Server-map entry causing IPsec VPN traffic failure

Published: 2014-06-06  Views: 341  Downloads: 0
Problem description
Symptom:

The customer's network topology is as follows:

Server----USG5530-----Internet-----USG2210----PC

The IPsec VPN tunnel is established and both sides show the IPsec SA. Most traffic passes, but one internal server on the USG5530 side cannot reach devices on the USG2210 side.

[USG5530]dis ipsec sa
22:57:08  2014/06/05
===============================
Interface: GigabitEthernet0/0/2
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40001
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 18m 38s
    tunnel local : 12.0.0.2    tunnel remote: 23.0.0.2
    flow      source: 192.168.1.0-192.168.1.255 0-65535 0
    flow destination: 192.168.2.0-192.168.2.255 0-65535 0

    [inbound ESP SAs]
      spi: 3367274807 (0xc8b48937)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436500/2482
      max received sequence-number: 5
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2616669447 (0x9bf73507)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436500/2482
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N

[USG2210]display ipsec sa
23:01:29  2014/06/05
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40001
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 23m 0s
    tunnel local : 23.0.0.2    tunnel remote: 12.0.0.2
    flow      source: 192.168.2.0-192.168.2.255 0-65535 0
    flow destination: 192.168.1.0-192.168.1.255 0-65535 0

    [inbound ESP SAs]
      spi: 2616669447 (0x9bf73507)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436500/2220
      max received sequence-number: 5
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3367274807 (0xc8b48937)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436500/2220
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N
Alarm information
Checking the session table on the USG5530 shows that the server's packets are being NAT-translated (the source 192.168.1.100 becomes 12.0.0.10 and no packets return):

[USG5530]display firewall session table verbose source inside 192.168.1.100
23:04:19  2014/06/05
Current Total Sessions : 1
  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:18
  Interface: GigabitEthernet0/0/2  NextHop: 12.0.0.1  MAC: 00-e0-fc-f1-0d-02
  <--packets:0 bytes:0   -->packets:1 bytes:60
  192.168.1.100:5511[12.0.0.10:5511]-->192.168.2.1:2048
Handling procedure
Add the no-reverse keyword to the nat server command. With no-reverse, the reverse server-map entry is no longer generated, which resolves the problem. The server-map table after the change:

[USG5530]display firewall server-map
23:15:09  2014/06/05
server-map item(s)
------------------------------------------------------------------------------
Nat Server, any -> 12.0.0.10:80[192.168.1.100:80], Zone: ---
   Protocol: tcp(Appro: http), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public
Root cause
The NAT configuration was checked:

[USG5530]display nat-policy interzone trust untrust outbound

nat-policy interzone trust untrust outbound
policy 0 (0 times matched)
  action no-nat
  policy service service-set ip
  policy source any
  policy destination 192.168.2.0 mask 24

policy 1 (102312 times matched)
  action source-nat
  policy service service-set ip
  policy source any
  policy destination any
  easy-ip GigabitEthernet0/0/2

The no-nat policy is listed first, but its match count is zero, so the server's traffic is not reaching the NAT policy at all.

Checking the server-map table at this point reveals the cause:

[USG5530]dis firewall server-map
23:08:17  2014/06/05
server-map item(s)
------------------------------------------------------------------------------
Nat Server, any -> 12.0.0.10:80[192.168.1.100:80], Zone: ---
   Protocol: tcp(Appro: http), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

Nat Server Reverse, 192.168.1.100[12.0.0.10] -> any, Zone: ---
   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

There is a server-map entry for 192.168.1.100, generated by the nat server mapping in the configuration:

nat server 1 protocol tcp global 12.0.0.10 www inside 192.168.1.100 www

So when 192.168.1.100 sends packets to the remote site, they hit this reverse server-map entry before the NAT policy is evaluated and their source is translated to 12.0.0.10. The translated packets no longer match the IPsec flow 192.168.1.0/24 -> 192.168.2.0/24, so they are not sent through the tunnel and the traffic fails.
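As an added illustration (not the page's or Huawei's code), this Python model replays the packet path the case describes. The processing order (server-map lookup before the interzone NAT policy, IPsec flow selector evaluated on the translated packet), the Packet/forward names and the easy-ip address 12.0.0.2 are assumptions drawn from the outputs above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Constructed from the case: the nat server mapping, the interzone NAT policy
# and the IPsec flow selectors (rule 5) shown in the SA output. easy-ip on
# GigabitEthernet0/0/2 is assumed to translate to the interface address 12.0.0.2.
NAT_SERVER = {"global": "12.0.0.10", "inside": "192.168.1.100"}
NAT_POLICY = [
    {"action": "no-nat", "dst": "192.168.2.0/24"},
    {"action": "source-nat", "dst": "0.0.0.0/0", "easy_ip": "12.0.0.2"},
]
IPSEC_FLOW = ("192.168.1.0/24", "192.168.2.0/24")


def forward(pkt, no_reverse):
    """Return (post-NAT source, IPsec flow matched?, stage that decided NAT).

    Order assumed from the case: the server-map table is consulted before the
    interzone NAT policy, and the IPsec flow is matched on the translated packet.
    """
    # Stage 1: server-map. Without no-reverse the device holds the entry
    # 'Nat Server Reverse, 192.168.1.100[12.0.0.10] -> any', which rewrites
    # the server's source address for any destination.
    if not no_reverse and pkt.src == NAT_SERVER["inside"]:
        src, stage = NAT_SERVER["global"], "server-map reverse"
    else:
        # Stage 2: interzone NAT policy, first matching policy wins.
        src, stage = pkt.src, "nat-policy no-nat"
        for pol in NAT_POLICY:
            if in_net(pkt.dst, pol["dst"]):
                if pol["action"] == "source-nat":
                    src, stage = pol["easy_ip"], "nat-policy source-nat"
                break
    # Stage 3: IPsec flow selector checked against the post-NAT packet.
    matched = in_net(src, IPSEC_FLOW[0]) and in_net(pkt.dst, IPSEC_FLOW[1])
    return src, matched, stage
```

Running forward() for 192.168.1.100 with and without no_reverse shows the same contrast as the session table: translated to 12.0.0.10 and outside the IPsec flow, versus untranslated and inside it.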
Suggestions and summary
nat no-pat, nat server, ASPF and SLB all generate server-map entries; keep this in mind when deploying IPsec VPN, since a server-map hit takes precedence over the no-nat policy that is meant to keep VPN traffic untranslated.
