
IP hairpin (loopback to the public address) not working; router configuration attached, cannot find the cause

Asked 2021-07-17
  • 0 following
  • 1 favourite, 1928 views
Followers: 0  Following: 1

Problem description:

interface GigabitEthernet0/1   (public address)
 ip address 100.100.100.100 255.255.255.0

interface GigabitEthernet0/5   (internal interface)
 ip address 10.10.20.1 255.255.255.0

For example: internal host 172.10.11.7 cannot open 100.100.100.100:8089 in a browser, while from an outside network it works normally.

The router configuration is attached.

nat hairpin enable is configured on both the internal and the external interface, but it still does not work; I cannot find the cause.

Router model: MSR3620

Boot ROM version: 1.10   Hardware version: 2.0   Software version: 7.1.064 Release 0605P13

Network topology and description:

[AKEMI_5600(外网边界路由器)]dis cur

#

 version 7.1.064, Release 0605P13

#

 sysname AKEMI_5600(外网边界路由器)

#

 telnet server enable

#

 security-zone intra-zone default permit

#

 ip pool aaa 100.19.0.2 100.19.0.20

 ip pool aaa gateway 100.19.0.1

#

 ip unreachables enable

 ip ttl-expires enable

#

 ip load-sharing mode per-flow src-ip global

#

 dhcp enable

 dhcp server always-broadcast

#

 dns proxy enable

#

 lldp global enable

#              

 password-recovery enable

#

vlan 1

#

dhcp server ip-pool GigabitEthernet0/3

#

policy-based-route guding permit node 1

 if-match acl 3001

 apply next-hop 100.100.100.100 direct

#

policy-based-route guding permit node 3

 if-match acl 3003

 apply next-hop 172.10.2.1 direct

#

policy-based-route guding permit node 4

 if-match acl 3004

#

policy-based-route guding permit node 5

 apply next-hop 100.100.100.100 direct

#

policy-based-route quanwang permit node 2

 if-match acl 3001

#              

policy-based-route quanwang permit node 4

 if-match acl 3004

 apply next-hop 10.10.100.1 direct

#

controller Cellular0/0

#

interface Virtual-Template0

#

interface Virtual-Template1

 ppp authentication-mode chap domain system

 remote address pool aaa

#

interface NULL0

#

interface GigabitEthernet0/0

 port link-mode route

 combo enable copper

 ip address 10.10.101.2 255.255.255.0

#

interface GigabitEthernet0/1

 port link-mode route

 combo enable copper

 ip address 100.100.100.100 255.255.255.0

 ip last-hop hold

nat hairpin enable

 nat outbound

 nat server protocol tcp global 100.100.100.100 180 inside 172.10.11.7 80

 nat server protocol tcp global 100.100.100.100 500 inside 172.10.11.250 500

 nat server protocol tcp global 100.100.100.100 888 inside 172.10.11.114 888

 nat server protocol tcp global 100.100.100.100 1018 inside 172.10.11.7 1018

 nat server protocol tcp global 100.100.100.100 1188 inside 172.10.11.48 1188

 nat server protocol tcp global 100.100.100.100 1194 inside 172.10.12.9 8081

 nat server protocol tcp global 100.100.100.100 1195 inside 172.10.12.9 8081

 nat server protocol tcp global 100.100.100.100 1196 inside 172.10.12.9 8081

 nat server protocol tcp global 100.100.100.100 1701 inside 172.10.11.250 1701

 nat server protocol tcp global 100.100.100.100 1723 inside 172.10.11.250 1723

 nat server protocol tcp global 100.100.100.100 5000 inside 172.10.10.100 5000

 nat server protocol tcp global 100.100.100.100 5366 inside 172.10.11.114 5366

 nat server protocol tcp global 100.100.100.100 6650 inside 10.10.80.250 22

 nat server protocol tcp global 100.100.100.100 6651 inside 10.10.80.251 22

 nat server protocol tcp global 100.100.100.100 6652 inside 10.10.80.252 22

 nat server protocol tcp global 100.100.100.100 6653 inside 10.10.80.253 22

 nat server protocol tcp global 100.100.100.100 6690 inside 172.10.10.100 6690

 nat server protocol tcp global 100.100.100.100 8060 inside 10.10.80.253 80

 nat server protocol tcp global 100.100.100.100 8081 inside 172.10.12.9 8081

 nat server protocol tcp global 100.100.100.100 8089 inside 172.10.11.48 8089

 nat server protocol tcp global 100.100.100.100 8099 inside 172.10.11.16 8099

 nat server protocol tcp global 100.100.100.100 8189 inside 172.10.11.7 8189

 nat server protocol tcp global 100.100.100.100 8899 inside 110.110.0.176 8899

 nat server protocol tcp global 100.100.100.100 9995 inside 172.10.11.49 9995

 nat server protocol tcp global 100.100.100.100 9996 inside 172.10.11.49 9996

 nat server protocol tcp global 100.100.100.100 9997 inside 172.10.11.49 9997

 nat server protocol tcp global 100.100.100.100 11443 inside 10.10.20.2 11443

 nat server protocol tcp global 100.100.100.100 12000 inside 172.10.11.7 12000

 nat server protocol tcp global 100.100.100.100 14333 inside 172.10.11.7 1433

 nat server protocol tcp global 100.100.100.100 43345 inside 172.10.11.7 3306

 nat server protocol tcp global 100.100.100.100 43346 inside 172.10.11.7 6379

 nat server protocol tcp global 100.100.100.100 54433 inside 172.10.11.34 54433

 nat server protocol tcp global 100.100.100.100 61499 inside 172.10.11.49 1433

 nat server protocol tcp global 100.100.100.100 8081 inside 172.10.12.9 8081

 nat server protocol udp global 100.100.100.100 4500 inside 172.10.11.250 4500

 nat server protocol udp global 100.100.100.100 54433 inside 172.10.11.34 54433

 nat static enable

#

interface GigabitEthernet0/2

 port link-mode route

 combo enable copper

 ip address 172.10.2.3 255.255.255.0

 nat outbound

#              

interface GigabitEthernet0/3

 port link-mode route

 combo enable copper

 ip address 10.10.100.2 255.255.255.0

 nat outbound

#

interface GigabitEthernet0/4

 port link-mode route

#

interface GigabitEthernet0/5

 port link-mode route

 ip address 10.10.20.1 255.255.255.0

 packet-filter name GigabitEthernet0/5 inbound

 nat hairpin enable

 ip policy-based-route guding

#

security-zone name Local

#

security-zone name Trust

#

security-zone name DMZ

#

security-zone name Untrust

#

security-zone name Management

#

 scheduler logfile size 16

#

line class console

 user-role network-admin

#

line class tty

 user-role network-operator

#

line class vty

 user-role network-operator

#

line con 0

 user-role network-admin

#

line vty 0 4

 authentication-mode scheme

 user-role network-admin

 user-role network-operator

#

line vty 5 63  

 authentication-mode scheme

 user-role network-operator

#

 ip route-static 0.0.0.0 0 100.100.100.1

 ip route-static 0.0.0.0 0 172.10.2.1 preference 100

 ip route-static 0.0.0.0 0 10.10.100.1

 ip route-static 0.0.0.0 0 10.10.101.1 preference 100

 ip route-static 10.10.80.240 28 10.10.20.2

 ip route-static 110.110.0.0 24 10.10.20.2

 ip route-static 172.10.10.0 24 10.10.20.2

 ip route-static 172.10.11.0 24 10.10.20.2

 ip route-static 172.10.12.0 24 10.10.20.2

 ip route-static 172.10.13.0 24 10.10.20.2

 ip route-static 172.10.15.0 24 10.10.20.2

 ip route-static 172.10.20.0 22 10.10.20.2

 ip route-static 172.10.100.0 24 10.10.20.2

#

 undo info-center enable

#

acl advanced 3001

 rule 0 permit ip source 172.10.11.0 0.0.0.255

 rule 5 permit ip source 172.10.12.0 0.0.0.255

 rule 10 permit ip source 172.10.10.100 0

 rule 15 permit ip source 172.10.13.0 0.0.0.255

 rule 20 permit ip source 110.110.0.0 0.0.0.255

 rule 25 permit ip source 10.10.80.240 0.0.0.14

#

acl advanced 3003

 rule 5 permit ip source 172.10.10.0 0.0.0.255

#

acl advanced 3004

 rule 0 permit ip source 172.10.20.0 0.0.0.255

 rule 5 permit ip source 172.10.21.0 0.0.0.255

 rule 10 permit ip source 172.10.22.0 0.0.0.255

 rule 15 permit ip source 172.10.23.0 0.0.0.255

#

acl advanced 3005

 rule 0 permit ip source 110.110.0.0 0.0.0.255

#

acl advanced name GigabitEthernet0/5

 rule 5 deny ip source 172.10.11.57 0

 rule 5 comment 1

 rule 10 deny ip source 172.10.11.56 0

 rule 10 comment 2

 rule 15 deny ip source 172.10.11.42 0

 rule 15 comment 2

 rule 20 deny ip source 172.10.11.97 0

 rule 20 comment 4

 rule 30 deny ip source 172.10.11.107 0

 rule 30 comment 5

 rule 35 deny ip source 172.10.11.98 0

 rule 35 comment

 rule 40 deny ip source 172.10.11.102 0

 rule 40 comment

 rule 45 deny ip source 172.10.11.46 0

 rule 45 comment

 rule 50 deny ip source 172.10.11.53 0

 rule 50 comment

 rule 55 deny ip source 172.10.11.63 0

 rule 55 comment

 rule 60 deny ip source 172.10.11.150 0

 rule 60 comment

 rule 65 deny ip source 172.10.11.151 0

 rule 65 comment

 rule 70 deny ip source 172.10.11.86 0

 rule 70 comment

 rule 75 deny ip source 172.10.11.249 0

 rule 75 comment

 rule 80 deny ip source 172.10.11.60 0

 rule 80 comment

 rule 85 deny ip source 172.10.11.66 0

 rule 85 comment

 rule 90 deny ip source 172.10.11.103 0

 rule 90 comment

 rule 95 deny ip source 172.10.11.105 0

 rule 95 comment

 rule 100 deny ip source 172.10.11.106 0

 rule 100 comment

 rule 115 deny ip source 172.10.11.3 0

 rule 115 comment

 rule 120 deny ip source 172.10.11.84 0

 rule 120 comment

 rule 125 deny ip source 172.10.11.41 0

 rule 125 comment

 rule 130 deny ip source 172.10.11.108 0

 rule 130 comment

 rule 135 deny ip source 172.10.11.71 0

 rule 135 comment

 rule 140 deny ip source 172.10.11.74 0

 rule 140 comment

 rule 145 deny ip source 172.10.11.90 0

 rule 145 comment

 rule 155 deny ip source 172.10.12.6 0

 rule 155 comment

 rule 170 deny ip source 172.10.11.65 0

 rule 170 comment

 rule 205 deny ip source 172.10.11.36 0

 rule 205 comment

#

acl advanced name g0/05

#

acl advanced name g0/5

#

domain system

 authentication ppp local

#

 domain default enable system

#

role name level-0

 description Predefined level-0 role

#

role name level-1

 description Predefined level-1 role

#

role name level-2

 description Predefined level-2 role

#

role name level-3

 description Predefined level-3 role

#

role name level-4

 description Predefined level-4 role

#

role name level-5

 description Predefined level-5 role

#

role name level-6

 description Predefined level-6 role

#

role name level-7

 description Predefined level-7 role

#

role name level-8

 description Predefined level-8 role

#

role name level-9

 description Predefined level-9 role

#              

role name level-10

 description Predefined level-10 role

#

role name level-11

 description Predefined level-11 role

#

role name level-12

 description Predefined level-12 role

#

role name level-13

 description Predefined level-13 role

#

role name level-14

 description Predefined level-14 role

#

user-group system

#

local-user admin class manage

 password hash $h$6$3SchHC3Z+Mv7B3KD$qxGKSGA43NlfcQnmUVnK3XlxNT0dAAkzU42F3o3ULygQ1Rg+CRNPNzPaL2wc9k+Rb8m3TLtb/5K8Gjr5rDPqhQ==

 service-type telnet http https

 authorization-attribute user-role level-15

 authorization-attribute user-role network-admin

#              

local-user h3c class manage

 password hash $h$6$wgFVi1CyKLfEsWzA$1T+d2ClFy0wfB4VomkTm+vk0OnXHlmDPqvpTqokB8C81NJeZpF92t5PEm1ZBUP3w58AT79yxDV9LTEtcakzBnQ==

 service-type telnet

 authorization-attribute user-role level-15

 authorization-attribute user-role network-operator

#

local-user system class network

 password cipher $c$3$B6NS3CGkRdav6z3W9v9jclwBauzVS/tIoA==

 service-type ppp

 authorization-attribute user-role network-operator

#

l2tp-group 1 mode lns

 allow l2tp virtual-template 1

 undo tunnel authentication

 tunnel name LNS

#

 l2tp enable

#

 ip http enable

 ip https enable

#

wlan global-configuration

 control-address disable

#

wlan ap-group default-group

#

 cloud-management server domain oasis.h3c.com

Best answer

Followers: 138  Following: 6

Hello, please note:

The external interface needs nat outbound configured; reference commands:

int gi 1/0/1
nat outbound
quit

In addition, a default route pointing to the public network must be configured.


interface GigabitEthernet0/1 port link-mode route combo enable copper ip address 100.100.100.100 255.255.255.0 ip last-hop hold nat hairpin enable nat outbound. It is configured.

皮皮不吃虾  posted 2021-07-17
1 answer
yyu (rank: five dan)
Followers: 4  Following: 0

Hello:

The external interface configuration in the screenshot has no nat outbound; I suggest adding it, and also adding a default route pointing to the public gateway.

interface GigabitEthernet0/1 port link-mode route combo enable copper ip address 100.100.100.100 255.255.255.0 ip last-hop hold nat hairpin enable nat outbound

皮皮不吃虾  posted 2021-07-17
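Both answers ask for the same two things (nat outbound on the public interface and a default route), and the question itself shows nat hairpin enable on both interfaces. As an added illustration that is not code from this thread or from H3C, the following Python script parses a trimmed, constructed excerpt of the posted Comware configuration and checks those prerequisites mechanically: it finds the nat server mapping for the target port, confirms nat outbound on that public interface and a default route, and resolves (connected subnet first, then longest-prefix static route) which interface the client's traffic enters on, which is where nat hairpin enable has to be present. Interface names, addresses and ports come from the question; the parser and the route lookup are assumptions of this example.

```python
import re
import ipaddress
# Constructed excerpt of the MSR3620 config posted above (public G0/1, inside-facing G0/5, routes); not the full dump.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 100.100.100.100 255.255.255.0
 nat outbound
 nat server protocol tcp global 100.100.100.100 8089 inside 172.10.11.48 8089
#
interface GigabitEthernet0/5
 ip address 10.10.20.1 255.255.255.0
 nat hairpin enable
#
 ip route-static 0.0.0.0 0 100.100.100.1
 ip route-static 172.10.11.0 24 10.10.20.2
"""
NAT_SERVER = re.compile(r"nat server protocol \w+ global (\S+) (\d+) inside (\S+) (\d+)")

def parse_config(text):  # -> ({interface: [lines]}, global lines) from a 'display current-configuration' dump
    ifaces, glob, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                              # a bare '#' closes the current view
            cur = None
        elif line.startswith("interface ") and not raw.startswith(" "):
            cur = line.split()[1]; ifaces[cur] = []
        elif line:
            (ifaces[cur] if cur else glob).append(line)
    return ifaces, glob

def ingress_interface(ifaces, glob, host):  # interface on which traffic from host enters the router
    nets = [(n, ipaddress.ip_interface("/".join(l.split()[2:])).network)
            for n, ls in ifaces.items() for l in ls if l.startswith("ip address ")]
    routes = [(ipaddress.ip_network("/".join(p[2:4]), strict=False), p[4]) for p in map(str.split, glob) if p[:2] == ["ip", "route-static"]]
    host = ipaddress.ip_address(host)
    best = max((r for r in routes if host in r[0]), key=lambda r: r[0].prefixlen, default=None)  # longest prefix
    targets = [host] + ([ipaddress.ip_address(best[1])] if best else [])  # connected subnet first, then next hop
    return next((n for t in targets for n, net in nets if t in net), None)

def check_hairpin(text, global_ip, global_port, client_ip):  # prerequisites for reaching global_ip:port from inside
    ifaces, glob = parse_config(text)
    hits = [(n, m) for n, ls in ifaces.items() for m in map(NAT_SERVER.match, ls)
            if m and m[1] == global_ip and int(m[2]) == global_port]
    pub, m = hits[-1] if hits else (None, None)
    res = {"mapping": (m[3], int(m[4])) if m else None, "public_if": pub}
    res["public_if_nat_outbound"] = pub is not None and "nat outbound" in ifaces[pub]
    res["default_route"] = any(l.startswith("ip route-static 0.0.0.0 0 ") for l in glob)
    res["client_if"] = cif = ingress_interface(ifaces, glob, client_ip)  # hairpin must be enabled where the client enters
    res["client_if_hairpin"] = cif is not None and "nat hairpin enable" in ifaces[cif]
    return res
```

Running check_hairpin(SAMPLE_CONFIG, "100.100.100.100", 8089, "172.10.11.7") on the full dump in the question reports every prerequisite as present, which is consistent with the asker's reply that the suggested lines are already configured; the same function run over a dump that lacks nat hairpin enable on the client's ingress interface flags that field as False.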
