• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

防火墙出口策略路由不生效,请各位帮忙看看是什么地方不行

2022-06-17提问
  • 0关注
  • 1收藏,1508浏览
粉丝:1人 关注:0人

问题描述:


这是防火墙一口与核心相接的口  已经匹配了neiwang的路由策略

-----------------------


这是防火墙13口的专线

----------------------


这是匹配我现在电脑网段的ACL

--------------------------


这是我做测试用的一个节点,其他节点我没配置ACL,就是配置了这一个,应该没关系吧。


查看匹配这个段的流量是有的,但是没生效


走的还是默认路由的专线

--------------------


只有这一条默认路由,我现在就是不想走这条默认路由,走其他专线,但是失败了,请问我有哪里漏配或者是配置错了吗

组网及组网描述:


5 个回答
已采纳
粉丝:97人 关注:1人

负载均衡优先

ok了 谢谢

zhiliao_SI5CzD 发表时间:2022-06-17 更多>>

那我应该要如何把策略的优先级调高呢 或者把负载均衡关闭

zhiliao_SI5CzD 发表时间:2022-06-17

只能把负载均衡禁用

IT钟点工 发表时间:2022-06-17

ok了 谢谢

zhiliao_SI5CzD 发表时间:2022-06-17
粉丝:160人 关注:1人

你的node5不是跟你这个一样的吗

会话清空一下,或者重启下设备

叫我靓仔 发表时间:2022-06-17 更多>>

你好 我把20删掉了 保留了5 还是一样走的默认路由专线

zhiliao_SI5CzD 发表时间:2022-06-17

会话清空一下,或者重启下设备

叫我靓仔 发表时间:2022-06-17
知了小白
粉丝: 关注:

