Headquarters has an H3C MSR2600 router that until now used a single broadband PPPoE dial-up line for internet access.
The LAN has a web server and a file-sharing server. The branches reach the web server over the internet through the server's Oray (花生壳) dynamic-DNS service with NAT traversal. Another dynamic domain name is configured on the MSR2600 as the public L2TP endpoint that the branches connect to (that VPN is used to reach the internal file server).
Headquarters has now added a dedicated internet leased line, and I want two internal segments: the main departments and the servers (VLAN1) use the leased line, and the other departments (VLAN2) use the broadband line. The two segments also need to reach each other internally.
The VPN and web services still use the dynamic domain names (a three-year service was already purchased).
I configured policy-based routing and everything works: the two headquarters VLANs go out through different routes. The branch VPNs also connect to headquarters normally, but after a branch connects to the VPN it can no longer reach the VLAN1 segment (192.168.1.0/24); it can only reach the gateway 192.168.1.1. It feels as if there is no return route to 192.168.1.0/24. Could an expert give some pointers?
The configuration is below:
#
version 5.20, Release 2516P15
#
sysname H3C
#
l2tp enable
#
ip pool 3 10.3.3.1 10.3.3.50
#
domain default enable system
#
dns resolve
dns proxy enable
#
telnet server enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
ndp enable
#
ntdp enable
#
cluster enable
#
port-security enable
#
password-recovery enable
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
vlan 1
#
vlan 10
#
domain newsystem
authentication ppp local
authorization ppp none
accounting ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 3 10.3.3.1 10.3.3.50
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 2 10.9.9.100 10.9.9.199
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer xsd-vpn
exchange-mode aggressive
proposal 1
pre-shared-key cipher $c$3$l1KjDGQDJjPLWp3yxtIyRBgGX5eqAOnYcw==
id-type name
remote-name b
remote-address a dynamic
local-name a
nat traversal
#
ipsec transform-set lsd-vpn
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy-template 720896.1_t 1
connection-name lsd-vpn
ike-peer lsd-vpn
transform-set lsd-vpn
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy 720896 1 isakmp template 720896.1_t
#
dhcp server ip-pool vlan1 extended
network ip range 192.168.1.2 192.168.1.254
network mask 255.255.255.0
gateway-list 192.168.1.1
dns-list 192.168.1.1
#
dhcp server ip-pool vlan10 extended
network ip range 192.168.10.100 192.168.10.170
network mask 255.255.255.0
gateway-list 192.168.10.1
dns-list 221.228.255.1
#
policy-based-route aaa permit node 10
if-match acl 3001
policy-based-route aaa permit node 20
if-match acl 3000
apply ip-address next-hop 67.160.90.201
#
user-group system
group-attribute allow-guest
#
local-user 777
password cipher $c$3$bxxCJKbOD67KI+Cn7TqtsFn28PKjIIx9AWqRQw==
authorization-attribute level 2
service-type telnet
local-user ALEX
password cipher $c$3$61LfxPfIxuyvUJLtQMaWAXZhYvml9l7q9682WD8=
authorization-attribute level 3
service-type ppp
local-user CCYJ
password cipher $c$3$abIx8ppthovc8JIQYlXas/qB3/7+H+CZrvmM0S0=
authorization-attribute level 3
service-type ppp
local-user SZ
password cipher $c$3$1lCQrwT7T5WZQ3z29IYo5WfN49NowuczMW3DGw==
authorization-attribute level 3
service-type ppp
local-user Vuser3
password cipher $c$3$DfAcveTH7rZcJWbQwnWTQUvbFEfk9siH5l1w3/4=
authorization-attribute level 3
service-type ppp
local-user LSD-ZD
password cipher $c$3$i69f4MvMAGDWAwzFyrkxfoBXXFSSKB6xYsG7vM/8MxTqjvc=
authorization-attribute level 3
service-type ppp
local-user admin
password cipher $c$3$6WW92JYBZPfAZ9wVyEX1JGsH4ZyVxzURYnVE2Gc=
authorization-attribute level 3
service-type telnet
service-type web
local-user tongwei
password cipher $c$3$wJzVdBzWbWD059kURuDolnIYwQDAMncMlAGEhDI=
authorization-attribute level 3
service-type telnet
service-type web
local-user wangyan
password cipher $c$3$+61A8g5r11HxV3ejXUoLvhb1oRdr8PUx9Q4ywyGThkA=
authorization-attribute level 3
service-type ppp
local-user xiangsu
password cipher $c$3$V/VpsOUKAS0c3tNSUZVVRJ7GCH4CAO629vXw2w==
authorization-attribute level 3
service-type ppp
#
cwmp
undo cwmp enable
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
tcp mss 1024
#
interface Dialer10
nat outbound
link-protocol ppp
ppp chap user 051012705444
ppp chap password cipher $c$3$s+Lb7UDZ7oZQq1oVti80sq1hIWqOrIai1g==
ppp pap local-user 051012705444 password cipher $c$3$m4tLiwxl0y3NGoZ5nhMItErfOsq3/jj6Sg==
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
tcp mss 1024
dialer user username
dialer-group 10
dialer bundle 10
ipsec no-nat-process enable
ipsec policy 720896
#
interface Virtual-Template0
ppp authentication-mode pap domain system
remote address pool 2
ip address 10.9.9.1 255.255.255.0
#
interface Virtual-Ethernet0
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
tcp mss 1024
dhcp server apply ip-pool vlan1
ip policy-based-route aaa
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
dhcp server apply ip-pool vlan10
#
interface GigabitEthernet0/0
port link-mode route
nat outbound
nat server protocol tcp global 67.160.90.202 7777 inside 192.168.1.254 877
ip address 67.160.90.202 255.255.255.252
dns server 221.228.255.1
#
interface GigabitEthernet0/1
port link-mode route
nat outbound
pppoe-client dial-bundle-number 10
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
interface GigabitEthernet0/6
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/7
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/8
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/9
port link-mode bridge
port access vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 Dialer10
ip route-static 0.0.0.0 0.0.0.0 67.160.90.201 preference 70
#
dhcp enable
#
dialer-rule 10 ip permit
#
nms primary monitor-interface GigabitEthernet0/0
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
<H3C>dis cu
Best answer
Hello, please note:
Remove the policy route and check whether the segments can reach each other. If they can, the problem is in how the policy route's policy matches traffic.
Because policy routing matches traffic and then executes an action, you need to write an empty node that matches the segments that must communicate with each other.
Reference configuration:
[H3C]acl advanced 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]policy-based-route weijianing permit node 1
[H3C-pbr-weijianing-1]if-match acl 3001
[H3C-pbr-weijianing-1]quit
Thank you for the answer. I have been very busy lately, so my reply is late; thanks again! I will try again following your approach.
You need to write an ACL for traffic between the internal segments, match it in an empty node, and place that node before the existing policy-route node. Example below:
# Define ACL 3001 to match traffic from internal segment 192.168.1.0/24 to internal segment 192.168.2.0/24.
[H3C]acl advanced 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[H3C-acl-adv-3001]quit
# Create policy route aaa with node 10, matching the traffic of ACL 3001 and setting no apply action. (If no action is set, matched traffic is forwarded according to the routing table and no further node is evaluated. The purpose of this node is that traffic between different internal segments does not match the policy route, so the segments can reach each other. Note: by default, different segments whose gateway is on the router can reach each other.)
[H3C]policy-based-route aaa permit node 10
[H3C-pbr-aaa-10]if-match acl 3001
[H3C-pbr-aaa-10]quit
Hello, refer to the following configuration:
[H3C]acl advanced 3001
[H3C-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]policy-based-route aaa permit node 10
[H3C-pbr-aaa-10]if-match acl 3001
[H3C-pbr-aaa-10]quit
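To make the "empty node" behaviour described in the answers concrete, here is an added editor's simulation of Comware policy-based routing; it is not the poster's configuration and not H3C code. It assumes the semantics the answers state (nodes evaluated in ascending order; the first matching permit node ends evaluation; a node with no apply action falls back to the routing table) and models the ACLs and policy route aaa exactly as posted. The "fixed" variant is an assumption: it adds one rule to acl 3001 so that traffic from VLAN1 toward the L2TP address pool 10.9.9.0/24 (the pool behind Virtual-Template0 in the posted config) is also caught by the empty node instead of node 20. Whether that is the poster's actual fault is the editor's reading of the symptom, not something the answers claim; the 203.0.113.9 address is a constructed documentation address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of Comware policy-based routing, as the answers describe it:
# nodes are evaluated in ascending order; the first permit node whose ACL matches
# stops evaluation. With an "apply ip-address next-hop" the packet is sent there;
# with no apply action the packet is forwarded by the ordinary routing table.
# This is an editor's simulation, not H3C code.


@dataclass
class AclRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network  # 0.0.0.0/0 stands for "any"


@dataclass
class PbrNode:
    number: int
    acl: List[AclRule]
    next_hop: Optional[str] = None  # None == empty node (no apply action)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


def acl_matches(rules: List[AclRule], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
    # An ACL permits the flow if any rule covers both source and destination.
    return any(src in r.src and dst in r.dst for r in rules)


def evaluate(policy: List[PbrNode], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Return (number of the node that matched, or None; forwarding decision)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for node in sorted(policy, key=lambda n: n.number):
        if acl_matches(node.acl, s, d):
            if node.next_hop is not None:
                return node.number, "next-hop " + node.next_hop
            return node.number, "routing-table"  # empty node: ordinary routing
    return None, "routing-table"  # no node matched: ordinary routing


# ACLs as posted: 3000 = everything sourced from VLAN1, 3001 = VLAN1 -> VLAN10 only.
ACL_3000 = [AclRule(net("192.168.1.0/24"), ANY)]
ACL_3001 = [AclRule(net("192.168.1.0/24"), net("192.168.10.0/24"))]

# policy-based-route aaa as posted: node 10 is the empty node for VLAN1 -> VLAN10,
# node 20 sends the rest of VLAN1's traffic to the leased-line next hop.
PBR_AS_POSTED = [PbrNode(10, ACL_3001), PbrNode(20, ACL_3000, "67.160.90.201")]

# Assumed fix (editor's assumption): extend acl 3001 with one more rule so that
# traffic from VLAN1 to the L2TP address pool 10.9.9.0/24 is also caught by the
# empty node. In Comware CLI this would be, under acl 3001:
#   rule permit ip source 192.168.1.0 0.0.0.255 destination 10.9.9.0 0.0.0.255
ACL_3001_FIXED = ACL_3001 + [AclRule(net("192.168.1.0/24"), net("10.9.9.0/24"))]
PBR_FIXED = [PbrNode(10, ACL_3001_FIXED), PbrNode(20, ACL_3000, "67.160.90.201")]


if __name__ == "__main__":
    for label, policy in (("as posted", PBR_AS_POSTED), ("fixed", PBR_FIXED)):
        for src, dst in (("192.168.1.50", "192.168.10.120"),  # VLAN1 -> VLAN10
                         ("192.168.1.50", "10.9.9.100"),      # VLAN1 -> L2TP client
                         ("192.168.1.50", "203.0.113.9")):    # VLAN1 -> internet
            print(label, src, "->", dst, evaluate(policy, src, dst))
```

Running the block shows that with the posted policy a reply from a VLAN1 host to an L2TP client at 10.9.9.100 falls through node 10 (acl 3001 only covers 192.168.10.0/24) and is caught by node 20, so it is sent to the leased-line next hop instead of back into the tunnel; with the extra rule it hits the empty node and follows the routing table, while internet-bound traffic from VLAN1 still goes to node 20. The same model can be used to check any further empty node before it is typed into the router.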