Cisco 2911 dual-line access: policy routing for dual-line access to a web server
1. Both China Telecom and China Unicom are 10M fibre links with fixed IPs:
Telecom: 121.x.x.x
Unicom: 58.x.x.x
2. The domain uses dual-line resolution on DNSPod (Telecom is the default line);
3. There is one web server on the LAN that needs to be published to the internet;
4. There is one Cisco 2911 K9 router with 3 GB LAN ports;
5. The LAN has only one subnet, 192.168.0.0/24.
Desired result:
1. LAN users can reach the internet normally through both exits (load sharing or redundancy);
2. Internet users accessing the web server:
a. Unicom users go over the Unicom line (I collected 800+ Unicom route entries);
b. Telecom and any other carrier's lines go over the Telecom line.
Here is the configuration:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$KEex$6XEpUd1oJbZAXjD7LXJok1
!
no aaa new-model
clock timezone GMT 8 0
!
no ipv6 cef
ip source-route
!
!
!
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGLXXXXXXX
!
!
username XXXXX secret 5 $1$rqjo$xx8MyKYj186xrUeD4CUZ2.
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.0.X 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 121.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 58.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 30
ip nat translation icmp-timeout 30
ip nat pool pool-telecom 121.x.x.113 121.x.x.117 netmask 255.255.255.248
ip nat pool pool-unicom 58.x.x.2 58.x.x.5 netmask 255.255.255.248
ip nat source static tcp 192.168.0.254 8018 58.x.x.x 8018 extendable
ip nat source static tcp 192.168.0.254 8018 121.x.x.x 8018 extendable
ip nat inside source route-map telecom pool pool-telecom overload
ip nat inside source route-map unicom pool pool-unicom overload
ip nat inside source static tcp 192.168.0.247 21 58.x.x.x 21 extendable
ip nat inside source static tcp 192.168.0.251 80 58.x.x.x 80 extendable
ip nat inside source static tcp 192.168.0.254 2020 58.x.x.x 2020 extendable
ip nat inside source static tcp 192.168.0.254 8018 58.x.x.x 8018 extendable
ip nat inside source static tcp 192.168.0.251 8019 58.x.x.x 8019 extendable
ip nat inside source static tcp 192.168.0.246 8080 58.x.x.x 8080 extendable
ip nat inside source static tcp 192.168.0.247 21 121.x.x.x 21 extendable
ip nat inside source static tcp 192.168.0.251 80 121.x.x.x 80 extendable
ip nat inside source static tcp 192.168.0.254 2020 121.x.x.x 2020 extendable
ip nat inside source static tcp 192.168.0.254 8018 121.x.x.x 8018 extendable
ip nat inside source static tcp 192.168.0.251 8019 121.x.x.x 8019 extendable
ip nat inside source static tcp 192.168.0.246 8080 121.x.x.x 8080 extendable
ip route 0.0.0.0 0.0.0.0 121.x.x.118
ip route 0.0.0.0 0.0.0.0 58.x.x.1 50
ip route 1.24.0.0 255.248.0.0 58.x.x.1
ip route 1.56.0.0 255.248.0.0 58.x.x.1
ip route 1.188.0.0 255.252.0.0 58.x.x.1
ip route 14.204.0.0 255.254.0.0 58.x.x.1
.................. 800+ more route entries ..............
!
access-list 2001 permit ip 192.168.0.0 0.0.0.255 any
!
route-map unicom permit 10
match ip address 2001
match interface GigabitEthernet0/2
set ip next-hop 58.x.x.1
!
route-map telecom permit 10
match ip address 2001
match interface GigabitEthernet0/1
set ip next-hop 121.x.x.118
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
logging synchronous
login local
transport input all
!
scheduler allocate 20000 1000
end
Router#
Current result:
1. LAN users can get online normally and can exit via both Telecom and Unicom.
2. Telecom users and Unicom users resolve my site through their own carrier's DNS servers and access it normally.
3. Problems encountered:
a. Other carriers (neither Telecom nor Unicom) may use Unicom's DNS servers to resolve my site and therefore get my Unicom IP. The result is that the user's traffic comes in on the Unicom interface but the replies leave over the Telecom line, so the user cannot access the site.
How do I solve this?
b. Even worse: some users are on a Telecom line but use Unicom DNS, and some are Unicom users using Telecom DNS.
The addresses they resolve are then exactly crossed over and they cannot access the site either. (I really have met users this complicated: a residential-estate property management company bundling Telecom and Unicom broadband, with some policy I cannot figure out, where the Unicom line sometimes resolves through Telecom DNS on the way out.)
How do I solve this one?
So frustrating.....................
How can these 2 problems be solved? I hope the experts here can lend a hand, thank you!!!!!!!
This problem has been solved!
See post #12 for details!!!!!
The problem is finally solved; below is my configuration.
Add a second IP to the web server, map port 80 of each IP to a different line, then use policy routing to send the outbound traffic of the two IPs to different public IPs. That does it!
Here is the configuration:
Router#show runn
Current configuration : 42687 bytes
!
! No configuration change since last restart
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$KEex$6XEpUd1oJbZAXjD7LXJok1
!
no aaa new-model
clock timezone GMT 8 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGLXXXXXX
!
!
username XXXX secret 5 $1$rqjo$xx8MyKYj186xrUeD4CUZ2.
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR-WWW                                  ! <-- a1
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 121.x.x.116 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 58.x.x.4 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 30
ip nat translation icmp-timeout 30
ip nat pool pool-telecom 121.x.x.113 121.x.x.117 netmask 255.255.255.248
ip nat pool pool-unicom 58.x.x.2 58.x.x.5 netmask 255.255.255.248     ! <-- a2
ip nat inside source route-map telecom pool pool-telecom overload
ip nat inside source route-map unicom pool pool-unicom overload       ! <-- a3
ip nat inside source static tcp 192.168.0.250 80 58.x.x.4 80 extendable
ip nat inside source static tcp 192.168.0.251 80 121.x.x.116 80 extendable   ! <-- a4
ip route 0.0.0.0 0.0.0.0 121.x.x.118
ip route 0.0.0.0 0.0.0.0 58.x.x.1 50                                  ! <-- a5
ip route 1.24.0.0 255.248.0.0 58.x.x.1
ip route 1.56.0.0 255.248.0.0 58.x.x.1
ip route 1.188.0.0 255.252.0.0 58.x.x.1
ip route 14.204.0.0 255.254.0.0 58.x.x.1
ip route 27.8.0.0 255.248.0.0 58.x.x.1
ip route 27.36.0.0 255.252.0.0 58.x.x.1
ip route 27.40.0.0 255.248.0.0 58.x.x.1
ip route 27.54.192.0 255.255.224.0 58.x.x.1
ip route 27.98.224.0 255.255.224.0 58.x.x.1
ip route 27.106.128.0 255.255.192.0 58.x.x.1
ip route 27.112.8.0 255.255.252.0 58.x.x.1
ip route 27.112.12.0 255.255.254.0 58.x.x.1
ip route 27.115.0.0 255.255.128.0 58.x.x.1
ip route 27.131.220.0 255.255.252.0 58.x.x.1
ip route 27.192.0.0 255.224.0.0 58.x.x.1
ip route 36.32.0.0 255.252.0.0 58.x.x.1
ip route 36.248.0.0 255.252.0.0 58.x.x.1
ip route 42.48.0.0 255.254.0.0 58.x.x.1
ip route 42.51.0.0 255.255.0.0 58.x.x.1
ip route 42.62.0.0 255.255.224.0 58.x.x.1
ip route 42.62.32.0 255.255.248.0 58.x.x.1
ip route 42.63.0.0 255.255.0.0 58.x.x.1
ip route 42.84.0.0 255.252.0.0 58.x.x.1
ip route 42.157.0.0 255.255.248.0 58.x.x.1
ip route 42.157.8.0 255.255.252.0 58.x.x.1
ip route 42.224.0.0 255.240.0.0 58.x.x.1
ip route 58.16.0.0 255.248.0.0 58.x.x.1
ip route 58.24.0.0 255.254.0.0 58.x.x.1
ip route 58.68.128.0 255.255.240.0 58.x.x.1
ip route 58.68.144.0 255.255.248.0 58.x.x.1
ip route 58.68.179.0 255.255.255.0 58.x.x.1
ip route 58.68.180.0 255.255.255.0 58.x.x.1
...................... 800+ Unicom prefixes ......................     ! <-- a6
ip route 223.203.208.0 255.255.240.0 58.x.x.1
ip route 223.255.0.0 255.255.128.0 58.x.x.1
!
ip access-list extended CNC-250
 permit ip host 192.168.0.250 any
ip access-list extended TEL-251
 permit ip host 192.168.0.251 any                                    ! <-- a7
!
access-list 2001 permit ip 192.168.0.0 0.0.0.255 any                 ! <-- a8
!
route-map unicom permit 10
 match ip address 2001
 match interface GigabitEthernet0/2
 set ip next-hop 58.x.x.1
!
route-map telecom permit 10
 match ip address 2001
 match interface GigabitEthernet0/1
 set ip next-hop 121.x.x.118                                         ! <-- a9
!
route-map PBR-WWW permit 10
 match ip address TEL-251
 match interface GigabitEthernet0/1
 set ip next-hop 121.x.x.118
!
route-map PBR-WWW permit 20
 match ip address CNC-250
 match interface GigabitEthernet0/2
 set ip next-hop 58.x.x.1                                            ! <-- a10
!
!
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
end
a1: Policy routing applied on the inside interface, so that traffic coming in from the internet to the web server returns over the correct line; this avoids replies leaving through the wrong interface, which would stop users from reaching the site.
a2: Create the Telecom and Unicom address pools used for NAT.
a3: Dual-line NAT uses route-maps to match; "overload" is essential. For details, ask Baidu.
a4: The two inside IPs here are two addresses configured on the web server's single NIC. Telecom and Unicom users access different IPs, which is what makes the policy routing possible: traffic from each IP goes to a different outside interface, and users can access the site normally.
a5: Two default static routes are added here: the Telecom one has no metric and is the default line; the Unicom one has metric 50 and serves as the backup.
a6: The 846 Unicom prefixes collected from the internet, so that LAN users can also reach the internet over the Unicom line, splitting the traffic.
a7: These two ACLs are used by route-map PBR-WWW to match and redirect the traffic of these two IPs.
a8: This ACL specifies the inside IP addresses allowed to be NATed.
a9: Used for NAT address translation; specifies that NAT can be done on the different lines.
a10: The route-map PBR-WWW
sends traffic from 192.168.0.250 out the Unicom port;
sends traffic from 192.168.0.251 out the Telecom port;
so that when users come in to the web server, the traffic goes back out through the same port it came in on. This is the tricky part; without giving the web server 2 IPs it is hard to achieve this.
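As an added example (not from the original post), the following Python model reproduces both the asymmetric-return problem described earlier (a client that arrives on the Unicom IP but whose source is not in the Unicom prefix list gets its reply routed out the Telecom line, and vice versa) and the fix from notes a4 and a10 (a second inside IP plus route-map PBR-WWW). It assumes the documentation addresses 203.0.113.116 and 198.51.100.4 as constructed stand-ins for the post's masked 121.x.x.116 and 58.x.x.4, and uses only a handful of the Unicom prefixes from the route table.

```python
import ipaddress

# Constructed stand-ins for the post's masked public addresses:
# 203.0.113.116 plays 121.x.x.116 (Telecom), 198.51.100.4 plays 58.x.x.4 (Unicom).
TELECOM_PUBLIC = ipaddress.ip_address("203.0.113.116")
UNICOM_PUBLIC = ipaddress.ip_address("198.51.100.4")

# A few of the ~846 Unicom prefixes the router carries as static routes via 58.x.x.1.
UNICOM_PREFIXES = [ipaddress.ip_network(p) for p in (
    "1.24.0.0/13", "1.56.0.0/13", "1.188.0.0/14", "14.204.0.0/15", "27.8.0.0/13")]

# Static port-80 NAT: before the fix both public IPs map to the one server IP;
# after it each public IP maps to its own inside address (note a4).
STATIC_NAT_BEFORE = {TELECOM_PUBLIC: "192.168.0.251", UNICOM_PUBLIC: "192.168.0.251"}
STATIC_NAT_AFTER = {TELECOM_PUBLIC: "192.168.0.251", UNICOM_PUBLIC: "192.168.0.250"}

# route-map PBR-WWW (note a10): inside source address -> forced exit line.
PBR_WWW = {"192.168.0.251": "telecom", "192.168.0.250": "unicom"}


def table_egress(dst_ip):
    """Destination-based routing: a Unicom static route wins, else the Telecom default."""
    dst = ipaddress.ip_address(dst_ip)
    return "unicom" if any(dst in net for net in UNICOM_PREFIXES) else "telecom"


def reply_egress(inside_src, client_ip, pbr_enabled):
    """Exit line chosen for the web server's reply packet."""
    if pbr_enabled and inside_src in PBR_WWW:
        return PBR_WWW[inside_src]   # PBR on Gi0/0 overrides the routing table
    return table_egress(client_ip)


def web_flow(client_ip, public_ip, fixed):
    """Return (line the request arrived on, line the reply leaves on, symmetric?)."""
    inbound = "telecom" if public_ip == TELECOM_PUBLIC else "unicom"
    inside = (STATIC_NAT_AFTER if fixed else STATIC_NAT_BEFORE)[public_ip]
    outbound = reply_egress(inside, client_ip, pbr_enabled=fixed)
    return inbound, outbound, inbound == outbound


if __name__ == "__main__":
    # 192.0.2.10: constructed "other carrier" client that resolved the Unicom IP (problem a).
    # 1.24.5.5: constructed Unicom client that resolved the Telecom IP (problem b).
    for client, public in (("192.0.2.10", UNICOM_PUBLIC), ("1.24.5.5", TELECOM_PUBLIC)):
        for fixed in (False, True):
            label = "after fix" if fixed else "before fix"
            print(client, "->", public, label, web_flow(client, public, fixed))
```

A flow whose third value is False is one where the reply leaves with a different public source address than the client connected to, which is exactly why those clients could not load the site.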
Hope this helps fellow travellers who need it!!!!!!!!!!!!!!!!!!!!!
See the attachment for a more detailed description of the project.