I recently wanted to upgrade our firewall, so I went with an H3C F1000-S, and it has failed pretty badly.

It is not a very complex setup: two WAN ports, one China Telecom and one China Netcom, no policy routing, just two simple routes that I gave different values.

I mapped the web server, the mail server, the VOIP server, and the company's internal *** data.

The result: from inside, the website's domain name cannot be reached; it jumps straight to the H3C F1000-S itself.
And the internal VOIP server cannot form a network with the other one, even though they are on the same subnet; the same problem shows up there. It is driving me mad.

I cannot work it out. Why does the NAT have to be done this way?

A small example:

acl number 3000
 rule 0 permit tcp
 rule 1 permit udp
 rule 2 permit icmp
 rule 3 permit ip
 rule 4 permit igmp
acl number 3001
 rule 1 permit ip source 172.16.12.0 0.0.0.255
 rule 2 permit ip source 172.16.20.0 0.0.0.255
 rule 3 permit ip source 172.16.6.0 0.0.0.255
 rule 4 permit ip source 172.16.2.0 0.0.0.255
 rule 5 permit ip source 172.16.3.0 0.0.0.255
 rule 6 permit ip source 172.16.4.0 0.0.0.255
 rule 7 permit ip source 192.168.10.0 0.0.0.255
 rule 8 permit ip source 192.168.1.0 0.0.0.255
 rule 9 permit ip
acl number 3012
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.100 0
 rule 1 permit ip source 172.16.12.0 0.0.0.255 destination 192.168.1.100 0
 rule 2 permit ip source 172.16.2.0 0.0.0.255 destination 192.168.1.100 0
 rule 3 permit ip source 172.16.3.0 0.0.0.255 destination 192.168.1.100 0
 rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 192.168.1.100 0
 rule 5 permit ip source 172.16.6.0 0.0.0.255 destination 192.168.1.100 0
acl number 3013
 rule 0 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.8.2 0
#
#
interface Aux0
 async mode flow
#
interface GigabitEthernet0/0
 description wangtong
 ip address
 firewall packet-filter 3000 inbound
 firewall packet-filter 3000 outbound
 nat outbound 3001
 nat server protocol udp global 221.11.5.39 6065 inside 192.168.1.201 6065
 nat server protocol udp global 221.11.5.39 6064 inside 192.168.1.203 6064
 nat server protocol udp global 221.11.5.39 6066 inside 192.168.1.202 6066
 nat server protocol udp global 221.11.5.39 1002 inside 192.168.20.3 3810
 nat server protocol udp global 221.11.5.39 9001 inside 172.16.20.1 9001
 nat server protocol tcp global 221.11.5.39 www inside 192.168.1.100 8888
 nat server protocol tcp global 221.11.5.39 pop3 inside 192.168.10.1 pop3
 nat server protocol udp global 221.11.5.39 14113 inside 192.168.8.2 4113
 nat server protocol udp global 221.11.5.39 13833 inside 192.168.8.2 3833
 nat server protocol tcp global 221.11.5.39 smtp inside 192.168.10.1 smtp
#
interface GigabitEthernet0/1
 description dianxin
 ip address
 firewall packet-filter 3000 inbound
 firewall packet-filter 3000 outbound
 nat outbound 3001
#
interface GigabitEthernet1/0
 ip address 192.168.1.254 255.255.255.0
 nat outbound 3013
 nat outbound 3012
 nat server protocol tcp global * www inside 192.168.1.100 8888
 nat server protocol udp global * 14113 inside 192.168.8.2 4113
 nat server protocol udp global * 13833 inside 192.168.8.2 3833
#
firewall zone trust
 add interface GigabitEthernet1/0
 add interface GigabitEthernet1/1
 set priority 85
#
firewall zone untrust
 add interface GigabitEthernet0/0
 add interface GigabitEthernet0/1
 set priority 5
#

I am puzzled. Why does it have to be done like this!
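Added example, not part of the original post and not H3C's code: a small Python model of the Comware-style ACLs quoted above. It parses the wildcard-mask rules, does first-match lookups, flags ACLs that permit all IP traffic (as acl 3000, used as the packet filter, and acl 3001 do), and walks the inside-to-inside path that the `nat server ... global *` plus `nat outbound 3012` lines on GigabitEthernet1/0 set up: destination NAT to 192.168.1.100:8888, then source NAT to the interface address 192.168.1.254 when the client matches acl 3012. Addresses and ports are copied from the post (a subset of the rules, to keep it short); the client addresses and the interpretation of what happens without the source translation are constructed assumptions about standard NAT behaviour, not findings about the author's device.

```python
"""Model of the Comware ACL + hairpin NAT configuration quoted in the post."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the ACLs from the post, as quoted (constructed copy).
ACL_TEXT = """\
acl number 3000
 rule 0 permit tcp
 rule 1 permit udp
 rule 2 permit icmp
 rule 3 permit ip
 rule 4 permit igmp
acl number 3001
 rule 1 permit ip source 172.16.12.0 0.0.0.255
 rule 8 permit ip source 192.168.1.0 0.0.0.255
 rule 9 permit ip
acl number 3012
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.100 0
 rule 1 permit ip source 172.16.12.0 0.0.0.255 destination 192.168.1.100 0
acl number 3013
 rule 0 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.8.2 0
"""


@dataclass
class Rule:
    acl: int
    number: int
    action: str
    proto: str
    src: Optional[tuple[int, int]]  # (address, wildcard) as ints; None = any
    dst: Optional[tuple[int, int]]


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wildcard(s: str) -> int:
    # Comware accepts a bare "0" as shorthand for the host wildcard 0.0.0.0.
    return 0 if s == "0" else _addr(s)


RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) (\S+)"
    r"(?: source (\S+) (\S+))?"
    r"(?: destination (\S+) (\S+))?$"
)


def parse_acls(text: str) -> dict[int, list[Rule]]:
    """Parse 'acl number N' blocks and their 'rule ...' lines."""
    acls: dict[int, list[Rule]] = {}
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("acl number "):
            current = int(line.split()[-1])
            acls[current] = []
        elif line.startswith("rule "):
            m = RULE_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"unparsed line: {line!r}")
            num, action, proto, sa, sw, da, dw = m.groups()
            acls[current].append(Rule(
                current, int(num), action, proto,
                (_addr(sa), _wildcard(sw)) if sa else None,
                (_addr(da), _wildcard(dw)) if da else None))
    for rules in acls.values():
        rules.sort(key=lambda r: r.number)  # evaluated in rule-number order
    return acls


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    # A 0 bit in the wildcard must match exactly; a 1 bit is "don't care".
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)


def lookup(acls, acl_num: int, proto: str, src: str, dst: str) -> Optional[Rule]:
    """First rule of the ACL that matches the packet, or None."""
    s, d = _addr(src), _addr(dst)
    for r in acls[acl_num]:
        if r.proto not in ("ip", proto):
            continue
        if r.src and not wildcard_match(s, *r.src):
            continue
        if r.dst and not wildcard_match(d, *r.dst):
            continue
        return r
    return None


def is_permit_any(acls, acl_num: int) -> bool:
    """True when some rule permits all IP traffic from anywhere to anywhere,
    i.e. the ACL used as a packet filter is effectively open."""
    return any(r.action == "permit" and r.proto == "ip"
               and r.src is None and r.dst is None for r in acls[acl_num])


INSIDE_IF_ADDR = "192.168.1.254"  # ip address of GigabitEthernet1/0 (from the post)
NAT_SERVER_WWW = ("tcp", "192.168.1.100", 8888)  # global * www -> inside, from the post


def hairpin_path(acls, client: str) -> dict:
    """Inside client -> public www address, as GigabitEthernet1/0 translates it:
    destination NAT from the nat server line, then nat outbound 3012 on the
    source. Without the source rewrite the server would answer the client
    directly from its private address, bypassing the firewall's NAT state."""
    proto, inside_ip, inside_port = NAT_SERVER_WWW
    rule = lookup(acls, 3012, proto, client, inside_ip)
    return {
        "dst": (inside_ip, inside_port),
        "src": INSIDE_IF_ADDR if rule else client,
        "reply_returns_via_firewall": rule is not None,
    }


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    for n in sorted(ACLS):
        print(f"acl {n}: permit-any={is_permit_any(ACLS, n)}")
    print(hairpin_path(ACLS, "192.168.1.50"))   # constructed inside client
    print(hairpin_path(ACLS, "172.16.20.7"))    # constructed client not in acl 3012
```

Running it reports that acl 3000 (the packet filter on both WAN ports) and acl 3001 are permit-any, that a 192.168.1.0/24 client reaching the public web address gets both its destination and its source rewritten, and that a client outside acl 3012 gets only the destination rewritten, so the server's reply does not pass back through the firewall.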