防火墙15口新增了一条外网DHCP地址的出口,配置ACL策略路由后,发现流量走了别的链路;排查发现策略中配置的网段到防火墙15口接口IP不通,怀疑为配置问题,请帮忙分析以下配置是否有问题。
[NJJYJ-F1060]dis cu
#
version 7.1.064, Release 9360P27
#
sysname NJJYJ-F1060
#
context Admin id 1
#
telnet server enable
telnet server acl 3200
#
irf mac-address persistent timer
irf auto-update enable
irf auto-merge enable
undo irf link-delay
irf member 1 priority 1
#
security-policy disable
#
dns server 222.222.222.222
#
password-recovery enable
#
vlan 1
#
policy-based-route 1 permit node 1
if-match acl 3101
apply next-hop 123.183.163.97
apply output-interface GigabitEthernet1/0/17
#
policy-based-route 1 permit node 2
if-match acl 3102
apply next-hop 222.223.120.129
apply output-interface GigabitEthernet1/0/18
#
policy-based-route 1 permit node 3
if-match acl 3103
apply next-hop 222.223.121.193
apply output-interface GigabitEthernet1/0/20
#
policy-based-route 1 permit node 4
if-match acl 3104
apply next-hop 222.223.122.1
apply output-interface GigabitEthernet1/0/22
#
policy-based-route 1 permit node 5
if-match acl 3106
apply next-hop 222.223.111.1
apply output-interface GigabitEthernet1/0/19
#
policy-based-route 1 permit node 6
if-match acl 3107
apply next-hop 123.183.160.1
apply output-interface GigabitEthernet1/0/16
#
policy-based-route 1 permit node 7
if-match acl 3108
apply output-interface GigabitEthernet1/0/15
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface Bridge-Aggregation10
#
interface Route-Aggregation10
description to--核心-G4/0/1_G4/0/3
ip address 10.74.0.2 255.255.255.240
ip policy-based-route 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.199.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
ip policy-based-route 1
port link-aggregation group 10
#
interface GigabitEthernet1/0/2
port link-mode route
ip policy-based-route 1
port link-aggregation group 10
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
ip address dhcp-alloc
nat outbound 3108
#
interface GigabitEthernet1/0/15
port link-mode route
ip address dhcp-alloc
nat outbound 3105
#
interface GigabitEthernet1/0/16
port link-mode route
ip address 123.183.160.52 255.255.255.192
nat outbound 3105
nat server protocol tcp global 116.131.137.66 3401 inside 10.74.4.50 3401 rule 内部服务器规则_38 disable description 营养餐
nat server protocol tcp global 116.131.137.66 4986 inside 10.74.4.50 4986 rule 内部服务器规则_57 disable description 营养餐
nat server protocol tcp global 116.131.137.66 8000 inside 10.74.4.100 8000 rule 内部服务器规则_10 disable description 明博2
nat server protocol tcp global 116.131.137.66 8010 inside 10.74.4.50 8010 rule 内部服务器规则_58 disable description 营养餐
nat server protocol tcp global 116.131.137.66 8075 inside 10.74.4.50 8075 rule 内部服务器规则_59 disable description 营养餐
nat server protocol tcp global 116.131.137.66 23389 inside 10.74.4.100 3389 rule 内部服务器规则_19 disable description 明博1
#
interface GigabitEthernet1/0/17
port link-mode route
ip address 123.183.163.101 255.255.255.224
nat outbound 3105
#
interface GigabitEthernet1/0/18
port link-mode route
ip address 222.223.120.136 255.255.255.192
nat outbound 3105
#
interface GigabitEthernet1/0/19
port link-mode route
ip address 222.223.111.10 255.255.255.128
nat outbound 3105
#
interface GigabitEthernet1/0/20
port link-mode route
ip address 222.223.121.195 255.255.255.192
nat outbound 3105
#
interface GigabitEthernet1/0/21
port link-mode route
ip last-hop hold
nat outbound 3105
#
interface GigabitEthernet1/0/22
port link-mode route
ip address 222.223.122.7 255.255.255.224
nat outbound 3105
#
interface GigabitEthernet1/0/23
port link-mode route
description to-XingTaiShiJu
shutdown
nat outbound 3015
#
object-policy ip Any-Any
rule 0 pass
#
object-policy ip Any-Untrust
rule 0 pass
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Untrust-Any
rule 0 pass
