防火墙USG2160(V300R001C00SPC700)域内nat不生效

发布时间:  2013-06-14 浏览次数:  518 下载次数:  0
问题描述
客户配置了nat server映射、基本配置以及域内nat,但通过同一域内的PC去访问该域内的服务器时,访问失败。以下是详细配置:

# CLI_VERSION=V300R001

#*****BEGIN****public****#
#
sysname USG2100
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
nat address-group 1 111.111.111.10 111.111.111.10
nat server 0 protocol tcp global interface Ethernet0/0/0 800 inside 192.168.11.200 800 no-reverse
nat server 1 protocol tcp global interface Ethernet0/0/0 900 inside 192.168.11.200 900 no-reverse
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve 
dns server 8.8.8.8
#
vlan batch 1
#
firewall statistic system enable
#
dns proxy enable 
#
license-server domain lic.huawei.com
#
runmode firewall
#
update schedule ips daily 5:22
update schedule av daily 5:22
security server domain sec.huawei.com
#
web-manager enable
undo web-manager config-guide enable
#
user-manage web-authentication port 8888
#
l2fwdfast enable
#
interface Vlanif1
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.11.1 192.168.11.150
dhcp server gateway-list 192.168.11.1
dhcp server dns-list 192.168.11.1
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
ip address 111.111.111.10 255.255.255.252
nat enable
detect ftp
#
interface Ethernet1/0/0
portswitch
port link-type access
#
interface Ethernet1/0/1
portswitch
port link-type access
#
interface Ethernet1/0/2
portswitch
port link-type access
#
interface Ethernet1/0/3
portswitch
port link-type access
#
interface Ethernet1/0/4
portswitch
port link-type access
#
interface Ethernet1/0/5
portswitch
port link-type access
#
interface Ethernet1/0/6
portswitch
port link-type access
#
interface Ethernet1/0/7
portswitch
port link-type access
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet1/0/0
add interface Ethernet1/0/1
add interface Ethernet1/0/2
add interface Ethernet1/0/3
add interface Ethernet1/0/4
add interface Ethernet1/0/5
add interface Ethernet1/0/6
add interface Ethernet1/0/7
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall interzone trust untrust
detect ftp
#
#
aaa
local-user admin password cipher %$%$P3CtU)/"|YmZmc+KR|n(,md[%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
 
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet0/0/0 111.111.111.9
#
banner enable
#
user-interface con 0
user-interface tty 2
authentication-mode password
modem both
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
#
ip service-set oahttp type object
service 0 protocol tcp source-port 1 to 65535 destination-port 800
#
ip service-set oaftp type object
service 0 protocol tcp source-port 1 to 65535 destination-port 900
#
slb
#
cwmp
#
right-manager server-group
#
policy interzone trust untrust inbound
policy 0
  action permit
  policy service service-set oahttp
  policy destination 192.168.11.200 mask 32

policy 1
  action permit
  policy service service-set oaftp
  policy destination 192.168.11.200 mask 32
#
nat-policy zone trust
policy 0
  action source-nat
  policy source 192.168.11.0 mask 24
  policy destination 111.111.111.10 mask 32
  address-group 1
#
return
#-----END----#
告警信息
处理过程
将源nat配置中的目的地址写成服务器的私有地址,问题解决。

nat-policy zone trust
policy 0
  action source-nat
  policy source 192.168.11.0 mask 24
  policy destination 111.111.111.10 mask 32 (应修改为 192.168.11.200,即服务器的私网地址)
  address-group 1
根因
定位思路:

1.查看防火墙基本配置,均无问题
2.nat server配置也无问题
3.PC与服务器位于同一安全域(trust),不涉及域间转发策略问题
4.查看防火墙的源nat匹配次数为0,说明没有被命中,设备没有进行源地址转换
5.检查域内nat配置,发现源nat策略中的目的地址配置的是nat server的公网地址(111.111.111.10)。结合第4步匹配次数为0可知,源nat策略是在nat server完成目的地址转换之后才进行匹配的,此时报文的目的地址已是192.168.11.200,以公网地址作为目的地址的策略不会被命中。问题找到,此处应该是服务器的私有地址。
建议与总结
在与nat server映射相关的配置中,无论是对目的地址做转发策略限制,还是定义源nat的感兴趣数据流,目的地址均需设置为服务器的私网地址,切不可使用公网地址。(适用版本: V300R001)

END