A server hosting an intranet website is published through a NAT Server configured on the firewall's China Telecom external interface. The internal 172 segment and the 192.168.200 segment go out through the Telecom egress, and the 192.168.38.0/24 segment goes out through the China Netcom egress via policy-based routing. nat dns-map is configured on the firewall. The problem I am currently seeing is that machines on the segments using the Telecom egress can access the intranet website's domain name normally (pinging the domain name returns the server's internal IP address), while machines on the segment using the Netcom egress cannot access the intranet website's domain name (pinging the domain name returns the server's public IP address). How can this problem be solved?

The main topology diagram and configuration follow.

<WLZX-U200-A>dis cu
#
 version 5.20, Release 5116P02
#
 sysname WLZX-U200-A
#
 clock timezone GMT add 08:00:00
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 domain default enable system
#
 router id 172.20.1.1
#
 telnet server enable
#
acl number 2000
 rule 10 permit source 172.20.202.0 0.0.0.255
 rule 20 permit source 192.168.200.0 0.0.0.255
acl number 2001
 rule 10 permit source 192.168.38.0 0.0.0.255
#
acl number 3001
 rule 10 permit ip source 192.168.38.0 0.0.0.255 destination 192.168.200.168 0
 rule 20 permit ip source 192.168.38.0 0.0.0.255 destination 61.190.*.19 0
#
vlan 1
#
radius scheme system
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
pki domain default
 crl check disable
#
user-group system
#
interface LoopBack0
 ip address 172.20.202.9 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 172.20.203.1 255.255.255.252
 ip policy-based-route 1
#
interface GigabitEthernet0/2
 port link-mode route
 ip address 172.20.203.254 255.255.255.252
 ip policy-based-route 1
#
interface GigabitEthernet0/4
 port link-mode route
 nat outbound 2001
 ip address 218.104.*.210 255.255.255.248
#
interface GigabitEthernet0/5
 port link-mode route
 nat outbound 2000
 nat server protocol tcp global 61.190.*.19 www inside 192.168.200.168 www
 ip address 61.190.*.18 255.255.255.240
#
ospf 1
 default-route-advertise always
 area 0.0.0.0
  network 172.20.203.0 0.0.0.3
  network 172.20.203.252 0.0.0.3
  network 172.20.1.1 0.0.0.0
#
policy-based-route 1 permit node 5
 if-match acl 3001
policy-based-route 1 permit node 10
 if-match acl 2001
 apply ip-address next-hop 218.104.*.209
#
 ip route-static 0.0.0.0 0.0.0.0 61.190.*.17
 ip route-static 0.0.0.0 0.0.0.0 218.104.*.209 preference 100
#
 nat dns-map domain www. protocol tcp ip 61.190.*.19 port www
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
#
return