h3c secpath f100-c-g2映射端口失败

映射后仍然无法访问视频，求解。

很简单的组网，三层交换机，下挂大华监控平台，要求映射到公网上，在公网访问大华的即时图像。

dis cu # version 7.1.064, Release 9510P11 # sysname ys-firewall # context Admin id 1 # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # password-recovery enable # vlan 1 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route combo enable copper ip address 192.168.0.1 255.255.255.0 # ---- More ---- interface GigabitEthernet1/0/1 port link-mode route combo enable fiber # interface GigabitEthernet1/0/2 port link-mode route ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet1/0/3 port link-mode route # interface GigabitEthernet1/0/4 port link-mode route description to-ysswitch ip address 192.168.10.2 255.255.255.252 # interface GigabitEthernet1/0/5 port link-mode route description wan ip address x.x.x.x 255.255.255.252 nat outbound 2000 nat server protocol tcp global x.x.x.x 9000 inside 192.168.1.2 9000 nat server protocol tcp global x.x.x.x 8080 inside 192.168.1.2 80 …… # ---- More ---- interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/4 # ---- More ---- security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/5 # security-zone name Management import interface GigabitEthernet1/0/0 import interface GigabitEthernet1/0/2 # zone-pair security source Local destination Trust packet-filter 3000 # zone-pair security source Trust destination Local packet-filter 3000 # zone-pair security source Trust destination Untrust packet-filter 3000 # zone-pair security source Untrust destination Trust packet-filter 3000 # scheduler logfile size 16 # ---- More ---- line class aux user-role network-operator # line class console authentication-mode scheme user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 123.235.2.85 ip route-static 192.168.1.0 24 192.168.10.1 # ---- More ---- undo info-center enable # ssh server enable sftp server enable # acl basic 2000 rule 0 permit source 192.168.1.2 0 # acl advanced 3000 rule 0 permit ip # acl advanced 3001 rule 0 permit tcp destination 192.168.1.2 0 destination-port eq 9000 # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role ---- More ---- # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 ---- More ---- description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage ---- More ---- password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ== service-type ssh terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # ip https enable # return [ys-firewall]