USG5310: IPsec traffic matching a NAT rule

Published: 2014-06-17  Views: 293  Downloads: 0
Problem description
The user's network is simple: USG ------ Internet ------ USG5310
An IPsec VPN is built between them and comes up successfully: both the phase 1 and phase 2 tunnels are established, but no traffic can pass through it. Checking the user's configuration, the nat-policy has no-nat (deny translation) rules at the front, and the address mappings also carry the no-reverse parameter.
Alarm information
The user's session table is as follows:
  icmp  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:20  Left: 00:00:16
  Interface: GigabitEthernet0/0/1  NextHop: X.X.X.X   MAC: 00-12-d9-a1-3d-80
  <--packets:0 bytes:0   -->packets:2 bytes:120
  10.0.203.100:1[10.200.60.1:1]-->172.16.250.6:2048
The user's nat-policy configuration is as follows:
nat-policy interzone trust untrust2 outbound
policy 3
  action no-nat
  policy source address-set kumonkids_wx
  policy destination address-set kumonkids_jp

policy 1
  action no-nat
  policy source 10.0.0.0 mask 8
  policy source 172.16.0.0 mask 16
  policy destination 172.25.0.0 mask 16
  policy destination 192.168.30.0 mask 24
  policy destination 192.168.8.0 mask 22

policy 5
  action no-nat
  policy source 10.0.0.0 mask 16
  policy source 172.16.0.0 mask 16
  policy destination 10.2.14.0 mask 23

policy 4
  action no-nat
  policy source 10.0.0.0 mask 16
  policy destination 192.168.220.0 mask 23

policy 2
  action no-nat
  policy source 10.0.194.113 0
  policy destination X.X.X.X 0

policy 6
  action source-nat
  policy source 10.0.200.0 mask 22
  policy destination 10.151.10.0 mask 24
  address-group ccpm no-pat

policy 0
  action source-nat
  policy source 172.16.0.0 0.0.255.255
  policy source 10.0.0.0 0.255.255.255
  address-group 2
The reverse session table (server-map) looks like this:
<wxhx-usg5310>display firewall  server-map
16:54:58  2014/05/19
server-map item(s)
------------------------------------------------------------------------------
No-Pat, 10.0.203.100[10.200.60.1] -> ANY, Zone: ---
   Protocol: ANY(Appro: ---), Left-Time: 00:12:00, Addr-Pool: 10
   VPN: public -> public

No-Pat Reverse, ANY -> 10.200.60.1[10.0.203.100], Zone: untrust2
   Protocol: ANY(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

Troubleshooting process
During analysis, the user was first asked to remove the source NAT rule; the internal network could then immediately communicate with the peer's internal network. As soon as the source NAT rule was added back, the internal network immediately lost connectivity to the peer. Looking at the sessions afterwards, the server-map showed that an internal PC had, surprisingly, generated a server-map entry. A closer look at the user's configuration showed that no nat server was configured, but the source NAT rule was set to translate with no-pat. Removing it resolved the problem.
Root cause
Because the analysis found that the internal PCs were generating reverse session table entries when accessing the Internet, a closer look at the live NAT rules showed one in no-pat form, policy 6:
policy 6
  action source-nat
  policy service service-set ip
  policy source 10.0.200.0 mask 22
  policy destination 10.151.10.0 mask 24
  address-group 10 (ccpm) no-pat
Recommendations and summary
When IPsec is established but data does not pass, we normally only check whether the nat server configuration carries no-reverse, whether NAT is configured on the interface, or whether the interzone NAT rules exempt the traffic from translation first. Be sure to pay attention to this point in the future. Consulting the documentation afterwards showed that nat no-pat, nat server, aspf and slb all generate server-map entries, so when checking a configuration in the future all of these must be checked.
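The lookup order behind this case, as an added Python model (not Huawei code, and not a claim about USG internals beyond what the session and server-map output above shows): a No-Pat server-map entry installed by policy 6 is consulted before the interzone nat-policy, so the IPsec flow from the session table is translated to 10.200.60.1 even though a no-nat policy would otherwise match it. The contents of the address sets and the X.X.X.X peer of policy 2 are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# nat-policy interzone trust untrust2 outbound, in the order the case shows it.
# Assumptions (constructed, not on the page): the address sets kumonkids_wx and
# kumonkids_jp are modelled as 10.0.200.0/22 and 172.16.250.0/24, and the X.X.X.X
# peer of policy 2 as 203.0.113.1. Tuple: (name, action, sources, destinations, no-pat)
POLICIES = [
    ("policy 3", "no-nat", ["10.0.200.0/22"], ["172.16.250.0/24"], False),
    ("policy 1", "no-nat", ["10.0.0.0/8", "172.16.0.0/16"],
     ["172.25.0.0/16", "192.168.30.0/24", "192.168.8.0/22"], False),
    ("policy 5", "no-nat", ["10.0.0.0/16", "172.16.0.0/16"], ["10.2.14.0/23"], False),
    ("policy 4", "no-nat", ["10.0.0.0/16"], ["192.168.220.0/23"], False),
    ("policy 2", "no-nat", ["10.0.194.113/32"], ["203.0.113.1/32"], False),
    ("policy 6", "source-nat", ["10.0.200.0/22"], ["10.151.10.0/24"], True),
    ("policy 0", "source-nat", ["172.16.0.0/16", "10.0.0.0/8"], None, False),
]
# Pool address handed out per source-nat policy; 10.200.60.1 is the address the
# case's server-map shows for address-group ccpm, "group-2" stands in for group 2.
POOL = {"policy 6": "10.200.60.1", "policy 0": "group-2"}


def matches(addr, prefixes):
    return prefixes is None or any(ip_address(addr) in ip_network(p) for p in prefixes)


def first_match(src, dst, policies):
    """First nat-policy whose source and destination both match, top to bottom."""
    for name, action, srcs, dsts, no_pat in policies:
        if matches(src, srcs) and matches(dst, dsts):
            return name, action, no_pat
    return None, "no-nat", False


def forward(src, dst, policies, server_map):
    """Return (source after NAT, what decided it); server_map maps inside -> pool."""
    if src in server_map:  # No-Pat server-map entry is hit before nat-policy lookup
        return server_map[src], "server-map"
    name, action, no_pat = first_match(src, dst, policies)
    if action != "source-nat":
        return src, name
    if no_pat:  # 'no-pat' installs a No-Pat server-map item for this inside host
        server_map[src] = POOL[name]
    return POOL[name], name


def ipsec_flow(no_pat_on_policy_6):
    """Earlier flow matching policy 6 (constructed), then the flow from the session table."""
    pols = [(n, a, s, d, np and no_pat_on_policy_6) for n, a, s, d, np in POLICIES]
    server_map = {}
    forward("10.0.203.100", "10.151.10.5", pols, server_map)
    return forward("10.0.203.100", "172.16.250.6", pols, server_map)
```

With no-pat on policy 6 the IPsec flow comes back as ("10.200.60.1", "server-map"), which is exactly the 10.0.203.100:1[10.200.60.1:1] session above; with no-pat removed it is left untranslated by policy 3.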