
Huawei firewall fw1 cannot ping Topsec firewall fw2
The configuration is as follows
fw1 is the Huawei firewall
dis cu
08:19:39 2016/05/16
#
sysname NX-DAWL-ANQUAN-USG5320
#
update schedule dpi daily 03:01
security server domain sec.huawei.com
#
web-manager enable
web-manager security enable
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
#
firewall statistic system enable
#
interface GigabitEthernet0/0/0
ip address 172.16.30.242 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 10.1.6.1 255.255.255.252
#
interface GigabitEthernet0/0/3
ip address 172.16.20.242 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone vzone
set priority 0
#
policy interzone local trust inbound
policy 0
action permit
#
policy interzone local trust outbound
policy 0
action permit
#
policy interzone local untrust inbound
policy 0
action permit
#
policy interzone local untrust outbound
policy 0
action permit
#
policy interzone trust untrust inbound
policy 1
action permit
#
policy interzone trust untrust outbound
policy 0
action permit
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin service-type web terminal telnet
local-user admin level 3
local-user huawei password simple a12345678
local-user huawei service-type ftp web telnet ssh
local-user huawei level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
right-manager server-group
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 10.1.6.2
ip route-static 10.12.17.0 255.255.255.0 10.1.6.2
ip route-static 172.16.20.0 255.255.255.0 172.16.30.254
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
#
return
Configuration of the intermediate switch
<NX-AQ-S5700-DZWL>display current-configuration
#
!Software Version V100R005C01SPC100
sysname NX-AQ-S5700-DZWL
#
super password level 3 cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
vlan batch 501 600 to 601 1000 2000
#
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
dhcp enable
#
undo http server enable
#
drop illegal-mac alarm
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user huawei service-type telnet
#
interface Vlanif1
ip address dhcp-alloc
#
interface Vlanif501
ip address 10.1.6.2 255.255.255.0
#
interface Vlanif600
ip address 192.168.10.250 255.255.255.0
#
interface Vlanif601
ip address 10.1.7.2 255.255.255.0
#
interface Vlanif1000
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif2000
ip address 10.12.200.254 255.255.0.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 1000
port hybrid untagged vlan 600 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/5
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/6
port hybrid pvid vlan 600
port hybrid untagged vlan 600 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 501
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/8
port link-type access
port default vlan 501
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/9
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/10
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/11
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/12
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/13
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/14
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/15
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/16
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/17
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/18
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 2000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/20
port link-type access
port default vlan 2000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/21
port link-type access
port default vlan 501
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/22
port link-type access
port default vlan 501
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/23
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/24
ntdp enable
ndp enable
bpdu enable
#
interface NULL0
#
ip route-static 10.12.0.0 255.255.0.0 10.12.202.1
ip route-static 172.16.20.0 255.255.255.0 10.1.6.1
ip route-static 172.16.30.0 255.255.255.0 10.1.6.1
ip route-static 173.16.30.0 255.255.255.0 10.1.6.3
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100005E99
snmp-agent sys-info version v3
#
user-interface con 0
idle-timeout 0 0
user-interface vty 0 4
authentication-mode aaa
#
return
FW2 is the Topsec firewall
<NX-AQ-S5700-DZWL>display current-configuration
#
!Software Version V100R005C01SPC100
sysname NX-AQ-S5700-DZWL
#
super password level 3 cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
vlan batch 501 600 to 601 1000 2000
#
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
dhcp enable
#
undo http server enable
#
drop illegal-mac alarm
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user huawei service-type telnet
#
interface Vlanif1
ip address dhcp-alloc
#
interface Vlanif501
ip address 10.1.6.2 255.255.255.0
#
interface Vlanif600
ip address 192.168.10.250 255.255.255.0
#
interface Vlanif601
ip address 10.1.7.2 255.255.255.0
#
interface Vlanif1000
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif2000
ip address 10.12.200.254 255.255.0.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 1000
port hybrid untagged vlan 600 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/5
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/6
port hybrid pvid vlan 600
port hybrid untagged vlan 600 1000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 501
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/8
port link-type access
port default vlan 501
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/9
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/10
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/11
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/12
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/13
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/14
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/15
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/16
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/17
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/18
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 2000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/20
port link-type access
port default vlan 2000
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/21
port link-type access
port default vlan 501
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/22
port link-type access
port default vlan 501
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/23
ntdp enable
ndp enable
bpdu enable
#
interface GigabitEthernet0/0/24
ntdp enable
ndp enable
bpdu enable
#
interface NULL0
#
ip route-static 10.12.0.0 255.255.0.0 10.12.202.1
ip route-static 172.16.20.0 255.255.255.0 10.1.6.1
ip route-static 172.16.30.0 255.255.255.0 10.1.6.1
ip route-static 173.16.30.0 255.255.255.0 10.1.6.3
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100005E99
snmp-agent sys-info version v3
#
user-interface con 0
idle-timeout 0 0
user-interface vty 0 4
authentication-mode aaa
#
return
uj5u.com user replied:
The firewall needs to have the ICMP protocol opened.
uj5u.com user replied:
First open all protocols on both firewalls and test it.
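Before changing firewall policy, the addressing on the link between fw1 and the switch can be checked for consistency. The following is an added example, not part of the original thread: it uses only the interface addresses and static-route next hops copied from the fw1 and switch configurations posted above, and the function names are hypothetical.

```python
import ipaddress

# Addresses and static-route next hops copied from the configurations above.
FW1_IFACES = {
    "GigabitEthernet0/0/0": "172.16.30.242/255.255.255.0",
    "GigabitEthernet0/0/2": "10.1.6.1/255.255.255.252",
    "GigabitEthernet0/0/3": "172.16.20.242/255.255.255.0",
}
SWITCH_IFACES = {
    "Vlanif501": "10.1.6.2/255.255.255.0",
    "Vlanif600": "192.168.10.250/255.255.255.0",
    "Vlanif601": "10.1.7.2/255.255.255.0",
    "Vlanif1000": "192.168.1.254/255.255.255.0",
    "Vlanif2000": "10.12.200.254/255.255.0.0",
}
FW1_NEXT_HOPS = ["10.1.6.2", "172.16.30.254"]
SWITCH_NEXT_HOPS = ["10.12.202.1", "10.1.6.1", "10.1.6.3"]


def mask_mismatches(side_a, side_b):
    """Interface pairs on overlapping subnets whose prefix lengths differ."""
    found = []
    for name_a, cidr_a in side_a.items():
        net_a = ipaddress.ip_interface(cidr_a).network
        for name_b, cidr_b in side_b.items():
            net_b = ipaddress.ip_interface(cidr_b).network
            if net_a.overlaps(net_b) and net_a.prefixlen != net_b.prefixlen:
                found.append((name_a, str(net_a), name_b, str(net_b)))
    return found


def unusable_peers(ifaces, peer_addrs):
    """Peer addresses that are the network or broadcast address of one of
    this device's connected subnets, so it cannot treat them as a host."""
    found = []
    for name, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        for addr in map(ipaddress.ip_address, peer_addrs):
            if addr == net.network_address:
                found.append((name, str(addr), "network"))
            elif addr == net.broadcast_address:
                found.append((name, str(addr), "broadcast"))
    return found


if __name__ == "__main__":
    print(mask_mismatches(FW1_IFACES, SWITCH_IFACES))
    print(unusable_peers(FW1_IFACES, SWITCH_NEXT_HOPS))
    print(unusable_peers(SWITCH_IFACES, FW1_NEXT_HOPS))
```

On the posted values this reports that GigabitEthernet0/0/2 on fw1 uses a /30 while Vlanif501 on the switch uses a /24 on the same link, and that 10.1.6.3, a next hop in the switch's static routes, is the broadcast address of fw1's /30.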
