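1. To ping an address outside the firewall from inside the firewall, the inter-zone policies from the Local zone to the other zones must be permitted.
2. The following is a typical example of H3C firewall inter-zone configuration, for reference:
"Permit all"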
[FW]acl basic 2001
[FW-acl-ipv4-basic-2001]rule 0 permit source any
[FW-acl-ipv4-basic-2001]quit
[FW]
[FW]zone-pair security source trust destination untrust
[FW-zone-pair-security-Trust-Untrust]packet-filter 2001
[FW-zone-pair-security-Trust-Untrust]quit
[FW]
[FW]zone-pair security source untrust destination trust
[FW-zone-pair-security-Untrust-Trust]packet-filter 2001
[FW-zone-pair-security-Untrust-Trust]quit
[FW]
[FW]zone-pair security source trust destination local
[FW-zone-pair-security-Trust-Local]packet-filter 2001
[FW-zone-pair-security-Trust-Local]quit
[FW]
[FW]zone-pair security source local destination trust
[FW-zone-pair-security-Local-Trust]packet-filter 2001
[FW-zone-pair-security-Local-Trust]quit
[FW]
[FW]zone-pair security source untrust destination local
[FW-zone-pair-security-Untrust-Local]packet-filter 2001
[FW-zone-pair-security-Untrust-Local]quit
[FW]
[FW]zone-pair security source local destination untrust
[FW-zone-pair-security-Local-Untrust]packet-filter 2001
[FW-zone-pair-security-Local-Untrust]quit
"Assign the interfaces that need to communicate to the Trust zone"
[FW]security-zone name Trust
[FW-security-zone-Trust]import interface GigabitEthernet 1/0/0
[FW-security-zone-Trust]import interface GigabitEthernet 1/0/4
[FW-security-zone-Trust]import interface Tunnel 0
[FW-security-zone-Trust]import interface LoopBack 0
[FW-security-zone-Trust]quit
[FW]
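Note: Configuring permit-all security zones and security control like this is only to make network setup easier; once the configuration is complete, please configure the appropriate security policies.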
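
An added example, not part of the original answer: a small Python audit that reads a Comware CLI session like the one above and lists every zone pair whose packet filter references a permit-all ACL, the pairs the closing note says to tighten. The `audit` function, the regular expressions and the ACL 3001 lines in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: two zone pairs from the session above, plus a hypothetical
# ICMP-only ACL 3001 (not on the page) bound to Local->Untrust for contrast.
SAMPLE = """\
[FW]acl basic 2001
[FW-acl-ipv4-basic-2001]rule 0 permit source any
[FW-acl-ipv4-basic-2001]quit
[FW]acl advanced 3001
[FW-acl-ipv4-adv-3001]rule 0 permit icmp
[FW-acl-ipv4-adv-3001]quit
[FW]zone-pair security source untrust destination local
[FW-zone-pair-security-Untrust-Local]packet-filter 2001
[FW-zone-pair-security-Untrust-Local]quit
[FW]zone-pair security source local destination untrust
[FW-zone-pair-security-Local-Untrust]packet-filter 3001
[FW-zone-pair-security-Local-Untrust]quit
"""

PROMPT = re.compile(r"^\s*\[[^\]]*\]")            # leading "[FW-...]" view prompt
ACL = re.compile(r"^acl (?:basic|advanced) (\d+)$", re.I)
# Rules that match all traffic: "permit", "permit source any", "permit ip"
OPEN_RULE = re.compile(r"^rule(?: \d+)? permit(?: ip)?(?: source any)?$", re.I)
PAIR = re.compile(r"^zone-pair security source (\S+) destination (\S+)$", re.I)
FILTER = re.compile(r"^packet-filter (\d+)$", re.I)

def audit(session):
    """Return sorted (source zone, destination zone, ACL) for permit-all zone pairs."""
    open_acls, bindings = set(), []
    acl = pair = None                              # view the session is currently in
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        if cmd.lower() == "quit":
            acl = pair = None
        elif m := ACL.match(cmd):
            acl, pair = m.group(1), None
        elif m := PAIR.match(cmd):
            acl, pair = None, (m.group(1).lower(), m.group(2).lower())
        elif acl and OPEN_RULE.match(cmd):
            open_acls.add(acl)
        elif pair and (m := FILTER.match(cmd)):
            bindings.append((*pair, m.group(1)))
    # Resolve at the end so an ACL defined after its zone pair is still caught.
    return sorted(b for b in bindings if b[2] in open_acls)

if __name__ == "__main__":
    for src, dst, acl_id in audit(SAMPLE):
        print(f"{src} -> {dst}: packet-filter {acl_id} permits all traffic")
```

Run against the full session from this page, it reports all six zone pairs, including both pairs whose source is untrust.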