按照配置用例在根系統(tǒng)中配置的nat outbound上網(wǎng),內(nèi)網(wǎng)用戶可以正常上網(wǎng).
類似配置遷移到vpn-instance中,內(nèi)網(wǎng)用戶就無法上網(wǎng)了.
無論修改acl是否帶vpn-instance屬性,內(nèi)網(wǎng)用戶都是只能ping到設(shè)備內(nèi)網(wǎng)口/外網(wǎng)口,無法ping到設(shè)備外網(wǎng)口對端地址.
1.nat instance 中引用的acl需要綁定vpn-instance屬性
2.在策略應(yīng)用traffic classifier中引用的acl不能帶vpn-instance屬性
按照要求重新配置了acl在不同的地方引用.
關(guān)鍵配置如下:
nat instance ndianxin
vpn-nat enable
add slot 4 master
nat address-group vdx x.x.x.136 x.x.x.143 vpn-instance dianxin
nat outbound 3101 address-group vdx
#
acl number 3001
rule 110 permit ip source 10.23.0.0 0.0.255.255
rule 120 permit ip source 10.59.0.0 0.0.255.255
rule 130 permit ip source 192.168.0.0 0.0.255.255
#
acl number 3101
rule 110 permit ip vpn-instance dianxin source 10.23.0.0 0.0.255.255
rule 120 permit ip vpn-instance dianxin source 192.168.0.0 0.0.255.255
#
traffic classifier c1 operator or
if-match acl 3001
traffic behavior b1
nat bind instance ndianxin
traffic policy p1
share-mode
classifier c1 behavior b1
無