F1060防火墙配置ACL进行不同出口访问时,策略路由调用在下行三层聚合口后,网络所有网段直接不通了,麻烦请看看配置
[NJJYJ-F1060]dis cu
#
version 7.1.064, Release 9333P24
#
sysname NJJYJ-F1060
#
context Admin id 1
#
telnet server enable
telnet server acl 3200
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
track 2 nqa entry admin test2 reaction 2
#
track 3 nqa entry admin test3 reaction 3
#
track 4 nqa entry admin test4 reaction 4
#
track 5 nqa entry admin test5 reaction 5
#
ip unreachables enable
ip ttl-expires enable
#
dns server 222.222.222.222
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
object-group service xianzhi
0 service tcp source eq 445 destination eq 445
#
policy-based-route 1 permit node 1
if-match acl 3101
apply next-hop 123.183.163.97
#
policy-based-route 1 permit node 2
if-match acl 3102
apply next-hop 222.223.120.129
#
policy-based-route 1 permit node 3
if-match acl 3103
apply next-hop 222.223.121.193
#
policy-based-route 1 permit node 4
if-match acl 3104
apply next-hop 222.223.122.1
#
policy-based-route 1 permit node 5
if-match acl 3106
apply next-hop 222.223.111.1
#
policy-based-route 1 permit node 6
#
policy-based-route 1 permit node 7
if-match acl 3107
apply next-hop 123.183.160.1
#
policy-based-route 2 permit node 1
if-match acl 3101
apply next-hop 123.183.163.97
#
policy-based-route 2 permit node 2
if-match acl 3102
apply next-hop 222.223.120.129
#
policy-based-route 2 permit node 3
if-match acl 3103
apply next-hop 222.223.121.193
#
policy-based-route 2 permit node 4
if-match acl 3104
apply next-hop 222.223.122.1
#
policy-based-route 2 permit node 5
if-match acl 3106
apply next-hop 222.223.111.1
#
policy-based-route 2 permit node 7
if-match acl 3107
apply next-hop 123.183.160.1
#
nqa entry admin test1
type icmp-echo
destination ip 123.183.160.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 123.183.163.97
frequency 100
reaction 2 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry admin test3
type icmp-echo
destination ip 222.223.120.129
frequency 100
reaction 3 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry admin test4
type icmp-echo
destination ip 222.223.121.193
frequency 100
reaction 4 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry admin test5
type icmp-echo
destination ip 222.223.122.1
frequency 100
reaction 5 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry imclinktopologypleaseignore ping
type icmp-echo
destination ip 10.74.0.14
frequency 270000
#
nqa schedule admin test1 start-time now lifetime forever
nqa schedule admin test2 start-time now lifetime forever
nqa schedule admin test3 start-time now lifetime forever
nqa schedule admin test4 start-time now lifetime forever
nqa schedule admin test5 start-time now lifetime forever
nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000
#
interface Route-Aggregation1
link-aggregation mode dynamic
nat hairpin enable
#
interface Route-Aggregation10
description to--核心-G4/0/1_G4/0/3
ip address 10.74.0.2 255.255.255.240
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
port link-aggregation group 10
#
interface GigabitEthernet1/0/2
port link-mode route
port link-aggregation group 10
#
interface GigabitEthernet1/0/3
port link-mode route
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
ip address 123.183.160.52 255.255.255.192
nat outbound 3105
nat server protocol tcp global 116.131.137.66 3401 inside 10.74.4.50 3401 rule 内部服务器规则_38 disable description 营养餐1
nat server protocol tcp global 116.131.137.66 4986 inside 10.74.4.50 4986 rule 内部服务器规则_57 disable description 营养餐2
nat server protocol tcp global 116.131.137.66 8000 inside 10.74.4.100 8000 rule 内部服务器规则_10 disable description 明博2
nat server protocol tcp global 116.131.137.66 8010 inside 10.74.4.50 8010 rule 内部服务器规则_58 disable description 营养餐3
nat server protocol tcp global 116.131.137.66 8075 inside 10.74.4.50 8075 rule 内部服务器规则_59 disable description 营养餐4
nat server protocol tcp global 116.131.137.66 23389 inside 10.74.4.100 3389 rule 内部服务器规则_19 disable description 明博1
#
interface GigabitEthernet1/0/17
port link-mode route
ip address 123.183.163.101 255.255.255.224
nat outbound 3101
#
interface GigabitEthernet1/0/18
port link-mode route
ip address 222.223.120.136 255.255.255.192
nat outbound 3105
#
interface GigabitEthernet1/0/19
port link-mode route
ip address 222.223.111.10 255.255.255.128
nat outbound 3105
#
interface GigabitEthernet1/0/20
port link-mode route
ip address 222.223.121.195 255.255.255.192
nat outbound 3105
#
interface GigabitEthernet1/0/21
port link-mode route
shutdown
ip last-hop hold
nat outbound 3105
#
interface GigabitEthernet1/0/22
port link-mode route
ip address 222.223.122.7 255.255.255.224
nat outbound 3015
#
interface GigabitEthernet1/0/23
port link-mode route
description to-XingTaiShiJu
shutdown
#
object-policy ip Any-Any
rule 0 pass
