acl引起的问题
- 0关注
- 1收藏,1644浏览
问题描述:
现在的问题是在acl 3030对192.168.0.12做了deny在acl 3080对该地址进行放行。haipin是对整个网段192.168.0.0做的,现在这个haipin对地址192.168.0.12就不起作用了。是不是要对该地址192.168.0.12单独做haipin或者其他方案。谢谢
policy-based-route pbr_internet permit node 20
if-match acl 3020
apply next-hop 202.202.202.202
#
policy-based-route pbr_internet permit node 70
if-match acl 3080
apply next-hop 183.183.183.183
#
nqa entry admin test
type icmp-echo
destination ip 202.202.202.202
frequency 100
next-hop ip 202.202.202.202
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
#
interface GigabitEthernet1/0/6
port link-mode route
description link to 40M special line
ip address 202.202.202.200 255.255.255.224
tcp mss 1024
interface GigabitEthernet1/0/7
port link-mode route
description link to 10M special line
ip address 183.183.183.200 255.255.255.224
nat outbound 3080
nat server protocol tcp global 183.183.183.200 9999 inside 192.168.0.12 80
#
object-policy ip local_to_trust
rule 0 pass
#
object-policy ip local_to_untrust
rule 0 pass
#
object-policy ip trust_to_local
rule 0 pass
#
object-policy ip trust_to_untrust
rule 0 pass
#
object-policy ip untrust-trust
#
object-policy ip untrust_to_trust
rule 0 pass destination-ip add_server service service_port logging counting
#
security-zone name Local
#
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/7
zone-pair security source Any destination Any
#
zone-pair security source Local destination Trust
object-policy apply ip local_to_trust
#
zone-pair security source Local destination Untrust
object-policy apply ip local_to_untrust
#
zone-pair security source Trust destination Local
object-policy apply ip trust_to_local
#
zone-pair security source Trust destination Untrust
object-policy apply ip trust_to_untrust
#
zone-pair security source Untrust destination Trust
object-policy apply ip untrust_to_trust
#
scheduler logfile size 16
#
ip route-static 0.0.0.0 0 202.202.202.202 track 1
ip route-static 0.0.0.0 0 183.183.183.183
ip route-static 10.10.0.0 16 10.10.10.1
ip route-static 10.10.110.0 24 10.10.10.1
ip route-static 192.168.0.0 16 10.10.10.1
ip route-static 192.168.52.0 24 10.10.10.3
ip route-static 192.168.53.0 24 10.10.10.3
#
undo info-center enable
#
acl advanced 3000
rule 10 deny ip source 192.168.9.111 0
rule 20 permit ip
#
acl advanced 3030
rule 20 deny ip source 192.168.0.12 0
rule 30 permit ip source 192.168.0.0 0.0.0.255
acl advanced 3080
rule 10 permit ip source 192.168.0.12 0
interface Vlan-interface10
nat hairpin enable
ip policy-based-route pbr_internet
interface Vlan-interface10
nat hairpin enable
ip policy-based-route pbr_internet
- 2019-10-22提问
- 举报
-
(0)
最佳答案
hairpin需要流量出方向能命中对应的接口,然后对应的接口上同时存在nat server ,nat outbound
- 2019-10-22回答
- 评论(3)
- 举报
-
(0)
nat server和nat outbound已经做了啊
是不是out outbound做的不对啊
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
你看看终端的会话,是不是acl里的deny没用,导致流量还是从另外一个口出去了,把两个策略路由子句的顺序换一下试试