
Juniper SRX240 multi-WAN (multiple uplink) problem

Posted 2017-2-7 14:45:31
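Hi everyone, I've run into a multi-WAN problem here. I'm a Juniper beginner and don't understand the cause of many issues, so I'm asking the experts here. Thanks in advance.
   The network is as follows:
     1. There are three ISP lines here, two PPPoE and one fixed-IP leased line, connected to ports 0, 1 and 2 of the SRX 240 respectively; the routing configuration also has egress routes for all three lines;
     2. Port mappings are configured in NAT, mapping to different servers in a dedicated server VLAN on the internal network;
     3. Internet access works. The SRX 240 automatically selected the PP0.1 line; it used to switch lines automatically, but now it no longer seems to. Pinging the IP of the PP0.1 line in use from outside works; the other two IPs cannot be pinged;
    The problems now are:
    1. With the port mappings configured, external access to the fixed IP does not get in, and the fixed IP address cannot be pinged either;
    2. From inside, the external fixed IP can be pinged;

The configuration is as follows: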
admin# show |display set
set version 12.3X48-D35.7
set groups jweb-security-logging system syslog file count any any
set groups jweb-security-logging system syslog file count archive files 1
set groups jweb-security-logging system syslog file count structured-data
set system root-authentication encrypted-password "$1$Vfw/AVOj$oQDApG9djPEAdyAfpXOd1/"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system login user admin uid 2001
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$YpjgeOA8$hm.zc9rAVnxxOUbXEwRjW2"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface ge-0/0/4.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface ge-0/0/4.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system services dhcp propagate-ppp-settings pp0.0
set system services dhcp propagate-ppp-settings pp0.1
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file count any any
set system syslog file count archive files 1
set system syslog file count structured-data
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security log mode event
set security address-book cd-inside address cdoffice 10.28.0.0/16
set security address-book cd-inside attach zone trust
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat destination pool 1723 address 10.28.4.29/32
set security nat destination pool 1723 address port 1723
set security nat destination pool 1194 address 10.28.4.73/32
set security nat destination pool 1194 address port 1194
set security nat destination pool 8281 address 10.28.4.34/32
set security nat destination pool 8281 address port 8281
set security nat destination pool 1884 address 10.28.4.42/32
set security nat destination pool 1884 address port 1884
set security nat destination pool 22 address 10.28.4.29/32
set security nat destination pool 22 address port 22
set security nat destination pool 18281 address 10.28.4.40/32
set security nat destination pool 18281 address port 8281
set security nat destination pool 32222 address 10.28.4.29/32
set security nat destination pool 32222 address port 22
set security nat destination pool 1883 address 10.28.4.34/32
set security nat destination pool 1883 address port 1883
set security nat destination pool 10000 address 10.28.4.45/32
set security nat destination pool 10000 address port 1883
set security nat destination rule-set nat001 from zone untrust
set security nat destination rule-set nat001 rule 32222 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 32222 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 32222 match destination-port 32222
set security nat destination rule-set nat001 rule 32222 then destination-nat pool 32222
set security nat destination rule-set nat001 rule 1883 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1883 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1883 match destination-port 1883
set security nat destination rule-set nat001 rule 1883 then destination-nat pool 1883
set security nat destination rule-set nat001 rule 1723 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1723 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1723 match destination-port 1723
set security nat destination rule-set nat001 rule 1723 then destination-nat pool 1723
set security nat destination rule-set nat001 rule 1194 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1194 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1194 match destination-port 1194
set security nat destination rule-set nat001 rule 1194 then destination-nat pool 1194
set security nat destination rule-set nat001 rule 8281 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 8281 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 8281 match destination-port 8281
set security nat destination rule-set nat001 rule 8281 then destination-nat pool 8281
set security nat destination rule-set nat001 rule 1884 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1884 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 1884 match destination-port 1884
set security nat destination rule-set nat001 rule 1884 then destination-nat pool 1884
set security nat destination rule-set nat001 rule 18281 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 18281 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 18281 match destination-port 18281
set security nat destination rule-set nat001 rule 18281 then destination-nat pool 18281
set security nat destination rule-set nat001 rule 22 match source-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 22 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 22 match destination-port 22
set security nat destination rule-set nat001 rule 22 then destination-nat pool 22
set security nat destination rule-set nat001 rule 10000 match destination-address 0.0.0.0/0
set security nat destination rule-set nat001 rule 10000 match destination-port 10000
set security nat destination rule-set nat001 rule 10000 then destination-nat pool 10000
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone trust interfaces ge-0/0/8.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone untrust interfaces pp0.1
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/2 unit 0 family inet address 111.208.125.45/24
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family inet address 10.28.1.2/16
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/8 unit 0 family inet address 10.28.1.200/16
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces pp0 unit 0 apply-macro 01234567890
set interfaces pp0 unit 0 ppp-options pap local-name 01234567890
set interfaces pp0 unit 0 ppp-options pap no-rfc2486
set interfaces pp0 unit 0 ppp-options pap local-password "$9$c5mSKMWLx7dbrls2g4Z1"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 1 apply-macro 1234567945
set interfaces pp0 unit 1 ppp-options pap local-name 1234567945
set interfaces pp0 unit 1 ppp-options pap no-rfc2486
set interfaces pp0 unit 1 ppp-options pap local-password "$9$SmyyvW8X7NVwleYg4oG1"
set interfaces pp0 unit 1 ppp-options pap passive
set interfaces pp0 unit 1 pppoe-options underlying-interface ge-0/0/1.0
set interfaces pp0 unit 1 family inet negotiate-address
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 1 family inet
set snmp description firewall02
set snmp location cdoffice
set snmp contact "cd@beec12344.com"
set snmp engine-id local my123
set snmp community public authorization read-only
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 0.0.0.0/0 next-hop pp0.1
set routing-options static route 0.0.0.0/0 next-hop 101.207.125.1
set protocols stp
set policy-options policy-statement Rout_1 term Rout_P1 from interface 10.28.4.0
set policy-options policy-statement Rout_1 term Rout_P1 to interface 111.208.125.1
set policy-options policy-statement Rout_1 term Rout_P1 then accept
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

[edit]




Original poster | Posted 2017-2-15 09:26:21
It's solved now.

Posted 2017-2-15 09:35:58

How did you solve it???

Original poster | Posted 2017-2-16 09:00:34
Used FBF policy routing
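One possible FBF (filter-based forwarding) layout for the fixed-IP line described in the first post, added here as an example; the original poster did not share the final configuration, so this is not their config. The instance, rib-group and filter names are hypothetical, and `<ISP3-GW>` is a placeholder for the ISP gateway, which has to sit inside the 111.208.125.0/24 subnet configured on ge-0/0/2.

```junos
# Added example, not from the thread. Goal: sessions that arrive on the
# fixed-IP line (ge-0/0/2) are routed in a table whose default route leaves
# through that same line, instead of following the single default next hop
# that inet.0 selected (pp0.1 in the first post).

# Forwarding-type instance with a default route over the fixed-IP line only.
# <ISP3-GW> is a placeholder: use the ISP gateway inside 111.208.125.0/24.
set routing-instances ISP3 instance-type forwarding
set routing-instances ISP3 routing-options static route 0.0.0.0/0 next-hop <ISP3-GW>

# Copy the connected routes into ISP3.inet.0 so that the gateway and the
# 10.28.0.0/16 server addresses resolve inside the instance.
set routing-options rib-groups FBF-RIB import-rib inet.0
set routing-options rib-groups FBF-RIB import-rib ISP3.inet.0
set routing-options interface-routes rib-group inet FBF-RIB

# Packets addressed to the fixed IP are looked up in ISP3. The filter runs
# before destination NAT, so it matches the public address.
set firewall family inet filter FROM-ISP3 term to-fixed-ip from destination-address 111.208.125.45/32
set firewall family inet filter FROM-ISP3 term to-fixed-ip then routing-instance ISP3
# Everything else stays in inet.0.
set firewall family inet filter FROM-ISP3 term other then accept

# Apply the filter on ingress of the fixed-IP interface.
set interfaces ge-0/0/2 unit 0 family inet filter input FROM-ISP3
```

After commit, `show route table ISP3.inet.0` should list the connected routes plus the default route through the fixed-IP line, and `show security flow session destination-prefix 111.208.125.45` shows which interface each wing of an inbound session uses.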
