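With nat outbound configured in the root system according to the configuration example, intranet users can access the Internet normally.
After a similar configuration was migrated into a vpn-instance, intranet users could no longer access the Internet.
Whether or not the ACL was modified to carry the vpn-instance attribute, intranet users could only ping the device's internal and external interfaces, and could not ping the peer address of the device's external interface.
1. The ACL referenced in the nat instance must be bound to the vpn-instance attribute.
2. The ACL referenced by the traffic classifier in the applied policy must not carry the vpn-instance attribute.
The ACLs were reconfigured as required, with a separate ACL referenced in each place.
The key configuration is as follows: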
nat instance ndianxin
 vpn-nat enable
 add slot 4 master
 nat address-group vdx x.x.x.136 x.x.x.143 vpn-instance dianxin
 nat outbound 3101 address-group vdx
#
acl number 3001
 rule 110 permit ip source 10.23.0.0 0.0.255.255
 rule 120 permit ip source 10.59.0.0 0.0.255.255
 rule 130 permit ip source 192.168.0.0 0.0.255.255
#
acl number 3101
 rule 110 permit ip vpn-instance dianxin source 10.23.0.0 0.0.255.255
 rule 120 permit ip vpn-instance dianxin source 192.168.0.0 0.0.255.255
#
traffic classifier c1 operator or
 if-match acl 3001
traffic behavior b1
 nat bind instance ndianxin
traffic policy p1
 share-mode
 classifier c1 behavior b1
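
The two ACL rules above can be checked mechanically before a configuration is pushed. The following is an added example, not part of the original case or any vendor tool: a small Python checker run over the ACL and policy lines of the key configuration. The function names, finding labels and the third check (sources matched by the classifier ACL but missing from the NAT ACL) are assumptions introduced here.

```python
import re

# Constructed input: the ACL and policy lines of the key configuration above.
SAMPLE = """\
nat instance ndianxin
 nat outbound 3101 address-group vdx
acl number 3001
 rule 110 permit ip source 10.23.0.0 0.0.255.255
 rule 120 permit ip source 10.59.0.0 0.0.255.255
 rule 130 permit ip source 192.168.0.0 0.0.255.255
acl number 3101
 rule 110 permit ip vpn-instance dianxin source 10.23.0.0 0.0.255.255
 rule 120 permit ip vpn-instance dianxin source 192.168.0.0 0.0.255.255
traffic classifier c1 operator or
 if-match acl 3001
"""

RULE = re.compile(r"rule \d+ permit ip (?:vpn-instance (\S+) )?source (\S+) (\S+)$")

def parse(cfg):
    """Return ({acl: [(vpn, source, wildcard)]}, NAT ACL ids, classifier ACL ids)."""
    acls, nat, cls, cur = {}, set(), set(), None
    for s in map(str.strip, cfg.splitlines()):
        if m := re.match(r"acl number (\d+)$", s):
            cur = acls.setdefault(m[1], [])
        elif (m := RULE.match(s)) and cur is not None:
            cur.append(m.groups())
        elif m := re.match(r"nat outbound (\d+)\b", s):
            nat.add(m[1])
        elif m := re.match(r"if-match acl (\d+)$", s):
            cls.add(m[1])
    return acls, nat, cls

def check(cfg):
    """List (acl, finding, source) tuples for violations of the two rules."""
    acls, nat, cls = parse(cfg)
    out = []
    for n in sorted(nat):  # rule 1: the NAT-instance ACL must carry vpn-instance
        out += [(n, "nat-acl-missing-vpn", s) for v, s, _ in acls.get(n, []) if v is None]
    for n in sorted(cls):  # rule 2: the classifier ACL must not carry it
        out += [(n, "classifier-acl-has-vpn", s) for v, s, _ in acls.get(n, []) if v]
    # Added check (assumption, not from the page): classified sources absent from NAT ACLs
    covered = {(s, w) for n in nat for _, s, w in acls.get(n, [])}
    for n in sorted(cls):
        out += [(n, "not-in-nat-acl", s) for _, s, w in acls.get(n, []) if (s, w) not in covered]
    return out

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(*finding)
```

On the configuration above, both ACL rules pass; the only finding is that source 10.59.0.0 appears in acl 3001 but has no matching rule in acl 3101.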