FD00::xxxx:xx:132:23:2/64 pc1----------FD00::xxxx:xx:132:23:1/64 reth2 fw reth1 2408:xxxx:xxx:1003::3/64--------- pc2 2408:xxxx:xxx:1003::2
pc1 pinging pc2 creates a NAT66 session, so on the surface the translation is working, but the traffic does not get through.
NAT66 is configured on the fw under reth1:
#
nat66 prefix source FD00:x:x:5023:: 64 2408:xxxx:xxx:1003:: 64
ipv6 address 2408:xxxx:xxx:1003::3/64
#
ipv6 route-static :: 0 2408:xxxx:xxx:1003::2
#
At first glance the routing and translation configuration show nothing abnormal.
Following the usual firewall troubleshooting procedure, first check the session table. A session does exist, but its state only reached ICMPV6_REQUEST, so the initial suspicion is that pc2 is not sending a reply:
[H3C]dis nat66 ses ver
Slot 1:
Initiator:
Source IP/port: FD00::xxxx:xx:132:23:2/1
Destination IP/port: 2408:xxxx:xxx:1003::2/32768
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: IPV6-ICMP(58)
Inbound interface: Reth2
Source security zone: Trust
Responder:
Source IP/port: 2408:xxxx:xxx:1003::2/1
Destination IP/port: 2408:xxxx:xxx:1003:xxxx:xxx:23:2/33024
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: IPV6-ICMP(58)
Inbound interface: Reth1
Source security zone: Untrust
State: ICMPV6_REQUEST
Application: ICMP
Rule ID: 0
Rule name: Local-Trust
Start time: 2020-08-13 18:20:28 TTL: 49s
Initiator->Responder: 4 packets 320 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
debug nat and debug ip packet show the translation and forwarding working normally, so the problem most likely lies on the pc2 side:
PACKET: (Reth2-out-session) Protocol: ICMPV6
fd00::xxxx:xx:132:23:2: 1 - 2408:xxxx:xxx:1003::2:32768(VPN: 0) ------>
2408:xxxx:xxx:1003:8c7a:132:23:2: 1 - 2408 :xxxx:xxx: 1003::2:32768(VPN: 0)
*Aug 13 18:31:31:101 2020 H3C IP6FW/7/IP6FW_PACKET: -COntext=1;
Sending, interface = Reth1, version = 6, traffic class = 0,
flow label = 0, payload length = 40, protocol = 58, hop limit = 127,
Src = 2408 :xxxx:xxx: 1003:8c7a:132:23:2, Dst = 2408 :xxxx:xxx: 1003::2,
prompt: Sending the packet from Reth2 through Reth1.
The site was asked to capture packets; the capture confirms that pc2 never answers, but the site reports that swapping in other PCs gives the same result, so the investigation stalls.
Re-reading the NAT66 restrictions turns up the breakthrough:
the translated source IPv6 prefix must not be the same as the NAT66 device's outside-interface address prefix or the destination's outside address prefix.
The site's configuration does not respect this restriction: the mapped prefix 2408:xxxx:xxx:1003::/64 is the very prefix that reth1 (2408:xxxx:xxx:1003::3/64) and pc2 (2408:xxxx:xxx:1003::2) sit in, so pc2 treats the translated source address as on-link and tries to resolve it with neighbor discovery instead of sending its reply back through the firewall.
After the nat66 configuration was corrected to avoid the restriction as documented, the problem was resolved.
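As an added example (not from the original note and not H3C's code), a small Python checker that flags a NAT66 mapped prefix which collides with the outside-interface or destination prefix, and shows the RFC 6296 checksum-neutral rewrite that the firewall's prefix translation is assumed here to follow; it is why the translated address in the debug output also has a rewritten fifth hextet, not just a new prefix. All prefixes are constructed documentation values standing in for the masked ones above.

```python
import ipaddress

def words_of(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    b = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]

def ocs(words):
    """One's complement 16-bit sum, as used by the TCP/UDP/ICMPv6 checksum."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def nptv6_translate(addr, inside, outside):
    """Map addr from the inside /64 to the outside /64 (RFC 6296 style).
    The prefix words are swapped and the first IID word that is not 0xFFFF
    absorbs the prefix delta, so the pseudo-header checksum is unchanged."""
    inside, outside = ipaddress.IPv6Network(inside), ipaddress.IPv6Network(outside)
    assert inside.prefixlen == outside.prefixlen == 64, "example handles /64 only"
    w = words_of(addr)
    new = words_of(outside.network_address)[:4] + w[4:]
    adjust = ocs([ocs(words_of(inside.network_address)[:4]),
                  ~ocs(words_of(outside.network_address)[:4]) & 0xFFFF])
    idx = next(i for i in range(4, 8) if w[i] != 0xFFFF)  # first usable IID word
    new[idx] = ocs([w[idx], adjust])
    if new[idx] == 0xFFFF:          # RFC 6296: a 0xFFFF result becomes 0x0000
        new[idx] = 0
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in new))

def nat66_prefix_violations(mapped, outside_if, dst):
    """Apply the NAT66 rule quoted in the note: the translated source prefix must
    not coincide with the NAT66 device's outside-interface prefix or with the
    destination's prefix. Overlapping prefixes are flagged too, not only equal ones."""
    mapped = ipaddress.IPv6Network(mapped)
    problems = []
    if mapped.overlaps(ipaddress.IPv6Interface(outside_if).network):
        problems.append("translated prefix equals the firewall's outside-interface prefix")
    if ipaddress.IPv6Address(dst) in mapped:
        problems.append("translated prefix equals the destination host's prefix")
    return problems

if __name__ == "__main__":
    # Constructed values mirroring the note's topology (not the real prefixes).
    inside, pc1 = "fd00:0:0:5023::/64", "fd00:0:0:5023:0:132:23:2"
    reth1, pc2 = "2001:db8:ffff:1003::3/64", "2001:db8:ffff:1003::2"
    for mapped in ("2001:db8:ffff:1003::/64",   # same prefix as reth1/pc2: fails
                   "2001:db8:ffff:2003::/64"):  # corrected mapping: passes
        print(mapped, nptv6_translate(pc1, inside, mapped),
              nat66_prefix_violations(mapped, reth1, pc2) or "OK")
```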