Resolving a Problem with Dual-Uplink Server Publishing and Simultaneous L2TP Dial-up Communication

Published: 2012-07-18
Problem Description

The customer uses a USG2220 with two uplinks (dual egress). Two internal servers are published so that each server communicates through a different uplink. At the same time, an L2TP client on the Internet dials in to the intranet and communicates with the servers.

After the server publishing was configured, the customer found that the expected behaviour, traffic from each uplink reaching a different server, was not achieved; only one server could be published at a time.

The customer configured L2TP. Dialing in over one link succeeded and communicated with the intranet, but when the other link's address was used as the LNS address the tunnel could never be established.

The customer topology is as follows:

Alarm Information
Handling Procedure

The customer configuration after modification is as follows:

17:55:33 2010/11/23
#
acl number 3000
rule 5 permit ip
acl number 3001
rule 0 permit ip
acl number 3011
rule 0 deny ip source 192.168.102.0 0.0.0.255
rule 1 permit ip source 192.168.102.2 0
acl number 3012
rule 6 permit ip source 192.168.102.3 0
#
sysname USG2220
#
web-manager enable
#
l2tp enable
#
info-center timestamp debugging date
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local untrust2 direction inbound
firewall packet-filter default permit interzone local untrust2 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust untrust2 direction inbound
firewall packet-filter default permit interzone trust untrust2 direction outbound
firewall packet-filter default permit interzone untrust2 untrust direction inbound
firewall packet-filter default permit interzone untrust2 untrust direction outbound
nat server protocol tcp global 124.67.49.174 www inside 192.168.102.2 www
nat server protocol tcp global 123.178.192.194 www inside 192.168.102.3 www
#
firewall statistic system enable
#
vlan 1
#
vlan 2
#
traffic classifier class2
if-match acl 3012
traffic classifier class1
if-match acl 3011
#
traffic behavior behavior1
remark ip-nexthop 124.67.49.173 output-interface GigabitEthernet0/0/0
traffic behavior behavior2
remark ip-nexthop 123.178.192.193 output-interface GigabitEthernet0/0/1
#
qos policy mypolicy1
classifier class1 behavior behavior1
qos policy mypolicy2
classifier class1 behavior behavior2
#
interface Cellular0/1/0
link-protocol ppp
#
interface Vlanif2
ip address 192.168.102.1 255.255.255.0
#
interface Ethernet1/0/0
port link-type access
port access vlan 2
#
interface Ethernet1/0/1
port link-type access
#
interface Ethernet1/0/2
port link-type access
#
interface Ethernet1/0/3
port link-type access
#
interface Ethernet1/0/4
port link-type access
#
interface Virtual-Template0
ppp authentication-mode pap
ip address 172.19.20.1 255.255.255.0
remote address pool 1
#
interface GigabitEthernet0/0/0
ip address 124.67.49.174 255.255.255.252
qos apply policy mypolicy1 outbound
#
interface GigabitEthernet0/0/1
ip address 123.178.192.194 255.255.255.252
qos apply policy mypolicy2 outbound
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif2
add interface Virtual-Template0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall zone vzone
set priority 0
#
firewall zone name untrust2
set priority 6
add interface GigabitEthernet0/0/1
#
firewall interzone trust untrust
nat outbound 3000 interface GigabitEthernet0/0/0
#
firewall interzone trust untrust2
nat outbound 3001 interface GigabitEthernet0/0/1
#
l2tp-group 1
undo tunnel authentication
mandatory-lcp
allow l2tp virtual-template 0
#
aaa
local-user webadmin password simple webadmin2000
local-user webadmin service-type web telnet
local-user webadmin level 3
local-user dlvpn password simple 7777777
local-user dlvpn service-type ppp
local-user dlvpn level 3
ip pool 1 172.19.20.2 172.19.20.100
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
right-manager server-group
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 124.67.49.173
ip route-static 0.0.0.0 0.0.0.0 123.178.192.193 preference 61
ip route-static 172.19.20.0 255.255.255.0 Virtual-Template0
#
user-interface con 0
user-interface tty 9
authentication-mode none
modem both
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return

Root Cause

1. The customer's policy-based routing was configured incorrectly: the policy route was applied on the internal-network interface, so it did not take effect after being configured.

2. The customer had configured several equal-cost default routes without configuring a default route; with that configuration all traffic matched only the first default route.

3. The customer's ACL configuration was wrong.
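
As an added example (not part of the original case and not a Huawei tool), the following Python script parses the ACL, traffic classifier and qos policy sections of a VRP-style configuration and flags two defects that leave a policy route matching nothing: an ACL rule shadowed by an earlier rule of the opposite action, and a classifier that no policy binds. Run on the excerpt copied from the configuration above, it reports rule 1 of acl 3011 (covered by rule 0's deny) and class2 (neither policy references it); the rule parser only understands `rule N permit|deny ip [source A W]` lines.

```python
import re
from ipaddress import IPv4Address, ip_network
# Constructed input: the ACL, classifier and qos-policy lines copied from the case config above.
CONFIG = """\
acl number 3011
rule 0 deny ip source 192.168.102.0 0.0.0.255
rule 1 permit ip source 192.168.102.2 0
traffic classifier class2
if-match acl 3012
traffic classifier class1
if-match acl 3011
qos policy mypolicy1
classifier class1 behavior behavior1
qos policy mypolicy2
classifier class1 behavior behavior2
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: source (\S+) (\S+))?$")

def rule_network(addr, wildcard):
    """VRP ACLs use a contiguous inverse mask: '0.0.0.255' -> /24, a bare '0' -> host /32."""
    bits = int(IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    return ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def parse_config(text):
    """Sections keyed by their leading keyword: acl -> rules, traffic -> ACL ids, qos -> bindings."""
    cfg, cur = {"acl": {}, "traffic": {}, "qos": {}}, None
    for line in text.splitlines():
        w = line.split()
        if w[:2] in (["acl", "number"], ["traffic", "classifier"], ["qos", "policy"]):
            cur = cfg[w[0]].setdefault(w[2], [])
        elif m := RULE_RE.match(line.strip()):
            net = rule_network(m[3], m[4]) if m[3] else ip_network("0.0.0.0/0")
            cur.append((int(m[1]), m[2], net))
        elif w[:2] == ["if-match", "acl"]:
            cur.append(w[2])
        elif w[:1] == ["classifier"]:
            cur.append((w[1], w[3]))  # (classifier, behavior)
    return cfg

def find_shadowed_rules(acls):
    """(acl, rule, earlier rule): an earlier (lower-id) rule of opposite action covers the rule's whole source."""
    return [(acl, rid, pid) for acl, rules in acls.items()
            for i, (rid, action, net) in enumerate(sorted(rules))
            for pid, paction, pnet in sorted(rules)[:i]
            if paction != action and net.subnet_of(pnet)]

def find_unused_classifiers(cfg):
    """Classifiers no qos policy binds, so the ACL behind them never steers traffic."""
    used = {cls for pairs in cfg["qos"].values() for cls, _ in pairs}
    return sorted(set(cfg["traffic"]) - used)
```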

Suggestions and Summary

END