Following the configuration example, I configured NAT outbound in the root system (public instance) for Internet access, and internal users can get online normally.
After migrating a similar configuration into a vpn-instance, internal users can no longer get online.
Whether or not the ACL is modified to carry the vpn-instance attribute, internal users can only ping the device's internal/external interface addresses; they cannot ping the peer address of the device's external interface.
1. The ACL referenced in the nat instance must be bound with the vpn-instance attribute.
2. The ACL referenced in the traffic classifier used by the traffic policy must not carry the vpn-instance attribute.
Following these requirements, I reconfigured the ACLs referenced in the different places.
Key configuration:
nat instance ndianxin
 vpn-nat enable
 add slot 4 master
 nat address-group vdx x.x.x.136 x.x.x.143 vpn-instance dianxin
 nat outbound 3101 address-group vdx
#
acl number 3001
 rule 110 permit ip source 10.23.0.0 0.0.255.255
 rule 120 permit ip source 10.59.0.0 0.0.255.255
 rule 130 permit ip source 192.168.0.0 0.0.255.255
#
acl number 3101
 rule 110 permit ip vpn-instance dianxin source 10.23.0.0 0.0.255.255
 rule 120 permit ip vpn-instance dianxin source 192.168.0.0 0.0.255.255
#
traffic classifier c1 operator or
 if-match acl 3001
#
traffic behavior b1
 nat bind instance ndianxin
#
traffic policy p1
 share-mode
 classifier c1 behavior b1
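As an added example (not part of the original post and not a vendor tool), the following Python linter parses a VRP-style configuration fragment and checks the two placement rules stated above: every rule of the ACL referenced by `nat outbound` in a `vpn-nat enable` instance must name the vpn-instance of the address-group it maps to, and the ACL matched by the classifier whose behavior binds that instance must carry no vpn-instance at all. It assumes the display layout of VRP (one-space indentation under a view, `#` as section separator) and only the command forms shown in this post; any other command is ignored. The sample config is the post's key configuration with the public addresses masked exactly as in the post, and the counter-example is constructed by referencing the two ACLs the wrong way round.

```python
"""Lint a NAT-in-VPN config fragment for the two ACL placement rules in the post.
Added example, not a vendor tool. Assumes VRP display layout (one-space indent
under a view, '#' separators) and only the command forms the post shows."""

# Constructed sample: the post's key config, public addresses masked as in the post.
SAMPLE_CONFIG = """\
nat instance ndianxin
 vpn-nat enable
 nat address-group vdx x.x.x.136 x.x.x.143 vpn-instance dianxin
 nat outbound 3101 address-group vdx
#
acl number 3001
 rule 110 permit ip source 10.23.0.0 0.0.255.255
 rule 120 permit ip source 10.59.0.0 0.0.255.255
 rule 130 permit ip source 192.168.0.0 0.0.255.255
#
acl number 3101
 rule 110 permit ip vpn-instance dianxin source 10.23.0.0 0.0.255.255
 rule 120 permit ip vpn-instance dianxin source 192.168.0.0 0.0.255.255
#
traffic classifier c1 operator or
 if-match acl 3001
traffic behavior b1
 nat bind instance ndianxin
traffic policy p1
 classifier c1 behavior b1
"""
# Constructed counter-example: the two ACLs referenced the wrong way round.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("nat outbound 3101", "nat outbound 3001")
                 .replace("if-match acl 3001", "if-match acl 3101"))


def parse_blocks(text):
    """Split config into (header, [child commands]) views; '#' or a new
    unindented command closes the current view."""
    blocks, current = [], None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line == "#":
            current = None
        elif line[0].isspace():
            if current is None:
                raise ValueError("indented command outside a view: " + line)
            current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def parse_config(text):
    """Collect only the views the two rules need; other commands are ignored."""
    cfg = {"acls": {}, "nat_instances": {}, "classifiers": {}, "behaviors": {}, "policies": {}}
    for header, body in parse_blocks(text):
        w = header.split()
        if w[:2] == ["acl", "number"]:
            cfg["acls"][w[2]] = [l for l in body if l.startswith("rule ")]
        elif w[:2] == ["nat", "instance"]:
            inst = {"vpn_nat": False, "outbound": [], "groups": {}}
            for c in (l.split() for l in body):
                if c[:2] == ["vpn-nat", "enable"]:
                    inst["vpn_nat"] = True
                elif c[:2] == ["nat", "address-group"]:   # group name -> its vpn-instance
                    inst["groups"][c[2]] = c[c.index("vpn-instance") + 1] if "vpn-instance" in c else None
                elif c[:2] == ["nat", "outbound"]:        # (acl number, address-group)
                    inst["outbound"].append((c[2], c[4] if c[3:4] == ["address-group"] else None))
            cfg["nat_instances"][w[2]] = inst
        elif w[:2] == ["traffic", "classifier"]:
            cfg["classifiers"][w[2]] = [l.split()[2] for l in body if l.startswith("if-match acl ")]
        elif w[:2] == ["traffic", "behavior"]:
            bound = [l.split()[3] for l in body if l.startswith("nat bind instance ")]
            cfg["behaviors"][w[2]] = bound[0] if bound else None
        elif w[:2] == ["traffic", "policy"]:
            cfg["policies"][w[2]] = [(l.split()[1], l.split()[3]) for l in body if l.startswith("classifier ")]
    return cfg


def rule_vpn(rule):
    """vpn-instance named in an ACL rule, or None if the rule has none."""
    w = rule.split()
    return w[w.index("vpn-instance") + 1] if "vpn-instance" in w else None


def lint(cfg):
    """Return findings; an empty list means both placement rules are satisfied."""
    out = []
    # Rule 1: every rule of an ACL used by 'nat outbound' in a vpn-nat instance
    # must name the vpn-instance of the address-group that outbound entry maps to.
    for name, inst in cfg["nat_instances"].items():
        for acl_id, group in inst["outbound"] if inst["vpn_nat"] else []:
            want = inst["groups"].get(group)
            for rule in cfg["acls"].get(acl_id, []):
                got = rule_vpn(rule)
                if got is None:
                    out.append(f"nat instance {name}: ACL {acl_id} '{rule}' lacks vpn-instance")
                elif want and got != want:
                    out.append(f"nat instance {name}: ACL {acl_id} '{rule}' is in {got}, group {group} in {want}")
    # Rule 2: ACLs matched by a classifier whose behavior binds such an instance
    # must NOT carry vpn-instance at all.
    for pname, pairs in cfg["policies"].items():
        for cname, bname in pairs:
            inst = cfg["nat_instances"].get(cfg["behaviors"].get(bname))
            for acl_id in cfg["classifiers"].get(cname, []) if inst and inst["vpn_nat"] else []:
                for rule in cfg["acls"].get(acl_id, []):
                    if rule_vpn(rule):
                        out.append(f"policy {pname}: classifier {cname} ACL {acl_id} '{rule}' must not carry vpn-instance")
    return out
```

Running `lint(parse_config(SAMPLE_CONFIG))` on the post's configuration returns no findings, while the swapped version reports each of the three rules in ACL 3001 as lacking vpn-instance and each of the two rules in ACL 3101 as wrongly carrying it in the classifier, which is exactly the situation the post describes before the ACLs were separated.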