SecPath F100-C-G 丢包 外网访问内部丢包内部访问外网没问题

 # version 5.20, Release 5142 # sysname XYQ # super password level 3 cipher $c$3$dwGyNbIjTWDtTEmGJOj9vKqNIEpM6Yyp # l2tp enable # undo voice vlan mac-address 00e0-bb00-0000 # ip local policy-based-route 123 # interzone policy default by-priority # nat address-group 1 222.37.3.27 222.37.3.27 # domain default enable system # telnet server enable # qos carl 1 source-ip-address range 10.10.10.1 to 10.10.10.221 per-address qos carl 3 source-ip-address range 10.10.10.1 to 10.10.10.221 per-address qos carl 5 source-ip-address range 10.10.10.1 to 10.10.10.221 # port-security enable # undo alg dns undo alg rtsp undo alg h323 undo alg sip undo alg sqlnet undo alg pptp undo alg ils undo alg nbt undo alg msn undo alg qq undo alg tftp undo alg sccp undo alg gtp # session synchronization enable # password-recovery enable # acl number 2000 rule 0 permit source 10.10.10.0 0.0.0.255 acl number 2001 rule 0 permit acl number 2222 rule 0 permit source 171.118.61.0 0.0.0.255 # acl number 3000 rule 10 permit ip destination 59.41.185.244 0 rule 50 permit ip source 10.10.10.236 0 rule 70 permit ip source 10.10.10.10 0 rule 123 permit ip source 10.10.10.123 0 rule 211 permit ip source 10.10.10.223 0 acl number 3001 rule 633 permit ip source 10.10.10.184 0 # vlan 1 # domain system authentication ppp local authorization ppp local accounting ppp none access-limit disable state active idle-cut disable self-service-url disable ip pool 1 10.0.0.2 10.0.0.100 # pki domain default crl check disable # policy-based-route 1 permit node 1 if-match acl 2000 apply ip-address next-hop 10.10.10.254 # policy-based-route 2 permit node 2 if-match acl 2222 # policy-based-route 3 permit node 3 if-match acl 3000 apply ip-address next-hop 211.103.255.129 apply ip-address next-hop 101.39.226.191 # policy-based-route 6 permit node 65533 if-match acl 3001 apply ip-address next-hop 211.103.255.129 apply ip-address next-hop 101.39.226.191 # user-group system group-attribute allow-guest # local-user XYQVPN password cipher $c$3$wmNhUyEJ6wqHeySa5K8zvKAcyCoxav4nwqZDUw== service-type ppp local-user admin password cipher $c$3$mLQbviKX7o8B56sXvSa9bmJfk2HZJBZItw== authorization-attribute level 3 service-type telnet service-type web # cwmp undo cwmp enable # l2tp-group 1 undo tunnel authentication allow l2tp virtual-template 0 tunnel name LNS # interface Virtual-Template0 ppp authentication-mode chap domain system ppp ipcp remote-address forced remote address pool 1 ip address 10.0.0.1 255.255.255.0 qos car inbound carl 5 cir 2000 cbs 125000 ebs 0 green pass red discard qos car outbound carl 5 cir 2000 cbs 125000 ebs 0 green pass red discard # interface NULL0 # interface GigabitEthernet0/0 port link-mode route # interface GigabitEthernet0/1 port link-mode route ip address 10.10.10.254 255.255.255.0 qos car inbound carl 5 cir 2000 cbs 125000 ebs 0 green pass red discard qos car outbound carl 5 cir 2000 cbs 125000 ebs 0 green pass red discard # interface GigabitEthernet0/2 port link-mode route nat outbound static nat outbound 2001 nat outbound 2000 nat server 5 protocol tcp global current-interface 84 inside 10.10.10.236 84 nat server 6 protocol tcp global current-interface 5366 inside 10.10.10.236 5366 nat server 3 protocol tcp global current-interface 443 inside 10.10.10.223 433 nat server 1 protocol tcp global current-interface 88 inside 10.10.10.223 88 nat server 4 protocol tcp global current-interface 3389 inside 10.10.10.223 3389 nat server protocol tcp global 101.39.226.191 3500 inside 10.10.10.123 3500 nat server protocol tcp global 101.39.226.191 3700 inside 10.10.10.123 3700 nat server protocol tcp global 101.39.226.191 1433 inside 10.10.10.223 1433 nat server protocol tcp global 101.39.226.191 1009 inside 10.10.10.223 1009 nat server 2 protocol tcp global current-interface 211 inside 10.10.10.223 211 ip address 101.39.226.191 255.255.255.128 qos car inbound carl 5 cir 2000 cbs 125000 ebs 0 green pass red discard qos car outbound carl 5 cir 2000 cbs 125000 ebs 0 green pass red discard ip policy-based-route 1 # interface GigabitEthernet0/3 port link-mode route nat outbound 2001 ip address 101.247.183.87 255.255.255.0 ip policy-based-route 1 # interface GigabitEthernet0/4 port link-mode route nat outbound 2222 nat server protocol tcp global 2000 inside 10.10.10.221 www ip address 211.103.255.184 255.255.255.192 # ospf 1 import-route static # rip 1 undo summary network 0.0.0.0 # vd Root id 1 # zone name Management id 0 priority 100 import interface GigabitEthernet0/0 zone name Local id 1 priority 100 zone name Trust id 2 priority 85 import interface GigabitEthernet0/1 import interface GigabitEthernet0/2 import interface GigabitEthernet0/3 import interface Virtual-Template0 zone name DMZ id 3 priority 50 zone name Untrust id 4 priority 5 import interface GigabitEthernet0/4 switchto vd Root zone name Management id 0 ip virtual-reassembly zone name Local id 1 ip virtual-reassembly zone name Trust id 2 ip virtual-reassembly zone name DMZ id 3 ip virtual-reassembly zone name Untrust id 4 tcp-proxy enable ip virtual-reassembly interzone source Management destination Management rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable interzone source Untrust destination Trust rule 0 permit source-ip any_address destination-ip any_address service any_service rule enable # ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/3 101.247.183.1 preference 50 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/4 101.39.226.129 ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/2 101.39.226.129 ip route-static 10.10.10.0 255.255.255.0 GigabitEthernet0/4 211.103.255.35 ip route-static 10.10.10.0 255.255.255.0 GigabitEthernet0/4 101.39.226.129 ip route-static 59.41.185.0 255.255.255.0 GigabitEthernet0/2 101.39.226.129 ip route-static 118.194.40.0 255.255.255.0 GigabitEthernet0/2 101.39.226.129 ip route-static 120.92.44.0 255.255.255.0 GigabitEthernet0/2 101.39.226.129 ip route-static 124.127.181.0 255.255.255.0 GigabitEthernet0/2 101.39.226.129 preference 50 # snmp-agent snmp-agent local-engineid 800063A20370BAEF656827 snmp-agent community read XYQ snmp-agent sys-info version all # nat static 3101 10.10.10.236 101.39.226.191 nat dns-map domain ***.*** protocol tcp ip 211.103.255.184 port 98 # load xml-configuration # load tr069-configuration # user-interface con 0 user-interface vty 0 4 authentication-mode scheme # return