USG5160 V100R005 interzone packet-filter fault

Published: 2013-05-29  Views: 109  Downloads: 0
Problem description
Firewall model USG5160, version V100R005. TCP port 3389 on the firewall's outbound interface address 218.56.33.244 is mapped to port 3389 on an internal web server, 10.37.6.131. Logging in to port 3389 of the internal server from the public network fails, but logging in to port 3389 of the web server from the internal network succeeds.

Key configuration:
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
nat server 47 protocol tcp global 218.56.33.244 3389 inside 10.37.6.131 3389
policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy destination 10.37.6.10
Alarm information
Handling process
First, the firewall session table was checked and no matching session was found, so the packets were being dropped before a session was created. Checking the interzone packet-filter policy showed that the default packet filter for untrust to trust in the inbound direction is disabled (only the outbound direction is permitted by default), and the user-defined untrust-to-trust inbound policy did not permit traffic to the internal server: its destination was 10.37.6.10, not the NAT server's inside address 10.37.6.131. After the interzone packet-filter policy was configured correctly, the fault was resolved.

policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy destination 10.37.6.131
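The check performed in the handling process (does an inbound untrust-to-trust policy actually permit the inside address of every nat server mapping?) can be automated against a saved configuration. The script below is an added example and is not part of this case or of any Huawei tool; it parses only the command forms shown above (nat server, firewall packet-filter default, policy interzone / policy N / action / policy service / policy destination), treats a missing service or destination as "any", and the two embedded configurations are constructed copies of the broken and corrected policy from this case.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the mis-configured policy from the case (destination
# 10.37.6.10 while the nat server maps to 10.37.6.131).
BROKEN_CONFIG = """
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
nat server 47 protocol tcp global 218.56.33.244 3389 inside 10.37.6.131 3389
policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy destination 10.37.6.10
"""

# Constructed sample: the corrected policy (destination now the inside address).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "policy destination 10.37.6.10\n", "policy destination 10.37.6.131\n")

NAT_RE = re.compile(
    r"^nat server \S+ protocol (\S+) global (\S+) (\d+) inside (\S+) (\d+)$")
DEFAULT_RE = re.compile(
    r"^firewall packet-filter default (permit|deny) interzone (\S+) (\S+) "
    r"direction (inbound|outbound)$")
POLICY_HDR_RE = re.compile(r"^policy interzone (\S+) (\S+) (inbound|outbound)$")
RULE_HDR_RE = re.compile(r"^policy \d+$")


@dataclass
class Rule:
    action: str = "deny"
    services: set = field(default_factory=set)      # empty set means any service
    destinations: set = field(default_factory=set)  # empty set means any address


def parse(config_text):
    """Return (nat mappings, default filter actions, interzone policy rules)."""
    nats, defaults, policies = [], {}, {}
    current_rules, rule = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := NAT_RE.match(line):
            proto, gaddr, gport, iaddr, iport = m.groups()
            nats.append((proto, gaddr, int(gport), iaddr, int(iport)))
        elif m := DEFAULT_RE.match(line):
            action, z1, z2, direction = m.groups()
            defaults[(z1, z2, direction)] = action
        elif m := POLICY_HDR_RE.match(line):
            z1, z2, direction = m.groups()
            current_rules = policies.setdefault((z1, z2, direction), [])
            rule = None
        elif current_rules is not None and RULE_HDR_RE.match(line):
            rule = Rule()
            current_rules.append(rule)
        elif rule is not None:
            if line.startswith("action "):
                rule.action = line.split()[1]
            elif line.startswith("policy service service-set "):
                rule.services.add(line.split()[-1])
            elif line.startswith("policy destination "):
                rule.destinations.add(line.split()[2])  # a trailing mask is ignored
    return nats, defaults, policies


def unreachable_nat_servers(config_text, inside_zone="trust", outside_zone="untrust"):
    """List nat server mappings that no inbound (outside -> inside) policy permits.

    The policy is matched on the post-NAT inside address, which is why the
    destination in the rule must be the server's private address.
    """
    nats, defaults, policies = parse(config_text)
    key = (inside_zone, outside_zone, "inbound")
    if defaults.get(key) == "permit":
        return []  # the default interzone filter already admits everything
    rules = policies.get(key, [])
    findings = []
    for proto, gaddr, gport, iaddr, iport in nats:
        permitted = any(
            r.action == "permit"
            and (not r.destinations or {iaddr, "any"} & r.destinations)
            and (not r.services or {proto, "any"} & r.services)
            for r in rules)
        if not permitted:
            findings.append(f"{proto} {gaddr}:{gport} -> {iaddr}:{iport} has no "
                            f"permit rule in {inside_zone}/{outside_zone} inbound")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, unreachable_nat_servers(cfg) or "all nat servers reachable")
```

Running the script flags the original mapping to 10.37.6.131 and reports nothing for the corrected policy. Note that the check stops as soon as the default inbound filter is permit, which is the very condition the session-table check in the handling process ruled out here.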
Root cause
Interzone packet-filter misconfiguration.
Recommendations and summary
