Resolving the problem that pinging a public address from the firewall with an internal source address fails

Published: 2012-07-20 Views: 150 Downloads: 0
Problem description
At a customer site, the network was built around a USG5310. After the basic Internet access configuration (NAT) was completed, the customer tested it: pinging the gateway directly from the firewall succeeded, and pinging a public address from the firewall succeeded. When the customer then pinged the public address from the firewall using an internal source address (ping -a <internal address> <public address>), the ping timed out; with the internal source address, the public address could not be reached.
Alarm information
Handling process

Customer configuration

 sysname USG5310
#
#
 web-manager enable
 web-manager security enable
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 #
 nat address-group 1 internet 2.2.2.2 2.2.2.2

#
 firewall statistic system enable
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 2.2.2.2 255.255.255.224
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
#
firewall zone vzone
 set priority 0
#
firewall zone name cernet
 set priority 10
 add interface GigabitEthernet0/0/2
#
policy interzone trust untrust outbound
 policy 1
 action permit
#
nat-policy interzone local untrust outbound
#
nat-policy interzone trust untrust outbound
 policy 1
 action source-nat
 address-group internet

#

nat-policy interzone local untrust outbound
 policy 1
 action source-nat
 address-group internet

#

aaa
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type web terminal
 local-user admin level 3
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
right-manager server-group
#
 slb
#
p2p-class 0
 cir default 40960
#
#
 ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

 ip route-static 172.16.0.0 255.255.0.0 172.16.1.254
 ip route-static 210.36.99.0 255.255.255.0 192.168.1.2
#
user-interface con 0
user-interface vty 0 4
#
return

After the change, the problem was resolved.

Root cause

Checking the customer's configuration showed that the necessary interzone rules were already open and that interzone NAT was configured. Checking the rest of the configuration showed that the customer was pinging the external address from the local zone with an internal source address. A ping generated by the firewall itself belongs to the local zone even when its source address is an internal one, so the existing trust-untrust NAT policy does not match it and the packet leaves with a private source address that cannot be routed back. Applying source NAT on local-untrust therefore solves the problem.
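To make the zone and NAT-policy matching concrete, the following added example (written for this article, not Huawei code) models the configuration above: interfaces, zones, static routes and interzone source-NAT policies. It assumes that locally generated packets belong to zone local and that the destination zone comes from the egress interface of the route lookup; the public address 203.0.113.10 is a constructed test value.

```python
import ipaddress
# Constructed model of the USG5310 configuration shown above (interfaces, zones, routes).
INTERFACES = {
    "GigabitEthernet0/0/0": ipaddress.ip_interface("192.168.0.1/24"),
    "GigabitEthernet0/0/1": ipaddress.ip_interface("172.16.1.1/24"),
    "GigabitEthernet0/0/2": ipaddress.ip_interface("192.168.1.1/24"),
    "GigabitEthernet0/0/3": ipaddress.ip_interface("2.2.2.2/27"),
}
ZONES = {"GigabitEthernet0/0/0": "trust", "GigabitEthernet0/0/1": "trust",
         "GigabitEthernet0/0/2": "cernet", "GigabitEthernet0/0/3": "untrust"}
ROUTES = [  # (prefix, next hop) taken from the ip route-static lines
    (ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_address("172.16.1.254")),
    (ipaddress.ip_network("210.36.99.0/24"), ipaddress.ip_address("192.168.1.2")),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("2.2.2.2")),
]
NAT_POOL = "2.2.2.2"  # nat address-group 1 internet

def connected_interface(addr):
    """Interface whose directly connected network contains addr, or None."""
    for name, iface in INTERFACES.items():
        if addr in iface.network:
            return name
    return None

def egress_interface(dst):
    """Longest-prefix match over connected networks and static routes."""
    candidates = [(i.network, n) for n, i in INTERFACES.items()]
    candidates += [(net, connected_interface(nh)) for net, nh in ROUTES]
    return max((net.prefixlen, n) for net, n in candidates if dst in net)[1]

def source_zone(src, originated_locally):
    """Packets the firewall itself generates belong to zone local,
    whatever source address 'ping -a' stamps on them (assumption of this model)."""
    if originated_locally:
        return "local"
    return ZONES[connected_interface(src)]

def egress_source(src, dst, originated_locally, nat_policies):
    """Source address the packet leaves with after interzone source-NAT matching.
    nat_policies is a set of (source zone, destination zone) pairs that carry
    'action source-nat'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pair = (source_zone(src, originated_locally), ZONES[egress_interface(dst)])
    return NAT_POOL if pair in nat_policies else str(src)

if __name__ == "__main__":
    before, after = {("trust", "untrust")}, {("trust", "untrust"), ("local", "untrust")}
    print(egress_source("192.168.0.1", "203.0.113.10", True, before))  # 192.168.0.1 (not translated)
    print(egress_source("192.168.0.1", "203.0.113.10", True, after))   # 2.2.2.2 (translated)
```

A host in trust pinging the same address is translated by the original trust-untrust policy, which is why only the firewall's own ping -a test failed.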

Suggestions and summary

END