FW1020,配置了策略路由不生效
- 0关注
- 0收藏,795浏览
问题描述:
需求:172.16.2.252走出口36.48.248.1,没生效
是需要重启防火墙吗
[BEGIN] 2023/12/13 9:07:01
#
version 7.1.064, Release 9360P27
#
sysname 赴ºːҽԺFW1020
#
clock timezone Beijing add 08:00:00
clock protocol ntp context 1
#
context Admin id 1
#
context t id 2
#
irf mac-address persistent timer
irf auto-update enable
irf auto-merge enable
undo irf link-delay
irf member 1 priority 1
#
security-policy disable
#
ip unreachables enable
ip ttl-expires enable
#
nat address-group 2222
#
dhcp enable
#
dns server 114.114.114.114
dns server 202.98.0.68
dns server 219.149.194.55
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 100
description ¹݀
#
object-group ip address 9990
0 network subnet 172.16.0.0 255.255.240.0
#
policy-based-route 1 permit node 0
if-match acl 3888
#
policy-based-route 1 permit node 1
if-match acl 2001
apply next-hop 36.48.248.1
#
policy-based-route 1 permit node 2
if-match acl 2002
apply next-hop 218.62.90.65
#
policy-based-route 1 permit node 3
if-match acl 2000
apply next-hop 122.136.193.193
#
policy-based-route 1 permit node 4
if-match acl 3889
#
policy-based-route 200 permit node 200
if-match acl 2222
apply next-hop 36.48.248.1
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface LoopBack111
#
interface Vlan-interface100
ip address 192.168.0.254 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
description to ¹݀
#
interface GigabitEthernet1/0/1
port link-mode route
description to θ
bandwidth 400000000
ip address 122.136.193.249 255.255.255.192
ip last-hop hold
nat outbound 3333
nat outbound 2000
ipsec apply policy syx
ipsec no-nat-process enable
#
interface GigabitEthernet1/0/2
port link-mode route
bandwidth 400000000
ip address 192.168.99.251 255.255.255.0
nat hairpin enable
ip policy-based-route 1
#
interface GigabitEthernet1/0/3
port link-mode route
description TO-JL-HC-ZXJ-DSW-1.MAN.S9312
bandwidth 400000000
ip address 36.48.248.159 255.255.255.0
ip last-hop hold
nat outbound 3333
nat outbound 2222
nat outbound 2001
#
interface GigabitEthernet1/0/4
port link-mode route
description ¸¾ԗ
ip address 111.26.64.238 255.255.255.192
#
interface GigabitEthernet1/0/5
port link-mode route
bandwidth 100000
ip address 218.62.90.115 255.255.255.192
ip last-hop hold
nat outbound 3334
nat outbound 3333
nat outbound 2223
nat outbound 2002
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
ip address 192.168.200.200 255.255.255.0
ip policy-based-route 200
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode bridge
description TO-6-25U-H3CWangZha-MAN
port access vlan 100
#
interface GigabitEthernet1/0/15
port link-mode bridge
description TO-6-28U-H3CFW-G1/0/1
port access vlan 100
#
interface SSLVPN-AC1
ip address 10.1.1.100 255.255.255.0
#
object-policy ip Local-Local
rule 0 pass
#
object-policy ip Trust-Local
rule 54353 inspect 3_2_54353_IPv4 disable logging counting
#
object-policy ip Trust-Trust
rule 0 pass
#
object-policy ip Trust-Untrust
rule 64944 inspect 3_5_64944_IPv4 logging counting
#
object-policy ip Untrust-Local
rule 30957 inspect 5_2_30957_IPv4 logging counting
#
object-policy ip Untrust-Trust
rule 33601 inspect 5_3_33601_IPv4 logging counting
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/7
import interface Vlan-interface100
import interface GigabitEthernet1/0/14 vlan 100
import interface GigabitEthernet1/0/15 vlan 100
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/5
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
zone-pair security source Local destination Local
object-policy apply ip Local-Local
#
zone-pair security source Local destination Management
packet-filter 2000
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Management destination Local
packet-filter 2000
