Symptom: Server 1 and Server 2 ping www.baidu.com without problems, but pinging 106.15.251.68 fails.
1. NAT server configuration on the two Internet-facing interfaces:
interface Reth1.1200
ip address 116.x.x.194 255.255.255.192
nat server protocol icmp global 116.x.x.197 inside 10.x.x.151 rule 1 icmp counting
#
interface Reth1.1300
ip address 220.x.x.130 255.255.255.224
nat server protocol icmp global 220.x.x.133 inside 10.x.x.152 rule 1 icmp counting
3. Session table for the failing flow (note that the responder direction shows no reply packets):
display session table ipv4 source-ip 10.x.x.151 destination-ip 106.15.251.68 verbose
Initiator:
Source IP/port: 10.x.x.151/9714
Destination IP/port: 106.15.251.68/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Reth2.1021
Source security zone: APP
Responder:
Source IP/port: 106.15.251.68/9714
Destination IP/port: 10.x.x.151/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Reth1.1300
Source security zone: Internet
State: ICMP_REQUEST
Application: ICMP
Rule ID: 11
Rule name: xx
Start time: 2022-04-25 10:10:56 TTL: 59s
Initiator->Responder: 114 packets 9576 bytes
Responder->Initiator: 0 packets 0 bytes
4. Enable packet debugging filtered by an ACL that matches both directions of the flow:
acl ad 3000
rule 0 permit ip source ip 10.x.x.151 0 destination 106.15.251.68 0
rule 5 permit ip source ip 106.15.251.68 0 destination 10.x.x.151 0
IP packet debugging switch is on ( ACL:3000 )
IP info debugging switch is on ( ACL:3000 )
NAT packet debugging switch is on(acl:3000)
After enabling these, only "debugging ip packet" produces output; the other two (IP info and NAT packet) print nothing, which confirms that no NAT translation is being performed:
Receiving, interface = Reth2.1021
version = 4, headlen = 20, tos = 16
pktlen = 401, pktid = 24650, offset = 0, ttl = 63, protocol = 17
checksum = 17497, s = 10.x.x.151, d = 106.15.251.68
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Reth2.1021.
Payload: UDP
source port = 7368, destination port = 5080
checksum = 0x9b26, length = 381.
Sending, interface = Reth1.1300
version = 4, headlen = 20, tos = 16
pktlen = 401, pktid = 24650, offset = 0, ttl = 62, protocol = 17
checksum = 17753, s = 10.x.x.151, d = 106.15.251.68
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Sending IP packet received from interface Reth2.1021 at interface Reth1.1300.
Payload: UDP
source port = 7368, destination port = 5080
checksum = 0x9b26, length = 381.
The packet is received on Reth2.1021, which is correct. However, it is sent out through Reth1.1300 (the China Unicom link), which is wrong: the original requirement was for .151 to go out via China Telecom, yet it is being forwarded over the Unicom line. Since the packet does not leave through the expected interface, the next step is to check the routing configuration.
===============display ip routing-table===============
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
0.0.0.0/0           Static  60   0     116.x.x.193    Reth1.1200
                                       220.x.x.129    Reth1.1300
This is an equal-cost route, and that is the root cause of the problem:
Because of the equal-cost routes, traffic is assigned at random to one of the two Internet egress links, giving two cases:
When a flow is assigned to Reth1.1200, NAT translation is performed and the external network is reached successfully.
When a flow is assigned to Reth1.1300, the packet is forwarded directly with its private source address unchanged, and the remote server drops it.
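As an added illustration (not part of the original case), the script below applies the same reasoning to the verbose session record shown above: the responder's inbound interface is the egress the flow actually took, and if the initiator's source address has its NAT server mapping on a different interface, the packet leaves with its private address. The NAT_SERVER table and the session text are constructed from the case's configuration and output.

```python
import re

# NAT server mappings from the case's configuration: inside address -> interface
# whose "nat server" rule translates it (addresses keep the page's x.x masking).
NAT_SERVER = {"10.x.x.151": "Reth1.1200", "10.x.x.152": "Reth1.1300"}

# Constructed from the verbose session record in the case (only the fields used here).
SESSION_OUTPUT = """Initiator:
  Source IP/port: 10.x.x.151/9714
  Destination IP/port: 106.15.251.68/2048
  Inbound interface: Reth2.1021
Responder:
  Source IP/port: 106.15.251.68/9714
  Destination IP/port: 10.x.x.151/0
  Inbound interface: Reth1.1300
Initiator->Responder: 114 packets 9576 bytes
Responder->Initiator: 0 packets 0 bytes
"""

def parse_session(text):
    """Parse one session record into {initiator_src, initiator_if, responder_src, ...}."""
    rec, side = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Initiator:", "Responder:"):
            side = line[:-1].lower()
            continue
        m = re.match(r"(Source IP/port|Inbound interface): (\S+?)(?:/\d+)?$", line)
        if m and side:
            key = "src" if m.group(1).startswith("Source") else "if"
            rec[f"{side}_{key}"] = m.group(2)
            continue
        m = re.match(r"(Initiator->Responder|Responder->Initiator): (\d+) packets", line)
        if m:
            rec[m.group(1)] = int(m.group(2))
    return rec

def diagnose(rec, nat_server):
    """The responder's inbound interface is the egress the flow took; check that the
    initiator's address actually has its NAT server mapping on that interface."""
    findings, src, egress = [], rec["initiator_src"], rec["responder_if"]
    expected = nat_server.get(src)
    if expected != egress:
        findings.append(f"{src} exits via {egress} but its NAT server mapping is on "
                        f"{expected}: the packet leaves with its private source address")
    if rec.get("Initiator->Responder", 0) and not rec.get("Responder->Initiator", 0):
        findings.append("one-way flow: requests sent, no replies seen")
    return findings
```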
Fix: match the source address with an ACL and use policy-based routing to pin the egress next hop for each server:
acl ad 3999
rule 0 permit ip source ip 10.x.x.151 0
acl ad 3888
rule 0 permit ip source ip 10.x.x.152 0
policy-based-route aaa permit node 10
if-match acl 3999
apply next-hop 116.x.x.193    (China Telecom next-hop address)
#
policy-based-route aaa permit node 20
if-match acl 3888
apply next-hop 220.x.x.129    (China Unicom next-hop address)