After an IPsec tunnel is established between a USG2200 and a USG2100, one intranet IP address cannot communicate with the remote subnet
2014/11/10 13:50:44
Problem description
The IPsec VPN between the USG2200 and the USG2100 has been established successfully. The 192.168.13.0/24 subnet behind the USG2200 and the 192.168.103.0/24 subnet behind the USG2100 can already reach each other, but the PC at 192.168.13.11 behind the USG2200 cannot access the remote devices, while the remote devices can successfully initiate access to 192.168.13.11.
Handling process
Ping the USG2100 interface IP 192.168.103.1 from 192.168.13.11 and check the session table on the USG2200. The output is as follows:
[USG2200]display firewall session table verbose source inside 192.168.13.11
Current Total Sessions : 1
icmp VPN:public --> public
Zone: trust--> untrust TTL: 00:00:20 Left: 00:00:18
Interface: GigabitEthernet0/0/0 NextHop: 192.168.103.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:1 bytes:60
192.168.13.11:43827[58.56.90.30:43827]-->192.168.103.1:2048
The source IP address is translated to the public-facing interface IP on the way out. Checking the NAT configuration shows that the interzone NAT configuration is correct:
nat-policy interzone trust untrust outbound
policy 2
action no-nat
policy source 192.168.13.0 mask 24
policy source 192.168.12.0 mask 24
policy destination 192.168.100.0 mask 24
policy destination 192.168.101.0 mask 24
policy destination 192.168.102.0 mask 24
policy destination 192.168.103.0 mask 24
policy 1
action source-nat
policy source 192.168.10.0 mask 24
policy source 192.168.12.0 mask 24
policy source 192.168.13.0 mask 24
policy source 192.168.1.0 mask 24
easy-ip GigabitEthernet0/0/0
However, the customer had also configured a nat server command on the device:
nat server 11 protocol tcp global 58.56.90.30 3389 inside 192.168.13.11 3389
As a result, when 192.168.13.11 accesses a remote IP, the packet matches the reverse server-map entry and the source IP address is translated directly to 58.56.90.30.
The problem was resolved after modifying the nat server command.
Root cause
When nat server is configured without the no-reverse parameter, both a forward and a reverse server-map entry are created, and server-map entries take priority over the interzone NAT policy. Therefore, when packets from this intranet IP cross the zone boundary, they hit the reverse server-map entry before the no-nat policy is ever consulted.
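The lookup order described above, as an added example that is not part of the original case and not Huawei's code: a small Python model in which reverse server-map entries are consulted before the interzone nat-policy entries. The policy contents come from the case; the evaluation order, the class names and the assumption that GigabitEthernet0/0/0 holds 58.56.90.30 (taken from the session table) are mine.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the USG NAT decision for a trust -> untrust packet
# (assumption: server-map lookup first, then nat-policy entries in listed order).

class NatServer:
    """One 'nat server ... global G inside I [no-reverse]' line."""
    def __init__(self, global_ip: str, inside_ip: str, no_reverse: bool = False):
        self.global_ip, self.inside_ip, self.no_reverse = global_ip, inside_ip, no_reverse

class NatPolicy:
    """One 'policy N' entry of 'nat-policy interzone trust untrust outbound'."""
    def __init__(self, action: str, sources: List[str],
                 destinations: Optional[List[str]] = None, easy_ip: Optional[str] = None):
        self.action, self.sources, self.destinations, self.easy_ip = action, sources, destinations, easy_ip

def _in_any(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def translate_source(src: str, dst: str, servers: List[NatServer],
                     policies: List[NatPolicy]) -> Tuple[str, str]:
    """Return (translated source address, reason) for an outbound packet src -> dst."""
    # Step 1: a reverse server-map entry exists only when no-reverse is absent,
    # and it takes priority over the interzone NAT policy.
    for s in servers:
        if not s.no_reverse and src == s.inside_ip:
            return s.global_ip, "reverse server-map"
    # Step 2: interzone nat-policy, first matching entry wins.
    for p in policies:
        if _in_any(src, p.sources) and (p.destinations is None or _in_any(dst, p.destinations)):
            if p.action == "no-nat":
                return src, "no-nat policy"
            return p.easy_ip, "source-nat policy"
    return src, "no match"

# Configuration from the case (assumption: easy-ip on GE0/0/0 resolves to 58.56.90.30).
POLICIES = [
    NatPolicy("no-nat", ["192.168.13.0/24", "192.168.12.0/24"],
              ["192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24", "192.168.103.0/24"]),
    NatPolicy("source-nat", ["192.168.10.0/24", "192.168.12.0/24", "192.168.13.0/24", "192.168.1.0/24"],
              easy_ip="58.56.90.30"),
]
BEFORE_FIX = [NatServer("58.56.90.30", "192.168.13.11")]                   # no 'no-reverse'
AFTER_FIX = [NatServer("58.56.90.30", "192.168.13.11", no_reverse=True)]   # with 'no-reverse'

if __name__ == "__main__":
    for label, servers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, translate_source("192.168.13.11", "192.168.103.1", servers, POLICIES))
```

Any other host in 192.168.13.0/24 hits the no-nat policy in both cases, which is why only 192.168.13.11 was affected.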
Solution
Modify the nat server command so that no reverse server-map entry is created.
The modified configuration is as follows:
nat server 11 protocol tcp global 58.56.90.30 3389 inside 192.168.13.11 3389 no-reverse
Recommendations and summary
When users on the two sides cannot reach each other after an IPsec VPN has been established successfully, check the following points:
1. Whether the traffic between the two sides' users falls within the interesting traffic (security ACL).
2. Whether the interzone policy permits it. Traffic between IPsec VPN sites normally enters from the external zone, so the interzone policy from the external zone to the internal zone must be opened.
3. NAT configuration. Traffic going through the IPsec VPN should not be NATed, but NAT processing happens before the data is placed into the tunnel, so the configuration must be modified so that tunnel traffic is not NATed. Besides the interzone NAT policy, also pay attention to the reverse server-map entries created by nat server. Check the session table to see whether the traffic has been translated.