
[问题求助] 请教各位204问题!Trust access DMZ SQL

请教各位204问题!Trust access DMZ SQL

内网 Trust 区的 SQL 客户端程序通过 ODBC 访问 DMZ 区的 SQL 数据库服务器时,根本找不到服务器,无法建立连接。防火墙工作在透明模式,策略里的服务也都设成 any-any 了。反过来试,把服务器和客户端对调(服务器放到 Trust,客户端放到 DMZ)就没有问题。以下是配置,各位专家能否帮我看看,谢谢!
set auth type 0
set auth timeout 10
set clock "timezone" 8
set admin format dos
set admin name "***"
set admin password ********
set admin manager-ip 172.23.1.* 255.255.255.0
set admin sys-ip 172.23.1.*
set admin mail mail-addr1 ***@163.com
set admin auth timeout 10
set admin auth type Local
set zone "Untrust" block
set zone "DMZ" vrouter untrust-vr
set zone "MGT" block
set ip tftp retry 10
set ip tftp timeout 2
set interface ethernet1 zone V1-Trust
set interface ethernet2 zone V1-DMZ
set interface ethernet3 zone V1-Untrust
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 manage ping
set interface ethernet1 manage scs
set interface ethernet1 manage telnet
set interface ethernet1 manage snmp
set interface ethernet1 manage global
set interface ethernet1 manage global-pro
set interface ethernet1 manage ssl
set interface ethernet1 manage web
unset interface ethernet1 ident-reset
set interface vlan1 manage ping
set interface vlan1 manage scs
set interface vlan1 manage telnet
set interface vlan1 manage snmp
set interface vlan1 manage global
set interface vlan1 manage global-pro
set interface vlan1 manage ssl
set interface vlan1 manage web
set interface v1-trust manage ping
unset interface v1-trust manage scs
unset interface v1-trust manage telnet
unset interface v1-trust manage snmp
set interface v1-trust manage global
set interface v1-trust manage global-pro
unset interface v1-trust manage ssl
set interface v1-trust manage web
unset interface v1-trust ident-reset
unset interface v1-untrust manage ping
unset interface v1-untrust manage scs
unset interface v1-untrust manage telnet
unset interface v1-untrust manage snmp
unset interface v1-untrust manage global
unset interface v1-untrust manage global-pro
unset interface v1-untrust manage ssl
unset interface v1-untrust manage web
unset interface v1-untrust ident-reset
set interface v1-dmz manage ping
unset interface v1-dmz manage scs
unset interface v1-dmz manage telnet
unset interface v1-dmz manage snmp
unset interface v1-dmz manage global
unset interface v1-dmz manage global-pro
unset interface v1-dmz manage ssl
set interface v1-dmz manage web
unset interface v1-dmz ident-reset
set interface ethernet2 manage ping
set interface ethernet2 manage scs
set interface ethernet2 manage telnet
set interface ethernet2 manage snmp
set interface ethernet2 manage global
set interface ethernet2 manage global-pro
set interface ethernet2 manage ssl
set interface ethernet2 manage web
unset interface ethernet2 ident-reset
unset interface ethernet3 manage ping
unset interface ethernet3 manage scs
unset interface ethernet3 manage telnet
unset interface ethernet3 manage snmp
unset interface ethernet3 manage global
unset interface ethernet3 manage global-pro
unset interface ethernet3 manage ssl
unset interface ethernet3 manage web
unset interface ethernet3 ident-reset
set interface v1-trust screen component-block
set interface v1-trust screen icmp-flood
set interface v1-trust screen udp-flood
set interface v1-trust screen winnuke
set interface v1-trust screen port-scan
set interface v1-trust screen ip-sweep
set interface v1-trust screen tear-drop
set interface v1-trust screen syn-flood
set interface v1-trust screen ip-spoofing
set interface v1-trust screen ping-death
set interface v1-trust screen ip-filter-src
set interface v1-trust screen land
set interface v1-trust screen syn-frag
set interface v1-trust screen tcp-no-flag
set interface v1-trust screen unknown-protocol
set interface v1-trust screen ip-bad-option
set interface v1-trust screen ip-record-route
set interface v1-trust screen ip-timestamp-opt
set interface v1-trust screen ip-security-opt
set interface v1-trust screen ip-loose-src-route
set interface v1-trust screen ip-strict-src-route
set interface v1-trust screen ip-stream-opt
set interface v1-trust screen icmp-fragment
set interface v1-trust screen icmp-large
set interface v1-trust screen syn-fin
set interface v1-trust screen fin-no-ack
set interface v1-trust screen limit-session
set interface v1-untrust screen icmp-flood
set interface v1-untrust screen udp-flood
set interface v1-untrust screen winnuke
set interface v1-untrust screen port-scan
set interface v1-untrust screen ip-sweep
set interface v1-untrust screen tear-drop
set interface v1-untrust screen syn-flood
set interface v1-untrust screen ip-spoofing
set interface v1-untrust screen ping-death
set interface v1-untrust screen ip-filter-src
set interface v1-untrust screen land
set interface v1-untrust screen syn-frag
set interface v1-untrust screen tcp-no-flag
