MSR830 VLAN内windows可以正常访问,centos访问不正常
- 0关注
- 1收藏,1162浏览
问题描述:
远端使用的路由器是MSR830 默认的VLAN1的ip是192.168.20.0/24,划分了VLAN4 IP是192.168.10.0/24 两个vlan没有做隔离
本地是通过VPN连入MSR830 VPN ipsec 中acl配置的是
acl number 3001
rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 192.168.9.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
rule 15 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
现在的情况是,
通过VPN访问:
1. 10段内的windows机器可以正常访问,正常RDP远程都可以
2. 10段内的linux机器,使用centos1810版本可以通过SSH连接上去,但是如果碰到需要刷新界面的,或者快速刷屏的情况就会卡主。使用centos1503版本直接就连不上,一直在等待,但是都是可以ping通的
3. 把同一台linux机器放入到20网段则是正常的
在20网段内访问:
在这里访问10网段的机器是正常的,windows linux都正常
组网及组网描述:
MSR830的配置附件已经上传了,麻烦老师们指导一下。谢谢
- 2019-06-08提问
- 举报
-
(0)
最佳答案
好像不支持附件的上传,部分配置如下,一行行手工换行好累啊。。。
# version 5.20, Release 2516P19
#
acl number 3000
rule 0 deny ip source 192.168.20.0 0.0.0.255
rule 5 permit ip
acl number 3001
rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 192.168.9.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
rule 15 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
acl number 3002
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 192.168.30.0 0.0.0.255
acl number 3040
rule 0 permit ip destination 192.168.10.0 0.0.0.255
rule 5 deny ip
acl number 3050
rule 0 deny ip destination 192.168.4.0 0.0.0.255
rule 5 deny ip destination 192.168.20.0 0.0.0.255
#
vlan 1
#
vlan 2 to 4
#
ike peer company_ipsec
proposal 1 pre-shared-key cipher $c$3$nN9PgqUKLxYibey1leCpN8CV3vSE6xuTwjs540ZS
remote-address 83.36.171.102
local-address 39.129.4.172
nat traversal dpd company_ipsec ipsec transform-set company_ipsec encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm 3des
#
ipsec policy 1048577 1 isakmp
connection-name company_ipsec
security acl 3001
pfs dh-group2 ike-peer company_ipsec transform-set company_ipsec sa duration traffic-based 1843200 sa duration time-based 28800
#
dhcp server ip-pool vlan1 extended
network ip range 192.168.20.1 192.168.20.119
network mask 255.255.255.0
gateway-list 192.168.20.1
dns-list 192.168.20.1
#
dhcp server ip-pool vlan2 extended
network ip range 192.168.5.1 192.168.5.254
network mask 255.255.255.0
gateway-list 192.168.5.1
dns-list 192.168.5.1
#
dhcp server ip-pool vlan3 extended
network ip range 192.168.4.1 192.168.4.254
network mask 255.255.255.0
gateway-list 192.168.4.1
dns-list 192.168.4.1
#
dhcp server ip-pool vlan4 extended
network ip range 192.168.10.1 192.168.10.254
network mask 255.255.255.0
gateway-list 192.168.10.1
dns-list 192.168.10.1
attack-defense policy 86 interface GigabitEthernet0/1
signature-detect action drop-packet signature-detect fraggle enable signature-detect land enable signature-detect winnuke enable signature-detect tcp-flag enable signature-detect icmp-unreachable enable signature-detect icmp-redirect enable signature-detect tracert enable signature-detect smurf enable signature-detect source-route enable signature-detect route-record enable signature-detect large-icmp enable defense scan enable defense scan add-to-blacklist defense syn-flood enable defense syn-flood action drop-packet defense udp-flood enable defense udp-flood action drop-packet defense icmp-flood enable defense icmp-flood action drop-packet
#
interface Vlan-interface1
ip address 192.168.20.1 255.255.255.0
tcp mss 1024
dhcp server apply ip-pool vlan1
ip flow-ordering internal
#
interface Vlan-interface2
ip address 192.168.5.1 255.255.255.0
dhcp server apply ip-pool vlan2
mac-address 9ce8-95fb-a876
firewall packet-filter 3050 inbound
#
interface Vlan-interface3
ip address 192.168.4.1 255.255.255.0
dhcp server apply ip-pool vlan3
mac-address 9ce8-95fb-a877
firewall packet-filter 3040 inbound
# interface Vlan-interface4
ip address 192.168.10.1 255.255.255.0
dhcp server apply ip-pool vlan4
#
interface GigabitEthernet0/1
port link-mode route
nat outbound 3000
ip address 39.129.4.172 255.255.255.128
ipsec no-nat-process enable ipsec policy 1048577 attack-defense apply policy 86 dns server 211.139.29.150 dns server 211.139.29.170 ip flow-ordering external
#
interface GigabitEthernet0/5
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet0/6
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/7
port link-mode bridge
port access vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/1 139.189.2.165
ip route-static 10.0.0.0 255.0.0.0 GigabitEthernet0/0 10.23.228.1
preference 1
return
- 2019-06-08回答
- 评论(5)
- 举报
-
(0)
从贴的配置来看,感觉像是出口IPSEC策略的感兴趣流中没有拒绝到10段的流量 # acl number 3000 rule 0 deny ip source 192.168.20.0 0.0.0.255 rule 5 permit ip acl number 3001 rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 192.168.9.0 0.0.0.255 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.9.0 0.0.0.255 rule 15 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.9.0 0.0.0.255 至DENY了20段的流量,具体看下是否可以deny掉10段的感兴趣流进行测试
附件应该是可以上传的吧?再试试?
acl 3000只是为了不允许20段的ip访问外网而已,你意思这里要加上10段?还是说是acl3001里面的10段不起作用?如果是不起作用的话为啥又可以ping通且windows能正常连接,就是ssh连不上
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
大神,麻烦帮忙看看,我提交了个回答,配置传不上来,只能一行行的手工换行了