贴全配置吧

你好已经贴了 请帮忙看看

zhiliao_SI5CzD 发表时间:2022-06-17 更多>>

你好已经贴了 请帮忙看看

zhiliao_SI5CzD 发表时间:2022-06-17
粉丝:1人 关注:0人

#
version 7.1.064, Release 8860P18
#
sysname FW
#
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1 name 会议预约
port-range 1080 1080
#
nat alg h323
nat alg ils
nat alg mgcp
nat alg nbt
nat alg rsh
nat alg sccp
nat alg sctp
nat alg sip
nat alg sqlnet
nat alg tftp
nat alg xdmcp
#
dns server 8.8.8.8
dns server 114.114.114.114
ip host ***.*** 192.168.12.2
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 700
#
object-group ip address dahuafk
0 network host address 192.168.1.240
#
object-group ip address dahua鏈嶅姟鍣?
0 network host address 192.168.1.240
#
object-group ip address fkxt
0 network host address 192.168.12.2
#
object-group ip address KF_CRM
0 network host address 192.168.1.244
#
object-group ip address 会议预约系统
0 network host address 192.168.12.2
#
object-group ip address 内网
0 network subnet 172.16.100.0 255.255.255.0
#
object-group service 1080
0 service tcp destination eq 1080
#
object-group service 1080dk
#
object-group service 8080
description 8080
0 service tcp destination eq 8080
#
object-group service 8100
0 service tcp destination eq 8100
#
object-group service 8314绔彛
0 service tcp destination eq 8314
#
object-group service 8910绔彛
0 service tcp destination eq 8910
#
object-group service 9100
0 service tcp destination eq 9100
#
object-group service 会议预约
description 会议预约系统
0 service tcp destination eq 1080
#
policy-based-route neiwang permit node 5
if-match acl 3000
apply next-hop 120.234.173.49
#
policy-based-route neiwang permit node 10
if-match acl 3002
apply next-hop 183.24.99.73
#
policy-based-route neiwang permit node 30
if-match acl 3001
apply next-hop 183.62.30.121
#
policy-based-route neiwang permit node 100
#
nqa template icmp 1
#
interface NULL0
#
interface Vlan-interface700
#
interface GigabitEthernet1/0/0
port link-mode route
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.10.10.1 255.255.255.0
manage https inbound
manage ping inbound
manage ssh inbound
manage telnet inbound
ip policy-based-route neiwang
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
description yidong1000M
bandwidth 1000000
speed 1000
ip address 120.234.173.50 255.255.255.248
gateway 120.234.173.49
#
interface GigabitEthernet1/0/14
port link-mode route
description dianxin
bandwidth 50000
mtu 1492
ip address 183.62.30.122 255.255.255.248
ip address 183.62.30.123 255.255.255.248 sub
ip address 183.62.30.124 255.255.255.248 sub
tcp mss 1022
nat server protocol tcp global 183.62.30.122 1080 inside 192.168.12.2 1080 rule ServerRule_2
nat server protocol tcp global 183.62.30.122 9100 inside 192.168.1.244 9100 rule ServerRule_1
#
interface GigabitEthernet1/0/15
port link-mode route
description GuideWan Interface
bandwidth 100000
ip address 183.24.99.75 255.255.255.248
dns server 202.96.128.86
dns server 202.96.128.166
nat outbound
nat server protocol tcp global 183.24.99.74 1080 inside 192.168.12.2 1080 rule ServerRule_3
nat server protocol tcp global 183.24.99.74 8314 inside 192.168.1.240 443 rule ServerRule_5
nat server protocol tcp global 183.24.99.75 1080 inside 192.168.12.2 1080 rule ServerRule_4
gateway 183.24.99.73
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/24
port link-mode route
#
interface GigabitEthernet1/0/25
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
interface M-GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/26
port link-mode route
#
interface Ten-GigabitEthernet1/0/27
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface Vlan-interface700
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/13
import interface GigabitEthernet1/0/14
import interface GigabitEthernet1/0/15
#
security-zone name Management
import interface M-GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role level-15
user-role network-admin
#
line vty 5 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 183.24.99.73
ip route-static 172.16.0.0 16 10.10.10.2
ip route-static 192.168.0.0 16 10.10.10.2
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
performance-management
#
ssh server enable
ssh server authentication-retries 5
#
acl advanced 3000
rule 0 permit ip source 192.168.12.0 0.0.0.255
rule 5 deny ip
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$hTAQM9XSiLWjqxcm$5RiqvDVLlTVtKuRC4QifIFVGtgcMtkbpspnRYO6RiwjfaO1qy+wooRZ7SBHnzt82k446Ic/hfQCyhaGJPO561A==
service-type ssh terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
public-key peer 127.0.0.1
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100B8D57F1F30F907D2
D34EBB8171E6483CC55F5BF1121D0952A337D747D9FFF5AB2DF0F534B5AB8C88186BD1CF6C
EC4A9D30429A68E489BD15DCC459C4E030008E3C68D187D3C69BACE875771312BBDB699F10
3509D266DF919E2FD87D80868D6326429212BF009A658D0D55579400B4F57110212313410A
53411C024969BCB0730203010001
public-key-code end
peer-public-key end
#
public-key peer 172.16.100.5
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100C75BDDEA9148BB63
C4D7843F9AF34C25B15DBC6CE465A8E854301865AAF83E6103CC43B2E25468E5882B86B1B4
86D654001DBF80CE67DD133FDA3C45879B3B9411EAE3A3D5107B22C0A6778A9BC1042FAD33
1EB3E17874ECB6F34EAE21C8363FD6B774BD9870E2FE65E364398EECB5FEBF3CA6FBE23FB0
34B7F577BCD813AF550203010001
public-key-code end
peer-public-key end
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
session statistics enable
session synchronization enable
#
ipsec logging negotiation enable
#
nat global-policy
rule name GlobalPolicyRule_1
description GuideNat
source-zone Trust
destination-zone Untrust
action snat easy-ip
#
ike logging negotiation enable
#
ip https enable
#
blacklist global enable
#
app-profile 0_IPv4
ips apply policy default mode protect
data-filter apply policy default
file-filter apply policy default
anti-virus apply policy default mode protect
waf apply policy default mode protect
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect block-source parameter-profile waf_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect capture parameter-profile waf_capture_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
inspect redirect parameter-profile waf_redirect_default_parameter
#
loadbalance link-group 电信
predictor hash address source
fail-action reschedule
transparent enable
probe 1
success-criteria at-least 1
link dianxin
success-criteria at-least 1
probe 1
link guidewan
success-criteria at-least 1
probe 1
#
loadbalance class 1 type link-generic match-any
match 1 source ip address 0.0.0.0 0
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
forward all
#
loadbalance action ob$action$#for#1 type link-generic
link-group 电信
fallback-action continue
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
class 1 action ob$action$#for#1
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
bandwidth interface statistics enable
service enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
loadbalance alg h323
loadbalance alg ils
loadbalance alg mgcp
loadbalance alg nbt
loadbalance alg rsh
loadbalance alg sccp
loadbalance alg sip
loadbalance alg sqlnet
loadbalance alg tftp
loadbalance alg xdmcp
#
loadbalance link dianxin
router ip 183.62.30.121
success-criteria at-least 1
#
loadbalance link guidewan
router ip 183.24.99.73
success-criteria at-least 1
#
traffic-policy
profile name chinatelnet
bandwidth downstream guaranteed 30000
bandwidth downstream maximum 150000
bandwidth upstream guaranteed 30000
bandwidth upstream maximum 150000
bandwidth average enable
per-ip bandwidth-threshold-detect enable
per-ip bandwidth-threshold max-value 50000
per-ip bandwidth-threshold min-value 10000
per-ip bandwidth-threshold-learn enable
per-ip bandwidth-threshold-learn duration 60
per-ip bandwidth-threshold-learn tolerance max-value 100
per-ip bandwidth-threshold-learn tolerance min-value 100
#
scd learning
source-ip 会议预约系统
auto-learn enable period one-hour
#
security-policy ip
rule 0 name 1
action pass
profile 0_IPv4
rule 1 name GuideSecPolicy
action pass
source-zone Trust
destination-zone Untrust
destination-zone DMZ
rule 4 name secpolicy6
action pass
source-zone Untrust
destination-zone Local
destination-ip-range 183.24.99.74 183.24.99.78
destination-ip-range 183.62.30.122 183.62.30.125
rule 10 name dkys
action pass
source-zone Untrust
destination-zone Trust
destination-ip KF_CRM
service 9100
rule 11 name huiyiyuyue
action pass
source-zone Untrust
destination-zone Trust
destination-ip 会议预约系统
service 1080
rule 12 name fkxt
action pass
counting enable
source-zone Untrust
destination-zone Trust
destination-ip fkxt
service 1080dk
service 1080
rule 13 name dahuafk
action pass
source-zone Untrust
destination-zone Trust
destination-ip dahuafk
service 8314绔彛
#
anti-virus signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
cloud-management server domain opstunnel-seccloud.h3c.com
#

return 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


粉丝:6人 关注:0人

你是做的策略路由吧,你应该是用错接口了,策略路由需要用在内网接口处,而不是出接口


编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明