The attachment is the faulty configuration.

terrellguo
Level 1
Could someone help check what the problem with the configuration is?
5 replies

junnyang
Cisco Employee
ip access-list extended GKX-1
deny ip any any <<<<<<<<<<<<<<<<<<<<<<<<<
remark 10 deny traffic between internal networks form being NATed
deny ip 172.16.0.0 0.0.15.255 10.0.0.0 0.255.255.255
remark 20 deny traffic between internal networks form being NATed
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
remark 30 deny traffic between internal networks form being NATed
deny ip 172.16.0.0 0.0.15.255 192.168.0.0 0.0.255.255
remark 40 deny CORP VPN user to any form being NATed
deny ip 172.16.3.0 0.0.0.255 any
remark 50 deny All CNCorp_Hosts to WindowsAD by policy route
deny ip 172.16.0.0 0.0.15.255 172.20.0.0 0.0.15.255
remark 60 deny All CNCorp_Hosts to WindowsAD2 by policy route
deny ip 172.16.0.0 0.0.15.255 172.20.16.0 0.0.15.255
remark 70 deny traffic between DMZ networks form being NATed
deny ip 172.16.0.0 0.0.15.255 172.16.16.0 0.0.0.255
remark 80 deny Corpgitlab to any form being Policy NATed
deny ip host 172.16.0.191 any
deny ip host 172.16.0.31 any
remark 100 deny Mailer to any form being Policy NATed
deny ip host 172.16.0.55 any
remark 10000 permit All CNCorp_Hosts to any
permit ip 172.16.0.0 0.0.15.255 any
remark 10001 permit All CNCorpGuest_Hosts to any
permit ip 172.16.18.0 0.0.0.255 any
remark 90 deny Redmine to any form being Policy NATed
deny ip host 172.16.0.47 any
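
The ACL above is evaluated top-down with first-match semantics, so a `deny ip any any` as the first entry shadows every entry after it and nothing is ever permitted for NAT. The following added example (not code from this thread or from Cisco) parses a constructed excerpt of that ACL, evaluates it the way IOS would, and flags entries that an earlier entry fully covers; it assumes only `ip` entries with `any`, `host` and wildcard-mask address forms.

```python
import ipaddress

# Constructed excerpt of the ACL from the post above; IOS stops at the first match.
ACL_TEXT = """
deny ip any any
deny ip 172.16.0.0 0.0.15.255 10.0.0.0 0.255.255.255
deny ip host 172.16.0.191 any
permit ip 172.16.0.0 0.0.15.255 any
permit ip 172.16.18.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = "255.255.255.255" if tokens[1] == "0.0.0.0" else tokens[1]
    return ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]  # wildcard = hostmask

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...]; remark lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action = tokens[0]  # tokens[1] is the protocol; this ACL only uses 'ip'
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First-match lookup; returns (action, index of the matching entry)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, src, dst) in enumerate(entries):
        if s in src and d in dst:
            return action, idx
    return "deny", None  # implicit deny at the end of every IOS ACL

def shadowed_entries(entries):
    """Indices of entries an earlier entry fully covers, so they never match."""
    out = []
    for i, (_, src_i, dst_i) in enumerate(entries):
        for _, src_j, dst_j in entries[:i]:
            if src_i.subnet_of(src_j) and dst_i.subnet_of(dst_j):
                out.append(i)
                break
    return out
```

With the stray `deny ip any any` present, `shadowed_entries` reports every other entry; dropping it restores the intended permits for 172.16.0.0/20 and 172.16.18.0/24 while the host and inter-network denies still take precedence.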

terrellguo
Level 1
junnyang posted on 2019-8-21 17:39
ip access-list extended GKX-1
deny ip any any

Thanks for the reply. The customer has already rolled back. The customer's engineer said: they strongly suspect that the policy linking PBR and NAT changed after the system upgrade. In a multiple-external-line scenario, policy routing cannot correctly link to the corresponding NAT.

junnyang
Cisco Employee
shanxitelecom posted on 2019-8-22 10:09
Thanks for the reply. The customer has already rolled back. The customer's engineer said: they strongly suspect that the policy linking PBR and NAT changed after the system upgrade. In a multiple-external-line scenario ...

It is a configuration problem. You can refer to the dual-exit NAT configuration I shared earlier.
http://bbs.csc-china.com.cn/forum.php?mod=viewthread&tid=986441

terrellguo
Level 1
junnyang posted on 2019-8-22 13:09
It is a configuration problem. You can refer to the dual-exit NAT configuration I shared earlier.
http://bbs.csc-china.com.cn/forum.php?mod=viewthr ...

Also, the problem has basically been found: the Fuji IOS release actually removed the command that disables ZBF, so the previous platform inspect disable-all command could not be applied, which means the firewall was enabled and the old configuration had not been deleted (because the firewall had been turned off directly, that configuration had no effect, so nobody dealt with it). The key point is that the manual for their Fuji release still says platform inspect disable-all can disable ZBF, yet Fuji does not have this command at all. What were their developers thinking? Please ask them for me.

terrellguo
Level 1
shanxitelecom posted on 2019-8-23 11:20
Also, the problem has basically been found: the Fuji IOS release actually removed the command that disables ZBF, so the previous platform inspect disable-a ...

Could you please advise how to handle these issues? Thanks.