USG5500 with dual WAN links: the internal server can only be reached through one of the two egress interfaces.

Published: 2012-07-17   Views: 176   Downloads: 0
Problem description
China Telecom------
            USG5500-----internal server
China Netcom------
Customer feedback: the USG5500 has two external links, but the internal server can only be accessed via the 221.2.141.198 address.

Customer configuration:

[USG5500]  dis ip in b
15:42:24  2012/02/04
*down: administratively down
(s): spoofing
Interface                   IP Address      Physical Protocol Description
GigabitEthernet0/0/0        192.168.0.1     down     down     Huawei, USG5500
GigabitEthernet0/0/1        202.110.217.68  up       up       Huawei, USG5500
GigabitEthernet0/0/2        221.2.141.198   up       up       Huawei, USG5500
GigabitEthernet0/0/3        191.100.1.1     up       up       Huawei, USG5500
GigabitEthernet0/0/4        191.100.6.1     up       up       Huawei, USG5500
[USG5500]dis cu
15:43:23  2012/02/04
#
 sysname USG5500
 
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local isp direction inbound
 firewall packet-filter default permit interzone local isp direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone trust isp direction inbound
 firewall packet-filter default permit interzone trust isp direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone isp untrust direction inbound
 firewall packet-filter default permit interzone isp untrust direction outbound
 firewall packet-filter default permit interzone dmz isp direction inbound
 firewall packet-filter default permit interzone dmz isp direction outbound
#
 nat address-group 1 202.110.217.68 202.110.217.68
 nat address-group 2 221.2.141.198 221.2.141.198
 nat server 0 protocol tcp global 202.110.217.68 443 inside 191.100.6.2 443
 nat server 1 protocol tcp global 221.2.141.198 www inside 191.100.8.253 www
 nat server 2 protocol tcp global 221.2.141.198 8065 inside 191.100.8.253 8065
 nat server 3 protocol udp global 221.2.141.198 8065 inside 191.100.8.253 8065
 nat server 4 protocol tcp global 202.110.217.67 www inside 10.112.193.65 www
#
 firewall ipv6 session link-state check
#
 firewall session link-state check
#
 firewall defend smurf enable
 firewall defend ip-spoofing enable
 firewall defend arp-spoofing enable
 firewall defend sip-flood enable
 firewall source-ip detect interface GigabitEthernet0/0/1
 firewall source-ip detect interface GigabitEthernet0/0/2
 firewall defend arp-flood interface GigabitEthernet0/0/3 max-rate 1000
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 202.110.217.68 255.255.255.248
#
interface GigabitEthernet0/0/2
 ip address 221.2.141.198 255.255.255.240
#
interface GigabitEthernet0/0/3
 ip address 191.100.1.1 255.255.255.240
#
interface GigabitEthernet0/0/4
 ip address 191.100.6.1 255.255.255.252
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/3
 add interface GigabitEthernet0/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone dmz
 set priority 50
#
firewall zone name isp
 set priority 20
 add interface GigabitEthernet0/0/1
#
 ip route-static 0.0.0.0 0.0.0.0 221.2.141.193
 ip route-static 0.0.0.0 0.0.0.0 202.110.217.65
 ip route-static 10.112.0.0 255.255.0.0 191.100.1.2
 ip route-static 191.100.8.0 255.255.255.0 191.100.1.2
 ip route-static 192.168.1.0 255.255.255.0 191.100.1.2

Alarm information
Handling process
Disable ip-spoofing, or use policy-based routing to guarantee that the ingress and egress interfaces are the same.
Root cause
The configuration above shows that the customer has written two default routes. We initially suspected the problem met earlier: with two default routes, an inbound session can enter on one interface and leave on the other, and because the upstream device has reverse-path consistency checking enabled, the packets get dropped. But we ran the following test:
From a device on the public network, ping the USG5500 interface address that cannot be reached:
[USG2100]ping -c 100 202.110.217.68
[USG5500-hidecmd]dis firewall session table verbose_hide both-direction destination global 202.110.217.68
10:30:55  2012/02/04
 Current Total Sessions : 0

Checking the session table on the USG5500 shows no session entries, so this is not the previously suspected case of traffic entering on one interface and leaving on the other and being dropped by the upstream device's strict route check. From the symptoms, the packets either never reach the firewall or are dropped by the firewall directly.
A careful check of the configuration showed that attack defense is enabled:
firewall defend ip-spoofing enable
How ip-spoofing works
The packet's source IP address is looked up in reverse against the FIB; if the outbound interface found for that IP address differs from the interface the packet arrived on, the packet is treated as an IP spoofing attack and handled accordingly. When a specific route is configured, both directions stay within the China Netcom network and there is no problem; but with no specific route, the FIB lookup returns the China Telecom interface as the outbound interface, so the packet is judged to be an attack and is not processed any further.
Suggestions and summary
In a dual-egress deployment, if it cannot be guaranteed that the reverse path is consistent with the ingress interface, we recommend not enabling firewall defend ip-spoofing enable.
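To make the mechanism concrete, the following added example (not part of the original case, and not Huawei code) models the reverse-path check over the customer's FIB. It assumes a simplified lookup in which, among equal-length prefixes, the first-configured route wins (which is how the Telecom default route ends up being selected); the source address 198.51.100.7 and the /24 specific route are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


def lookup(fib, address):
    """Longest-prefix match. On equal prefix length the first route in the
    list wins (assumption: simplified model of how one of the two equal
    default routes is chosen for the reverse lookup)."""
    addr = ipaddress.ip_address(address)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def ip_spoofing_check(fib, src_ip, in_iface):
    """Strict reverse-path check as described for 'firewall defend ip-spoofing':
    the packet passes only if the FIB egress interface for its *source*
    address equals the interface it arrived on. Returns (verdict, fib_iface)."""
    r = lookup(fib, src_ip)
    if r is None:
        return ("drop", None)
    return ("pass" if r.interface == in_iface else "drop", r.interface)


# Static routes from the customer's config; the egress interface of each
# next hop follows from the interface addresses and masks shown above.
CUSTOMER_FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "221.2.141.193", "GigabitEthernet0/0/2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "202.110.217.65", "GigabitEthernet0/0/1"),
    Route(ipaddress.ip_network("10.112.0.0/16"), "191.100.1.2", "GigabitEthernet0/0/3"),
    Route(ipaddress.ip_network("191.100.8.0/24"), "191.100.1.2", "GigabitEthernet0/0/3"),
]


def demo():
    src = "198.51.100.7"  # constructed public source address (TEST-NET-2)
    via_ge1 = ip_spoofing_check(CUSTOMER_FIB, src, "GigabitEthernet0/0/1")  # dropped
    via_ge2 = ip_spoofing_check(CUSTOMER_FIB, src, "GigabitEthernet0/0/2")  # passes
    # A specific route for the source prefix toward GE0/0/1 makes the reverse
    # lookup agree with the ingress interface again (constructed /24).
    specific = Route(ipaddress.ip_network("198.51.100.0/24"), "202.110.217.65", "GigabitEthernet0/0/1")
    fixed = ip_spoofing_check([specific] + CUSTOMER_FIB, src, "GigabitEthernet0/0/1")
    return via_ge1, via_ge2, fixed
```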

END