Hi everyone! The firewall model is F-1000-S-AI. GigabitEthernet0/1 is the China Mobile uplink (fixed IP 183.230.38.67), GigabitEthernet0/2 is the internal interface facing the core switch, and GigabitEthernet0/3 is the China Telecom uplink (fixed IP 183.64.79.178).
Problem: after adding this command on the internal interface GigabitEthernet0/2 (policy-based-route internet), the internally mapped NAT addresses can no longer be reached via the public fixed IPs from the IPs in acl number 2002 and acl number 2003. For example, the two NAT entries below can only be reached via the internal address (http://10.0.0.66:9090), not via the Telecom or Mobile public fixed IPs, http://183.64.79.178:9090 and http://183.230.38.67:9090.
The NAT entries on the internal interface GigabitEthernet0/2 are, for example: nat server protocol tcp global 183.64.79.178 9090 inside 10.0.0.66 9090
nat server protocol tcp global 183.230.38.67 9090 inside 10.0.0.66 9090
As soon as the command is removed (undo policy-based-route internet on the internal interface), the IPs in acl number 2002 and acl number 2003 can access them again.
The F-1000-S-AI firewall configuration is as follows:
[F-1000]dis cu
#
version 5.20, Release 3732
#
sysname F-1000
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
telnet server enable
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
undo password-recovery enable
#
blacklist enable
#
time-range moring 08:15 to 12:00 working-day Sat
time-range workingx 13:30 to 17:45 working-day Sat
#
acl number 2000
rule 0 permit source 192.168.8.44 0
rule 134 permit
acl number 2002
rule 5 permit source 192.168.50.31 0
acl number 2003
acl number 2005
description deny wan
#
vlan 1
#
vlan 1000
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
policy-based-route test1 permit node 2
if-match acl 2002
apply ip-precedence network
apply output-interface GigabitEthernet0/3
apply ip-address next-hop 183.64.79.177
apply default output-interface GigabitEthernet0/1
apply ip-address default next-hop 183.230.38.1
#
policy-based-route internet permit node 1
if-match acl 2002
apply ip-address next-hop 183.64.79.177
policy-based-route internet permit node 5
if-match acl 2003
apply ip-address next-hop 183.230.38.1
#
user-group system
group-attribute allow-guest
#
local-user aaa
password cipher $c$3$JCtHM2AN23Mw2pj++IaE39Ij/iJB4nOnciFgmMRw
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
#
interface NULL0
#
interface LoopBack0
#
interface Vlan-interface1000
ip address 172.168.10.254 255.255.255.0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
description TO-yidongchukou
nat outbound 2005
nat outbound 2000
nat server protocol tcp global 183.230.38.67 443 inside 10.0.0.77 443
nat server protocol tcp global 183.230.38.67 4430 inside 10.0.0.77 4430
nat server protocol tcp global 183.230.38.67 8080 inside 10.0.0.99 8080
nat server 1 protocol udp global current-interface 500 inside 10.0.0.222 500
nat server 2 protocol udp global current-interface 4500 inside 10.0.0.222 4500
nat server 3 protocol tcp global current-interface 10443 inside 10.0.0.222 443
nat server 4 protocol tcp global current-interface 2222 inside 10.0.0.222 2222
nat server protocol tcp global 183.230.38.67 9090 inside 10.0.0.66 9090
nat server protocol tcp global 183.230.38.67 9080 inside 10.0.0.66 9080
nat server protocol tcp global 183.230.38.67 60080 inside 10.0.0.67 www
ip address 183.230.38.67 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
description TO-S7506e
nat outbound
nat server protocol tcp global 183.64.79.178 9090 inside 10.0.0.66 9090
nat server protocol tcp global 183.230.38.67 9090 inside 10.0.0.66 9090
ip address 100.100.100.2 255.255.255.0
ip policy-based-route internet
#
interface GigabitEthernet0/3
port link-mode route
description TO-dianxinchukou
nat outbound 2005
nat outbound 2000
nat server protocol tcp global 183.64.79.178 4430 inside 10.0.0.77 4430
nat server protocol tcp global 183.64.79.178 8080 inside 10.0.0.99 8080
nat server protocol tcp global 183.64.79.178 443 inside 10.0.0.77 443
nat server protocol tcp global 183.64.79.178 5000 inside 10.0.0.99 8080
nat server protocol tcp global 183.64.79.178 9090 inside 10.0.0.66 9090
nat server protocol tcp global 183.64.79.178 9080 inside 10.0.0.66 9080
ip address 183.64.79.178 255.255.255.248
#
interface GigabitEthernet0/4
port link-mode route
#
interface GigabitEthernet0/5
port link-mode route
#
interface GigabitEthernet0/6
port link-mode route
#
interface GigabitEthernet0/7
port link-mode route
#
interface GigabitEthernet0/8
port link-mode route
#
interface GigabitEthernet0/9
port link-mode route
#
interface GigabitEthernet0/10
port link-mode route
#
interface GigabitEthernet0/11
port link-mode route
#
nqa entry admin test1
type icmp-echo
destination ip 183.230.38.1
frequency 100
history-record enable
next-hop 183.230.38.1
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet0/2
import interface Vlan-interface1000
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface GigabitEthernet0/1
import interface GigabitEthernet0/3
switchto vd Root
object network subnet 192.168.14.90/255.255.255.0
subnet 192.168.14.90 255.255.255.0
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
interzone source Management destination Management
interzone source Local destination Trust
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Trust destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Trust destination Trust
interzone source Trust destination Untrust
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Untrust destination Trust
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
#
ip ip-prefix test index 10 permit 192.168.19.0 24
#
ip route-static 0.0.0.0 0.0.0.0 183.230.38.1 track 1
ip route-static 0.0.0.0 0.0.0.0 183.64.79.177 preference 70
ip route-static 0.0.0.0 0.0.0.0 172.168.10.1
ip route-static 10.0.0.0 255.255.255.0 100.100.100.1
ip route-static 10.80.254.0 255.255.255.0 100.100.100.1
ip route-static 10.80.255.0 255.255.255.0 100.100.100.1
ip route-static 192.168.2.0 255.255.255.0 100.100.100.1
ip route-static 192.168.3.0 255.255.255.0 100.100.100.1
ip route-static 192.168.4.0 255.255.255.0 100.100.100.1
ip route-static 192.168.5.0 255.255.255.0 100.100.100.1
ip route-static 192.168.6.0 255.255.255.0 100.100.100.1
ip route-static 192.168.7.0 255.255.255.0 100.100.100.1
ip route-static 192.168.8.0 255.255.255.0 100.100.100.1
ip route-static 192.168.9.0 255.255.255.0 100.100.100.1
ip route-static 192.168.10.0 255.255.255.0 100.100.100.1
ip route-static 192.168.11.0 255.255.255.0 100.100.100.1
ip route-static 192.168.12.0 255.255.255.0 100.100.100.1
ip route-static 192.168.13.0 255.255.255.0 100.100.100.1
ip route-static 192.168.14.0 255.255.255.0 100.100.100.1
ip route-static 192.168.15.0 255.255.255.0 100.100.100.1
ip route-static 192.168.16.0 255.255.255.0 100.100.100.1
ip route-static 192.168.17.0 255.255.255.0 100.100.100.1
ip route-static 192.168.18.0 255.255.255.0 100.100.100.1
ip route-static 192.168.19.0 255.255.255.0 100.100.100.1
ip route-static 192.168.20.0 255.255.255.0 100.100.100.1
ip route-static 192.168.21.0 255.255.255.0 100.100.100.1
ip route-static 192.168.50.0 255.255.255.0 100.100.100.1
#
track 1 nqa entry admin test1 reaction 1
#
nqa schedule admin test1 start-time now lifetime forever
#
ssh server enable
#
ip https port 4321
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
return
(0)
Best answer
Policy-based routing forces traffic out of a particular interface, so if your NAT ACL and the policy-routed flow don't match, the traffic still gets forced out that interface by the policy route, it just can't be NATed any more. If you don't actually want forced traffic splitting, I'd suggest using equal-cost routes to build the multi-uplink setup.
(0)
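As an added example (not code from the thread or from H3C), here is a small Python audit script that parses a Comware-style configuration excerpt and flags the combination the answer points at: an interface that applies a policy-based route and also carries nat server mappings. For each node of that PBR it lists the ACL sources that get forced to the PBR next hop and the global NAT addresses configured on the same interface. The embedded excerpt is constructed from the posted config (acl 2003 and node 5 are left out for brevity) and the function and field names are my own.

```python
import re
# Constructed excerpt of the config posted in the thread (not the full dump).
SAMPLE_CONFIG = """\
acl number 2002
 rule 5 permit source 192.168.50.31 0
policy-based-route internet permit node 1
 if-match acl 2002
 apply ip-address next-hop 183.64.79.177
interface GigabitEthernet0/2
 nat server protocol tcp global 183.64.79.178 9090 inside 10.0.0.66 9090
 nat server protocol tcp global 183.230.38.67 9090 inside 10.0.0.66 9090
 ip policy-based-route internet
interface GigabitEthernet0/3
 nat server protocol tcp global 183.64.79.178 9090 inside 10.0.0.66 9090
"""

def parse(text):
    # ACL sources, PBR nodes (acl + next hop), per-interface nat server list and PBR binding
    acls, pbr, ifaces, ctx = {}, {}, {}, ("none",)
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"acl number (\d+)$", line):
            ctx = ("acl", m[1]); acls.setdefault(m[1], [])
        elif m := re.match(r"policy-based-route (\S+) permit node (\d+)$", line):
            ctx = ("pbr", m[1], int(m[2])); pbr.setdefault(m[1], {})[int(m[2])] = {}
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("if", m[1]); ifaces[m[1]] = {"nat_server": [], "pbr": None}
        elif ctx[0] == "acl" and (m := re.match(r"rule \d+ permit source (\S+) \S+$", line)):
            acls[ctx[1]].append(m[1])
        elif ctx[0] == "pbr" and (m := re.match(r"if-match acl (\d+)$", line)):
            pbr[ctx[1]][ctx[2]]["acl"] = m[1]
        elif ctx[0] == "pbr" and (m := re.match(r"apply ip-address next-hop (\S+)$", line)):
            pbr[ctx[1]][ctx[2]]["next_hop"] = m[1]
        elif ctx[0] == "if" and (m := re.match(r"nat server .*global (\S+) \S+ inside (\S+) \S+$", line)):
            ifaces[ctx[1]]["nat_server"].append((m[1], m[2]))
        elif ctx[0] == "if" and (m := re.match(r"ip policy-based-route (\S+)$", line)):
            ifaces[ctx[1]]["pbr"] = m[1]
    return acls, pbr, ifaces

def find_conflicts(text):
    # One finding per PBR node on an interface that has both an applied PBR and nat server
    # entries: (interface, pbr, node, acl, forced sources, next hop, global NAT addresses)
    acls, pbr, ifaces = parse(text)
    findings = []
    for name, data in ifaces.items():
        if data["pbr"] is None or not data["nat_server"]: continue
        globals_ = sorted({g for g, _ in data["nat_server"]})
        for node, spec in sorted(pbr.get(data["pbr"], {}).items()):
            acl = spec.get("acl")
            findings.append((name, data["pbr"], node, acl, acls.get(acl, []),
                             spec.get("next_hop"), globals_))
    return findings
```

Running find_conflicts(SAMPLE_CONFIG) reports GigabitEthernet0/2 only: host 192.168.50.31 (acl 2002) is forced to 183.64.79.177 while the interface also maps 183.64.79.178 and 183.230.38.67, which is exactly the hairpin case that stops working; GigabitEthernet0/3 has mappings but no PBR and is not reported.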
OK, thanks.