FAQ - Eudemon8000E-X3 V300R001C01SPC700: Internet-bound traffic is redirected, but the rule meant to pass intranet-to-intranet traffic without redirection does not take effect

Published: 2016-07-19   Views: 151   Downloads: 0
Problem description
On an Eudemon8000E-X3 running V300R001C01SPC700, Internet-bound traffic is redirected (policy routing) to an egress next hop. The configuration that is supposed to let intranet-to-intranet traffic through without redirection does not take effect.
The key configuration is as follows:
nat server 383 protocol icmp global 112.*.*.* inside 10.11.3.55 no-reverse
#
acl number 2001                    // intranet subnets whose Internet-bound traffic must be redirected
rule 1055 permit source 10.11.2.0 0.0.0.255
rule 1066 permit source 10.11.3.0 0.0.0.255
#
acl number 3008                    // traffic to the device itself and intranet-to-intranet traffic
rule 5 permit ip destination 172.16.0.0 0.0.255.255
rule 10 permit ip destination 10.0.0.0 0.255.255.255
rule 15 permit ip destination 118.121.27.0 0.0.0.31
rule 20 permit ip destination 112.54.93.0 0.0.0.127
rule 25 permit ip destination 124.161.245.0 0.0.0.255
#
traffic classifier class2 operator or
if-match acl 2001
#
traffic classifier 3008 operator or
if-match acl 3008
#
traffic behavior behavior2         // redirect Internet-bound traffic
redirect ip-nexthop 172.16.4.13 interface GigabitEthernet2/2/6
#
traffic behavior 3008              // traffic to the device itself and intranet-to-intranet traffic is not redirected
action permit
#
traffic policy policy1             // the CB pair that must not redirect is placed first in the traffic policy
share-mode
classifier 3008 behavior 3008
classifier class2 behavior behavior2
#
interface GigabitEthernet2/0/3
undo shutdown
ip address 10.10.0.25 255.255.255.252
traffic-policy policy1 inbound
#
Session table entry for an intranet host accessing the intranet server:

icmp VPN: public --> public
Zone: trust --> untrust Slot: 1 CPU: 3 TTL: 00:00:20 Left: 00:00:16
Interface: GigabitEthernet2/2/6 Nexthop: 172.16.4.13
<--packets: 0 bytes: 0 -->packets: 152 bytes: 9120
10.11.3.252:9[124.*.*.*:9] --> 112.*.*.*:2048[10.11.3.55:2048]

The session table entry above shows the flow leaving via GigabitEthernet2/2/6 with next hop 172.16.4.13: traffic destined for the intranet server is being redirected to the public-network egress, so the "no redirection" requirement is not met.
Solution

The two CB (classifier-behavior) pairs are of different types. CB pair 3008 is a flow-control pair (its behavior is a plain permit) and takes effect on the interface board, whereas the policy-routing CB pair (the redirect) takes effect on the service board. Traffic first reaches the interface board, where CB pair 3008 permits it; all traffic then continues to the service board, where it is matched once more against the redirect CB pair. The traffic that CB pair 3008 permitted is therefore matched a second time by the redirect CB pair and redirected to the public-network egress.
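The two-stage matching just described, as a constructed Python model added here (this is not Huawei code and not part of the original FAQ). It implements Huawei-style wildcard-mask ACL matching and evaluates the policy the way the text describes: plain-permit CB pairs on the interface board first, redirect CB pairs on the service board afterwards, with the interface-board result not removing a flow from the service-board pass. One assumption is built in and marked in the code: a flow that hits a deny rule in a redirect classifier's ACL is excluded from redirection and ends policy matching, which is the behaviour the fix below relies on. The internal host 10.11.3.252, the server 10.11.3.55 and the next hop 172.16.4.13 come from the page; the external address 203.0.113.9 is a constructed sample.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    field: str       # "source" or "destination"
    network: str
    wildcard: str    # Huawei wildcard mask: bits set to 1 are "don't care"


@dataclass(frozen=True)
class Behavior:
    redirect: Optional[str] = None   # next-hop address, or None for a plain permit

    @property
    def board(self) -> str:
        # Per the FAQ: redirect (policy-routing) CB pairs take effect on the
        # service board, plain flow-control CB pairs on the interface board.
        return "service" if self.redirect else "interface"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Huawei wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for r in rules:
        addr = src if r.field == "source" else dst
        if wildcard_match(addr, r.network, r.wildcard):
            return r.action
    return None


def decide(acls: Dict[int, List[Rule]], cb_pairs: List[Tuple[int, Behavior]],
           src: str, dst: str) -> Optional[str]:
    """Return the redirect next hop applied to the flow, or None if not redirected."""
    # Stage 1, interface board: flow-control pairs run here. Whatever they decide
    # does NOT take the flow out of stage 2 (the root cause described in the FAQ).
    for acl_no, beh in cb_pairs:
        if beh.board == "interface" and acl_lookup(acls[acl_no], src, dst) == "permit":
            break
    # Stage 2, service board: redirect pairs are evaluated in configured order.
    for acl_no, beh in cb_pairs:
        if beh.board != "service":
            continue
        hit = acl_lookup(acls[acl_no], src, dst)
        if hit == "deny":
            # ASSUMPTION (modelling the FAQ's fix): a deny hit excludes the flow
            # from redirection and ends policy matching for this packet.
            return None
        if hit == "permit":
            return beh.redirect
    return None


NEXT_HOP = "172.16.4.13"
ACL_2001 = [Rule("permit", "source", "10.11.2.0", "0.0.0.255"),
            Rule("permit", "source", "10.11.3.0", "0.0.0.255")]
INTERNAL_DESTS = [("172.16.0.0", "0.0.255.255"), ("10.0.0.0", "0.255.255.255"),
                  ("118.121.27.0", "0.0.0.31"), ("112.54.93.0", "0.0.0.127"),
                  ("124.161.245.0", "0.0.0.255")]

# Original configuration: acl 3008 permits the internal destinations and behavior
# 3008 is a plain permit, so CB pair 3008 lives on the interface board only.
ORIGINAL = {
    "acls": {2001: ACL_2001,
             3008: [Rule("permit", "destination", n, w) for n, w in INTERNAL_DESTS]},
    "pairs": [(3008, Behavior()), (2001, Behavior(redirect=NEXT_HOP))],
}
# Fixed configuration: acl 3008 now denies the internal destinations and behavior
# 3008 carries the redirect, so the exclusion is evaluated on the service board.
FIXED = {
    "acls": {2001: ACL_2001,
             3008: [Rule("deny", "destination", n, w) for n, w in INTERNAL_DESTS]},
    "pairs": [(3008, Behavior(redirect=NEXT_HOP)), (2001, Behavior(redirect=NEXT_HOP))],
}


def run(config: dict, src: str, dst: str) -> Optional[str]:
    return decide(config["acls"], config["pairs"], src, dst)


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in ("10.11.3.55", "203.0.113.9"):   # intranet server, constructed Internet host
            print(f"{name:8s} 10.11.3.252 -> {dst:12s} redirect: {run(cfg, '10.11.3.252', dst)}")
```

Running the model reproduces the symptom (the original policy redirects the 10.11.3.252 to 10.11.3.55 flow) and shows the fix leaving that flow alone while Internet-bound traffic from the same host is still redirected.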


Solution (corrected configuration):

acl number 3008
rule 5 deny ip destination 172.16.0.0 0.0.255.255
rule 10 deny ip destination 10.0.0.0 0.255.255.255
rule 15 deny ip destination 118.121.27.0 0.0.0.31
rule 20 deny ip destination 112.54.93.0 0.0.0.127
rule 25 deny ip destination 124.161.245.0 0.0.0.255
#
traffic behavior 3008
redirect ip-nexthop 172.16.4.13 interface GigabitEthernet2/2/6
#
traffic classifier 3008 operator or
if-match acl 3008
#
traffic policy policy1
share-mode
classifier 3008 behavior 3008
classifier class2 behavior behavior2
#

END