Intra-zone NAT on the USG5120BSR fails when policy-based routing is configured

Published: 2014-12-15
Problem description

The office network (VLAN 30, 192.168.30.0/24) cannot reach the internal server (VLAN 10, 192.168.10.0/24) via the server's domain name.
Key customer configuration:
#
nat address-group index 0 name pool 120.237.105.218 120.237.105.218      
nat address-group index 1 name pool1 120.237.105.220 120.237.105.220
nat address-group index 2 name pool2 120.237.105.221 120.237.105.221
nat address-group index 3 name 6 192.168.150.150 192.168.150.150
nat address-group index 4 name 7 192.168.100.2 192.168.100.2
nat server 0 protocol tcp global 120.237.105.221 smtp inside 192.168.10.16 smtp no-reverse   // NAT server configuration
nat server 1 protocol tcp global 120.237.105.221 pop3 inside 192.168.10.16 pop3 no-reverse
nat server 2 protocol tcp global 120.237.105.221 www inside 192.168.10.16 www no-reverse
nat server 3 protocol tcp global 120.237.105.220 www inside 192.168.10.13 www no-reverse
nat server 4 global interface Dialer0 inside 192.168.1.22 no-reverse
nat server 7 global 120.237.105.218 inside 192.168.10.17 no-reverse
#
acl number 2002
rule 0 deny source 192.168.10.0 0.0.0.255
rule 5 permit source 192.168.1.0 0.0.0.255
rule 10 deny source 192.168.30.0 0.0.0.255
rule 20 permit source 192.168.20.0 0.0.0.255
#
acl number 3001 // ACL referenced by the policy-based route
description vlan10
step 10
rule 5 deny ip source 192.168.1.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255
rule 15 permit ip source 192.168.30.0 0.0.0.255
rule 20 deny ip source 192.168.20.0 0.0.0.255
#
policy-based-route vlan10 permit node 10   // policy-based route
  if-match acl 3001
  apply ip-address next-hop 120.237.132.9 
policy-based-route vlan10 permit node 12
  if-match acl 2002
#
nat-policy zone trust  // intra-zone NAT
policy 0
  action source-nat
  policy source range 192.168.30.2 192.168.30.254
  policy destination 192.168.10.16 mask 32
  address-group 7 
  apply output-interface Dialer0 
#
Alarm information
Handling process
Firewall session information:
<USG5100>dis firewall session table destination global 120.237.105.220
11:22:43  2014/11/24
Current Total Sessions : 3
  http  VPN:public --> public 192.168.30.253:59286[120.237.105.219:2088]-->120.237.105.220:80[192.168.10.13:80]
  udp  VPN:public --> public 184.105.247.198:38427-->120.237.105.220:623[192.168.10.13:623]
Analysis: the source IP was translated to the China Mobile egress IP. Checking the configuration showed that the traffic matched the policy-based route and left through the China Mobile egress, so the source was translated to 120.237.105.219.

The ACL referenced by the policy-based route (ACL 3001) was modified to exclude traffic with source 192.168.30.0/24 and destination 192.168.10.13; the session information then became:
<USG5100>dis firewall session table destination global  120.237.105.220
10:46:21  2014/11/25
Current Total Sessions : 6
  http  VPN:public --> public 103.2.208.250:54319-->120.237.105.220:80[192.168.10.13:80]
  http  VPN:public --> public 103.2.208.250:54320-->120.237.105.220:80[192.168.10.13:80]
  http  VPN:public --> public 103.2.208.250:56986-->120.237.105.220:80[192.168.10.13:80]
  http  VPN:public --> public 192.168.30.253:59287[192.168.100.2:2089]-->120.237.105.220:80[192.168.10.13:80]
  http  VPN:public --> public 103.2.208.250:54321-->120.237.105.220:80[192.168.10.13:80]
  http  VPN:public --> public 192.168.30.253:59286[192.168.100.2:2088]-->120.237.105.220:80[192.168.10.13:80]

Both source and destination are now translated, so in principle the return packets should be translated according to the session table, yet the customer still cannot reach the server.

Root cause
Although the USG holds a session entry, the server's first return packet still goes through a routing lookup, and that first return packet matched the policy-based route, so intra-zone NAT failed.
Solution
In the ACL referenced by the policy-based route, also exclude the server's return traffic (by source and destination):
acl number 3001
rule 8 deny ip source 192.168.10.0 0.0.0.255 destination  192.168.30.0 0.0.0.255 
rule 9 deny ip source 192.168.30.0 0.0.0.255 destination  192.168.10.0 0.0.0.255 
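To make the first-match behaviour behind the root cause and the fix concrete, here is an added Python model (not code from this case or from Huawei) of how the PBR's if-match ACL is evaluated: it parses the rule lines of ACL 3001 and reports whether a packet hits a permit rule and is therefore sent to the PBR next hop. It assumes, as the root-cause analysis implies, that the server's return packet reaches the PBR lookup with its destination already restored to the VLAN 30 host (192.168.30.253).

```python
import ipaddress

# Rule lines of ACL 3001 as the customer originally had them (copied from the case above).
ACL_3001_BEFORE = """
rule 5 deny ip source 192.168.1.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255
rule 15 permit ip source 192.168.30.0 0.0.0.255
rule 20 deny ip source 192.168.20.0 0.0.0.255
"""
# The same ACL with the two deny rules from the solution added.
ACL_3001_AFTER = ACL_3001_BEFORE + """
rule 8 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 9 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_acl(text):
    """Parse 'rule <n> permit|deny ip source A W [destination B W]'; a missing field means any."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        spec = {}
        for key in ("source", "destination"):
            if key in tok:
                i = tok.index(key)
                spec[key] = (_ip(tok[i + 1]), _ip(tok[i + 2]))
        rules.append((int(tok[1]), tok[2], spec.get("source"), spec.get("destination")))
    return sorted(rules, key=lambda r: r[0])  # evaluated in ascending rule-number order

def _matches(addr, spec):
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    if spec is None:
        return True
    ip, wild = spec
    return (_ip(addr) ^ ip) & (~wild & 0xFFFFFFFF) == 0

def first_match(text, src, dst):
    """(rule number, action) of the first matching rule, or None when nothing matches."""
    for number, action, s, d in parse_acl(text):
        if _matches(src, s) and _matches(dst, d):
            return number, action
    return None

def policy_routed(text, src, dst):
    """Only a 'permit' hit in the if-match ACL sends the packet to the PBR next hop."""
    hit = first_match(text, src, dst)
    return hit is not None and hit[1] == "permit"
```

With the original ACL the return packet 192.168.10.13 -> 192.168.30.253 hits rule 10 (permit) and is steered to 120.237.132.9; with rule 8 in place it hits a deny and falls back to the normal routing table, while server traffic to the Internet still matches rule 10 as intended.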