#
object-policy ip Untrust-Local
rule 0 pass
#
object-policy ip Untrust-Trust
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
import interface Route-Aggregation10
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/14
import interface GigabitEthernet1/0/15
import interface GigabitEthernet1/0/16
import interface GigabitEthernet1/0/17
import interface GigabitEthernet1/0/18
import interface GigabitEthernet1/0/19
import interface GigabitEthernet1/0/20
import interface GigabitEthernet1/0/21
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
zone-pair security source Any destination Untrust
object-policy apply ip Any-Any
#
zone-pair security source Local destination Trust
packet-filter 2000
#
zone-pair security source Local destination Untrust
packet-filter 2000
#
zone-pair security source Management destination Local
packet-filter 2000
#
zone-pair security source Trust destination Local
packet-filter 2000
#
zone-pair security source Trust destination Trust
packet-filter 2000
#
zone-pair security source Trust destination Untrust
packet-filter 2000
#
zone-pair security source Untrust destination Any
object-policy apply ip Untrust-Any
#
zone-pair security source Untrust destination Local
packet-filter 2000
#
zone-pair security source Untrust destination Trust
packet-filter 2000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
authentication-mode scheme
user-role network-admin
user-role network-operator
#
ip route-static 0.0.0.0 0 123.183.163.97 preference 90
ip route-static 0.0.0.0 0 222.223.120.129 preference 70
ip route-static 0.0.0.0 0 222.223.121.193 preference 75
ip route-static 0.0.0.0 0 222.223.122.1 preference 80
ip route-static 0.0.0.0 0 222.223.111.1 preference 85
ip route-static 0.0.0.0 0 123.183.160.1
ip route-static 0.0.0.0 0 GigabitEthernet1/0/15 dhcp preference 95
ip route-static 10.0.0.0 8 10.74.0.1
ip route-static 10.72.0.0 13 10.74.0.1
#
snmp-agent
snmp-agent local-engineid 800063A2803897D6AFCBC100000001
snmp-agent community read xtjyj-r
snmp-agent community write xtjyj-w
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.10.10.12 params securityname xtjyj-r v2c
snmp-agent target-host trap address udp-domain 10.74.2.253 params securityname xtjyj-r
snmp-agent trap queue-size 500
snmp-agent trap life 600
#
performance-management
#
ssh server enable
ssh server port 20002
#
acl basic 2000
step 1
rule 0 permit
#
acl advanced 3101
rule 0 permit ip source 10.72.0.0 0.0.127.255
#
acl advanced 3102
rule 0 permit ip source 10.72.128.0 0.0.127.255
rule 5 permit ip source 10.72.128.0 0.0.63.255
rule 10 permit ip source 10.72.192.0 0.0.63.255
#
acl advanced 3103
rule 0 permit ip source 10.73.0.0 0.0.63.255
rule 5 permit ip source 10.73.0.0 0.0.0.255
rule 10 permit ip source 10.73.1.0 0.0.0.255
rule 15 permit ip source 10.73.2.0 0.0.0.255
rule 20 permit ip source 10.73.3.0 0.0.0.255
rule 25 permit ip source 10.73.4.0 0.0.0.255
rule 30 permit ip source 10.73.5.0 0.0.0.255
#
acl advanced 3104
rule 0 permit ip source 10.73.64.0 0.0.63.255
rule 3 permit ip source 10.73.82.0 0.0.0.255
rule 4 permit ip source 10.73.83.0 0.0.0.255
#
acl advanced 3105
rule 0 permit ip source 10.74.0.0 0.0.255.255
rule 1000 permit ip
#
acl advanced 3106
rule 0 permit ip source 10.73.128.0 0.0.127.255
rule 5 permit ip source 10.73.129.0 0.0.0.255
rule 10 permit ip source 10.73.130.0 0.0.0.255
#
acl advanced 3107
rule 0 permit ip source 10.74.0.0 0.0.255.255
rule 5 permit ip source 10.74.4.0 0.0.0.255
rule 15 permit ip source 10.74.0.0 0.0.127.255
#
acl advanced 3108
rule 0 permit ip source 10.73.156.0 0.0.1.255
rule 5 permit ip source 10.73.158.0 0.0.1.255
rule 10 permit ip source 10.73.160.0 0.0.1.255
#
acl advanced 3200
rule 0 permit ip source 10.74.2.0 0.0.0.255