#
zone-pair security source SSLVPN destination Trust
packet-filter 3000
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
packet-filter 3000
#
zone-pair security source Trust destination SSLVPN
packet-filter 3000
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
packet-filter 2000
packet-filter 2001
packet-filter 2002
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 36.48.248.1 preference 70
ip route-static 0.0.0.0 0 218.62.90.65 preference 50
ip route-static 0.0.0.0 0 122.136.193.193
ip route-static 123.123.123.0 24 193.168.0.2
ip route-static 123.123.123.0 24 192.168.99.254
ip route-static 172.16.0.0 16 193.168.0.2
ip route-static 172.16.0.0 16 192.168.99.254
ip route-static 172.17.0.0 16 193.168.0.2
ip route-static 172.17.0.0 16 192.168.99.254
ip route-static 172.20.0.0 16 193.168.0.2 description to θθ¹
ip route-static 172.20.0.0 16 192.168.99.254
ip route-static 192.168.98.0 24 193.168.0.2
ip route-static 192.168.98.0 24 192.168.99.254
ip route-static 192.168.99.0 24 193.168.0.2
ip route-static 192.168.99.0 24 192.168.99.254
ip route-static 192.168.100.0 24 192.168.99.254
#
info-center logbuffer size 1024
info-center loghost 172.16.2.57
#
snmp-agent
snmp-agent local-engineid 800063A280307BAC75946600000001
snmp-agent community read cipher $c$3$Nmj1YNGbcztUsBFrj2lvZ++yNFCo0sSaLKNBNw==
snmp-agent community write cipher $c$3$1XHeSrnzyJG4q2ZMbymBCZJmfPWGbhjF+aAaXw==
snmp-agent sys-info version all
#
performance-management
#
ssh server enable
#
acl basic 2000
rule 10 permit source 172.16.100.0 0.0.0.255
rule 15 permit
#
acl basic 2001
description µ葅
rule 0 permit source 172.17.0.0 0.0.255.255
rule 20 permit source 172.16.15.62 0
rule 20 comment ¼풩¿ljϱ¨т¹ۊ
rule 25 permit source 172.16.2.11 0
rule 30 permit source 172.16.1.75 0
rule 35 permit source 172.16.1.251 0
rule 40 permit source 172.16.1.252 0
rule 45 permit source 172.16.17.9 0
rule 45 comment µ蘓Ʊ¾ݷþϱǷ
rule 50 permit source 172.16.2.252 0
#
acl basic 2002
description jͨ·þϱԚǕͨ¿ͻ§»
rule 0 permit source 172.16.0.0 0.0.15.255
rule 5 permit source 172.16.16.0 0.0.0.255
rule 5 comment ¿ǂ¥
rule 10 permit source 172.16.18.0 0.0.0.255
rule 10 comment 120¥
rule 15 permit source 172.20.0.0 0.0.255.255
rule 15 comment тθIP
#
acl basic 2222
rule 0 permit source 192.168.200.0 0.0.0.255
#
acl basic 2223
rule 0 deny source 172.16.2.252 0
#
acl advanced 3000
rule 0 permit ip
#
acl advanced 3010
description IPSEC
rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
acl advanced 3333
rule 0 deny ip source 192.168.100.56 0.0.0.7
#
acl advanced 3334
rule 0 deny ip source 172.16.2.252 0
#
acl advanced 3456
rule 5 permit ip source 172.16.2.253 0
#
acl advanced 3888
rule 0 permit ip source 172.16.0.0 0.0.15.255 destination 122.136.193.249 0
rule 10 permit ip source 172.16.2.253 0 destination 172.16.17.2 0
rule 20 permit ip source 122.136.193.249 0 destination 172.16.17.2 0
rule 25 permit ip source 172.16.17.2 0 destination 122.136.193.249 0
rule 30 permit ip source 172.16.17.2 0 destination 172.16.2.253 0
rule 40 permit ip source 122.136.193.249 0 destination 172.16.0.0 0.0.15.255
rule 45 permit tcp destination 122.136.193.249 0 destination-port eq 8081
rule 50 permit tcp source 122.136.193.249 0 source-port eq 8081
rule 55 permit ip source 172.16.0.0 0.0.15.255
rule 60 permit ip destination 172.16.100.11 0
#
acl advanced 3901
rule 0 permit ip source 172.16.2.253 0 destination 122.136.193.249 0
rule 5 permit ip source 122.136.193.249 0 destination 172.16.2.253 0
rule 10 permit ip source 122.136.193.249 0 destination 172.16.17.2 0
rule 15 permit ip source 172.16.17.2 0 destination 122.136.193.249 0
rule 20 permit ip source 218.62.90.115 0 destination 172.16.17.2 0
rule 25 permit ip source 172.16.17.2 0 destination 218.62.90.115 0
