双光纤同时接入使用,应该如何设置,非负载设置
- 0关注
- 1收藏,1974浏览
问题描述:
防火墙型号是SecPath F100-C-G,原来是1条光纤,后因业务发展又接入了1条光纤,原来的光纤绑定服务器及部分办公室使用,接入新光纤后,在公司外面访问服务器网站的时候发现经常掉线或无法访问的情况,请问是哪里没有设置的问题吗?
下附端口配置信息
10.10.10.1为固网IP
20.20.20.2是新接入的固网IP
192.168.4.200为内部服务器IP地址
组网及组网描述:
#
version 5.20, Release 5142P02
#
sysname FW
#
undo voice vlan mac-address 00e0-bb00-0000
#
interzone policy default by-priority
#
domain default enable system
#
ip host oa 192.168.4.200
#
telnet server enable
#
qos carl 1 source-ip-address range 192.168.1.100 to 192.168.1.199 per-address shared-bandwidth
qos carl 2 source-ip-address range 192.168.2.1 to 192.168.2.200 per-address shared-bandwidth
qos carl 3 source-ip-address range 192.168.3.1 to 192.168.3.200 per-address shared-bandwidth
qos carl 4 source-ip-address range 192.168.4.1 to 192.168.4.200 per-address shared-bandwidth
#
port-security enable
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
acl number 3000
rule 2 permit ip source 192.168.4.0 0.0.0.255
rule 3 permit ip source 192.168.3.0 0.0.0.255
rule 4 permit ip source 192.168.1.0 0.0.0.255
rule 5 permit ip source 192.168.2.0 0.0.0.255
rule 20 permit ip
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.200 0
rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 192.168.2.253 0
acl number 3002
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.200 0
acl number 3003
rule 0 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.4.200 0
rule 1 deny ip
acl number 3004
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 192.168.4.200 0
rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 192.168.2.253 0
acl number 3100
rule 2 permit ip source 192.168.4.0 0.0.0.255
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
dhcp server ip-pool 1
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.254
dns-list 202.97.224.68 202.97.224.69 219.159.32.132 8.8.8.8
#
dhcp server ip-pool 2
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.254
dns-list 202.97.224.68 202.97.224.69 219.159.32.132 8.8.8.8
#
dhcp server ip-pool 3
network 192.168.3.0 mask 255.255.255.0
gateway-list 192.168.3.254
dns-list 202.97.224.68 202.97.224.69 219.159.32.132 8.8.8.8
#
dhcp server ip-pool 4
network 192.168.4.0 mask 255.255.255.0
gateway-list 192.168.4.254
dns-list 202.97.224.68 202.97.224.69 219.159.32.132 8.8.8.8
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$xgzsM4PK8fIViKHvxhtovT8kv9SIw5evIe8w
authorization-attribute level 3
service-type telnet
service-type web
#
cwmp
undo cwmp enable
#
interface NULL0
#
interface Vlan-interface1
#
interface GigabitEthernet0/0
port link-mode route
nat outbound 3003
nat server protocol tcp global 10.10.10.1 www inside 192.168.4.200 www
nat server protocol tcp global 10.10.10.1 8099 inside 192.168.4.200 8099
ip address 192.168.10.254 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
description 外网接口
nat outbound static
nat outbound 3100
nat outbound 3000
nat server protocol tcp global 10.10.10.1 7788 inside 192.168.4.200 7788
nat server protocol tcp global 10.10.10.1 1089 inside 192.168.4.5 1089
nat server protocol tcp global 10.10.10.1 8099 inside 192.168.4.200 8099
nat server protocol tcp global 10.10.10.1 9999 inside 192.168.4.200 9999
nat server protocol udp global 10.10.10.1 1089 inside 192.168.4.5 1089
nat server protocol tcp global 10.10.10.1 12315 inside 192.168.4.200 12315
nat server protocol tcp global 10.10.10.1 5222 inside 192.168.4.200 5222
nat server protocol tcp global 10.10.10.1 5280 inside 192.168.4.200 5280
nat server protocol tcp global 10.10.10.1 7777 inside 192.168.4.200 7777
nat server protocol tcp global 10.10.10.1 12314 inside 192.168.4.200 12314
nat server protocol tcp global 10.10.10.1 12345 inside 192.168.4.200 12345
nat server protocol tcp global 10.10.10.1 1433 inside 192.168.4.200 1433
nat server protocol tcp global 10.10.10.1 800 inside 192.168.4.200 800
nat server protocol tcp global 10.10.10.1 3389 inside 192.168.4.200 3389
nat server protocol tcp global 10.10.10.1 8888 inside 192.168.2.251 8888
nat server protocol tcp global 10.10.10.1 8843 inside 192.168.2.251 8843
nat server protocol tcp global 10.10.10.1 12300 inside 192.168.3.200 12300
nat server protocol tcp global 10.10.10.1 6802 inside 192.168.3.200 6802
ip address 10.10.10.1 255.255.255.248
#
interface GigabitEthernet0/2
port link-mode route
nat server protocol tcp global 10.10.10.1 www inside 192.168.4.200 www
nat server protocol tcp global 10.10.10.1 8099 inside 192.168.4.200 8099
ip address 192.168.11.254 255.255.255.0
#
interface GigabitEthernet0/3
port link-mode route
nat outbound 3004
