MSR3600怎么配置外网访问规则和主机(端口)映射??
网络环境:S5560S+MSR3600(V7)
g0/0:电信拨号,主网
g0/1:联通拨号,备用网1
g0/2:联通专线4个固定IP(7.7.7.1-7.7.7.4),备用网2
内网网段:
192.168.1.0-192.168.7.0,走g0/0电信拨号,部分设备映射端口
192.168.8.0-192.168.9.0,走g0/1联通拨号,部分设备映射端口
192.168.10.1-192.168.10.4,走联通专线,一对一映射对应7.7.7.1-7.7.7.4的专线IP
当g0/0电信拨号断网时,对应的内网设备访问外网自动转到g0/1联通拨号,当两个拨号都断网时,自动转到专线。
当g0/1或者g0/2断网时,自动转到g0/0
需要怎么配置好,没做过访问策略,例子也看多了,就是配置不成功。
以下是现在配好的配置,大部分都是在WEB页面下配的。
#
version 7.1.064, Release 6728P25
#
sysname H3C
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
wlan global-configuration
#
telnet server enable
#
undo resource-monitor output syslog snmp-notification netconf-event
#
security-zone intra-zone default permit
#
track 1021 nqa entry ge0/2 1 reaction 1
#
track 1022 nqa entry ge0/1 1 reaction 1
#
track 1023 nqa entry ge0/0 1 reaction 1
#
ip pool l2tp1 192.168.70.2 192.168.70.9
#
dialer-group 1 rule ip permit
dialer-group 2 rule ip permit
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
lldp global enable
#
system-working-mode standard
password-recovery enable
#
vlan 1
#
dhcp server ip-pool lan1
gateway-list 192.168.0.1
network 192.168.0.0 mask 255.255.254.0
address range 192.168.1.2 192.168.1.254
dns-list 192.168.0.1
#
ddns policy WAN0(GE0)
url oray://***.***
username Pro-link
password cipher $c$34=
interval 0 0 10
#
nqa entry ge0/0 1
type icmp-echo
destination ip 121.14.77.221
frequency 10000
out interface Dialer0
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry ge0/1 1
type icmp-echo
destination ip 121.14.77.221
frequency 10000
out interface Dialer1
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry ge0/2 1
type icmp-echo
destination ip 121.14.77.221
frequency 10000
out interface GigabitEthernet0/2
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule ge0/0 1 start-time now lifetime forever
nqa schedule ge0/1 1 start-time now lifetime forever
nqa schedule ge0/2 1 start-time now lifetime forever
#
controller Cellular0/0
#
interface Dialer0
mtu 1492
ppp chap password cipher $c$3$Ir7FU
ppp chap user 076312345
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 076312344 password cipher $c$3$
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1360
ip last-hop hold
nat outbound
nat outbound 2000
nat server protocol tcp global current-interface 22 inside 192.168.10.30 22
nat server protocol tcp global current-interface 25 inside 192.168.1.251 22
nat static enable
ddns apply policy WAN0(GE0) fqdn ***.***
#
interface Dialer1
mtu 1492
ppp chap password cipher $c$3$ZtvkBKNe8Hl
ppp chap user QYFTH28@16900.gd
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user QYFTH28@16900.gd password cipher $c$3$hK3Fi1yhy
dialer bundle enable
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1280
ip last-hop hold
nat static enable
#
interface Dialer2
mtu 1492
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool l2tp1
ppp account-statistics enable
ip address 192.168.70.1 255.255.255.0
#
interface NULL0
#
interface Vlan-interface1
description LAN-interface
ip address 192.168.0.1 255.255.254.0
tcp mss 1280
nat hairpin enable
#
interface GigabitEthernet0/0
port link-mode route
description Multiple_Line1
nat static enable
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/1
port link-mode route
description Multiple_Line2
nat static enable
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/2
port link-mode route
description Multiple_Line3
ip address 7.7.7.1 255.255.255.248
ip address 7.7.7.2 255.255.255.248 sub
ip address 7.7.7.3 255.255.255.248 sub
ip address 7.7.7.4 255.255.255.248 sub
dns server 120.80.88.88
dns server 221.5.88.88
tcp mss 1280
ip last-hop hold
nat outbound
nat static enable
#
interface GigabitEthernet0/26
port link-mode route
ip address 192.168.100.253 255.255.255.0
nat outbound 2000
nat hairpin enable
#
interface GigabitEthernet0/27
port link-mode route
#
interface GigabitEthernet0/28
port link-mode route
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
interface GigabitEthernet0/6
port link-mode bridge
#
interface GigabitEthernet0/7
port link-mode bridge
#
interface GigabitEthernet0/8