rule 5 permit ip source 10.74.4.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$1l27yY025noQoTqp$lfp1Nz6SshIW0jTE4+TnqtCIrNT1WhSOaj+c0eLEF4fV7+wXQyDs6KuLeqK/OlhvAlXDEhW6sAM/KlgMNH70HA==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user dianxin class manage
password hash $h$6$yDjI+WB5MoJ/bjly$eN/QunAOhkrykUjjKz0g2pWbFZZwKKLAciqn13cOhIlAH7+XhUo+Rtj1KjqSV5YlCCmvC+7YByVTdB6dCUv59w==
service-type ssh terminal https
authorization-attribute user-role level-15
authorization-attribute user-role network-operator
#
ipsec logging negotiation enable
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name any
parent-group any
action pass
counting enable
group name any from any to any description 1
#
return
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]dis int brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
GE1/0/0 DOWN DOWN 192.199.0.1
GE1/0/1 UP UP --
GE1/0/2 UP UP --
GE1/0/3 DOWN DOWN --
GE1/0/4 DOWN DOWN --
GE1/0/5 DOWN DOWN --
GE1/0/6 DOWN DOWN --
GE1/0/7 DOWN DOWN --
GE1/0/8 DOWN DOWN --
GE1/0/9 DOWN DOWN --
GE1/0/10 DOWN DOWN --
GE1/0/11 DOWN DOWN --
GE1/0/12 DOWN DOWN --
GE1/0/13 DOWN DOWN --
GE1/0/14 DOWN DOWN --
GE1/0/15 UP UP 192.168.1.2
GE1/0/16 UP UP 123.183.160.52
GE1/0/17 UP UP 123.183.163.101
GE1/0/18 UP UP 222.223.120.136
GE1/0/19 DOWN DOWN 222.223.111.10
GE1/0/20 UP UP 222.223.121.195
GE1/0/21 DOWN DOWN --
GE1/0/22 UP UP 222.223.122.7
GE1/0/23 ADM DOWN -- to-XingTaiShiJu
InLoop0 UP UP(s) --
NULL0 UP UP(s) --
REG0 UP -- --
RAGG10 UP UP 10.74.0.2 to--核心-G4/0/1_G4/0/3
Brief information on interfaces in bridge mode:
Link: ADM - administratively down; Stby - standby
Speed: (a) - auto
Duplex: (a)/A - auto; H - half; F - full
Type: A - access; T - trunk; H - hybrid
Interface Link Speed Duplex Type PVID Description
BAGG10 DOWN auto A A 1
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]ping -a 10.72.0.2 192.168.1.2
Ping 192.168.1.2 (192.168.1.2) from 10.72.0.2: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.1.2 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[NJJYJ-F1060]%May 9 14:26:34:881 2024 NJJYJ-F1060 PING/6/PING_STATISTICS: -COntext=1; Ping statistics for 192.168.1.2: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
ping -a 10.74.0.2 192.168.1.2
Ping 192.168.1.2 (192.168.1.2) from 10.74.0.2: 56 data bytes, press CTRL+C to break
56 bytes from 192.168.1.2: icmp_seq=0 ttl=255 time=0.206 ms
56 bytes from 192.168.1.2: icmp_seq=1 ttl=255 time=0.178 ms
56 bytes from 192.168.1.2: icmp_seq=2 ttl=255 time=0.176 ms
56 bytes from 192.168.1.2: icmp_seq=3 ttl=255 time=0.177 ms
56 bytes from 192.168.1.2: icmp_seq=4 ttl=255 time=0.250 ms
--- Ping statistics for 192.168.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.176/0.197/0.250/0.029 ms
[NJJYJ-F1060]%May 9 14:26:42:030 2024 NJJYJ-F1060 PING/6/PING_STATISTICS: -COntext=1; Ping statistics for 192.168.1.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.176/0.197/0.250/0.029 ms.
[NJJYJ-F1060]ping -a 10.74.0.2 10.73.157.254
Ping 10.73.157.254 (10.73.157.254) from 10.74.0.2: 56 data bytes, press CTRL+C to break
56 bytes from 10.73.157.254: icmp_seq=0 ttl=255 time=1.089 ms
56 bytes from 10.73.157.254: icmp_seq=1 ttl=255 time=1.028 ms
56 bytes from 10.73.157.254: icmp_seq=2 ttl=255 time=1.150 ms
56 bytes from 10.73.157.254: icmp_seq=3 ttl=255 time=0.934 ms
56 bytes from 10.73.157.254: icmp_seq=4 ttl=255 time=2.384 ms
--- Ping statistics for 10.73.157.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.934/1.317/2.384/0.538 ms
[NJJYJ-F1060]%May 9 14:26:51:698 2024 NJJYJ-F1060 PING/6/PING_STATISTICS: -COntext=1; Ping statistics for 10.73.157.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.934/1.317/2.384/0.538 ms.
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
[NJJYJ-F1060]
最佳答案
看看能不能抓包分析一下吧