Best answer
First, check whether the firewall's security policy permits the interesting traffic.
Next, check whether NAT is configured on the firewall's egress interface. The IPsec interesting traffic must not go through the NAT process, so the ACL referenced by NAT must deny the interesting traffic.
Finally, look up the route for the interesting traffic on the firewall and check whether the session's next-hop interface matches the next-hop interface in the routing table.
(0)
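As an added example (not part of the original thread), the following Python script automates the first two checks from the answer above: it parses H3C-style ACL rules with wildcard masks and verifies that a given flow is permitted by the IPsec security ACL and denied by the NAT ACL. The sample ACL text is constructed to mirror ACLs 3000 and 3001 in the posted configuration, and the wildcard handling assumes contiguous masks.

```python
import ipaddress
import re

# Constructed sample input mirroring the two ACLs in the posted configuration:
# 3000 is the IPsec "interesting traffic" ACL, 3001 is the ACL used by nat outbound.
GOOD_CONFIG = """
acl number 3000
 rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
acl number 3001
 rule 5 deny ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
 rule 1000 permit ip
"""
# Same ACLs with the deny rule missing (constructed): VPN traffic would get NATed.
BAD_CONFIG = "\n".join(l for l in GOOD_CONFIG.splitlines() if "deny" not in l)

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip"
                     r"(?:\s+source\s+(\S+)\s+(\S+))?(?:\s+destination\s+(\S+)\s+(\S+))?")

def to_net(ip, wildcard):
    """H3C wildcard masks are inverted subnet masks (0.0.255.255 == /16).
    Assumes a contiguous wildcard; a missing address means 'any'."""
    if ip is None:
        return ipaddress.ip_network("0.0.0.0/0")
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def parse_acls(text):
    """Return {acl_number: [(rule_id, action, src_net, dst_net), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"acl number (\d+)", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rid, action, s_ip, s_wc, d_ip, d_wc = m.groups()
            acls[current].append((int(rid), action, to_net(s_ip, s_wc), to_net(d_ip, d_wc)))
    return acls

def acl_action(rules, src, dst):
    """First match in rule-id order wins; None means no rule matched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, s_net, d_net in sorted(rules, key=lambda r: r[0]):
        if s in s_net and d in d_net:
            return action
    return None

def check_flow(acls, ipsec_acl, nat_acl, src, dst):
    """A correct pair: the flow is permitted by the IPsec ACL and denied by
    (excluded from) the NAT ACL. Returns (interesting, excluded_from_nat)."""
    interesting = acl_action(acls[ipsec_acl], src, dst) == "permit"
    excluded = acl_action(acls[nat_acl], src, dst) == "deny"
    return interesting, excluded

if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, BAD_CONFIG):
        print(check_flow(parse_acls(cfg), 3000, 3001, "10.0.1.5", "172.16.11.7"))
```

A result of (True, False) is the misconfiguration the answer warns about: the flow is selected for IPsec but still goes through NAT.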
[FW] dis
[FW]display cu
[FW]display current-configuration
#
version 5.20, Release 3181P11
#
sysname FW
#
clock timezone Beijing add 08:00:00
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
ike local-name humblit_bj
#
interzone policy default by-priority
#
nat address-group 1
#
domain default enable system
#
dns server 202.106.196.115
dns server 202.106.0.20
#
telnet server enable
#
web https-authorization mode auto
#
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg pptp
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
time-range worktime 00:00 to 24:00 daily
#
acl number 2000
rule 0 permit
acl number 2001
rule 0 permit
#
acl number 3000
rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
acl number 3001
rule 5 deny ip source 10.0.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 1000 permit ip
#
acl accelerate number 3000
acl accelerate number 3001
#
vlan 1
#
domain humblit
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 192.16.2.2 192.16.2.254
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
ike proposal 1
encryption-algorithm aes-cbc 128
dh group5
authentication-algorithm md5
#
ike peer 1
#
ike peer humblit
proposal 1
pre-shared-key cipher $c$3$+RZzNwm7MMyfhiD3o6lWFKkkZzU1RZgCivry
remote-name humblit_cs
local-address 114.253.31.66
#
ipsec transform-set 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy-template map_temp 1
security acl 3000
ike-peer humblit
transform-set 1
sa duration traffic-based 1843200
sa duration time-based 3600
reverse-route
#
ipsec policy map1 10000 isakmp template map_temp
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$0E+9Sq5V9utrwUvQunhVrK65kHCFDnld
authorization-attribute level 3
service-type telnet
service-type web
local-user changsha
password cipher $c$3$ogMNU6D39Ib0ku7WsfnFySZuwy6nrBRrQuH0
authorization-attribute level 2
service-type ppp
local-user itadmin
password cipher $c$3$ch72DSurzQBWtvXHcu9XWwutuG7VNiSX+r3X
authorization-attribute level 2
service-type ppp
local-user lijixiang
password cipher $c$3$2IslouZCaBVLkVhnjeU0hO4HxMxCGXUiHbGx
authorization-attribute level 2
service-type ppp
local-user lixueduo
password cipher $c$3$E3SPmc3shwv+B3I9CWoY0+AlZLlWs64W9MkN
authorization-attribute level 2
service-type ssh telnet terminal
service-type ppp
service-type dvpn
service-type web
local-user pengkun
password cipher $c$3$W9rLtirUfIvok/FE2jCoJSJTNpTHWvIlY6RO
authorization-attribute level 2
service-type ppp
local-user wenjunjia
password cipher $c$3$/penegJit7xmOkTk763Z29YI/RB4pW/gD4Ht
authorization-attribute level 2
service-type ssh telnet terminal
service-type ftp
service-type ppp
service-type dvpn
service-type web
local-user wutianxi
password cipher $c$3$efIsisWaWFn7hGp7nicyfVPxSIMoJsWnoG1b
authorization-attribute level 2
service-type ssh telnet terminal
service-type ftp
service-type ppp
service-type dvpn
service-type web
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Virtual-Template1
ppp authentication-mode chap domain humblit
remote address pool 1
ip address 192.16.2.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface GigabitEthernet0/3
port link-mode route
#
interface GigabitEthernet2/0
port link-mode route
nat outbound 3001
ip address 114.253.31.66 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet2/1
port link-mode route
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet2/2
port link-mode route
#
interface GigabitEthernet2/3
port link-mode route
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface GigabitEthernet2/1
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface GigabitEthernet2/0
import interface Virtual-Template1
switchto vd Root
object network subnet 10.0.0.0/0.0.255.255
subnet 10.0.0.0 0.0.255.255
object network subnet 10.1.1.0/0.0.0.255
subnet 10.1.1.0 0.0.0.255
object network subnet 10.1.1.1/0.0.0.255
subnet 10.1.1.0 0.0.0.255
object network subnet 10.10.10.0/0.0.0.255
subnet 10.10.10.0 0.0.0.255
object network subnet 114.253.31.66/0.0.0.255
subnet 114.253.31.66 0.0.0.255
object network subnet 172.16.0.0/0.0.255.255
subnet 172.16.0.0 0.0.255.255
object network subnet 172.16.11.0/0.0.0.255
subnet 172.16.11.0 0.0.0.255
object network subnet humblit_bj
subnet 10.10.10.0 0.0.0.255
object network subnet humblit_bj01
subnet 10.0.0.0 0.0.255.255
object network subnet humblit_cs
subnet 10.1.1.0 0.0.0.255
object network subnet humblit_cs01
subnet 172.16.0.0 0.0.255.255
object network subnet humblit_cs02
subnet 10.100.0.0 0.0.255.255
object network host untrust
host address 114.253.31.66
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
interzone source Management destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule accelerate
interzone source Local destination Trust
rule 0 permit logging
source-ip any_address
destination-ip any_address
service any_service
rule enable
interzone source Local destination Untrust
rule 0 permit logging
source-ip any_address
destination-ip any_address
service any_service
rule enable
rule 1 permit
source-ip 10.0.0.0/0.0.255.255
destination-ip 172.16.0.0/0.0.255.255
service any_service
rule enable
interzone source Trust destination Local
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
rule accelerate
interzone source Trust destination Untrust
rule 1 permit
source-ip any_address
destination-ip humblit_cs
destination-ip humblit_cs01
destination-ip humblit_cs02
service any_service
rule accelerate
interzone source Untrust destination Local
rule 0 permit logging
source-ip 172.16.0.0/0.0.255.255
destination-ip 10.0.0.0/0.0.255.255
service any_service
rule enable
interzone source Untrust destination Trust
rule 0 permit logging
source-ip 172.16.0.0/0.0.255.255
destination-ip 10.0.0.0/0.0.255.255
service any_service
rule enable
rule accelerate
#
ip route-static 0.0.0.0 0.0.0.0 114.253.31.65
ip route-static 10.0.1.0 255.255.255.0 10.10.10.2
ip route-static 10.0.2.0 255.255.255.0 10.10.10.2
ip route-static 10.0.3.0 255.255.255.0 10.10.10.2
ip route-static 10.0.4.0 255.255.255.0 10.10.10.2
ip route-static 10.0.5.0 255.255.255.0 10.10.10.2
ip route-static 10.0.6.0 255.255.255.0 10.10.10.2
ip route-static 10.0.7.0 255.255.255.0 10.10.10.2
ip route-static 10.0.8.0 255.255.255.0 10.10.10.2
ip route-static 10.0.9.0 255.255.255.0 10.10.10.2
ip route-static 10.0.10.0 255.255.255.0 10.10.10.2
ip route-static 10.0.11.0 255.255.255.0 10.10.10.2
ip route-static 10.0.12.0 255.255.255.0 10.10.10.2
ip route-static 10.0.13.0 255.255.255.0 10.10.10.2
ip route-static 10.0.14.0 255.255.255.0 10.10.10.2
ip route-static 172.16.0.0 255.255.0.0 114.253.31.65
ip route-static 176.16.6.0 255.255.255.0 10.10.10.2
#
ssh server enable
#
nat static 10.10.10.1 114.253.31.66
#
ip https enable
#
load xml-configuration
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
(0)
Is the interesting traffic being matched? Have the specific routes toward the peer been configured?
(0)
The specific routes are in place, and reverse route injection is configured as well. No effect.
Check whether the security policy is dropping the received packets.