3,834
社区成员
发帖
与我相关
我的任务
分享华为USG6000防火墙配置IPSEC
先谢过各位大神
问题:无法打开对端10.0.0.6这个服务端
打开后提示:
HTTP Status 404 - /ccds
type Status report
message /ccds
description The requested resource is not available.
Apache Tomcat/7.0.86
本地网络环境: 电信猫——TP路由器——华为USG6000防火墙
路由器:20.23.202.1
防火墙:0口 管理口
1口 外网20.23.202.135接TP路由器
2口 内网10.0.19.1 接内部网络交换机
对端网络环境
电信光纤——华为USG6000防火墙
对端IP:20.24.202.1
对端内部服务器10.0.0.6
本人操作的步骤:
1、按USG6000向导配置上网方式为DHCP,
设置上网接口0/0/1,
设置内网接口0/0/2,
设置DHCP
设置完成后测试可以接口2中内网电脑可以上外网,打开网页。
2、设置IPSEC
设置策略--安全策略,允许两端内网可以访问对端设备内网,允许两端自身访问对端公网IP,共4条策略;
设置网络--静态路由;
设置网络--IPSEC
3、配置NAT
设置策略--安全策略,
设置策略--NAT策略,配置NAT地址池,配置源NAT;
配完后还是无法打开对端10.0.0.6上的服务器应用
打开后提示
HTTP Status 404 - /ccds
type Status report
message /ccds
description The requested resource is not available.
Apache Tomcat/7.0.86
请问是哪里没有配对?
详细配置如下:
!Software Version V500R001C60SPC500
!Last configuration was saved at 2019-08-12 07:30:31 UTC
#
sysname USG6300
#
l2tp domain suffix-separator @
#
authentication-profile name portal_authen_default
#
ipsec sha2 compatible enable
#
undo factory-configuration prohibit
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone Beijing add 08:00:00
#
firewall detect ftp
#
firewall defend action discard
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
undo sa force-detection enable
#
isp name "china mobile" set filename china-mobile.csv
isp name "china unicom" set filename china-unicom.csv
isp name "china telecom" set filename china-telecom.csv
isp name "china educationnet" set filename china-educationnet.csv
#
user-manage web-authentication security port 8887
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
page-setting
user-manage security version tlsv1.1 tlsv1.2
#
firewall ids authentication type aes256
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
dns resolve
dns server unnumbered interface GigabitEthernet0/0/1
dns proxy enable
#
dhcp enable
#
update schedule ips-sdb daily 22:50
update schedule av-sdb daily 22:50
update schedule sa-sdb daily 22:50
update schedule cnc daily 22:50
update schedule file-reputation daily 22:50
#
ike dpd type periodic
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
acl number 3000
rule 5 permit ip source 10.0.19.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec proposal prop12814327690
esp authentication-algorithm md5
esp encryption-algorithm des
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm des
dh group1
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha1-96
prf hmac-sha1
#
ike peer ike12814327690
exchange-mode aggressive
pre-shared-key %^%#uwy~O2GExL<[:`Mpm/wMY_4>0L-xPSPrDB2Xj+>2%^%#
ike-proposal 1
remote-address 20.24.202.1
#
ipsec policy ipsec1281432772 1 isakmp
security acl 3000
ike-peer ike12814327690
proposal prop12814327690
tunnel local applied-interface
alias policy_1
sa trigger-mode auto
sa duration traffic-based 1843200
sa duration time-based 3600
#
web-auth-server default
port 50100
#
portal-access-profile name default
