Print

防火墙nat66不通定位

2020-09-05 发表

组网及说明

FD00::xxxx:xx:132:23:2/64 pc1----------FD00::xxxx:xx:132:23:1/64 reth2 fw reth1 2408:xxxx:xxx:1003::3/64--------- pc2  2408:xxxx:xxx:1003::2


问题描述

pc1pingpc2触发nat66表象构建但是业务不通

过程分析

 fw上reth1下面配置nat66

#

nat66 prefix source FD00:x:x:5023:: 64 2408:xxxx:xxx:1003:: 64

 ipv6 address 2408:xxxx:xxx:1003::3/64

#

ipv6 route-static :: 0 2408:xxxx:xxx:1003::2

#

初步看路由转换配置无异常

按照防火墙常规定位过程先查看会话,发现是有记录的,状态处理仅到了ICMPV6_REQUEST,初步怀疑pc2没有回包

[H3C]dis nat66 ses ver

Slot 1:

Initiator:

  Source      IP/port: FD00::xxxx:xx:132:23:2/1

  Destination IP/port: 2408:xxxx:xxx:1003::2/32768

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: Reth2

  Source security zone: Trust

Responder:

  Source      IP/port: 2408:xxxx:xxx:1003::2/1

  Destination IP/port: 2408:xxxx:xxx:1003:xxxx:xxx:23:2/33024

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: Reth1

  Source security zone: Untrust

State: ICMPV6_REQUEST

Application: ICMP

Rule ID: 0

Rule name: Local-Trust

Start time: 2020-08-13 18:20:28  TTL: 49s

Initiator->Responder:            4 packets        320 bytes

Responder->Initiator:            0 packets          0 bytes

Total sessions found: 1

         

debug nat和ip packet看数据包转换和转发正常,大概率为pc2电脑的问题

*Aug 13 18:31:31:101 2020 H3C NAT/7/COMMON: -COntext=1;

 PACKET: (Reth2-out-session) Protocol: ICMPV6

fd00::xxxx:xx:132:23:2:    1 - 2408:xxxx:xxx:1003::2:32768(VPN:    0) ------>

2408:xxxx:xxx:1003:8c7a:132:23:2:    1 - 2408 :xxxx:xxx: 1003::2:32768(VPN:    0)

*Aug 13 18:31:31:101 2020 H3C IP6FW/7/IP6FW_PACKET: -COntext=1;

Sending, interface = Reth1, version = 6, traffic class = 0,

flow label = 0, payload length = 40, protocol = 58, hop limit = 127,

Src = 2408 :xxxx:xxx: 1003:8c7a:132:23:2, Dst = 2408 :xxxx:xxx: 1003::2, 

prompt: Sending the packet from Reth2 through Reth1.

协调现场进行抓包,发现pc2没有回应数据包,但是现场表示换了其他的电脑也是一样的情况,排查陷入僵局;

翻看nat66限制那个地方找到突破点,

1. 配置限制和指导

转换后的源IPv6地址前缀不能与NAT66设备的外网地址前缀以及目的外网地址前缀相同

发现现场没有避开这个限制


解决方法

将nat66配置修正避开限制指导说明后现场问题解决