set interface v1-untrust screen unknown-protocol
set interface v1-untrust screen ip-bad-option
set interface v1-untrust screen ip-timestamp-opt
set interface v1-untrust screen ip-loose-src-route
set interface v1-untrust screen ip-stream-opt
set interface v1-untrust screen icmp-fragment
set interface v1-untrust screen icmp-large
set interface v1-untrust screen syn-fin
set interface v1-untrust screen fin-no-ack
set interface v1-untrust screen limit-session
set interface v1-dmz screen component-block
set interface v1-dmz screen icmp-flood
set interface v1-dmz screen udp-flood
set interface v1-dmz screen winnuke
set interface v1-dmz screen port-scan
set interface v1-dmz screen ip-sweep
set interface v1-dmz screen tear-drop
set interface v1-dmz screen syn-flood
set interface v1-dmz screen ip-spoofing
set interface v1-dmz screen ping-death
set interface v1-dmz screen ip-filter-src
set interface v1-dmz screen land
set interface v1-dmz screen syn-frag
set interface v1-dmz screen tcp-no-flag
set interface v1-dmz screen unknown-protocol
set interface v1-dmz screen ip-bad-option
set interface v1-dmz screen ip-record-route
set interface v1-dmz screen ip-timestamp-opt
set interface v1-dmz screen ip-security-opt
set interface v1-dmz screen ip-loose-src-route
set interface v1-dmz screen ip-strict-src-route
set interface v1-dmz screen ip-stream-opt
set interface v1-dmz screen icmp-fragment
set interface v1-dmz screen icmp-large
set interface v1-dmz screen syn-fin
set interface v1-dmz screen fin-no-ack
set interface v1-dmz screen limit-session
set interface v1-trust screen limit-session source-ip-based 400
set interface v1-untrust screen limit-session source-ip-based 400
set flow mac-flooding
set flow check-session
set address V1-Trust "shoujiduanxin" 172.23.2.* 255.255.255.252
set address V1-Trust "telnet in" 172.23.2.* 255.255.255.252
set address V1-Trust "awsftpserver" 172.23.1.* 255.255.255.252 "aws"
set address V1-Trust "access  web sql" 172.23.1.* 255.255.255.0
set address V1-Untrust "wai in" 172.23.2.* 255.255.255.252
set snmp name "ns204"
set traffic-shaping ip_precedence 7 6 5 4 3 2 1 0
set ike policy-checking
set ike respond-bad-spi 1
set ike id-mode subnet
set l2tp default auth local
set l2tp default ppp-auth any
set l2tp default radius-port 1645
set policy id 2 name "nei-wai" from V1-Trust to V1-Untrust "Any" "Any" "ANY" Permit traffic gbw 10240 priority 0 mbw 10240
set policy id 3 name "web&ftp" from V1-Untrust to V1-DMZ "Any" "Any" "HTTP" Permit
set policy id 4 name "ftp" from V1-Untrust to V1-DMZ "Any" "Any" "FTP" Permit
set policy id 5 name "www-trust-dmz" from V1-Trust to V1-DMZ "Any" "Any" "HTTP" Permit
set policy id 5 disable
set policy id 6 name "ftp" from V1-Trust to V1-DMZ "Any" "Any" "FTP" Permit
set policy id 6 disable
set policy id 8 name "sjdx" from V1-Untrust to V1-Trust "Any" "shoujiduanxin" "TCP-ANY" Permit
set policy id 9 name "tel in" from V1-Untrust to V1-Trust "wai in" "telnet in" "TELNET" Permit
set policy id 10 name "duanxinxi ping" from V1-Untrust to V1-Trust "Any" "shoujiduanxin" ";PING" Permit
set policy id 11 name "allow ping" from V1-Untrust to V1-DMZ "Any" "Any" ";PING" Permit
set policy id 12 name "allow mail" from V1-Untrust to V1-DMZ "Any" "Any" "MAIL" Permit
set policy id 13 name "allow mail" from V1-Trust to V1-DMZ "Any" "Any" "MAIL" Permit
set policy id 13 disable
set policy id 14 name "allow ping" from V1-Trust to V1-DMZ "Any" "Any" ";PING" Permit
set policy id 14 disable
set policy id 15 name "all go out " from V1-DMZ to V1-Untrust "Any" "Any" "ANY" Permit
set policy id 16 name "all allow" from V1-DMZ to V1-Trust "Any" "Any" "ANY" Permit traffic gbw 0 priority 0
set policy id 17 name "pop3" from V1-Untrust to V1-DMZ "Any" "Any" "POP3" Permit
set policy id 18 name "pop3" from V1-Trust to V1-DMZ "Any" "Any" "POP3" Permit
set policy id 18 disable
set policy id 19 name "vpdn in 1" from V1-Untrust to V1-Trust "Any" "Any" "FTP" Permit
set policy id 20 name "vpdn in 2" from V1-Untrust to V1-Trust "Any" "Any" "HTTP" Permit
set policy id 21 name "vpdn-ping" from V1-Untrust to V1-Trust "Any" "Any" "PING" Permit
set policy id 23name  "vpn" from V1-Untrust to V1-Trust "Any" "Any" "TCP-ANY" Permit
set policy id 26 name "awsallow" from V1-Untrust to V1-Trust "Any" "awsftpserver" "FTP" Permit
set policy id 28 from V1-DMZ to V1-Trust "Any" "awsftpserver" "ANY" Permit
set policy id 28 disable
set policy id 29 name "anytoany" from V1-Trust to V1-DMZ "Any" "Any" "ANY" Permit traffic gbw 0 priority 0
set ha interface ethernet4
set ha track threshold 255
set pki authority default scep mode "auto"
set pki x509 default cert-path partial


把 any 的策略放到最前面,然后用 telnet 测一下服务器端口是否能连通。


我不是专家.....................


wu**li) wu**li)


这是个什么东西啊,相信也只有专家能看懂.
