问题描述:
如题,昨天内网端口G0/1设置PBR后,想把192.168.0.0 0.0.255.255走115.1.1.1专线。172.168.0.0 0.0.255.255走110.1.1.1专线。现在G0/0和G0/1端口映射的端口全部失效。小白一枚,麻烦大神根据指正下,也请标注下命令行的注释
组网及组网描述:
<MSR3640>dis cu
#
version 7.1.049, Release 0106P21
#
sysname MSR3640
#
clock protocol none
#
telnet server enable
#
ip pool vpn_ip 10.10.0.2 10.10.0.254
#
ip unreachables enable
ip ttl-expires enable
#
password-recovery enable
#
vlan 1
#
vlan 10
#
dhcp server ip-pool h3c
#
dhcp server ip-pool vpn
#
policy-based-route wan permit node 8 #VPN走这条线
if-match acl 3002
#
policy-based-route wan permit node 10 #172.168.0.0 0.0.255.255全部走联通
if-match acl 3001
apply next-hop 101.1.1.1(联通)
#
policy-based-route wan permit node 20 #192.168.0.0 0.0.255.255走电信(服务器网段是192.168.30.0 0.0.0.255)
if-match acl 3000
apply next-hop 115.1.1.1(电信)
#
nqa entry admin test
type icmp-echo
destination ip 115.1.1.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Virtual-Template9
ppp authentication-mode pap
ppp ipcp dns 192.168.3.3 192.168.3.7
remote address pool vpn_ip
ip address 10.10.0.1 255.255.255.0
#
interface Virtual-Ethernet0
#
interface NULL0
#
interface GigabitEthernet0/0 (电信)
port link-mode route
combo enable copper
ip address 115.1.1.1 255.255.255.248
nat outbound 3000
nat server protocol tcp global 115.1.1.1 22 inside 192.168.30.249 23531
nat server protocol tcp global 115.1.1.1 80 inside 192.168.30.15 80
nat server protocol tcp global 115.1.1.1 88 inside 192.168.30.15 80
nat server protocol tcp global 115.1.1.1 443 inside 192.168.30.15 443
nat server protocol tcp global 115.1.1.1 1935 inside 192.168.30.242 1935
nat server protocol tcp global 115.1.1.1 5080 inside 192.168.30.242 5080
nat server protocol tcp global 115.1.1.1 5222 inside 192.168.3.6 5222
nat server protocol tcp global 115.1.1.1 5280 inside 192.168.3.6 5280
attack-defense apply policy 1
ipsec apply policy t1
#
interface GigabitEthernet0/1 #内网端口调用PBR
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
nat hairpin enable
ip policy-based-route wan
#
interface GigabitEthernet0/2 (联通)
port link-mode route
ip address 101.1.1.1 255.255.255.248
nat outbound 3001
nat server protocol tcp global 101.1.1.1 22 inside 192.168.30.249 23531
nat server protocol tcp global 101.1.1.1 80 inside 192.168.30.15 80
nat server protocol tcp global 101.1.1.1 443 inside 192.168.30.15 443
nat server protocol tcp global 101.1.1.1 5222 inside 192.168.3.6 5222
nat server protocol tcp global 101.1.1.1 5280 inside 192.168.3.6 5280
nat server protocol tcp global 101.1.1.1 7777 inside 192.168.3.6 7777
nat server protocol tcp global 101.1.1.1 8000 inside 192.168.3.6 8000
nat server protocol tcp global 101.1.1.1 8008 inside 192.168.30.222 8008
nat server protocol tcp global 101.1.1.1 8081 inside 192.168.30.210 8080
nat server protocol tcp global 101.1.1.1 8443 inside 192.168.30.210 8443
nat server protocol tcp global 101.1.1.1 8881 inside 192.168.30.202 8080
nat server protocol tcp global 101.1.1.1 9000 inside 192.168.3.6 9000
nat server protocol tcp global 101.1.1.1 10053 inside 192.168.30.205 80
nat server protocol udp global 1101.1.1.1 3478 inside 192.168.30.210 3478
nat server protocol tcp global current-interface 888 inside 192.168.30.225 80
nat server protocol tcp global current-interface 8880 inside 192.168.30.225 8088
nat server protocol tcp global current-interface 9443 inside 192.168.30.15 9443
ipsec apply policy yptc
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-operator
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 101.1.1.1 preference 80
ip route-static 0.0.0.0 0 115.1.1.1 track 1
#
snmp-agent
snmp-agent local-engineid 800063A2803C8C40C31AE700
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info contact 1617411680.6367345
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.30.8 udp-port 161 params securityname public v2c
#
ssh server enable
ssh server authentication-retries 1
ssh server authentication-timeout 10
#
arp static 192.168.30.234 3496-724d-8a98
#
acl number 3000
rule 5 deny ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 6 permit ip source 192.168.0.0 0.0.255.255
rule 10 permit ip source 192.168.30.0 0.0.0.255
rule 11 permit tcp source 192.168.30.0 0.0.0.255
rule 12 permit tcp source 192.168.30.249 0 destination 192.168.100.1 0
rule 50 permit ip source 10.10.0.0 0.0.0.255
rule 51 permit tcp source 10.10.0.0 0.0.0.255
rule 1001 permit tcp source 192.168.0.0 0.0.255.255
#
acl number 3001
rule 4 deny ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 6 permit tcp source 172.168.0.0 0.0.255.255
rule 7 permit ip source 172.168.0.0 0.0.255.255
rule 10 permit ip source 10.10.0.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 11 permit tcp source 10.10.0.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
#
acl number 3002
rule 10 permit ip destination 10.10.0.0 0.0.255.255
- 2022-07-05提问
- 举报
-
(0)
您好,看配置没问题呀
- 2022-07-05回答
- 评论(1)
- 举报
-
(0)
但是实际运用后数据库的这些全部挂掉了,会不会是ACL那边有问题?
可能是存在敏感业务,对数据的来回路径不合法导致(设备上存在PBR引流)
- 2022-07-05回答
- 评论(1)
- 举报
-
(0)
什么意思?能否说的详细点?
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
我是在内网口应用的,G0/1,您可以在看下
3001 把 rule 4 删除试试