#
acl advanced 3999
rule 0 permit ip source 10.1.1.1 0
rule 5 permit ip destination 172.16.100.23 0
#
acl advanced name IPsec_syx_IPv4_1
rule 0 permit ip source 192.168.100.56 0.0.0.7 destination 10.28.0.49 0
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$em4uaa44aMItFr+q$k8xO1KqjT5aBevb321jD7vb10AzsNpO0mFiM5+xJbaf88xxmCLvw7TBPbvkwpVB0W8+5I7WXQmSXE1Iyfsw4TA==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
password-control login-attempt 5 exceed lock-time 15
#
local-user test class manage
authorization-attribute user-role network-operator
#
local-user bas class network
password cipher $c$3$03S4hgZ1SXQ0xF+rmr0Uo49I9hIo4cqyrw==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-aperator
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user cui class network
password cipher $c$3$32QABnMAfInrExiM2d8zB3jxfy+A1lngWQ==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user fang class network
password cipher $c$3$yCnNGpr/EEnHnCFbak+AtYHWBbxBHxzyYXc=
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user h3c class network
password cipher $c$3$DmtqoyXHFawCGN+arMLJiT4Ed1tPJXSRBOvStw==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user hrp class network
password cipher $c$3$X9vSFoKXZwqGSWlVjkd8dNqhZcJsYqdeGEvtrA==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user lin class network
password cipher $c$3$KWRZVLQvD2CsfvXSlduxSN1te1X76Xjfg9tZgw==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user quan class network
password cipher $c$3$UwGtKadRC+EBMc2YZN4ec4VjMmrSEB2xiHw=
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user test class network
password cipher $c$3$07z4PCLuCxCGD9iC6Omzl2ymzEnlIsq9Vg==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user tijian class network
password cipher $c$3$9Nn1OBDi7ulm8Q1WAQaJU1NB1bAUZGa3VWBFlw==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user tongmai class network
password cipher $c$3$ktvX4TMPoUwRcSpIltRhUgxZgKavzvZAI0Xsw50=
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user wangjinyu class network
password cipher $c$3$KuqtAFKTgOa3o8RTTmh/zUJEoYqNFxObGlHA1n4=
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user zhang class network
password cipher $c$3$tjrsMEjeQz/NJKt6UWWUQg7h0uD9jv0/bZoD
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
local-user zhonglian class network
password cipher $c$3$+P1WOrDpgcMAx9YtilBBgcH6BRHK22xfAA==
service-type sslvpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
pki domain sslvpn
public-key rsa general name sslvpn
undo crl check enable
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
session synchronization enable
session state-machine mode loose
#
ipsec sa global-duration time-based 86400
ipsec sa idle-time 28800
#
ipsec transform-set syx_IPv4_1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
pfs dh-group1
#
ipsec policy syx 1 isakmp
transform-set syx_IPv4_1
security acl name IPsec_syx_IPv4_1
local-address 122.136.193.249
remote-address 221.8.66.219
ike-profile syx_IPv4_1
sa trigger-mode auto
sa duration time-based 28800
sa idle-time 28780
#
ike dpd interval 300 retry 30 on-demand
ike identity address 122.136.193.249
#
ike profile syx_IPv4_1
keychain syx_IPv4_1
dpd interval 300 retry 30 on-demand
local-identity address 122.136.193.249
match remote identity address 221.8.66.219 255.255.255.255
match local address GigabitEthernet1/0/1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain syx_IPv4_1
match local address GigabitEthernet1/0/1
pre-shared-key address 221.8.66.219 255.255.255.255 key cipher $c$3$I63j4dDGVVN74ghuLS7T+XKqeoGgDrf2eQ==
#
ip https enable
#
blacklist ip 5.180.180.134
blacklist ip 5.255.231.96
blacklist ip 33.5.217.218
blacklist ip 36.99.136.129
blacklist ip 40.77.167.105