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Untrust-Any
rule 0 pass
#
object-policy ip Untrust-Local
rule 0 pass
#
object-policy ip Untrust-Trust
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
import interface Route-Aggregation1
import interface Route-Aggregation10
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/16
import interface GigabitEthernet1/0/17
import interface GigabitEthernet1/0/18
import interface GigabitEthernet1/0/19
import interface GigabitEthernet1/0/20
import interface GigabitEthernet1/0/21
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
zone-pair security source Any destination Any
#
zone-pair security source Local destination Trust
packet-filter 2000
#
zone-pair security source Local destination Untrust
packet-filter 2000
#
zone-pair security source Management destination Local
packet-filter 2000
#
zone-pair security source Trust destination Local
packet-filter 2000
#
zone-pair security source Trust destination Trust
packet-filter 2000
#
zone-pair security source Trust destination Untrust
packet-filter 2000
#
zone-pair security source Untrust destination Any
object-policy apply ip Untrust-Any
#
zone-pair security source Untrust destination Local
packet-filter 2000
#
zone-pair security source Untrust destination Trust
packet-filter 2000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
authentication-mode scheme
user-role network-admin
user-role network-operator
#
ip route-static 0.0.0.0 0 123.183.163.97 preference 70
ip route-static 0.0.0.0 0 222.223.120.129 preference 75
ip route-static 0.0.0.0 0 222.223.121.193 preference 80
ip route-static 0.0.0.0 0 222.223.122.1 preference 85
ip route-static 0.0.0.0 0 222.223.111.1 preference 90
ip route-static 0.0.0.0 0 123.183.160.1
ip route-static 10.0.0.0 8 10.74.0.1
ip route-static 10.72.0.0 13 10.74.0.1
#
snmp-agent
snmp-agent local-engineid 800063A2803897D6AFCBC100000001
snmp-agent community read xtjyj-r
snmp-agent community write xtjyj-w
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.10.10.12 params securityname xtjyj-r v2c
snmp-agent target-host trap address udp-domain 10.74.2.253 params securityname xtjyj-r
snmp-agent trap queue-size 500
snmp-agent trap life 600
#
ssh server enable
ssh server port 20002
#
acl basic 2000
rule 0 permit
#
acl advanced 3000
rule 1 permit ip source 10.72.0.0 0.0.255.255
#
acl advanced 3001
rule 1 permit ip source 10.72.0.0 0.0.63.255
#
acl advanced 3002
rule 1 permit ip source 10.72.64.0 0.0.63.255
#
acl advanced 3003
rule 1 permit ip source 10.72.128.0 0.0.63.255
#
acl advanced 3004
rule 1 permit ip source 10.72.192.0 0.0.63.255
#
acl advanced 3013
#
acl advanced 3015
#
acl advanced 3101
rule 0 permit ip source 10.72.0.0 0.0.127.255
rule 1000 deny ip
#
acl advanced 3102
rule 0 permit ip source 10.72.128.0 0.0.127.255
rule 1000 deny ip
#
acl advanced 3103
rule 0 permit ip source 10.73.0.0 0.0.63.255
rule 1000 deny ip
#
acl advanced 3104
rule 0 permit ip source 10.73.64.0 0.0.63.255
rule 1000 deny ip
#
acl advanced 3105
rule 0 permit ip source 10.74.0.0 0.0.255.255
rule 1000 permit ip
#
acl advanced 3106
rule 0 permit ip source 10.73.128.0 0.0.127.255
rule 1000 deny ip
#
acl advanced 3107
rule 0 permit ip source 10.74.0.0 0.0.255.255
rule 1000 deny ip
#
acl advanced 3200
rule 0 permit ip source 10.74.2.0 0.0.0.255
rule 5 permit ip source 10.74.4.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$1l27yY025noQoTqp$lfp1Nz6SshIW0jTE4+TnqtCIrNT1WhSOaj+c0eLEF4fV7+wXQyDs6KuLeqK/OlhvAlXDEhW6sAM/KlgMNH70HA==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user dianxin class manage
password hash $h$6$yDjI+WB5MoJ/bjly$eN/QunAOhkrykUjjKz0g2pWbFZZwKKLAciqn13cOhIlAH7+XhUo+Rtj1KjqSV5YlCCmvC+7YByVTdB6dCUv59w==
service-type ssh terminal https
authorization-attribute user-role level-15
authorization-attribute user-role network-operator
#
public-key peer 127.0.0.1
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100C2010A0C357A540E
FF59B71C090CF104DCA97710851DF9F835453089FB28F86018D70096FE97BD6F2FC2B6507C
D823365783DB3CCCD7E3EE350543DBFD6CF599FDDB2ED1ACEDB81E6DCCD620136823F6C227
93FD3F44715D524BECB7ADC07BCD4A7D2BB0611B779E61EA130438367D9F9A47C15E27F9F8
6C8E80E1DD3B6FFAAB0203010001
public-key-code end
peer-public-key end
#
session statistics enable
#
ipsec logging negotiation enable
#
ike logging negotiation enable
#
ip http enable
ip https enable
webui log enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance class 1 type link-generic
match 1 acl 3101
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
forward all
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-aa
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
service enable
bandwidth interface statistics enable
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
return
[NJJYJ-F1060]