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%e#}"@a&DB%!]]0Q=i(CQ5bKhE}sVOzsBM"d9l='i*E-XbKk5@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%7n$"#Bhm2&`_%D3Ta/~7/"]z,zx{7ab9U+#)T%3Z~8{V"]}/@%@%
service-type api
level 15
manager-user admin
password cipher @%@%<'H8%:)6Y=IW33<dP{aDK2]rd1LU<BBT\ByUBeTun\L$2]uK@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet0/0/1
undo shutdown
ip address dhcp-alloc
ipsec policy ipsec1281432772
#
interface GigabitEthernet0/0/2
undo shutdown
ip address 10.0.19.1 255.255.255.0
dhcp server ip-range 10.0.19.2 10.0.19.254
dhcp select interface
dhcp server dns-list 10.0.19.1
#
interface GigabitEthernet0/0/3
undo shutdown
#
interface GigabitEthernet0/0/4
undo shutdown
#
interface GigabitEthernet0/0/5
undo shutdown
#
interface GigabitEthernet0/0/6
undo shutdown
#
interface GigabitEthernet0/0/7
undo shutdown
#
interface Virtual-if0
#
interface Cellular0/0/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
#
api
#
ip route-static 10.0.0.0 255.255.255.0 20.23.202.1
#
undo ssh server compatible-ssh1x enable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
undo crl auto-update enable
#
sa
#
location
#
nat address-group 111 0
mode pat
section 0 10.0.19.1 10.0.19.254
#
multi-interface
mode proportion-of-weight
#
right-manager server-group
#
agile-network
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
default action permit
rule name polocy_ipsec1
source-zone trust
destination-zone untrust
source-address 10.0.19.0 mask 255.255.255.0
destination-address 10.0.0.0 mask 255.255.255.0
action permit
rule name policy_ipsec2
source-zone untrust
destination-zone trust
source-address 10.0.0.0 mask 255.255.255.0
destination-address 10.0.19.0 mask 255.255.255.0
action permit
rule name policy_ipsec3
source-zone local
destination-zone untrust
destination-address 20.24.202.1 mask 255.255.255.255
action permit
rule name policy_ipsec4
source-zone untrust
destination-zone local
source-address 20.24.202.1 mask 255.255.255.255
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name GuideNat1565537608651
egress-interface GigabitEthernet0/0/1
action nat easy-ip
rule name nat_1
source-zone trust
destination-zone untrust
action nat address-group 111
#
proxy-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
mode based-on-multi-interface
#
rightm-policy
#
sms
#
return
问题:无法打开对端10.0.0.6这个服务端
打开后提示:
HTTP Status 404 - /ccds
type Status report
message /ccds
description The requested resource is not available.
Apache Tomcat/7.0.86
本地网络环境: 电信猫——TP路由器——华为USG6000防火墙
路由器:20.23.202.1
防火墙:0口 管理口
1口 外网20.23.202.135接TP路由器
2口 内网10.0.19.1 接内部网络交换机
对端网络环境
电信光纤——华为USG6000防火墙
对端IP:20.24.202.1
对端内部服务器10.0.0.6
本人操作的步骤:
1、按USG6000向导配置上网方式为DHCP,
设置上网接口0/0/1,
设置内网接口0/0/2,
设置DHCP
设置完成后测试可以接口2中内网电脑可以上外网,打开网页。
2、设置IPSEC
设置策略--安全策略,允许两端内网可以访问对端设备内网,允许两端自身访问对端公网IP,共4条策略;
设置网络--静态路由;
设置网络--IPSEC
3、配置NAT
设置策略--安全策略,
设置策略--NAT策略,配置NAT地址池,配置源NAT;
配完后还是无法打开对端10.0.0.6上的服务器应用
打开后提示
HTTP Status 404 - /ccds
type Status report
message /ccds
description The requested resource is not available.
Apache Tomcat/7.0.86
请问是哪里没有配对?
