The main FW configuration is as follows. RAGG2.10 is the external (public-side) interface and RAGG1.10 is the internal interface.
#
interface Route-Aggregation2.10
ip address 100.158.1.1 255.255.255.0
nat outbound ---outbound NAT configuration on the egress interface
vlan-type dot1q vid 10
#
interface Route-Aggregation1.10
ip address 10.158.1.1 255.255.255.0
vlan-type dot1q vid 10
#
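How it works:
When the PORT packet passes through the FW it is processed by ALG, and the firewall's ALG module translates the address carried in it.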
*Jan 12 09:39:09:487 2024 F5080D_1 SESSION/7/ALG: -Chassis=1-Slot=2;
Tuple5(EVENT): 10.158.1.10/36948-->100.158.1.10/21(TCP(6))
Received packet, ALG Type: FTP_PORT.
*Jan 12 09:39:09:487 2024 F5080D_1 NAT/7/ALG: -Chassis=1-Slot=2;
PACKET: (Route-Aggregation2.10) ALG payload was translated according to configuration:
10.158.1.10/36978(VPN: 0) ---> 100.158.1.1/1028(VPN: 0) ---the client's private address and port are translated to the public address and port
*Jan 12 09:39:09:487 2024 F5080D_1 SESSION/7/RELATION: -Chassis=1-Slot=2;
Tuple(EVENT): 100.158.1.10/0 -->100.158.1.1/1028(TCP(6))
Relation entry was created for module calling ---the firewall creates the relation table entry
*Jan 12 09:39:09:487 2024 F5080D_1 SESSION/7/RELATION: -Chassis=1-Slot=2;
Tuple(EVENT): 100.158.1.10/0 -->100.158.1.1/1028(TCP(6))
Relation entry was backuped for fill info
*Jan 12 09:39:09:523 2024 F5080D_1 SESSION/7/RELATION: -Chassis=1-Slot=2;
Tuple(EVENT): 100.158.1.10/0 -->100.158.1.1/1028(TCP(6))
Relation entry was backuped for delete
*Jan 12 09:39:09:523 2024 F5080D_1 SESSION/7/RELATION: -Chassis=1-Slot=2;
Tuple(EVENT): 100.158.1.10/0 -->100.158.1.1/1028(TCP(6))
Relation entry was deleted for time out
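The payload rewrite and relation entry seen in the debug output above, reproduced as an added Python example (not H3C code and not part of the original case). The PORT line in `SAMPLE` is constructed from the addresses in the log using the RFC 959 `h1,h2,h3,h4,p1,p2` encoding; the function names and the `nat_map` structure are assumptions made for illustration.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Return (ip, port) carried in an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def build_port(ip: str, port: int) -> bytes:
    """Encode (ip, port) back into a PORT command line."""
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()


def alg_translate(line: bytes, nat_map: dict, server_ip: str):
    """Rewrite the PORT payload per nat_map and describe the expected data connection.

    Returns (new_line, length_delta, relation), or None when the line is not a
    valid PORT command or its endpoint has no NAT mapping (payload left alone).
    """
    endpoint = parse_port(line)
    if endpoint is None or endpoint not in nat_map:
        return None
    pub_ip, pub_port = nat_map[endpoint]
    new_line = build_port(pub_ip, pub_port)
    # Relation entry: server, any source port (0) -> translated address/port.
    relation = (server_ip, 0, pub_ip, pub_port, "TCP")
    return new_line, len(new_line) - len(line), relation


# Constructed sample: PORT line for client 10.158.1.10, data port 36978.
SAMPLE = b"PORT 10,158,1,10,144,114\r\n"
# Mapping taken from the NAT/7/ALG log line above.
NAT_MAP = {("10.158.1.10", 36978): ("100.158.1.1", 1028)}

if __name__ == "__main__":
    print(alg_translate(SAMPLE, NAT_MAP, "100.158.1.10"))
```

The rewritten line is shorter than the original, so a device that edits the payload this way also has to adjust TCP sequence and acknowledgement numbers on the control connection for the rest of the session.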