port link-mode bridge
#
interface GigabitEthernet0/9
port link-mode bridge
#
interface GigabitEthernet0/10
port link-mode bridge
#
interface GigabitEthernet0/11
port link-mode bridge
#
interface GigabitEthernet0/12
port link-mode bridge
#
interface GigabitEthernet0/13
port link-mode bridge
#
interface GigabitEthernet0/14
port link-mode bridge
#
interface GigabitEthernet0/15
port link-mode bridge
#
interface GigabitEthernet0/16
port link-mode bridge
#
interface GigabitEthernet0/17
port link-mode bridge
#
interface GigabitEthernet0/18
port link-mode bridge
#
interface GigabitEthernet0/19
port link-mode bridge
#
interface GigabitEthernet0/20
port link-mode bridge
#
interface GigabitEthernet0/21
port link-mode bridge
#
interface GigabitEthernet0/22
port link-mode bridge
#
interface GigabitEthernet0/23
port link-mode bridge
#
interface GigabitEthernet0/24
port link-mode bridge
#
interface GigabitEthernet0/25
port link-mode bridge
#
object-policy ip Any-Any
rule 65533 inspect 8048_url_profile_global disable
rule 65534 pass
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
#
zone-pair security source Local destination Trust
packet-filter name SWXWSGL
#
zone-pair security source Local destination Untrust
packet-filter name SWXWSGL
#
zone-pair security source Trust destination Local
packet-filter name SWXWSGL
#
zone-pair security source Untrust destination Local
packet-filter name SWXWSGL
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0 track 1023
ip route-static 0.0.0.0 0 GigabitEthernet0/2 7.7.7.1
ip route-static 0.0.0.0 0 Dialer1 preference 100
ip route-static 121.14.77.221 32 Dialer0 description NqaTrack
ip route-static 121.14.77.221 32 Dialer1 description NqaTrack
ip route-static 121.14.77.221 32 GigabitEthernet0/2 7.7.7.1 description NqaTrack
ip route-static 192.168.0.0 16 192.168.100.254 description TO-核心S5560
#
info-center loghost 127.0.0.1 port 3301
info-center source CFGLOG loghost level informational
#
snmp-agent
snmp-agent local-engineid 800063A28
snmp-agent sys-info version v3
#
performance-management
#
ntp-service enable
#
acl basic 2000
rule 0 permit source 192.168.0.0 0.0.0.255
#
acl advanced name SWXWSGL
rule 1 permit ip
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type ftp
service-type telnet terminal http https
authorization-attribute user-role network-admin
#
local-user ye class network
password cipher $c$3$3kAOB2+upd/5
access-limit 5
service-type ppp
authorization-attribute user-role network-operator
#
security-enhanced level 1
#
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name LNS1
#
l2tp enable
#
ip http enable
web new-style
#
url-filter category custom severity 65535
#
wlan ap-group default-group
vlan 1
#
cloud-management server domain oasis.h3c.com
#
return
(0)
通过策略路由实现。多出口地址的宽带通过nat地址池方式。参考下面
Router A分别与Router B和Router C直连(保证Router B和Router C之间路由完全不可达)。通过策略路由控制从Router A的以太网接口GigabitEthernet1/0/1接收的报文:
· 源地址为192.168.10.2的报文以4.1.1.2/24作为下一跳IP地址;
· 其它源地址的报文以5.1.1.2/24作为下一跳IP地址。
图1-4 基于报文源地址的转发策略路由的配置举例组网图
(1) 配置IP地址和单播路由协议,确保Router B和Host A/Host B,Router C和Host A/Host B之间路由可达,具体配置过程略。
(2) 配置Router A
# 定义访问控制列表ACL 2000,用来匹配源地址为192.168.10.2的报文。
[RouterA] acl basic 2000
[RouterA-acl-ipv4-basic-2000] rule 10 permit source 192.168.10.2 0
[RouterA-acl-ipv4-basic-2000] quit
# 定义0号节点,指定所有源地址为192.168.10.2的报文的下一跳为4.1.1.2。
[RouterA] policy-based-route aaa permit node 0
[RouterA-pbr-aaa-0] if-match acl 2000
[RouterA-pbr-aaa-0] apply next-hop 4.1.1.2
[RouterA-pbr-aaa-0] quit
[RouterA] policy-based-route aaa permit node 1
[RouterA-pbr-aaa-1] apply next-hop 5.1.1.2
[RouterA-pbr-aaa-1] quit
# 在以太网接口GigabitEthernet1/0/1上应用转发策略路由,处理此接口接收的报文。
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip policy-based-route aaa
[RouterA-GigabitEthernet1/0/1] quit
从Host A上ping Router B,结果成功。
从Host B上ping Router B,结果失败。
从Host A上ping Router C,结果失败。
从Host B上ping Router C,结果成功。
以上结果可证明:从Router A的以太网接口GigabitEthernet1/0/1接收的源地址为192.168.10.2的报文的下一跳为4.1.1.2,所以Host A能ping通Router B,源地址为192.168.10.3的下一跳5.1.1.2,所以Host B能ping通Router C,由此表明策略路由设置成功。
(0)
谢谢,如果外网断网自动转其他线路怎么配呢?
