Firewall USG6315E configuration problem: one subnet cannot reach the ERP

Posted on: 2020-1-14 11:19:50   Latest reply: 2020-01-21 17:20:48
DENGSZ

1. There are two Internet uplinks.

2. There are two subnets, both on unmanaged switches; the gateways are on the core, and addresses are handed out by DHCP.

3. There is an ERP server at 1.201 that is reached from the Hong Kong side; the other OA servers are all attached to the 0-subnet switch.

Problem

The 0 subnet can access the ERP server normally, the 2 subnet cannot; in the firewall the session looks normal and there are return packets, but the connection cannot be established.


I'll upload the configuration a bit later. Could one of the experts take a look at what the problem is?


DENGSZ   Posted on 2020-1-14 13:47:39

2020-01-14 13:43.080
!Software Version V600R007C00SPC200
#
sysname USG6300E
#
 l2tp domain suffix-separator @
#
vlan batch 2 to 3
#
authentication-profile name portal_authen_default
#
 undo factory-configuration prohibit
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone UTC add 00:00:00
#
 firewall packet-filter basic-protocol enable
#
 update schedule location-sdb weekly Sun 22:57
#
 firewall defend action discard
#
 undo log type traffic enable
 log type syslog enable
 log type policy enable
#
 undo dataflow enable
#
 undo sa force-detection enable
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 firewall ids authentication type aes256
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
 undo web-manager config-guide enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
dns server unnumbered interface Dialer0
dns proxy enable
#
dhcp enable
#
 undo feedback type threat-log enable
#
 update schedule ips-sdb daily 23:41
 update schedule av-sdb daily 23:41
 update schedule sa-sdb daily 23:41
 update schedule ip-reputation daily 23:41
 update schedule cnc daily 23:41
 update schedule file-reputation daily 23:41
 update schedule ext-url-sdb daily 23:41
#
 disk-usage alarm threshold 95
#
ip vpn-instance default
 ipv4-family
#
ip address-set 1 type object
 address 0 192.168.1.201 mask 32
 address 1 192.168.1.200 mask 32
#
ip address-set 服务器 type group
 address 0 range 192.168.0.2 192.168.0.20
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day  
#
acl number 3333
 rule 5 permit icmp source 192.168.2.74 0 destination 192.168.1.201 0
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
web-auth-server default
 port 50100
#
portal-access-profile name default
#
aaa
 authentication-scheme admin_ad
 authentication-scheme admin_ad_local
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ldap
 authentication-scheme admin_ldap_local
 authentication-scheme admin_local
 authentication-scheme admin_radius
 authentication-scheme admin_radius_local
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike dot1x
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher $1a$2`fl~c{0\)$vS4I2v/,xSpb59<6"mO5TO<>=ulIW&GA[GG/mt[F$
  service-type web terminal
  level 15
 manager-user admin
  password cipher $1a$toVr)7zTWI$-xKTIqhY3N~~+WK|\(#V4^I"$K_Eu14X82)R]^85$
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
interface Dialer0
 link-protocol ppp
 ppp chap user 07554200780621@163.gd
 ppp chap password cipher %$%$'i=N:t0<,-JTigGrv~5))oyL%$%$
 ppp pap local-user 07554200780621@163.gd password cipher %$%$Sv}AE@8QOAr^wx3%Doy3pM64%$%$
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer user 07554200780621@163.gd
 dialer bundle 1
 service-manage ping permit
 redirect-reverse
#
interface Vlanif1
 ip address 192.168.0.1 255.255.255.0
 alias 1
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit
 dhcp server mask 255.255.255.0
 dhcp server ip-range 192.168.0.20 192.168.0.254
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
 dhcp server excluded-ip-address 192.168.0.29
 dhcp server dns-list 202.96.128.86 202.96.134.133
#
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
 alias 2
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit
 dhcp server mask 255.255.255.0
 dhcp server ip-range 192.168.2.1 192.168.2.254
 dhcp select interface
 dhcp server gateway-list 192.168.2.1
 dhcp server dns-list 202.96.128.86 202.96.134.133
#
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
 alias 3
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit
 dhcp server mask 255.255.255.0
 dhcp server ip-range 192.168.3.1 192.168.3.254
 dhcp select interface
 dhcp server gateway-list 192.168.3.1
 dhcp server dns-list 202.96.134.133 202.96.128.86
#
interface MEth0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.10.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 119.145.8.89 255.255.255.248
 gateway 119.145.8.94
 service-manage https permit
 service-manage ping permit
 redirect-reverse next-hop 119.145.8.94
#
interface GigabitEthernet0/0/1
 pppoe-client dial-bundle-number 1 ipv4
 undo shutdown
 service-manage ping permit
#
interface GigabitEthernet0/0/2
 portswitch
 undo shutdown
 port link-type access
#
interface GigabitEthernet0/0/3
 portswitch
 undo shutdown
 port link-type access
#
interface GigabitEthernet0/0/4
 portswitch
 undo shutdown
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/5
 portswitch
 undo shutdown
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/6
 portswitch
 undo shutdown
 port link-type access
 port default vlan 3
#
interface GigabitEthernet0/0/7
 portswitch
 undo shutdown
 port link-type access
#
interface WAN0/0/0
 undo shutdown
#
interface WAN0/0/1
 undo shutdown
#
interface XGigabitEthernet0/0/0
 undo shutdown
#
interface XGigabitEthernet0/0/1
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
 add interface GigabitEthernet0/0/4
 add interface GigabitEthernet0/0/5
 add interface GigabitEthernet0/0/6
 add interface MEth0/0/0
 add interface Vlanif1
 add interface Vlanif2
 add interface Vlanif3
#
firewall zone untrust
 set priority 5
 add interface Dialer0
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/7
#
api
#
undo icmp name timestamp-request receive
undo icmp name timestamp-reply receive
undo icmp type 17 code 0 receive
undo icmp type 18 code 0 receive
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 119.145.8.94
ip route-static 192.168.1.200 255.255.255.255 192.168.0.29
ip route-static 192.168.1.201 255.255.255.255 192.168.0.29
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
ssh server dh-exchange min-len 2048
#
firewall detect ftp
#
 v-gateway ssl-renegotiation-attack defend enable
#
 nat server oa protocol tcp global 119.145.8.89 8082 inside 192.168.0.3 8082 no-reverse
 nat server u8 protocol tcp global 119.145.8.89 3389 inside 192.168.0.18 3389 no-reverse
 nat server u8-hr protocol tcp global 119.145.8.89 8099 inside 192.168.0.18 www no-reverse
 nat server shr protocol tcp global 119.145.8.89 8083 inside 192.168.0.10 8080 no-reverse
#
 undo hardware fast-forwarding enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
nat address-group 1 0
 mode pat
 section 0 1.1.1.1 1.1.1.1
#
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet0/0/0
 add interface Dialer0
#
right-manager server-group
#
IoT
#
network-scan
 network-scan timeout per-asset 300
 network-scan timeout entire-scan 23
 conflict-resolve override
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name policy
  source-zone dmz
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone dmz
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
 rule name 4
  source-zone trust
  source-address 192.168.0.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  source-address 192.168.3.0 mask 255.255.255.0
  destination-address 192.168.0.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.3.0 mask 255.255.255.0
  action no-pbr
 rule name 3
  source-zone trust
  destination-address address-set 1
  action no-pbr
 rule name 2
  source-zone trust
  action pbr egress-interface Dialer0
 rule name 1
  source-zone trust
  source-address address-set 服务器
  action pbr egress-interface GigabitEthernet0/0/0 next-hop 119.145.8.94
#
nat-policy
 rule name nat-server
  source-zone trust
  destination-zone trust
  source-address 192.168.0.0 mask 255.255.255.0
  destination-address 192.168.0.10 mask 255.255.255.255
  destination-address 192.168.0.18 mask 255.255.255.255
  destination-address 192.168.0.3 mask 255.255.255.255
  action source-nat easy-ip
 rule name nat1
  source-zone trust
  egress-interface GigabitEthernet0/0/0
  action source-nat easy-ip
 rule name nat2
  source-zone trust
  egress-interface Dialer0
  action source-nat easy-ip
 rule name 1
  source-zone trust
  destination-zone trust
  action no-nat
#
proxy-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
 dns server bind interface GigabitEthernet0/0/0 preferred 202.96.128.86 alternate 202.96.134.133
 dns server bind interface Vlanif1 preferred 202.96.128.86 alternate 202.96.134.133
 dns server bind interface Vlanif2 preferred 202.96.128.86 alternate 202.96.134.133
 dns server bind interface Vlanif3 preferred 202.96.134.133 alternate 202.96.128.86
 mode based-on-multi-interface
#
rightm-policy
#
decryption-policy
#
flow-probe-policy
#
mac-access-profile name mac_access_profile
#
return


小倪   Posted on 2020-1-14 13:34:21

Nobody on the Huawei forum is going to reply to you; I suggest you wash up and go to bed.

DENGSZ   Posted on 2020-1-14 13:44:43


DENGSZ   Posted on 2020-1-14 13:49:15

Could an admin @ one of the experts? Firewall USG6315E configuration problem, one subnet cannot reach the ERP-3198762-1

三清 [新锐]   Posted on 2020-1-14 14:59:55

Routing problem.

三清 [新锐]   Posted on 2020-1-14 15:03:02

The 0 subnet can reach it because the router has the VPN gateway and also has an address on the 0 subnet, so it is effectively a directly connected route; the 2 subnet has no route to the router.
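To make the routing argument in the reply above concrete, here is an added example (not code from the post, from Huawei, or from any device in the thread) that walks the forward lookup on the USG and the return lookup on the VPN router. The firewall's static routes, connected Vlanif prefixes and policy-based-route rules are transcribed from the posted configuration; the VPN router at 192.168.0.29 never posted its table, so the one below is an assumption (its connected 0 subnet plus a tunnel route to the ERP prefix, nothing else), and the top-to-bottom match order of the PBR rules is likewise assumed.

```python
"""Route-lookup walk-through for the topology described in this thread.

Added example, not code from the original post or from Huawei. The firewall
entries come from the posted config; VPN_ROUTER_ROUTES is an ASSUMPTION, since
that device's configuration is not in the thread.
"""
import ipaddress

# Routes the USG has, from the posted config (static routes + connected Vlanifs).
FIREWALL_ROUTES = [
    ("0.0.0.0/0", "Dialer0"),
    ("0.0.0.0/0", "119.145.8.94 via GigabitEthernet0/0/0"),
    ("192.168.1.200/32", "192.168.0.29"),
    ("192.168.1.201/32", "192.168.0.29"),
    ("192.168.0.0/24", "connected Vlanif1"),
    ("192.168.2.0/24", "connected Vlanif2"),
    ("192.168.3.0/24", "connected Vlanif3"),
]

# ASSUMED table of the VPN router at 192.168.0.29: LAN side on the 0 subnet,
# remote ERP prefix through the tunnel, and no entry for the 2 or 3 subnets.
VPN_ROUTER_ROUTES = [
    ("192.168.0.0/24", "connected LAN"),
    ("192.168.1.0/24", "IPsec tunnel to Hong Kong"),
]

LAN_PREFIXES = ["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24"]
ADDRESS_SET_1 = ["192.168.1.201/32", "192.168.1.200/32"]   # ip address-set 1


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; ties keep the first entry."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def in_any(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def pbr_decision(src, dst):
    """policy-based-route rules from the posted config, checked top to bottom in
    the order the config lists them (assumed to be the match order); every
    source modelled here sits in zone trust."""
    if in_any(src, LAN_PREFIXES) and in_any(dst, LAN_PREFIXES):
        return "rule 4: no-pbr"
    if in_any(dst, ADDRESS_SET_1):
        return "rule 3: no-pbr"
    # rule 2 carries no address condition, so every remaining trust-zone flow
    # lands here; rule 1 (address-set 服务器 -> GigabitEthernet0/0/0) is listed
    # after it and, under this ordering, can never be reached.
    return "rule 2: pbr egress-interface Dialer0"


def trace(src, dst):
    """Forward decision on the firewall plus the return lookup on the VPN router."""
    fwd = lookup(FIREWALL_ROUTES, dst)
    rev = lookup(VPN_ROUTER_ROUTES, src)   # the ERP's reply is routed toward src
    return {
        "pbr": pbr_decision(src, dst),
        "firewall_next_hop": fwd[1] if fwd else None,
        "router_return_route": rev[1] if rev else None,
    }


if __name__ == "__main__":
    for host in ("192.168.0.50", "192.168.2.74"):
        print(host, "->", "192.168.1.201", trace(host, "192.168.1.201"))
```

Both hosts get the same forward treatment (PBR rule 3 hands the flow to normal routing, and the /32 static route sends it to 192.168.0.29); the difference is the return lookup, which finds "connected LAN" for a 0-subnet host and nothing for a 2-subnet host. Adding an assumed entry such as ("192.168.2.0/24", "192.168.0.1") to VPN_ROUTER_ROUTES makes the return lookup succeed, which is the fix the reply points at; if the ERP is reached over a site-to-site tunnel, whatever selects traffic for that tunnel must also cover the new subnet, which this model does not represent.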

宏宇有毒   Posted on 2020-1-21 17:20:48

Besides the routing problem, make good use of the command disp firewall session to monitor; test and look at the sessions, and that basically pinpoints the problem.
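As an added example of the session-table check the reply above recommends (not code from the post or from Huawei), the script below parses a verbose session listing and compares, per source subnet, how many sessions toward the ERP exist and how many have ever counted a reverse packet. The sample output is constructed to resemble `display firewall session table verbose` on a USG (the post abbreviates it as `disp firewall session`); the exact field layout differs between software versions, so the regular expressions are assumptions to be adjusted against real output.

```python
"""Reading the firewall session table per source subnet.

Added example, not from the post or from Huawei. SAMPLE_OUTPUT is CONSTRUCTED
to look like `display firewall session table verbose`; the regexes that read it
are assumptions about the field layout.
"""
import re
from collections import defaultdict

# Constructed sample: one flow from the 0 subnet that sees replies, one from the
# 2 subnet that only ever counts forward packets.
SAMPLE_OUTPUT = """\
 Current Total Sessions : 2
 tcp  VPN: public --> public  ID: a487f1c0
  Zone: trust --> trust  TTL: 00:00:10  Left: 00:00:07
  Recv Interface: Vlanif1
  Interface: Vlanif1  NextHop: 192.168.0.29  MAC: 0000-0000-0001
  <--packets: 4 bytes: 1024   -->packets: 5 bytes: 1280
  192.168.0.50:51234 --> 192.168.1.201:8080  PolicyName: policy

 tcp  VPN: public --> public  ID: a487f1c1
  Zone: trust --> trust  TTL: 00:00:10  Left: 00:00:02
  Recv Interface: Vlanif2
  Interface: Vlanif1  NextHop: 192.168.0.29  MAC: 0000-0000-0001
  <--packets: 0 bytes: 0   -->packets: 3 bytes: 180
  192.168.2.74:51235 --> 192.168.1.201:8080  PolicyName: policy
"""

RE_HEAD = re.compile(r"^\s*(tcp|udp|icmp)\s+VPN:")
RE_ZONE = re.compile(r"Zone:\s*(\S+)\s*-->\s*(\S+)")
RE_NEXTHOP = re.compile(r"NextHop:\s*(\S+)")
RE_PACKETS = re.compile(
    r"<--packets:\s*(\d+)\s+bytes:\s*(\d+)\s+-->packets:\s*(\d+)\s+bytes:\s*(\d+)")
RE_TUPLE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s*-->\s*(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_sessions(text):
    """Turn the verbose listing into a list of dicts, one per session."""
    sessions, cur = [], None
    for line in text.splitlines():
        head = RE_HEAD.match(line)
        if head:                       # a new session block starts here
            cur = {"proto": head.group(1)}
            sessions.append(cur)
            continue
        if cur is None:                # header lines before the first session
            continue
        if m := RE_ZONE.search(line):
            cur["src_zone"], cur["dst_zone"] = m.groups()
        elif m := RE_NEXTHOP.search(line):
            cur["next_hop"] = m.group(1)
        elif m := RE_PACKETS.search(line):
            cur["reply_packets"], cur["fwd_packets"] = int(m.group(1)), int(m.group(3))
        elif m := RE_TUPLE.match(line):
            cur["src"], cur["dst"] = m.group(1), m.group(3)
            cur["sport"], cur["dport"] = int(m.group(2)), int(m.group(4))
    return sessions


def summarize_by_subnet(sessions, dst):
    """Per source /24: sessions toward dst, how many saw a reply, and the next hops used."""
    out = defaultdict(lambda: {"sessions": 0, "with_reply": 0, "next_hops": set()})
    for s in sessions:
        if s.get("dst") != dst:
            continue
        subnet = s["src"].rsplit(".", 1)[0] + ".0/24"
        out[subnet]["sessions"] += 1
        out[subnet]["with_reply"] += 1 if s.get("reply_packets", 0) > 0 else 0
        out[subnet]["next_hops"].add(s.get("next_hop"))
    return dict(out)


def one_way_sources(sessions, dst):
    """Source hosts toward dst whose sessions never counted a reverse packet."""
    return sorted({s["src"] for s in sessions
                   if s.get("dst") == dst and s.get("reply_packets") == 0})


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for subnet, stats in summarize_by_subnet(parsed, "192.168.1.201").items():
        print(subnet, stats)
    print("forward-only sources:", one_way_sources(parsed, "192.168.1.201"))
```

Reading the table this way separates two failure shapes: sessions whose reverse counter stays at zero point at the return path (the next hop or something behind it never sends the reply back through the firewall), while sessions that do count replies yet never complete point at something between the firewall and the client, which is a different search.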
