaa user privilege level 3 idle-timeout 5 0 protocol inbound ...
Changed it, didn't help...
cici10235 (Mentor) posted on 2018-8-23 23:44:12

scy posted on 2018-08-23 10:44: Changed it, didn't help...
Find a time that won't affect the business, reboot the device and try again; it feels like you've hit an unknown bug.
scy posted on 2018-8-24 10:51:42

cici10235 posted on 2018-08-23 23:44: Find a time that won't affect the business, reboot the device and try again; it feels like you've hit an unknown bug.
Rebooted, no use. Intranet communication is normal and I can ping the firewall; it's just that I can't telnet or HTTP to the firewall from the intranet.
聪聪1992 posted on 2018-8-24 11:14:11

This post was last edited by 聪聪1992 on 2018-08-24 11:17.
telnet server enable
http server enable
Add these and try.
user_3095373 posted on 2018-8-24 11:20:18

Configure VPN on the firewall and have the intranet access the firewall by connecting to the VPN.
scy posted on 2018-8-27 09:25:28

聪聪1992 posted on 2018-08-24 11:14: telnet server enable http server enable, add these and try
The public network can access it, so it shouldn't be related to this, right?
scy posted on 2018-8-27 09:38:50

聪聪1992 posted on 2018-08-24 11:14: telnet server enable http server enable, add these and try
Tried that too, didn't help.
完颜 posted on 2018-8-27 11:14:27

Try this: service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit