The network equipment deployed consists of USG5530 egress firewalls, C4506E production-zone core switches, ZXR5952 DMZ access switches and ZXR5952 disaster-recovery-zone access switches. The two USG5530 hardware firewalls are divided into four virtual firewalls, named Internet-1, Internet-2, VPN-1 and VPN-2. Internet-1 and Internet-2 connect the Internet egress and the DMZ access switches; VPN-1 and VPN-2 connect the social-security core router and the production-zone core switches. The production zone and the DMZ are logically isolated. Each of the two isolated zones runs its own OSPF area 0 and exchanges routing information. The gateway for the DMZ servers is placed on the DMZ access switches, with gateway redundancy provided by VRRP. The business gateways for the production and disaster-recovery zones are placed on the production-zone core switches, with gateway redundancy provided by HSRP, and link redundancy on C4506-1, C4506-2 and the disaster-recovery ZXR5952 provided by MSTP.
My main problem right now: SMS authentication on the VPN device fails in testing with the message "failed to connect to gateway". SMS authentication uses WebServer authentication, and the SMS gateway address is a China Telecom public IP, so could everyone advise what I should do?
Below is the firewall configuration:

[QUZ-JYW-XXZX3F-H5500-FW002]
[QUZ-JYW-XXZX3F-H5500-FW002]dis cur
[QUZ-JYW-XXZX3F-H5500-FW002]dis current-configuration
10:29:20 2017/12/13
#
 sysname QUZ-JYW-XXZX3F-H5500-FW002
#
 l2tp domain suffix-separator @
#
 info-center loghost source LoopBack0
 info-center loghost 10.84.128.16 514 vpn-instance shebao
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone vpn-instance internet local trust direction inbound
 firewall packet-filter default permit interzone vpn-instance internet local trust direction outbound
 firewall packet-filter default permit interzone vpn-instance internet local untrust direction outbound
 firewall packet-filter default permit interzone vpn-instance internet local dmz direction outbound
 firewall packet-filter default permit interzone vpn-instance internet local zfwuntrust direction outbound
 firewall packet-filter default permit interzone vpn-instance internet trust untrust direction outbound
 firewall packet-filter default permit interzone vpn-instance internet trust zfwuntrust direction outbound
 firewall packet-filter default permit interzone vpn-instance shebao local trust direction inbound
 firewall packet-filter default permit interzone vpn-instance shebao local trust direction outbound
 firewall packet-filter default permit interzone vpn-instance shebao local untrust direction outbound
 firewall packet-filter default permit interzone vpn-instance shebao local dmz direction outbound
 firewall packet-filter default permit interzone vpn-instance shebao local sslvpnuntrust direction inbound
 firewall packet-filter default permit interzone vpn-instance shebao local sslvpnuntrust direction outbound
 firewall packet-filter default permit interzone vpn-instance shebao trust untrust direction outbound
 firewall packet-filter default permit interzone vpn-instance shebao trust sslvpnuntrust direction inbound
 firewall packet-filter default permit interzone vpn-instance shebao trust sslvpnuntrust direction outbound
#
 nat address-group 1 122.227.89.118 122.227.89.118
 nat address-group 2 172.27.8.130 172.27.8.130
 nat server 0 vpn-instance internet protocol tcp global 122.227.89.118 www inside 172.17.255.25 www vpn-instance internet
 nat server 1 vpn-instance internet protocol tcp global 122.227.89.118 443 inside 172.17.255.25 443 vpn-instance internet
 nat server 2 vpn-instance internet protocol tcp global 122.227.89.118 4430 inside 172.17.255.25 4430 vpn-instance internet
 nat server 3 vpn-instance internet protocol tcp global 122.227.89.118 3389 inside 172.17.1.65 3389 vpn-instance internet
#
 ip df-unreachables enable
#
ipv6
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 vrrp mode
#
 vlan batch 1 5 51 to 52 59 95 to 96
#
 undo firewall session link-state check tcp
 undo firewall session link-state check icmp
#
#
 firewall statistic system enable
#
 undo dns proxy
#
 license-server domain lic.huawei.com
#
 web-manager enable
 web-manager security enable port 1133
 undo web-manager config-guide enable
#
 user-manage web-authentication port 8888
#
ip vpn-instance internet
 route-distinguisher 200:200
#
ip vpn-instance shebao
 route-distinguisher 100:100
#
vlan 95
 binding vpn-instance internet
#
acl number 3001
#
acl number 3002
 rule 1 permit ip source 172.17.255.25 0
 rule 2 permit ip destination 172.17.255.25 0
 rule 3 permit tcp destination-port eq https
#
interface Vlanif51
 description TO-FW001
 ip binding vpn-instance shebao
 ip address 10.84.255.6 255.255.255.252
#
interface Vlanif52
 ip binding vpn-instance shebao
 ip address 10.84.255.10 255.255.255.252
 ospf cost 65535
 service-manage enable
 service-manage ping permit
#
interface Vlanif95
 description TO-FW001
 ip binding vpn-instance internet
 ip address 172.17.255.18 255.255.255.252
#
interface Vlanif96
 ip binding vpn-instance internet
 ip address 172.17.255.13 255.255.255.252
 ospf cost 65535
#
interface Cellular0/1/0
 link-protocol ppp
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
 description TO-QUZ-JYW-CORE-XXZX3F-C4506-SW002
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 52
#
interface GigabitEthernet0/0/2
 description TO-ZFW
 ip binding vpn-instance internet
 ip address 172.27.8.130 255.255.255.128
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
 combo enable fiber
 description To-CHINANET
 ip binding vpn-instance internet
 ip address 122.227.89.118 255.255.255.252
#
interface GigabitEthernet0/0/6
 combo enable fiber
 description TO-QUZ-JYW-DMZ-XXZX3F-Z5952-SW005
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96
#
interface GigabitEthernet0/0/7
 combo enable fiber
 description TO-QUZ-JYW-XXZX3F-H5500-FW001
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 51 95
#
interface GigabitEthernet0/0/8
 combo enable fiber
 description TO-RPVPN.QUZ.ZJ-G1/8
 ip binding vpn-instance shebao
 ip address 10.84.255.45 255.255.255.252
 service-manage enable
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit
#
interface NULL0
#
interface LoopBack0
 ip binding vpn-instance shebao
 ip address 10.84.255.249 255.255.255.255
#
interface LoopBack1
 ip binding vpn-instance internet
 ip address 172.17.255.252 255.255.255.255
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
firewall zone vpn-instance internet local
 set priority 100
#
firewall zone vpn-instance internet trust
 set priority 85
 add interface GigabitEthernet0/0/7
 add interface Vlanif95
 add interface Vlanif96
#
firewall zone vpn-instance internet untrust
 set priority 5
 add interface GigabitEthernet0/0/5
#
firewall zone vpn-instance internet dmz
 set priority 50
#
firewall zone vpn-instance internet name zfwuntrust
 set priority 20
 add interface GigabitEthernet0/0/2
#
firewall zone vpn-instance shebao local
 set priority 100
#
firewall zone vpn-instance shebao trust
 set priority 85
 add interface Vlanif51
 add interface Vlanif52
#
firewall zone vpn-instance shebao untrust
 set priority 5
 add interface GigabitEthernet0/0/8
#
firewall zone vpn-instance shebao dmz
 set priority 50
#
firewall zone vpn-instance shebao name sslvpnuntrust
 set priority 25
 detect ftp
 detect rtsp
 detect mgcp
 detect sip
 detect pptp
 detect sqlnet
 detect h323
 detect qq
 detect msn
 detect netbios
#
firewall interzone vpn-instance internet trust untrust
 detect ftp
 detect mgcp
 detect pptp
 detect sip
 detect sqlnet
 detect h323
 detect rtsp
 detect qq
 detect msn
 detect netbios
 detect icq
#
firewall interzone vpn-instance shebao trust untrust
 detect ftp
 detect mgcp
 detect pptp
 detect sip
 detect sqlnet
 detect h323
 detect rtsp
 detect qq
 detect msn
 detect netbios
 detect icq
#
#
aaa
 local-user admin password cipher %$%$HI`3)/[;i8)305'd_KJD*lcZ%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 local-user huawei password cipher %$%$ \>0{i&rVh5`t.}|;=D+]TK%$%$
 local-user huawei service-type web telnet
 local-user huawei level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
#
ospf 1 router-id 10.84.255.249 vpn-instance shebao
 import-route direct
 import-route static type 1
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.84.255.10 0.0.0.0
  network 10.84.255.6 0.0.0.0
#
ospf 2 router-id 172.17.255.252 vpn-instance internet
 default-route-advertise always
 import-route direct
 import-route static type 1
 vpn-instance-capability simple
 area 0.0.0.0
  network 172.17.255.18 0.0.0.0
  network 172.17.255.13 0.0.0.0
#
route-policy r1 permit node 1
 if-match ip-prefix FX
route-policy r1 deny node 2
#
 nqa-jitter tag-version 1
#
 ip ip-prefix FX index 10 permit 10.0.0.0 8 greater-equal 8 less-equal 32
#
 ip route-static vpn-instance internet 0.0.0.0 0.0.0.0 122.227.89.117
 ip route-static vpn-instance internet 10.0.0.0 255.0.0.0 172.27.8.129
 ip route-static vpn-instance internet 172.0.0.0 255.0.0.0 172.27.8.129
 ip route-static vpn-instance shebao 10.84.0.0 255.255.128.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.128.0 255.255.192.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.128.173 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.129.0 255.255.255.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.129.112 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.134.0 255.255.255.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.153.132 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.153.133 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.153.134 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.0 255.255.224.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.124 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.125 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.126 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.149 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.150 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.87.1.140 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.87.250.213 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.87.253.67 255.255.255.255 10.84.255.46
#
 snmp-agent
 snmp-agent local-engineid 000007DB7F000001000001C2
 snmp-agent community write %$%$MI3$6R]leD[PN-8>~fW($SJA%$%$
 snmp-agent sys-info contact R&D Huawei Technologies Co.,Ltd.
 snmp-agent sys-info version v2c v3
#
 stelnet server enable
#
 banner enable
#
user-interface con 0
user-interface tty 2
 authentication-mode password
 modem both
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
ip address-set 阳光政务服务器 type object
 address 0 range 10.84.252.128 10.84.252.160
#
ip address-set 柯城区人社局 type object
 address 0 range 10.84.145.66 10.84.145.96
#
ip address-set 江山人社局 type object
 address 0 range 10.84.184.47 10.84.184.150
#
ip service-set dbserver vpn-instance shebao type object
 service 1 protocol tcp destination-port 1512
 service 2 protocol tcp destination-port 1521
#
ip service-set p_7001 type object
 service 0 protocol tcp source-port 0 to 65535 destination-port 7001
#
dpi
#
slb
#
right-manager server-group
#
policy interzone vpn-instance internet trust untrust inbound
 policy 1
  action permit
  policy destination 172.17.255.25 mask 255.255.255.255
  policy destination 172.17.1.2 mask 255.255.255.255
  policy destination 172.17.1.65 mask 255.255.255.255
#
policy interzone vpn-instance shebao local untrust inbound
 policy 1
  action permit
  policy source 10.84.128.16 mask 255.255.255.255
#
policy interzone vpn-instance shebao trust untrust inbound
 policy 1
  action permit
  policy source 10.84.128.22 mask 255.255.255.255
  policy source 10.84.139.195 mask 255.255.255.255
  policy source 10.84.129.1 mask 255.255.255.255
  policy source 10.84.128.16 mask 255.255.255.255
  policy source 10.84.200.121 mask 255.255.255.255
  policy source 10.87.253.67 mask 255.255.255.255
  policy source 10.84.128.21 mask 255.255.255.255
  policy source 10.84.128.15 mask 255.255.255.255
  policy source 10.84.128.120 mask 255.255.255.255
  policy source 10.84.192.124 mask 255.255.255.255
  policy source 10.84.192.125 mask 255.255.255.255
  policy source 10.84.192.126 mask 255.255.255.255
  policy source 10.84.192.149 mask 255.255.255.255
  policy source 10.84.192.150 mask 255.255.255.255
  policy source 10.84.129.112 mask 255.255.255.255
  policy source 10.87.250.213 mask 255.255.255.255
  policy source 10.84.129.88 mask 255.255.255.255
  policy source 10.84.129.89 mask 255.255.255.255
  policy source 10.84.129.93 mask 255.255.255.255
  policy source 10.84.129.87 mask 255.255.255.255
  policy source 10.84.134.0 mask 255.255.255.0
  policy source 10.84.128.11 mask 255.255.255.255
  policy source 10.84.193.0 mask 255.255.255.0
  policy source 10.84.153.132 mask 255.255.255.255
  policy source 10.84.153.133 mask 255.255.255.255
  policy source 10.84.153.134 mask 255.255.255.255
  policy source 10.84.129.144 mask 255.255.255.255
  policy source 10.84.129.149 mask 255.255.255.255
  policy destination 10.84.252.158 mask 255.255.255.255
  policy destination 10.84.252.128 mask 255.255.255.224
  policy destination 10.84.252.225 mask 255.255.255.255
  policy destination 10.84.252.154 mask 255.255.255.255
  policy destination 10.84.252.155 mask 255.255.255.255
  policy destination 10.84.252.156 mask 255.255.255.255
  policy destination 10.84.252.226 mask 255.255.255.255
  policy destination 10.84.252.227 mask 255.255.255.255
  policy destination 10.84.252.161 mask 255.255.255.255
  policy destination 10.84.252.228 mask 255.255.255.255
  policy destination 10.84.252.235 mask 255.255.255.255
  policy destination 10.84.252.163 mask 255.255.255.255
  policy destination 10.84.255.67 mask 255.255.255.255
  policy destination 10.84.255.66 mask 255.255.255.255
  policy destination 10.84.254.124 mask 255.255.255.255
  policy destination 10.84.254.125 mask 255.255.255.255
  policy destination 10.84.252.229 mask 255.255.255.255
  policy destination 10.84.252.230 mask 255.255.255.255
#
policy zone trust
 policy 0
  action permit
#
policy zone untrust
 policy 0
  action permit
#
nat-policy interzone vpn-instance internet trust untrust outbound
 policy 1
  action source-nat
  policy source 172.16.0.0 mask 255.255.0.0
  policy source 172.17.0.0 mask 255.255.0.0
  address-group 1
#
nat-policy interzone vpn-instance internet trust zfwuntrust outbound
 policy 1
  action source-nat
  policy source 172.16.0.0 mask 255.255.0.0
  policy source 172.17.0.0 mask 255.255.0.0
  address-group 2
#
return
[QUZ-JYW-XXZX3F-H5500-FW002]
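In the posted configuration the Internet default route lives in vpn-instance internet, while the interface facing the VPN device (GigabitEthernet0/0/8, TO-RPVPN.QUZ.ZJ) is bound to vpn-instance shebao. The first thing a practitioner would check for a "failed to connect to gateway" symptom is therefore whether the VRF the VPN device sits in has any route covering the SMS gateway's public address. The script below is an added example, not part of the original post and not Huawei tooling: it parses `ip route-static vpn-instance ...` lines and `interface` / `ip binding vpn-instance` blocks from VRP-style config text and performs a longest-prefix match per vpn-instance. The sample lines are copied from the posted config; 203.0.113.10 is a placeholder for the SMS gateway, whose real address is not in the post. A config dump does not contain OSPF-learned routes, so a "no static route" result is a lead to confirm against the live table (`display ip routing-table vpn-instance shebao`), not a final diagnosis.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: these lines are copied from the posted "dis current-configuration"
# output. The SMS gateway address is not in the post, so 203.0.113.10 (TEST-NET-3)
# stands in for it below.
SAMPLE_CONFIG = """
#
interface GigabitEthernet0/0/5
 description To-CHINANET
 ip binding vpn-instance internet
 ip address 122.227.89.118 255.255.255.252
#
interface GigabitEthernet0/0/8
 description TO-RPVPN.QUZ.ZJ-G1/8
 ip binding vpn-instance shebao
 ip address 10.84.255.45 255.255.255.252
#
 ip route-static vpn-instance internet 0.0.0.0 0.0.0.0 122.227.89.117
 ip route-static vpn-instance internet 10.0.0.0 255.0.0.0 172.27.8.129
 ip route-static vpn-instance internet 172.0.0.0 255.0.0.0 172.27.8.129
 ip route-static vpn-instance shebao 10.84.0.0 255.255.128.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.128.0 255.255.192.0 10.84.255.46
 ip route-static vpn-instance shebao 10.84.129.112 255.255.255.255 10.84.255.46
 ip route-static vpn-instance shebao 10.84.192.0 255.255.224.0 10.84.255.46
"""

ROUTE_RE = re.compile(r"^\s*ip route-static vpn-instance (\S+) (\S+) (\S+) (\S+)\s*$")
IFACE_RE = re.compile(r"^\s*interface (\S+)\s*$")
BIND_RE = re.compile(r"^\s*ip binding vpn-instance (\S+)\s*$")


class StaticRoute(NamedTuple):
    vrf: str
    prefix: ipaddress.IPv4Network
    next_hop: str


def parse_static_routes(config: str) -> Dict[str, List[StaticRoute]]:
    """Collect 'ip route-static vpn-instance <vrf> <dst> <mask> <next-hop>' lines per VRF."""
    routes: Dict[str, List[StaticRoute]] = {}
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        vrf, dst, mask, nh = m.groups()
        # ipaddress accepts a dotted-decimal mask; strict=False tolerates host bits in dst
        net = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
        routes.setdefault(vrf, []).append(StaticRoute(vrf, net, nh))
    return routes


def parse_interface_vrfs(config: str) -> Dict[str, str]:
    """Map each interface to the vpn-instance it is bound to ('public' if unbound)."""
    vrfs: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.strip() == "#":          # '#' closes the current block in VRP output
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = "public"
            continue
        m = BIND_RE.match(line)
        if m and current:
            vrfs[current] = m.group(1)
    return vrfs


def lookup(routes: Dict[str, List[StaticRoute]], vrf: str, dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match among the VRF's static routes; None if nothing covers dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes.get(vrf, []) if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def explain(routes: Dict[str, List[StaticRoute]], vrf: str, dst: str) -> str:
    r = lookup(routes, vrf, dst)
    if r is None:
        return f"{vrf}: no static route covers {dst}"
    return f"{vrf}: {dst} -> {r.prefix} via {r.next_hop}"


if __name__ == "__main__":
    routes = parse_static_routes(SAMPLE_CONFIG)
    vrfs = parse_interface_vrfs(SAMPLE_CONFIG)
    SMS_GATEWAY = "203.0.113.10"  # placeholder, not the real gateway address
    vpn_vrf = vrfs["GigabitEthernet0/0/8"]
    print(f"VPN-facing interface is in vpn-instance {vpn_vrf}")
    print(explain(routes, vpn_vrf, SMS_GATEWAY))
    print(explain(routes, "internet", SMS_GATEWAY))
    print(explain(routes, "shebao", "10.84.129.112"))
```

Run against the full dump rather than the excerpt, the same check also shows which VRF the firewall's own loopback and the log server's path are in, which is useful when deciding where an inter-VRF route or a NAT policy would have to be added.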