Cisco Network Technology Forum

2018-04-16, 16:11   #1
0x0org
Applications start slowly on a subnet that is barred from the Internet

For company management reasons, the R&D department's subnet (172.16.59.0) is not allowed to reach the Internet. I simply deleted that subnet's route on the firewall. That achieved the goal, but a new problem has appeared: applications on the PCs in that subnet start very slowly (Office, design software and the like), and if the network cable is unplugged they behave normally. I suspect it is still a routing issue: on startup the applications keep trying to go online to find servers on the public Internet. I'm posting the configuration; could everyone please help me look at where the problem is. Thanks! xxx.xxx.xxx.xxx is our company's public address.
<USG5310>dis cu
09:46:54 2018/04/16
#
acl number 3001
description pc_upload_limit
rule 0 permit ip source 192.168.16.0 0.0.0.255
rule 1 permit ip source 172.16.50.0 0.0.0.255
rule 2 permit ip source 193.168.120.0 0.0.0.255
rule 3 permit ip source 192.168.200.0 0.0.0.255
rule 4 permit ip source 192.168.130.0 0.0.0.255
rule 5 permit ip source 172.16.100.0 0.0.0.255
rule 6 permit ip source 172.16.51.0 0.0.0.255
rule 7 permit ip source 172.16.52.0 0.0.0.255
rule 8 permit ip source 172.16.53.0 0.0.0.255
rule 9 permit ip source 172.16.54.0 0.0.0.255
rule 10 permit ip source 172.16.55.0 0.0.0.255
rule 11 permit ip source 172.16.56.0 0.0.0.255
rule 12 permit ip source 172.16.57.0 0.0.0.255
rule 13 permit ip source 172.16.58.0 0.0.0.255
rule 14 deny ip source 172.16.59.0 0.0.0.255
acl number 3002
description pc_download_limit
rule 0 permit ip destination 192.168.16.0 0.0.0.255
rule 1 permit ip destination 172.16.50.0 0.0.0.255
rule 2 permit ip destination 193.168.120.0 0.0.0.255
rule 3 permit ip destination 192.168.200.0 0.0.0.255
rule 4 permit ip destination 192.168.130.0 0.0.0.255
rule 5 permit ip destination 172.16.100.0 0.0.0.255
rule 6 permit ip destination 172.16.51.0 0.0.0.255
rule 7 permit ip destination 172.16.52.0 0.0.0.255
rule 8 permit ip destination 172.16.53.0 0.0.0.255
rule 9 permit ip destination 172.16.54.0 0.0.0.255
rule 10 permit ip destination 172.16.55.0 0.0.0.255
rule 11 permit ip destination 172.16.56.0 0.0.0.255
rule 12 permit ip destination 172.16.57.0 0.0.0.255
rule 13 permit ip destination 172.16.58.0 0.0.0.255
rule 14 deny ip source 172.16.59.0 0.0.0.255
#
sysname USG5310
#
update schedule dpi daily 01:41
security server domain sec.huawei.com
#
web-manager enable
web-manager security enable
#
l2tp enable
l2tp up-down log enable
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local vzone direction inbound
firewall packet-filter default permit interzone local vzone direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust vzone direction inbound
firewall packet-filter default permit interzone trust vzone direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone untrust vzone direction inbound
firewall packet-filter default permit interzone untrust vzone direction outbound
firewall packet-filter default permit interzone dmz vzone direction inbound
firewall packet-filter default permit interzone dmz vzone direction outbound
#
nat address-group 1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
nat server 0 protocol tcp global xxx.xxx.xxx.xxx smtp inside 172.16.10.11 smtp
nat server 1 protocol tcp global xxx.xxx.xxx.xxx www inside 172.16.10.11 www
nat server 2 protocol tcp global xxx.xxx.xxx.xxx pop3 inside 172.16.10.11 pop3
nat server 3 protocol tcp global xxx.xxx.xxx.xxx 143 inside 172.16.10.11 143
nat server 4 protocol tcp global xxx.xxx.xxx.xxx 443 inside 172.16.10.11 443
nat server 5 protocol tcp global xxx.xxx.xxx.xxx 8080 inside 172.16.10.21 8080
nat server 6 protocol tcp global xxx.xxx.xxx.xxx 993 inside 172.16.10.11 993
nat server 7 protocol tcp global xxx.xxx.xxx.xxx 995 inside 172.16.10.11 995
nat server 8 protocol tcp global xxx.xxx.xxx.xxx 42176 inside 172.16.8.8 42176
nat server 9 protocol tcp global xxx.xxx.xxx.xxx 14686 inside 172.16.8.8 14686
nat server 10 protocol udp global xxx.xxx.xxx.xxx 61177 inside 172.16.8.8 61177
nat server 11 protocol tcp global xxx.xxx.xxx.xxx 808 inside 172.16.8.8 808
nat server 12 protocol tcp global xxx.xxx.xxx.xxx 3389 inside 172.16.8.8 3389
nat server 15 protocol tcp global xxx.xxx.xxx.xxx 8088 inside 172.16.10.20 8088
nat server 17 protocol tcp global xxx.xxx.xxx.xxx 9943 inside 172.16.10.20 9943
nat server 20 protocol tcp global xxx.xxx.xxx.xxx 5222 inside 172.16.10.21 5222
nat server 21 protocol tcp global xxx.xxx.xxx.xxx 9999 inside 172.16.10.21 9999
nat server 22 protocol tcp global xxx.xxx.xxx.xxx 8000 inside 172.16.8.8 www
nat server 23 protocol tcp global xxx.xxx.xxx.xxx 5021 inside 172.16.10.21 3389
nat server 24 protocol tcp global xxx.xxx.xxx.xxx 5011 inside 172.16.10.11 3389
nat server 25 protocol tcp global xxx.xxx.xxx.xxx 5010 inside 172.16.10.10 3389
nat server 26 protocol tcp global xxx.xxx.xxx.xxx 5020 inside 172.16.10.20 3389
nat server 27 protocol tcp global xxx.xxx.xxx.xxx 8235 inside 172.16.10.20 8235
nat server 28 protocol tcp global xxx.xxx.xxx.xxx 8236 inside 172.16.10.20 8236
nat server 29 protocol tcp global xxx.xxx.xxx.xxx 8237 inside 172.16.10.20 8237
nat server 30 protocol tcp global xxx.xxx.xxx.xxx 8599 inside 172.16.10.20 8599
#
time-range worktime 08:00 to 17:30 working-day
time-range sleeptime 00:00 to 08:00 working-day
#
firewall defend route-record enable
firewall defend ping-of-death enable
firewall defend large-icmp enable
firewall defend port-scan enable
#
firewall statistic system enable
firewall car-class 1 8000000
firewall car-class 2 8000000
firewall conn-class 1 600
#
interface Virtual-Template10
ppp authentication-mode chap pap
ppp ipcp dns 172.16.10.10
description MOBILE VPN
ip address 172.16.100.1 255.255.255.0
remote address pool
#
interface GigabitEthernet0/0/0
ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
ip address xxx.xxx.xxx.xxx 255.255.255.128
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Virtual-Template10
statistic enable ip inzone
statistic enable ip outzone
statistic connect-number ip tcp outbound 1 acl-number 3001
statistic car ip outbound 1 acl-number 3001
statistic car ip inbound 2 acl-number 3002
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
#
firewall zone dmz
set priority 50
#
firewall zone vzone
set priority 0
#
firewall interzone trust untrust
detect ftp
detect h323
detect sqlnet
detect http
#
policy interzone trust untrust outbound
policy 1
action permit
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.10.0 mask 255.255.255.0
policy source 172.16.8.0 mask 255.255.255.0
policy source 192.168.200.0 mask 255.255.255.0
policy source 192.168.130.0 mask 255.255.255.0
policy source 172.16.50.0 mask 255.255.255.0
policy source 192.168.16.0 mask 255.255.255.0
policy source 172.16.100.0 mask 255.255.255.0
policy source 172.16.51.0 mask 255.255.255.0
policy source 172.16.52.0 mask 255.255.255.0
policy source 172.16.53.0 mask 255.255.255.0
policy source 172.16.54.0 mask 255.255.255.0
policy source 172.16.55.0 mask 255.255.255.0
policy source 172.16.56.0 mask 255.255.255.0
policy source 172.16.57.0 mask 255.255.255.0
policy source 172.16.58.0 mask 255.255.255.0
address-group 1
#
nat-policy zone trust
policy 1
action source-nat
policy source 172.16.10.0 0.0.0.255
policy source 172.16.8.0 0.0.0.255
policy source 192.168.200.0 0.0.0.255
policy source 192.168.130.0 0.0.0.255
policy source 192.168.18.0 0.0.0.255
policy source 172.16.50.0 mask 255.255.255.0
policy source 192.168.16.0 mask 255.255.255.0
policy source 172.16.100.0 0.0.0.255
policy source 172.16.51.0 mask 255.255.255.0
policy source 172.16.52.0 mask 255.255.255.0
policy source 172.16.53.0 mask 255.255.255.0
policy source 172.16.54.0 mask 255.255.255.0
policy source 172.16.55.0 mask 255.255.255.0
policy source 172.16.56.0 mask 255.255.255.0
policy source 172.16.57.0 mask 255.255.255.0
policy source 172.16.58.0 mask 255.255.255.0
address-group 1
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 10
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
right-manager server-group
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 58.20.55.1
ip route-static 172.16.8.0 255.255.255.0 172.16.1.1
ip route-static 172.16.10.0 255.255.255.0 172.16.1.1
ip route-static 172.16.50.0 255.255.255.0 172.16.1.1
ip route-static 172.16.51.0 255.255.255.0 172.16.1.1
ip route-static 172.16.52.0 255.255.255.0 172.16.1.1
ip route-static 172.16.53.0 255.255.255.0 172.16.1.1
ip route-static 172.16.54.0 255.255.255.0 172.16.1.1
ip route-static 172.16.55.0 255.255.255.0 172.16.1.1
ip route-static 172.16.56.0 255.255.255.0 172.16.1.1
ip route-static 172.16.57.0 255.255.255.0 172.16.1.1
ip route-static 172.16.58.0 255.255.255.0 172.16.1.1
ip route-static 172.16.100.0 255.255.255.0 172.16.1.1
ip route-static 192.168.16.0 255.255.255.0 172.16.1.1
ip route-static 192.168.120.0 255.255.255.0 172.16.1.1
ip route-static 192.168.130.0 255.255.255.0 172.16.1.1
ip route-static 192.168.200.0 255.255.255.0 172.16.1.1
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher '"3S]D08#^,GI7*3@2SKX1!!
#
return
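The following audit script is an added example, not code from the original post or from Huawei. It reads an abridged copy of the posted `dis cu` output (only the static routes, the two `nat-policy` blocks, the `policy interzone trust untrust outbound` block and ACL 3001 were kept) and, for every /24 that any of those sections mentions, reports which controls actually cover it. The security-relevant point it surfaces from the posted config: 172.16.59.0/24 is kept off the Internet only because nothing routes or NATs it, while the single egress policy (`policy 1` / `action permit`) still forwards its packets. Assuming the core switch at 172.16.1.1 still hands that subnet's traffic to the firewall (the post does not say so; it is inferred from the symptoms), those packets leave via the default route with a private source address and are dropped somewhere upstream. A silent drop is exactly what makes the clients' connection attempts hang until their TCP retransmission timers run out instead of failing immediately. The same pass also shows that the `deny` in ACL 3001 filters nothing (that ACL is only referenced by the `statistic car` / `connect-number` limits), that ACL 3001 lists 193.168.120.0 where the routes have 192.168.120.0, and that 192.168.18.0/24 is NATed but unrouted.

```python
"""Config-consistency audit for the posted USG5310 'dis cu' output.

Added example, not part of the original post. For every /24 named in
the static routes, the source-NAT policies or ACL 3001 it lists the
gaps: missing route, missing NAT entry, a 'deny' in a CAR ACL, and
the absence of any explicit deny in the egress policy.
"""
import ipaddress

# Abridged excerpt of the configuration posted above (lines the audit
# does not read were dropped; the route for 172.16.59.0/24 is absent,
# exactly as in the post).
CONFIG = """\
acl number 3001
rule 0 permit ip source 192.168.16.0 0.0.0.255
rule 2 permit ip source 193.168.120.0 0.0.0.255
rule 13 permit ip source 172.16.58.0 0.0.0.255
rule 14 deny ip source 172.16.59.0 0.0.0.255
policy interzone trust untrust outbound
policy 1
action permit
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.10.0 mask 255.255.255.0
policy source 192.168.16.0 mask 255.255.255.0
policy source 172.16.58.0 mask 255.255.255.0
nat-policy zone trust
policy 1
action source-nat
policy source 172.16.10.0 0.0.0.255
policy source 192.168.18.0 0.0.0.255
ip route-static 0.0.0.0 0.0.0.0 58.20.55.1
ip route-static 172.16.10.0 255.255.255.0 172.16.1.1
ip route-static 172.16.58.0 255.255.255.0 172.16.1.1
ip route-static 192.168.16.0 255.255.255.0 172.16.1.1
ip route-static 192.168.120.0 255.255.255.0 172.16.1.1
"""


def _net(addr, mask):
    # ipaddress accepts a netmask (255.255.255.0) or a wildcard
    # (0.0.0.255) after the slash, which covers both Huawei spellings.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (routes, nat_sources, acl3001, egress_policies).

    Sections are recognised by their header keyword rather than by
    indentation, because the pasted dump has lost its leading spaces.
    Both nat-policy blocks are merged into one set of NAT sources.
    """
    routes, nat_sources, acl3001, egress = {}, set(), {}, []
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts or line == "#":
            continue
        if line.startswith("acl number "):
            section = line
        elif line.startswith("nat-policy "):
            section = "nat"
        elif line.startswith("policy interzone trust untrust outbound"):
            section = "egress"
        elif line.startswith("ip route-static "):
            routes[_net(parts[2], parts[3])] = parts[4]   # network -> next hop
        elif section == "acl number 3001" and parts[0] == "rule" \
                and len(parts) >= 7 and parts[4] == "source":
            acl3001[_net(parts[5], parts[6])] = parts[2]  # network -> permit/deny
        elif section == "nat" and line.startswith("policy source "):
            nat_sources.add(_net(parts[2], parts[-1]))
        elif section == "egress":
            if parts[0] == "policy" and parts[1].isdigit():
                egress.append({"id": int(parts[1]), "action": None, "sources": []})
            elif parts[0] == "action" and egress:
                egress[-1]["action"] = parts[1]
            elif line.startswith("policy source ") and egress:
                egress[-1]["sources"].append(_net(parts[2], parts[-1]))
    return routes, nat_sources, acl3001, egress


def audit(config):
    """Map each /24 that has at least one gap to the list of its gaps."""
    routes, nat_sources, acl3001, egress = parse(config)
    has_default = any(n.prefixlen == 0 for n in routes)
    permit_all = any(p["action"] == "permit" and not p["sources"] for p in egress)
    explicit_deny = {s for p in egress if p["action"] == "deny" for s in p["sources"]}
    subnets = {n for n in routes if n.prefixlen} | nat_sources | set(acl3001)
    findings = {}
    for net in sorted(subnets):
        gaps = []
        if net not in routes:
            gaps.append("no static route: replies cannot be delivered back to it")
        if net not in nat_sources:
            gaps.append("not in any source-NAT policy: would leave with its private source address")
        if acl3001.get(net) == "deny":
            gaps.append("deny in ACL 3001 only exempts it from the CAR/connection limit; it filters nothing")
        if gaps and has_default and permit_all and net not in explicit_deny:
            gaps.append("no explicit deny in the egress policy: blocked only by omission, i.e. by silent drop rather than by a reject")
        if gaps:
            findings[str(net)] = gaps
    return findings


if __name__ == "__main__":
    for net, gaps in audit(CONFIG).items():
        print(net)
        for gap in gaps:
            print("  -", gap)
```

Running it lists 172.16.59.0/24 with all four gaps and nothing for 172.16.10.0/24, 172.16.58.0/24 or 192.168.16.0/24. The practical consequence for the question asked: deleting a route is not a control, it is an omission, and an omission drops silently. Replacing it with an explicit deny for source 172.16.59.0/24 ahead of the permit-all entry under `policy interzone trust untrust outbound` (syntax assumed from the existing `policy 1` / `action permit` block; confirm the rule order on the device before relying on it) makes the block intentional and visible in the config, but a firewall deny still drops rather than answers, so the clients' TCP connects will still wait out their retransmissions. What makes applications fail fast is a reject at the first hop (an ICMP unreachable or TCP RST for that subnet's Internet-bound traffic) or not resolving public names for that subnet at all, both of which are outside the posted config and are suggestions, not something the page describes.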