Views: 10366 | Replies: 6

Huawei L2TP VPN configuration problem

Posted 2010-5-27 17:43:51
This post was last edited by fengzi110 on 2010-5-27 17:53

After setting up the VPN, clients can connect, but they can only reach one internal server (192.168.0.2); nothing else is accessible.
The full configuration is below. I hope the experts here can find the cause; I would be very grateful!

<Eudemon>display current-configuration
#
sysname Eudemon
#
web-manager enable
#
l2tp enable
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
nat address-group 1 x.x.x.67 x.x.x.67 (public IP)
nat server protocol tcp global x.x.x.67 (public IP) www inside 192.168.0.2 www
undo nat alg enable esp
nat alg enable ftp
nat alg enable dns
nat alg enable icmp
nat alg enable netbios
undo nat alg enable h323
undo nat alg enable hwcc
undo nat alg enable ils                  
undo nat alg enable pptp
undo nat alg enable qq
undo nat alg enable msn
undo nat alg enable user-define
undo nat alg enable sip
undo nat alg enable mgcp
undo nat alg enable mms
undo nat alg enable sqlnet
undo nat alg enable rtsp
firewall permit sub-ip
#
firewall defend ip-spoofing enable
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-redirect enable
firewall defend icmp-unreachable enable
firewall defend ip-sweep enable
firewall defend port-scan enable         
firewall defend source-route enable
firewall defend route-record enable
firewall defend tracert enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
firewall defend teardrop enable
firewall defend tcp-flag enable
firewall defend ip-fragment enable
firewall defend ftp-bounce enable
firewall defend packet-header check enable
firewall defend large-icmp enable
firewall defend arp-spoofing enable
firewall defend tcp-flood enable
#
firewall statistic system enable
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike peer a
exchange-mode aggressive
pre-shared-key gzlsjwl                  
ike-proposal 1
local-id-type name
remote-name windowsxp2
nat traversal
#
ipsec proposal lsj1
esp encryption-algorithm 3des
#
ipsec policy-template map2 10
ike-peer a
proposal lsj1
#
ipsec policy map1 20 isakmp template map2
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
ip address x.x.x.67 (public IP) 255.255.255.192
ipsec policy map1
#
interface Ethernet0/0/1                  
#
interface Ethernet0/0/2
ip address 192.168.0.9 255.255.255.0
undo ip fast-forwarding qff
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Virtual-Template0
ppp authentication-mode chap pap
ip address 10.10.10.1 255.255.255.0
remote address pool 1
ipsec policy map1
#
interface Secp0/0/0
#
interface NULL0
#
right-manager server-group
#
acl number 2002                           
rule 1 permit
rule 5 permit source 192.168.0.0 0.0.0.255
#
acl number 3002
rule 1 permit 255 precedence priority
rule 5 permit ip
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
nat 2001 address-group 1
add interface Ethernet0/0/2
add interface Virtual-Template0
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50                          
#
firewall interzone local trust
packet-filter 3002 inbound
packet-filter 3002 outbound
#
firewall interzone local untrust
packet-filter 3002 inbound
packet-filter 3002 outbound
#
firewall interzone local dmz
packet-filter 3002 inbound
packet-filter 3002 outbound
#
firewall interzone trust untrust
packet-filter 3002 inbound
packet-filter 3002 outbound
nat outbound 2002 address-group 1
nat inbound 2002 address-group 1
#
firewall interzone trust dmz
packet-filter 3002 inbound
packet-filter 3002 outbound
#                                         
firewall interzone dmz untrust
packet-filter 3002 inbound
packet-filter 3002 outbound
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
tunnel name lsj1
#
aaa
local-user test password simple test
local-user test service-type ppp
local-user test level 3
ip pool 1 10.10.10.2 10.10.10.100
#
authentication-scheme default
#                                         
authorization-scheme default
#
accounting-scheme default
#
domain default
packet-filter interzone trust untrust 2002 outbound
packet-filter interzone trust untrust 2002 inbound
#
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 x.x.x.65 (public IP)
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template0
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return

The device is a Huawei Quidway E100E Firewall.

Any advice from the experts is appreciated!

Posted 2010-5-28 07:56:38
nat server protocol tcp global x.x.x.67 (public IP) www inside 192.168.0.2 www
You only published one host.
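The two points argued so far, which hosts the `nat server` lines publish and which zone the Virtual-Template interface sits in, can both be read off the posted configuration mechanically. The script below is an added example, not something from the thread or from Huawei; it splits `display current-configuration` output into its `#`-delimited sections, builds a small model, and reports the published inside hosts and the zone of every interface. It also runs a third check of my own that the thread does not draw a conclusion about: it flags any static route whose destination lies inside a subnet that is already directly connected on a different interface, so the reviewer can decide whether that route is intended. The embedded configuration is a constructed excerpt modelled on the posted one, with TEST-NET placeholder addresses in place of the poster's public IP.

```python
"""Audit helper for a Huawei Eudemon/Quidway (VRP-style) running config.

Reports: inside hosts published by 'nat server', the firewall zone of each
interface, and static routes that overlap a directly connected subnet on a
different interface (flagged for review, not diagnosed).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted in the thread; the
# public addresses are TEST-NET placeholders, not the poster's real ones.
SAMPLE_CONFIG = """\
#
nat address-group 1 203.0.113.67 203.0.113.67
nat server protocol tcp global 203.0.113.67 www inside 192.168.0.2 www
#
interface Ethernet0/0/0
ip address 203.0.113.67 255.255.255.192
#
interface Ethernet0/0/2
ip address 192.168.0.9 255.255.255.0
#
interface Virtual-Template0
ip address 10.10.10.1 255.255.255.0
remote address pool 1
#
firewall zone trust
set priority 85
add interface Ethernet0/0/2
add interface Virtual-Template0
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.65
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template0
#
"""

NAT_SERVER_RE = re.compile(
    r"nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)$")
ROUTE_RE = re.compile(r"ip route-static (\S+) (\S+) (\S+)$")
IP_ADDR_RE = re.compile(r"ip address (\S+) (\S+)$")


def split_sections(text):
    """Yield one list of stripped, non-empty lines per '#'-delimited block."""
    block = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def parse_config(text):
    """Return interface subnets, zone membership, NAT server mappings and routes."""
    model = {"interfaces": {}, "zones": defaultdict(list),
             "nat_servers": [], "routes": []}
    for block in split_sections(text):
        head = block[0]
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            model["interfaces"][name] = None  # stays None if unnumbered
            for line in block[1:]:
                m = IP_ADDR_RE.match(line)
                if m:  # VRP prints a dotted mask; ipaddress accepts that form
                    model["interfaces"][name] = ipaddress.ip_interface(
                        f"{m.group(1)}/{m.group(2)}").network
        elif head.startswith("firewall zone "):
            members = model["zones"][head.split()[2]]  # creates empty zones too
            for line in block[1:]:
                if line.startswith("add interface "):
                    members.append(line.split()[2])
        else:
            for line in block:
                m = NAT_SERVER_RE.match(line)
                if m:
                    keys = ("proto", "global", "global_port", "inside", "inside_port")
                    model["nat_servers"].append(dict(zip(keys, m.groups())))
                    continue
                m = ROUTE_RE.match(line)
                if m:
                    dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
                    model["routes"].append((dest, m.group(3)))
    return model


def published_hosts(model):
    """Inside hosts reachable from outside through 'nat server' mappings."""
    return sorted({s["inside"] for s in model["nat_servers"]})


def zone_of(model, interface):
    """Name of the firewall zone an interface was added to, or None."""
    for zone, members in model["zones"].items():
        if interface in members:
            return zone
    return None


def overlapping_static_routes(model):
    """(dest, next_hop, interface) for static routes whose destination lies
    inside a directly connected subnet of an interface other than the next hop."""
    findings = []
    for dest, next_hop in model["routes"]:
        for name, net in model["interfaces"].items():
            if net is not None and name != next_hop and dest.subnet_of(net):
                findings.append((str(dest), next_hop, name))
    return findings


def report(text):
    """Summary lines for a config; returned rather than printed so they can be tested."""
    model = parse_config(text)
    lines = ["Published inside hosts: " + (", ".join(published_hosts(model)) or "none")]
    for name, net in model["interfaces"].items():
        lines.append(f"{name}: zone={zone_of(model, name)} subnet={net}")
    for dest, via, iface in overlapping_static_routes(model):
        lines.append(f"REVIEW: static route {dest} via {via} overlaps connected subnet on {iface}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the constructed excerpt, the report lists 192.168.0.2 as the only published host, places both Ethernet0/0/2 and Virtual-Template0 in the trust zone, and marks the 192.168.0.0/24 static route via Virtual-Template0 for review because that prefix is already connected on Ethernet0/0/2. The overlap check uses `subnet_of` rather than `overlaps` so that the default route is never flagged.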

OP | Posted 2010-5-28 10:37:59
Yes, only this web server is published externally, but once VPN clients dial in they belong to the trust zone, so they should be able to reach the whole internal network.

Posted 2010-5-29 10:13:55
When using L2TP, the remote end needs the L2TP registry setting on the client computer, otherwise it cannot get access! Try it and see whether that is the cause!

OP | Posted 2010-5-29 11:45:39
That has already been changed; the client has already dialed into the VPN.

Posted 2010-5-29 11:51:13
Bumping for you; I really can't read Huawei configs...

If you had done the L2TP on a Cisco router, I could help you troubleshoot all kinds of problems...