nat server protocol tcp global 10.10.10.1 www inside 192.168.4.200 www
nat server protocol tcp global 10.10.10.1 8099 inside 192.168.4.200 8099
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/4
port link-mode route
nat outbound 3000
nat server protocol tcp global 20.20.20.2 7788 inside 192.168.4.200 7788
nat server protocol tcp global 20.20.20.2 1089 inside 192.168.4.5 1089
nat server protocol udp global 20.20.20.2 1089 inside 192.168.4.5 1089
nat server protocol tcp global 20.20.20.2 8099 inside 192.168.4.200 8099
nat server protocol tcp global 20.20.20.2 9999 inside 192.168.4.200 9999
nat server protocol tcp global 20.20.20.2 12315 inside 192.168.4.200 12315
nat server protocol tcp global 20.20.20.2 5222 inside 192.168.4.200 5222
nat server protocol tcp global 20.20.20.2 5280 inside 192.168.4.200 5280
nat server protocol tcp global 20.20.20.2 7777 inside 192.168.4.200 7777
nat server protocol tcp global 20.20.20.2 12314 inside 192.168.4.200 12314
nat server protocol tcp global 20.20.20.2 12345 inside 192.168.4.200 12345
nat server protocol tcp global 20.20.20.2 1433 inside 192.168.4.200 1433
nat server protocol tcp global 20.20.20.2 800 inside 192.168.4.200 800
nat server protocol tcp global 20.20.20.2 3389 inside 192.168.4.200 3389
nat server protocol tcp global 20.20.20.2 8888 inside 192.168.4.251 8888
nat server protocol tcp global 20.20.20.2 8843 inside 192.168.4.251 8843
nat server protocol tcp global 20.20.20.2 12300 inside 192.168.3.200 12300
nat server protocol tcp global 20.20.20.2 6802 inside 192.168.3.200 6802
ip address 20.20.20.2 255.255.255.0
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet0/0
import interface GigabitEthernet0/3
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface GigabitEthernet0/1
import interface GigabitEthernet0/2
import interface GigabitEthernet0/4
switchto vd Root
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
interzone source Local destination Trust
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Local destination Untrust
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Trust destination Untrust
rule 0 permit logging
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Untrust destination Trust
rule 0 permit logging
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Any destination Trust
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.2
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/4 20.20.20.1
ip route-static 192.168.1.0 255.255.255.0 1.1.1.2
ip route-static 192.168.2.0 255.255.255.0 1.1.1.2
ip route-static 192.168.3.0 255.255.255.0 1.1.1.2
ip route-static 192.168.4.0 255.255.255.0 1.1.1.2
#
dhcp server forbidden-ip 192.168.1.1 192.168.1.99
dhcp server forbidden-ip 192.168.1.200 192.168.1.254
dhcp server forbidden-ip 192.168.2.254
dhcp server forbidden-ip 192.168.3.254
dhcp server forbidden-ip 192.168.4.254
dhcp server forbidden-ip 192.168.4.1 192.168.4.10
#
dhcp enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
- 2019-08-12提问
- 举报
-
(0)
最佳答案
做一下策略路由试试看
基于报文源地址的转发策略路由配置举例
1. 组网需求
通过策略路由控制从Router A的以太网接口GigabitEthernet2/0/1接收的报文:
· 源地址为192.168.10.2的报文以4.1.1.2/24作为下一跳IP地址;
· 其它源地址的报文以5.1.1.2/24作为下一跳IP地址。
2. 组网图
3. 配置步骤
# 配置接口GigabitEthernet2/0/2和GigabitEthernet2/0/3的IP地址。
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 4.1.1.1 24
[RouterA-GigabitEthernet2/0/2] quit
[RouterA] interface gigabitethernet 2/0/3
[RouterA-GigabitEthernet2/0/3] ip address 5.1.1.1 24
[RouterA-GigabitEthernet2/0/3] quit
# 定义访问控制列表ACL 2000,用来匹配源地址为192.168.10.2的报文。
[RouterA-acl-ipv4-basic-2000] rule 10 permit source 192.168.10.2 0
[RouterA-acl-ipv4-basic-2000] quit
# 定义0号节点,指定所有源地址为192.168.10.2的报文的下一跳为4.1.1.2。
[RouterA] policy-based-route aaa permit node 0
[RouterA-pbr-aaa-0] if-match acl 2000
[RouterA-pbr-aaa-0] apply next-hop 4.1.1.2
[RouterA-pbr-aaa-0] quit
[RouterA] policy-based-route aaa permit node 1
[RouterA-pbr-aaa-1] apply next-hop 5.1.1.2
[RouterA-pbr-aaa-1] quit
# 在以太网接口GigabitEthernet2/0/1上应用转发策略路由,处理此接口接收的报文。
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 192.168.10.1 24
[RouterA-GigabitEthernet2/0/1] ip policy-based-route aaa
[RouterA-GigabitEthernet2/0/1] quit
# 配置GigabitEthernet接口的IP地址。
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 4.1.1.2 24
[RouterB-GigabitEthernet2/0/2] quit
# 配置到网段192.168.10.0/24的静态路由。
[RouterB] ip route-static 192.168.10.0 24 4.1.1.1
# 配置GigabitEthernet接口的IP地址。
[RouterC] interface gigabitethernet 2/0/3
[RouterC-GigabitEthernet2/0/3] ip address 5.1.1.2 24
[RouterC-GigabitEthernet2/0/3] quit
# 配置到网段192.168.10.0/24的静态路由。
- 2019-08-12回答
- 评论(0)
- 举报
-
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论