新手在防火墙这里。 。 我需要我的信任区访问互联网,但问题是我不能做到这一点。 到目前为止,从信任区域,我能够ping不信任区域中的IP,但是我不能ping信任区域或bgroup0内的IP。
我也可以在信任区内使用telnet到untrust区域。
这是我的configuration:
{ unset key protection enable set clock timezone 0 set vrouter trust-vr sharable set vrouter "untrust-vr" exit set vrouter "trust-vr" unset auto-route-export exit set alg appleichat enable unset alg appleichat re-assembly enable set alg sctp enable set auth-server "Local" id 0 set auth-server "Local" server-name "Local" set auth default auth server "Local" set auth radius accounting port 1646 set admin name "netscreen" set admin password "I'm an idiot for including my password on a public site" set admin auth web timeout 10 set admin auth dial-in timeout 3 set admin auth server "Local" set admin format dos set zone "Trust" vrouter "trust-vr" set zone "Untrust" vrouter "trust-vr" set zone "DMZ" vrouter "trust-vr" set zone "VLAN" vrouter "trust-vr" set zone "Untrust-Tun" vrouter "trust-vr" set zone "Trust" tcp-rst set zone "Untrust" block unset zone "Untrust" tcp-rst set zone "MGT" block unset zone "V1-Trust" tcp-rst unset zone "V1-Untrust" tcp-rst set zone "DMZ" tcp-rst unset zone "V1-DMZ" tcp-rst unset zone "VLAN" tcp-rst set zone "Untrust" screen tear-drop set zone "Untrust" screen syn-flood set zone "Untrust" screen ping-death set zone "Untrust" screen ip-filter-src set zone "Untrust" screen land set zone "V1-Untrust" screen tear-drop set zone "V1-Untrust" screen syn-flood set zone "V1-Untrust" screen ping-death set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set interface "ethernet0/0" zone "Untrust" set interface "ethernet0/1" zone "DMZ" set interface "bgroup0" zone "Trust" set interface bgroup0 port ethernet0/2 set interface bgroup0 port ethernet0/3 set interface bgroup0 port ethernet0/4 set interface bgroup0 port ethernet0/5 set interface bgroup0 port ethernet0/6 unset interface vlan1 ip set interface ethernet0/0 ip 192.168.200.225/24 set interface ethernet0/0 route set interface bgroup0 ip 192.168.201.1/24 set interface bgroup0 nat set interface ethernet0/0 gateway 192.168.200.1 set interface "ethernet0/0" pmtu ipv4 set interface "bgroup0" pmtu ipv4 unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip set interface ethernet0/0 ip manageable set interface bgroup0 ip manageable set interface ethernet0/0 manage ping set interface ethernet0/0 manage ssh set interface ethernet0/0 manage telnet set interface ethernet0/0 manage snmp set interface ethernet0/0 manage ssl set interface ethernet0/0 manage web set interface ethernet0/0 manage ident-reset set interface bgroup0 manage mtrace set interface bgroup0 dhcp server service set interface bgroup0 dhcp server auto set interface bgroup0 dhcp server ip 192.168.201.10 to 192.168.201.20 unset interface bgroup0 dhcp server config next-server-ip set interface "serial0/0" modem settings "USR" init "AT&F" set interface "serial0/0" modem settings "USR" active set interface "serial0/0" modem speed 115200 set interface "serial0/0" modem retry 3 set interface "serial0/0" modem interval 10 set interface "serial0/0" modem idle-time 10 set flow tcp-mss unset flow tcp-syn-check unset flow tcp-syn-bit-check set flow reverse-route clear-text prefer set flow reverse-route tunnel always set pki authority default scep mode "auto" set pki x509 default cert-path partial set crypto-policy exit set ike respond-bad-spi 1 set ike ikev2 ike-sa-soft-lifetime 60 unset ike ikeid-enumeration unset ike dos-protection unset ipsec access-session enable set ipsec access-session maximum 5000 set ipsec access-session upper-threshold 0 set ipsec access-session lower-threshold 0 set ipsec access-session dead-p2-sa-timeout 0 unset ipsec access-session log-error unset ipsec access-session info-exch-connected unset ipsec access-session use-error-log set vrouter "untrust-vr" exit set vrouter "trust-vr" exit set url protocol websense exit set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit set policy id 1 exit set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit set policy id 2 exit set policy id 3 from "Trust" to "Trust" "Any" "Any" "ANY" permit set policy id 3 exit set nsmgmt bulkcli reboot-timeout 60 set ssh version v2 set config lock timeout 5 unset license-key auto-update set telnet client enable set snmp port listen 161 set snmp port trap 162 set vrouter "untrust-vr" exit set vrouter "trust-vr" unset add-default-route exit set vrouter "untrust-vr" exit set vrouter "trust-vr" exit } 第一件事比修正更多的是build议 – 不要把你的接口放在NAT模式下。 转到界面并将其放入路由模式。 然后进入Trust – > Untrust策略页面,select您的any / any / any策略,然后单击Advanced,并将该规则放入Source Nat模式。 当您点击“应用”并保存时,规则的图标应变为蓝色。 (为什么要这么做呢?那么在政策页面中可以清楚地看到NAT正在发生,如果您愿意,还可以通过防火墙实现非NAT的灵活性。)
第二。 你的“不信任”的地址是192.168.200.x / 24 – 看起来像一个保留的IP。 你能ping通192.168.200.1的防火墙的不信任网关吗? 你确定/ 24是正确的面具尺寸? 你可以使用这些参数在“不信任”networking上设置一个系统,并连接到互联网吗? 你能知道在默认网关之后下一跳的IP是什么吗?
第三。 您似乎没有将DNS设置为DHCP选项,所以您的DHCP客户端不会获得DNS服务器。 这是故意的吗?
第四。 除非来自“不信任”方的IP将启动与信任方的连接,否则您不需要策略2。 在策略1中,stream回信任端的stream量被隐含地允许为关联的。
第五。 除非有多个标记为“信任”的安全区域,否则不应使用“信任” – >“信任”规则。
第六。 你似乎正在通过不信任的界面进行所有的pipe理。 这可能是你想要的,但是对我来说倒退一些,允许不信任的networking访问你的pipe理。