详细配置如下:
!Software Version V500R001C60SPC500
!Last configuration was saved at 2019-08-12 07:30:31 UTC
#
sysname USG6300
#
l2tp domain suffix-separator @
#
authentication-profile name portal_authen_default
#
ipsec sha2 compatible enable
#
undo factory-configuration prohibit
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone Beijing add 08:00:00
#
firewall detect ftp
#
firewall defend action discard
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
undo sa force-detection enable
#
isp name "china mobile" set filename china-mobile.csv
isp name "china unicom" set filename china-unicom.csv
isp name "china telecom" set filename china-telecom.csv
isp name "china educationnet" set filename china-educationnet.csv
#
user-manage web-authentication security port 8887
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
page-setting
user-manage security version tlsv1.1 tlsv1.2
#
firewall ids authentication type aes256
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
dns resolve
dns server unnumbered interface GigabitEthernet0/0/1
dns proxy enable
#
dhcp enable
#
update schedule ips-sdb daily 22:50
update schedule av-sdb daily 22:50
update schedule sa-sdb daily 22:50
update schedule cnc daily 22:50
update schedule file-reputation daily 22:50
#
ike dpd type periodic
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
acl number 3000
rule 5 permit ip source 10.0.19.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec proposal prop12814327690
esp authentication-algorithm md5
esp encryption-algorithm des
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm des
dh group1
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha1-96
prf hmac-sha1
#
ike peer ike12814327690
exchange-mode aggressive
pre-shared-key %^%#uwy~O2GExL<[:`Mpm/wMY_4>0L-xPSPrDB2Xj+>2%^%#
ike-proposal 1
remote-address 20.24.202.1
#
ipsec policy ipsec1281432772 1 isakmp
security acl 3000
ike-peer ike12814327690
proposal prop12814327690
tunnel local applied-interface
alias policy_1
sa trigger-mode auto
sa duration traffic-based 1843200
sa duration time-based 3600
#
web-auth-server default
port 50100
#
portal-access-profile name default
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%e#}"@a&DB%!]]0Q=i(CQ5bKhE}sVOzsBM"d9l='i*E-XbKk5@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%7n$"#Bhm2&`_%D3Ta/~7/"]z,zx{7ab9U+#)T%3Z~8{V"]}/@%@%
service-type api
level 15
manager-user admin
password cipher @%@%<'H8%:)6Y=IW33<dP{aDK2]rd1LU<BBT\ByUBeTun\L$2]uK@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet0/0/1
undo shutdown
ip address dhcp-alloc
ipsec policy ipsec1281432772
#
interface GigabitEthernet0/0/2
undo shutdown
ip address 10.0.19.1 255.255.255.0
dhcp server ip-range 10.0.19.2 10.0.19.254
dhcp select interface
dhcp server dns-list 10.0.19.1
#
interface GigabitEthernet0/0/3
undo shutdown
#
interface GigabitEthernet0/0/4
undo shutdown
#
interface GigabitEthernet0/0/5
undo shutdown
#
interface GigabitEthernet0/0/6
undo shutdown
#
interface GigabitEthernet0/0/7
undo shutdown
#
interface Virtual-if0
#
interface Cellular0/0/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
#
api
#
ip route-static 10.0.0.0 255.255.255.0 20.23.202.1
#
undo ssh server compatible-ssh1x enable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
undo crl auto-update enable
#
sa
#
location
#
nat address-group 111 0
mode pat
section 0 10.0.19.1 10.0.19.254
#
multi-interface
mode proportion-of-weight
#
right-manager server-group
#
agile-network
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
default action permit
rule name polocy_ipsec1
source-zone trust
destination-zone untrust
source-address 10.0.19.0 mask 255.255.255.0
destination-address 10.0.0.0 mask 255.255.255.0
action permit
rule name policy_ipsec2
source-zone untrust
destination-zone trust
source-address 10.0.0.0 mask 255.255.255.0
destination-address 10.0.19.0 mask 255.255.255.0
action permit
rule name policy_ipsec3
source-zone local
destination-zone untrust
destination-address 20.24.202.1 mask 255.255.255.255
action permit
rule name policy_ipsec4
source-zone untrust
destination-zone local
source-address 20.24.202.1 mask 255.255.255.255
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name GuideNat1565537608651
egress-interface GigabitEthernet0/0/1
action nat easy-ip
rule name nat_1
source-zone trust
destination-zone untrust
action nat address-group 111
#
proxy-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
mode based-on-multi-interface
#
rightm-policy
#
sms
#
return
...全文
请发表友善的回复…
发表回复
