小弟的防火墙是SSG5，e0/0是外网，ADSL线路，运行PPPoE，IP动态的，依据网路上各种参考书设置的VIP服务，均不能工作，已经苦恼了1个星期了，各位大大帮忙分析下。以下是配置文件的部分内容：

set clock dst-off
set clock ntp
set clock timezone 8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "OpenPort 7001" protocol tcp src-port 0-65535 dst-port 7001-7001
set service "OpenPort 7001" + udp src-port 0-65535 dst-port 7001-7001
set service "OpenPort 8100" protocol tcp src-port 0-65535 dst-port 8100-8100
set service "OpenPort 8100" + udp src-port 0-65535 dst-port 8100-8100
set service "OpenPort 9168" protocol tcp src-port 0-65535 dst-port 9168-9168
set service "OpenPort 9168" + udp src-port 0-65535 dst-port 9168-9168
set service "OPenPort 8088" protocol tcp src-port 0-65535 dst-port 8088-8088
set service "OPenPort 8088" + udp src-port 0-65535 dst-port 8088-8088
set service "OpenPort 20080" protocol tcp src-port 0-65535 dst-port 20080-20080
set service "OpenPort 20080" + udp src-port 0-65535 dst-port 20080-20080
set service "Open port 8001" protocol tcp src-port 0-65535 dst-port 8001-8001
set service "Open port 8001" + udp src-port 0-65535 dst-port 8001-8001
set service "Open port 81" protocol tcp src-port 0-65535 dst-port 81-81
set service "Open port 81" + udp src-port 0-65535 dst-port 81-81
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "******"
set admin password "*******"
set admin port 8080
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 219.133.107.75/32
set interface ethernet0/0 route
set interface bgroup0 ip 169.33.1.5/16
set interface bgroup0 nat
set interface ethernet0/0 proxy dns
set interface bgroup0 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface ethernet0/0 vip interface-ip 80 "HTTP" 169.33.10.2
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
set flow all-tcp-mss 1304
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 202.96.134.133 src-interface ethernet0/0
set dns host dns2 202.96.128.166 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set dns proxy
set dns proxy enable
set dns server-select domain nhk.com primary-server 169.31.1.208
set dns ddns
set dns ddns enable
set address
set address
set address
set address "Untrust"
set address "Untrust"
set group address


set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 24 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "ANY" nat dst ip 169.33.10.2 permit
set policy id 24
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny
set policy id 2
exit

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 17 from "Trust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 17
exit
set policy id 23 name "Open port 81" from "Untrust" to "Global"  "Any" "Any" "ANY" nat src dst ip 169.33.10.2 permit
set policy id 23
exit
set pppoe name "nhzadsl"
set pppoe name "nhzadsl" username "*****@163.gd" password "********"
set pppoe name "nhzadsl" idle 0
set pppoe name "nhzadsl" interface ethernet0/0
set pppoe name "nhzadsl" auto-connect 5
set pppoe name "nhzadsl" clear-on-disconnect
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5




关闭e0/0上的nat一样不能用

你ADSL拨号,获取的是动态公网IP,怎么能做VIP呢!

引用:

原帖由 conquer 于 2008-1-3 09:21 发表
你ADSL拨号,获取的是动态公网IP,怎么能做VIP呢!

same as the interface

设置的是same as the interface，但是测试端口一直不能打开。

难道还不如我家那个200块大洋的宽带路由器？

汗``对于这些个, 看都看不懂的说

是  因为没  有路由吧

这里还是初学者多啊. 一些个大虾们都没怎么看到

le!#sia sh}:oq% (:lkao>/