Policy-based routing prevents two LAN hosts in the same security zone from communicating with each other

Published: 2012-07-19  Views: 191  Downloads: 0
Problem description

The firewall has two egress links. Interfaces G0/2 and G0/3 are both placed in the trust zone, and policy-based routing is configured on G0/3 to split traffic between the two links. Symptom: hosts on two LANs (192.168.30.253 and 192.168.210.1) cannot ping each other, yet both hosts answer pings sent from the firewall itself, and both LANs reach the Internet normally.
Alarm information
Handling process

1. Removed the intra-zone NAT; the problem persisted.

2. Checked the session table and found the following entries:

[USG3000-acl-adv-3011]dis fire session table destination inside ip 192.168.210.1
DNS:192.168.210.1:53<--192.168.220.60:50944
DNS:192.168.210.1:53<--192.168.220.53:57582
icmp:192.168.30.253:256---192.168.210.1:256
DNS:192.168.210.1:53<--192.168.220.53:62151
This shows that a session between the two hosts exists inside the trust zone (the ICMP entry uses "---" instead of an arrow, which marks an intra-zone session). The working assumption at this point: the ICMP request reaches the peer, but no reply comes back.

3. Checked the ACLs referenced by the policy routing:

acl number 3010
 rule 1 deny ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
 rule 2 deny ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
 rule 3 deny ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
 rule 4 deny ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
 rule 5 permit ip source 192.168.208.0 0.0.0.255
 rule 10 permit ip source 192.168.209.0 0.0.0.255
 rule 15 permit ip source 192.168.210.9 0
acl number 3011
 rule 5 permit ip source 192.168.210.0 0.0.0.255
 rule 10 permit ip source 192.168.211.0 0.0.0.255
 rule 15 permit ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
 rule 20 permit ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
 rule 25 permit ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
 rule 30 permit ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
#
 
route-policy po_wangtong permit node 5
 if-match acl 3010
 apply ip-address next-hop 61.163.26.74
route-policy po_wangtong permit node 10
 if-match acl 3011
 apply ip-address next-hop 218.28.60.162
 
Rule 5 of ACL 3011 (permit ip source 192.168.210.0 0.0.0.255) covers 192.168.210.1. The reply from 192.168.210.1 to 192.168.30.253 hits that rule, so route-policy node 10 hands it to next hop 218.28.60.162 instead of forwarding it back toward the 192.168.30.0/24 LAN, and 192.168.30.253 never receives the ICMP reply. The request in the other direction is unaffected, because neither ACL matches a source in 192.168.30.0/24; this asymmetry is why the session exists but the ping fails.

4. Modified ACL 3011 used by the policy routing. Two deny rules for traffic between 192.168.30.0/24 and 192.168.210.0/24 were added ahead of the permits, so that traffic falls through to ordinary routing. ACL 3011 now reads:

acl number 3011
 rule 3 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
 rule 4 deny ip source 192.168.210.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 5 permit ip source 192.168.210.0 0.0.0.255
 rule 10 permit ip source 192.168.211.0 0.0.0.255
 rule 15 permit ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
 rule 20 permit ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
 rule 25 permit ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
 rule 30 permit ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
5. Enabled ICMP debugging: packets are now seen in both directions. Tested from the PCs: the two hosts can ping each other.
Root cause
  1. Intra-zone NAT was suspected first, but step 1 ruled it out: removing it changed nothing.
  2. Policy-based routing diverted the return traffic, so replies did not go back along the path the requests took.
Suggestions and summary