blacklist ip 40.77.167.181
blacklist ip 45.143.147.152
blacklist ip 46.101.210.212
blacklist ip 46.232.122.33
blacklist ip 47.92.244.59
blacklist ip 47.101.154.14
blacklist ip 49.234.59.18
blacklist ip 50.31.21.7
blacklist ip 52.167.144.57
blacklist ip 60.11.4.199
blacklist ip 60.28.193.14
blacklist ip 60.28.193.54
blacklist ip 60.28.193.98
blacklist ip 60.28.193.171
blacklist ip 64.62.197.55
blacklist ip 64.62.197.87
blacklist ip 64.95.103.187
blacklist ip 65.49.20.67
blacklist ip 68.183.64.176
blacklist ip 68.183.206.17
blacklist ip 80.82.70.228
blacklist ip 87.236.176.92
blacklist ip 87.236.176.102
blacklist ip 87.236.176.106
blacklist ip 87.236.176.125
blacklist ip 87.236.176.145
blacklist ip 87.236.176.148
blacklist ip 87.236.176.233
blacklist ip 87.250.224.251
blacklist ip 91.121.59.189
blacklist ip 94.102.61.40
blacklist ip 95.108.213.214
blacklist ip 95.214.27.62
blacklist ip 95.214.27.114
blacklist ip 95.214.27.204
blacklist ip 115.182.2.58
blacklist ip 147.75.61.38
blacklist ip 147.75.63.87
blacklist ip 154.55.138.141
blacklist ip 173.231.184.124
blacklist ip 173.231.189.15
blacklist ip 176.58.104.168
blacklist ip 178.128.242.134
blacklist ip 185.180.143.80
blacklist ip 185.213.174.115
blacklist ip 199.247.27.41
blacklist ip 206.189.61.126
#
ips signature auto-update
update schedule weekly sun start-time 02:00:00 tingle 120
#
app-profile 3_2_54353_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
app-profile 3_5_64944_IPv4
ips apply policy default mode protect
#
app-profile 5_2_30957_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
app-profile 5_3_33601_IPv4
ips apply policy default mode protect
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect logging parameter-profile waf_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
sslvpn ip address-pool ippool 10.1.1.1 10.1.1.50
#
sslvpn gateway gw
ip address 122.136.193.249 port 2000
service enable
#
sslvpn context ctx
gateway gw
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool ippool mask 255.255.255.0
ip-route-list rtlist
include 123.123.123.0 255.255.255.0
include 172.16.0.0 255.255.0.0
include 172.16.0.0 255.255.255.0
include 172.17.0.0 255.255.0.0
include 192.168.0.0 255.255.255.0
include 192.168.98.0 255.255.255.0
include 192.168.99.0 255.255.255.0
include 193.168.0.0 255.255.255.252
policy-group pgroup
filter ip-tunnel acl 3000
ip-tunnel access-route ip-route-list rtlist
service enable
#
waf logging parameter-profile waf_logging_default_parameter
#
security-policy ip
rule 3 name IPsec_syx_1_20231210173950_IN
action pass
destination-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
rule 2 name IPsec_syx_1_20231210173950_OUT
action pass
source-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
rule 1 name IPsec_ʳԴє_1_20231208131305_IN
action pass
destination-zone Local
service ike
service ipsec-ah
service ipsec-esp
service nat-t-ipsec
rule 0 name IPsec_ʳԴє_1_20231208131305_OUT
action pass
source-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus policy normal
inspect ftp direction both action alert
inspect http direction both action alert
#
anti-virus signature auto-update
update schedule daily start-time 15:30:00 tingle 120
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return
[END] 2023/12/13 9:07:13
- 2023-12-13提问
- 举报
-
(0)
ip route-static 172.16.0.0 16 193.168.0.2
ip route-static 172.16.0.0 16 192.168.99.254
看路由,172.16.2.252的入接口有可能是2个接口,一个接口下应用的PBR 1,一个接口下应用的PBR 200,PBR 200 下的按策略是不包含源地址172.16.2.252的,若从此接口进来的流量自然无法匹配PBR选路。
- 2023-12-13回答
- 评论(0)
- 举报
-
(0)
暂无评论
您好,请知:
策略路由不生效,以下是排查要点,请参考:
1、检查基础路由是否可达。
2、检查安全策略是否有拦截。
3、检查策略路由的ACL匹配的源是否正确。
4、检查策略路由是否调用到了正确的端口。
- 2023-12-13回答
- 评论(0)
- 举报
-
(0)
暂无评论
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论