Topology as shown in the figure:
The site needs traffic from 1.1.1.1 to port 6023 of 10.0.0.1 to be translated into traffic from 1.1.1.1 to port 23 of 10.0.0.1, that is, the destination address 10.0.0.1 is kept and only the destination port is translated.
Symptom
The connection fails.
Troubleshooting
Debugging shows that the packet hits a blackhole route and is dropped.
Solution
Bind the FW's outside interface g1/0/1 and inside interface g1/0/2 to separate VPN instances, and configure a cross-VPN-instance NAT on g1/0/1. The blackhole route for the global address then lives only in the outside VPN instance, while the translated packet is routed in the inside VPN instance, so the two no longer collide.
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip binding vpn-instance vpn1
ip address 1.1.1.2 255.255.255.0
nat server protocol tcp global 10.0.0.1 6023 vpn-instance vpn1 inside 10.0.0.1 23 vpn-instance vpn2 rule ServerRule_1
[fw]int GigabitEthernet 1/0/2
[fw-GigabitEthernet1/0/2]di thi
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip binding vpn-instance vpn2
ip address 10.0.0.2 255.255.255.0
Remember to permit the traffic in the security policy; for simplicity everything is permitted here (nat server translates the address first and the policy is matched afterwards, so only vpn2 needs to be permitted).
Security-policy ip
rule 2 name 2
action pass
vrf vpn2
Remember to configure the cross-VPN route (only the route from vpn2 to vpn1 is needed: in the forward direction the address is translated first and the route is looked up afterwards, so the packet passes directly from vpn1 into vpn2 and the lookup is done in vpn2's routing table).
ip route-static vpn-instance vpn2 1.1.1.0 24 vpn-instance vpn1 1.1.1.1
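To make the processing order this case relies on concrete (nat server rewrites the destination first, then the route lookup runs in the inside VPN instance), here is an added toy model of the firewall's forwarding path. It is constructed for this page and is not H3C code: it simplifies the real pipeline to per-VPN-instance longest-prefix-match tables plus one nat server rule, and it installs a /32 blackhole route for the nat server global address because the case's debug output shows the packet hitting exactly such a route. The two builder functions compare the single-table setup that fails with the vpn1/vpn2 setup from the configuration above.

```python
"""Toy model of nat server + VPN-instance routing for this case (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

BLACKHOLE = "blackhole"   # next hop marker for a blackhole route
DIRECT = "direct"         # next hop marker for a connected route


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str               # BLACKHOLE, DIRECT or a next-hop IP
    next_vrf: Optional[str]     # set for a cross-VPN-instance static route


@dataclass(frozen=True)
class NatServerRule:
    """nat server protocol tcp global <ip> <port> vpn-instance <vrf> inside <ip> <port> vpn-instance <vrf>"""
    global_ip: str
    global_port: int
    global_vrf: str
    inside_ip: str
    inside_port: int
    inside_vrf: str


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    vrf: str   # VPN instance of the ingress interface


class Router:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}
        self.nat_rules: List[NatServerRule] = []

    def add_route(self, vrf: str, prefix: str, next_hop: str, next_vrf: Optional[str] = None) -> None:
        self.tables.setdefault(vrf, []).append(Route(ip_network(prefix), next_hop, next_vrf))

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """Longest-prefix match inside one VPN instance's routing table."""
        addr = ip_address(dst)
        matches = [r for r in self.tables.get(vrf, []) if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def nat_server(self, pkt: Packet) -> Packet:
        """Destination NAT: rewrite dst address/port and move the packet into the inside VPN instance."""
        for r in self.nat_rules:
            if (pkt.vrf, pkt.dst, pkt.dport) == (r.global_vrf, r.global_ip, r.global_port):
                return Packet(pkt.src, pkt.sport, r.inside_ip, r.inside_port, r.inside_vrf)
        return pkt

    def forward(self, pkt: Packet) -> str:
        """NAT first, route lookup second (the order the case text describes). Returns the decision."""
        pkt = self.nat_server(pkt)
        route = self.lookup(pkt.vrf, pkt.dst)
        if route is None or route.next_hop == BLACKHOLE:
            return "drop"
        egress_vrf = route.next_vrf or pkt.vrf
        return f"forward in {egress_vrf} to {pkt.dst}:{pkt.dport} via {route.next_hop}"


def build_single_table() -> Router:
    """Everything in one routing table: the blackhole /32 for 10.0.0.1 shadows the connected /24."""
    fw = Router()
    fw.add_route("public", "1.1.1.0/24", DIRECT)
    fw.add_route("public", "10.0.0.0/24", DIRECT)
    fw.add_route("public", "10.0.0.1/32", BLACKHOLE)   # installed for the nat server global address
    fw.nat_rules.append(NatServerRule("10.0.0.1", 6023, "public", "10.0.0.1", 23, "public"))
    return fw


def build_vpn_isolated() -> Router:
    """g1/0/1 in vpn1, g1/0/2 in vpn2, cross-VPN nat server, vpn2 -> vpn1 static route, as on this page."""
    fw = Router()
    fw.add_route("vpn1", "1.1.1.0/24", DIRECT)
    fw.add_route("vpn1", "10.0.0.1/32", BLACKHOLE)     # blackhole stays confined to vpn1
    fw.add_route("vpn2", "10.0.0.0/24", DIRECT)
    fw.add_route("vpn2", "1.1.1.0/24", "1.1.1.1", next_vrf="vpn1")   # ip route-static vpn-instance vpn2 ...
    fw.nat_rules.append(NatServerRule("10.0.0.1", 6023, "vpn1", "10.0.0.1", 23, "vpn2"))
    return fw


# Constructed sample packets: the telnet SYN from RT1 and the reply from RT2.
FORWARD_PKT = Packet("1.1.1.1", 1370, "10.0.0.1", 6023, "vpn1")
FORWARD_PKT_SINGLE = Packet("1.1.1.1", 1370, "10.0.0.1", 6023, "public")
REPLY_PKT = Packet("10.0.0.1", 23, "1.1.1.1", 1370, "vpn2")

if __name__ == "__main__":
    print("single table :", build_single_table().forward(FORWARD_PKT_SINGLE))
    print("vpn isolated :", build_vpn_isolated().forward(FORWARD_PKT))
    print("reply        :", build_vpn_isolated().forward(REPLY_PKT))
```

Run it and the single-table router drops the translated packet, because after translation the destination 10.0.0.1 matches the /32 blackhole rather than the connected /24; the VPN-isolated router looks the same destination up in vpn2, where only the connected route exists. The reply packet shows why only the vpn2-to-vpn1 static route is needed: it enters in vpn2 and is handed to vpn1 by that route, while the forward packet never consults vpn1's table after translation.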
After the configuration is complete, test from RT1: logging in to RT2 through port 6023 of 10.0.0.1 now succeeds.
<rt1>telnet 10.0.0.1 6023
Trying 10.0.0.1 ...
Press CTRL+K to abort
Connected to 10.0.0.1 ...
******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<rt2>
[fw]display session table ipv4 verbose
Slot 1:
Initiator:
Source IP/port: 1.1.1.1/1370
Destination IP/port: 10.0.0.1/6023
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn1/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Untrust
Responder:
Source IP/port: 10.0.0.1/23
Destination IP/port: 1.1.1.1/1370
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn2/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Trust
State: TCP_ESTABLISHED
Application: XWINDOWS
Rule ID: 2
Rule name: 2
Start time: 2022-09-03 08:23:08 TTL: 1191s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes