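The customer has two uplinks: one leased line and one broadband line. The internal network is divided into three areas: VLAN 100 for wired clients, port G0/0/15 for wireless, and VLAN 200 for servers. The server area reaches the Internet over the leased line via policy-based routing, and some of its services are mapped to the outside. Wired clients go out over broadband via policy-based routing. Wireless is attached under port G0/0/15 on a private subnet, is source-NATed to address 10.0.0.1, and uses policy-based routing to go out over broadband. The current problem is that internal terminals in the wireless area can ping the leased-line address but cannot access the port services that are destination-mapped on the leased-line address. Enabling nat hairpin on VLAN 200, the internal SVI for the services behind the leased-line address, did not help either. The security policy is also configured as any to any.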
interface Vlan-interface100
 ip address 172.16.10.254 255.255.255.0
 dhcp server apply ip-pool pool-work
 ip policy-based-route to-kuandai
#
interface Vlan-interface200
 ip address 172.16.20.254 255.255.255.0
 nat hairpin enable
 manage ping inbound
 manage ping outbound
 dhcp server apply ip-pool pool-work-2
 ip policy-based-route to-zhuanxian
interface GigabitEthernet1/0/15
 port link-mode route
 description GuideLan Interface
 ip address 10.0.0.1 255.255.255.252
 undo dhcp select server
 ip policy-based-route to-kuandai
nat global-policy
 rule name GlobalPolicyRule_8
  service 8090
  source-zone zhuanxian
  destination-ip host 58.214.22.202
  action dnat ip-address 172.16.20.6 local-port 8090
  counting enable
 rule name GlobalPolicyRule_11
  source-zone zhuanxian
  destination-ip host 58.214.22.202
  action dnat ip-address 172.16.20.2 local-port 4433
  counting enable
 rule name GlobalPolicyRule_1
  description GuideNat
  source-zone wireless
  destination-zone kuandai
  action snat easy-ip
 rule name GlobalPolicyRule_5
  description GuideNat
  source-zone Trust
  destination-zone kuandai
  action snat easy-ip
 rule name GlobalPolicyRule_6
  source-zone video
  destination-zone zhuanxian
  action snat easy-ip
 rule name 1
  source-zone Trust
  source-zone video
  source-zone wireless
  destination-zone DMZ
  destination-zone kuandai
  destination-zone zhuanxian
  action snat easy-ip
(0)
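Best answer
With dual egress you need to use interface NAT; policy NAT matches from top to bottom and can only match the mapping of one public address.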
(0)
How do I configure interface NAT?
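
The top-down matching mentioned in the answer can be checked against the posted rules with a small model. This is an added example, not part of the original thread and not H3C's implementation; it assumes a rule matches only when every criterion it lists matches, that DNAT and SNAT rules are looked up separately, and it uses constructed flows (GlobalPolicyRule_5 and GlobalPolicyRule_6 are left out for brevity).

```python
# Added illustration, not H3C code: a simplified first-match model of the
# "nat global-policy" rules posted above. Assumption: a rule matches only when
# every criterion it lists (source-zone, destination-zone, destination-ip,
# service) matches; criteria a rule omits match anything.
POSTED = """\
rule name GlobalPolicyRule_8
service 8090
source-zone zhuanxian
destination-ip host 58.214.22.202
action dnat ip-address 172.16.20.6 local-port 8090
rule name GlobalPolicyRule_11
source-zone zhuanxian
destination-ip host 58.214.22.202
action dnat ip-address 172.16.20.2 local-port 4433
rule name GlobalPolicyRule_1
source-zone wireless
destination-zone kuandai
action snat easy-ip
rule name 1
source-zone Trust
source-zone video
source-zone wireless
destination-zone DMZ
destination-zone kuandai
destination-zone zhuanxian
action snat easy-ip
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["rule", "name"]:
            rules.append({"name": words[2], "match": {}, "action": None})
        elif words[0] == "action":
            rules[-1]["action"] = words[1]  # "dnat" or "snat"
        elif words[0] in ("source-zone", "destination-zone", "destination-ip", "service"):
            rules[-1]["match"].setdefault(words[0], set()).add(words[-1])
    return rules

def first_match(rules, action, flow):
    for r in rules:  # top-down: the first rule whose criteria all match wins
        if r["action"] == action and all(flow.get(k) in v for k, v in r["match"].items()):
            return r["name"]
    return None  # no rule of this kind applies to the flow

RULES = parse_rules(POSTED)
FLOW = {"destination-ip": "58.214.22.202", "service": "8090"}  # constructed flow
```

Under these assumptions, `first_match(RULES, "dnat", {**FLOW, "source-zone": "wireless"})` returns `None`, because both DNAT rules list only `source-zone zhuanxian`, while the same flow from zone `zhuanxian` hits GlobalPolicyRule_8.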