自动走默认路由的,默认会跳转的,没匹配策略路由就走缺省路由
内网IP192.168.8.141配了电信拨号,但是那台主机获取外网IP时,一会获取电信外网IP一会又获取到联通的外网IP acl basic 2000 rule 10 permit source 192.168.8.141 0 quit policy-based-route aaa permit node 0 if-match acl 2000 apply output-interface Dialer 0 quit
您好,请知:
可以配置一对一映射来实现相应的转换,以下是配置案例:
内部网络用户10.110.10.8/24使用外网地址202.38.1.100访问Internet。
图2-3 静态地址转换典型配置组网图
# 按照组网图配置各接口的IP地址,具体配置过程略。
# 配置内网IP地址10.110.10.8到外网地址202.38.1.100之间的一对一静态地址转换映射。
<Router> system-view
[Router] nat static outbound 10.110.10.8 202.38.1.100
# 使配置的静态地址转换在接口GigabitEthernet1/0/2上生效。
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat static enable
# 以上配置完成后,内网主机可以访问外网服务器。通过查看如下显示信息,可以验证以上配置成功。
[Router] display nat static
Totally 1 outbound static NAT mappings.
IP-to-IP:
Local IP : 10.110.10.8
Global IP : 202.38.1.100
Config status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: GigabitEthernet1/0/2
Config status: Active
# 通过以下显示命令,可以看到Host访问某外网服务器时生成NAT会话信息。
[Router] display nat session verbose
Slot 0:
Total sessions found: 0
Slot 2:
Initiator:
Source IP/port: 10.110.10.8/42496
Destination IP/port: 202.38.1.111/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Responder:
Source IP/port: 202.38.1.111/42496
Destination IP/port: 202.38.1.100/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
State: ICMP_REPLY
Application: INVALID
Rule ID: -/-/-
Rule name:
Start time: 2012-08-16 09:30:49 TTL: 27s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
Total sessions found: 1
实现特定网段走特定出口,可以配置策略路由来实现。
Router A分别与Router B和Router C直连(保证Router B和Router C之间路由完全不可达)。通过策略路由控制从Router A的以太网接口GigabitEthernet1/0/1接收的报文:
· 源地址为192.168.10.2的报文以4.1.1.2/24作为下一跳IP地址;
· 其它源地址的报文以5.1.1.2/24作为下一跳IP地址。
图1-4 基于报文源地址的转发策略路由的配置举例组网图
(1) 配置IP地址和单播路由协议,确保Router B和Host A/Host B,Router C和Host A/Host B之间路由可达,具体配置过程略。
(2) 配置Router A
# 定义访问控制列表ACL 2000,用来匹配源地址为192.168.10.2的报文。
[RouterA] acl basic 2000
[RouterA-acl-ipv4-basic-2000] rule 10 permit source 192.168.10.2 0
[RouterA-acl-ipv4-basic-2000] quit
# 定义0号节点,指定所有源地址为192.168.10.2的报文的下一跳为4.1.1.2。
[RouterA] policy-based-route aaa permit node 0
[RouterA-pbr-aaa-0] if-match acl 2000
[RouterA-pbr-aaa-0] apply next-hop 4.1.1.2
[RouterA-pbr-aaa-0] quit
[RouterA] policy-based-route aaa permit node 1
[RouterA-pbr-aaa-1] apply next-hop 5.1.1.2
[RouterA-pbr-aaa-1] quit
# 在以太网接口GigabitEthernet1/0/1上应用转发策略路由,处理此接口接收的报文。
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip policy-based-route aaa
[RouterA-GigabitEthernet1/0/1] quit
从Host A上ping Router B,结果成功。
从Host B上ping Router B,结果失败。
从Host A上ping Router C,结果失败。
从Host B上ping Router C,结果成功。
以上结果可证明:从Router A的以太网接口GigabitEthernet1/0/1接收的源地址为192.168.10.2的报文的下一跳为4.1.1.2,所以Host A能ping通Router B,源地址为192.168.10.3的下一跳5.1.1.2,所以Host B能ping通Router C,由此表明策略路由设置成功。
(0)
一对一映射配置过了,配置之后内网对应的主机不能访问web,但可以登录微信,把配置删掉内网主机网络才正常。
一对一映射配置过了,配置之后内网对应的主机不能访问web,但可以登录微信,把配置删掉内网主机网络才正常。
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明
内网IP192.168.8.141配了电信拨号,但是那台主机获取外网IP时,一会获取电信外网IP一会又获取到联通的外网IP acl basic 2000 rule 10 permit source 192.168.8.141 0 quit policy-based-route aaa permit node 0 if-match acl 2000 apply output-interface Dialer 0 quit