问题描述:
组网及组网描述:
如图,某局点出口组网:设备型号:F1000-AI-25 软件版本:Version 7.1.064, Release 8860P28
RBM+VRRP+NAT组网,联动VRRP主备切换正常,联通和移动的VRRP虚地址ping不通公网网关,NAT不能转换。
nat outbound接口地址可以转换,,,
FW1
nat address-group 1 移动
address X.200.76.212 X.X.76.212
vrrp vrid 112
#
nat address-group 2 联通
address X.56.36.196 X.X.36.196
vrrp vrid 113
#
interface GigabitEthernet1/0/12
port link-mode route description YiDong-internet
ip address X.200.76.210 255.255.255.0
vrrp vrid 112 virtual-ip X.200.76.212 active
nat outbound 3000 address-group 1
#
interface GigabitEthernet1/0/13
port link-mode route
description LianTong-internet
ip address X.56.36.194 255.255.255.224
vrrp vrid 113 virtual-ip X.56.36.196 active
nat outbound 3000 address-group 2
#
acl advanced 3000 description NAT-OUT
rule 1000 permit ip
#
ip route-static 0.0.0.0 0 X.56.36.193
ip route-static 0.0.0.0 0 X.200.76.1 preference 50
#
security-zone name Untrust
import interface GigabitEthernet1/0/12
import interface GigabitEthernet1/0/13
#
security-policy ip
rule 1 name any
action pass
#
# interface GigabitEthernet1/0/14
port link-mode route description RBM
port link-aggregation group 64
#
interface GigabitEthernet1/0/15
port link-mode route description RBM
port link-aggregation group 64
#
remote-backup group
data-channel interface Route-Aggregation64
configuration sync-check interval 12
delay-time 1
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
FW2
nat address-group 1 移动
address X.200.76.212 X.X.76.212
vrrp vrid 112
#
nat address-group 2 联通
address X.56.36.196 X.X.36.196
vrrp vrid 113
#
interface GigabitEthernet1/0/12
port link-mode route description YiDong-internet
ip address X.200.76.211 255.255.255.0
vrrp vrid 112 virtual-ip X.200.76.212 active
nat outbound 3000 address-group 1
#
interface GigabitEthernet1/0/13
port link-mode route
description LianTong-internet
ip address X.56.36.195 255.255.255.224
vrrp vrid 113 virtual-ip X.56.36.196 active
nat outbound 3000 address-group 2
#
acl advanced 3000 description NAT-OUT
rule 1000 permit ip
#
ip route-static 0.0.0.0 0 X.56.36.193
ip route-static 0.0.0.0 0 X.200.76.1 preference 50
#
security-zone name Untrust
import interface GigabitEthernet1/0/12
import interface GigabitEthernet1/0/13
#
security-policy ip
rule 1 name any
action pass
#
# interface GigabitEthernet1/0/14
port link-mode route description RBM
port link-aggregation group 64
#
interface GigabitEthernet1/0/15
port link-mode route description RBM
port link-aggregation group 64
#
remote-backup group
data-channel interface Route-Aggregation64
configuration sync-check interval 12
delay-time 1
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role se
#
- 2023-02-16提问
- 举报
-
(0)
没有看见安全策略,安全策略有放通vrrp虚地址所属域访问untrust吗?
- 2023-02-16回答
- 评论(1)
- 举报
-
(0)
VRRP对上的,直接全放通的,any
2台F1000-9370-AI,公网IP只有一个,FWA FWB物理接口采用随机同网段,虚IP为实际的公网IP地址,跟你一样的部署方法,一样的配置,出现问题也一模一样,请问楼主最后怎么处理的呢?
- 2024-03-28回答
- 评论(1)
- 举报
-
(0)
undo vrrp virtual-mac enable 关闭虚拟mac功能,但在90sp版本之后才实现。
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明