H3C防火墙双线接入上网问题


公司要使用一台H3C防火墙(带路由)接入双线,写好了接入配置后发现部分设备断网,无法联网。不对啊,我是写了静态路由的啊,怎么可能不能上网呢?

最后排查发现,内网网段的流量根本没有走到第二条静态路由(preference 70 的那条),而是全部从 preference 60 的默认路由出去了。

查资料后明白:这台 F1000 上两条 0.0.0.0/0 默认路由只会按 preference(60 优先于 70)选一条,第二条只是链路备份;要让指定的内网网段从第二条线路出去,必须在内网接口上应用策略路由(policy-based-route),否则所有流量都走默认路由。
记录下配置,以备不时之用。注意:下面的配置包含公网地址、IKE 预共享密钥和管理员口令的 cipher 密文,公开发布前应当脱敏,并更换这些凭据。

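#
version 5.20, Release 3733
#
sysname SecPath-F1000-A-G
#
clock timezone BJ add 08:00:00
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
interzone policy default by-priority // review: by-priority permits higher-priority zone -> lower-priority zone by default; rule 0 below (Trust->Untrust any) only makes that explicit
#
nat address-group 1 10.10.10.110 10.10.10.110 level 1
nat address-group 2 14.14.14.114 14.14.14.114 level 1 // fixed: original range was 14.14.14.114 - 10.10.10.110 (start > end); group 2 is the G0/1 address
#
domain default enable system
#
telnet server enable // review: Telnet is cleartext; prefer ssh server enable + service-type ssh (an on-box key pair must be generated first)
#
ip http acl 2000 // review: HTTP management is cleartext as well; ACL 2000 only limits source and time-of-day
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable // review: allows console password reset; disable if physical access to the box is not trusted
#
blacklist enable
#
time-range time_ssh 08:00 to 19:00 daily
time-range douyuan_ser 07:00 to 21:00 daily
time-range dou_temp1 09:45 to 11:00 daily
#
acl number 2000 // management ACL: two /29 source ranges, office hours only, everything else denied
rule 1 permit source 192.168.168.248 0.0.0.7 time-range time_ssh
rule 2 permit source 192.168.114.248 0.0.0.7 time-range time_ssh
rule 20 deny
#
acl number 3002 // subnets steered out the second ISP (G0/1) by policy-based route "ser"
description CRM inside-to-outside
rule 1 permit ip source 192.168.22.0 0.0.0.255
rule 2 permit ip source 192.168.11.0 0.0.0.255
rule 20 deny ip
acl number 3004 // remaining 192.168.0.0/16 subnets; 3002's subnets excluded so they are not double-matched
description all inside-to-outside
rule 1 deny ip source 192.168.22.0 0.0.0.255
rule 2 deny ip source 192.168.11.0 0.0.0.255
rule 30 permit ip source 192.168.0.0 0.0.255.255
rule 50 deny ip
acl number 3010
description inside-adv-outside qos time
rule 1 permit ip destination 192.168.22.250 0 time-range douyuan_ser
rule 2 permit ip source 192.168.22.250 0 time-range douyuan_ser
rule 3 permit ip source 192.168.10.250 0 time-range douyuan_ser
rule 4 permit ip destination 192.168.10.250 0 time-range douyuan_ser
rule 5 permit ip destination 192.168.10.252 0 time-range douyuan_ser
rule 6 permit ip source 192.168.10.252 0 time-range douyuan_ser
rule 10 permit ip destination 192.168.0.0 0.0.255.255
#
vlan 1
#
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 192.168.100.2 192.168.100.100
#
pki domain default
crl check disable
#
ike peer 1
exchange-mode aggressive // review: IKEv1 aggressive mode with a PSK exposes the identity and a crackable PSK hash to a passive observer; use main mode if the peer allows it
pre-shared-key cipher $c$3$b7Iv7qQg/II2qiqvtbcCtFV1ig12tg== // review: same PSK for both peers, and the cipher text is now public; cipher-form secrets are stored reversibly, so rotate this key
id-type name
remote-name zchen
local-address 14.14.14.114
nat traversal
#
ike peer 2
exchange-mode aggressive
pre-shared-key cipher $c$3$b7Iv7qQg/II2qiqvtbcCtFV1ig12tg==
id-type name
remote-name zchen
local-address 10.10.10.110
nat traversal
#
policy-based-route ser permit node 10 // policy route: traffic matching ACL 3002 is sent to the second ISP
if-match acl 3002 // match on the ACL
apply ip-precedence network
apply ip-address next-hop 14.14.14.113 // next hop is the second ISP's gateway
#
user-group system
group-attribute allow-guest
#
local-user admin // review: level-3 admin over telnet and web; both cleartext, and the cipher text below is now published - change this password
password cipher $c$3$62MRbGtpHnWpJ90O56g9YwTGxU9rI1u5fFKq9w==
authorization-attribute level 3
service-type telnet
service-type web
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
description Internet_ChinaNet
nat outbound 3004 address-group 1
nat server protocol tcp global 10.10.10.110 8080 inside 192.168.10.250 80
nat server protocol tcp global 10.10.10.110 8282 inside 192.168.10.252 80 // review: 192.168.10.252 is named crm_sql below; if it really is a database host, exposing it to any Internet source is risky
ip address 10.10.10.110 255.255.255.255
#
interface GigabitEthernet0/1
port link-mode route
nat outbound 3004 address-group 2
nat outbound 3002 address-group 2
nat server protocol tcp global 14.14.14.114 8090 inside 192.168.22.250 8090
ip address 14.14.14.114 255.255.255.255
#
interface GigabitEthernet0/11
port link-mode route
description LAN-to-AC1600
ip address 172.16.0.1 255.255.255.0
qos car inbound acl 3010 cir 1000 cbs 62500 ebs 0 green pass red discard
qos car outbound acl 3010 cir 2000 cbs 125000 ebs 0 green pass red discard
ip policy-based-route ser // the policy route must be applied on the inside (ingress) interface
#
interface GigabitEthernet0/2
port link-mode bridge
shutdown
#
interface GigabitEthernet0/3
port link-mode bridge
shutdown
#
interface GigabitEthernet0/4
port link-mode bridge
shutdown
#
interface GigabitEthernet0/5
port link-mode bridge
shutdown
#
interface GigabitEthernet0/6
port link-mode bridge
shutdown
#
interface GigabitEthernet0/7
port link-mode bridge
shutdown
#
interface GigabitEthernet0/8
port link-mode bridge
shutdown
#
interface GigabitEthernet0/9
port link-mode bridge
shutdown
#
interface GigabitEthernet0/10
port link-mode bridge
shutdown
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet0/11
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface GigabitEthernet0/0
import interface GigabitEthernet0/1
switchto vd Root
object network host crm_ser
host address 192.168.10.250
object network host crm_sql
host address 192.168.10.252
object network host ehr_ser
host address 192.168.22.250
object service 80
service tcp destination-port 80
object service 8090
service tcp destination-port 8090
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
interzone source Trust destination Untrust
rule 0 permit // review: unrestricted outbound from Trust; consider limiting destination services if egress control is wanted
comment Trust-Untrust
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Untrust destination Trust // review: all three inbound rules allow any source; restrict source-ip where the client population is known
rule 1 permit
comment sangforac
source-ip any_address
destination-ip crm_sql
service 80
rule enable
rule 2 permit
source-ip any_address
destination-ip ehr_ser
service 8090 // fixed: original referenced service object "8089", which is not defined; the NAT server entry and the defined object both use 8090
rule enable
rule 3 permit
source-ip any_address
destination-ip crm_ser
service 80
rule enable
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.109
ip route-static 0.0.0.0 0.0.0.0 14.14.14.113 preference 70 // second default route with a worse preference (default is 60): backup only, not per-subnet selection
ip route-static 192.168.0.0 255.255.0.0 172.16.0.3
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
acl 2000 inbound
user privilege level 3
set authentication password cipher $c$3$27VPzHhljeXcPc9FQ0Ycn9ulOcinxcXH4/wkblA40Q== // review: shared line password at level 3, cipher text now public - change it
idle-timeout 10 0 // fixed: original "idle-timeout 0 0" never expires idle management sessions
#
return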
