USG2160 firewall: nat server causes one-way IPsec traffic

Published: 2015-03-28
Problem description

The customer's USG2160 firewall (V300R001C10SPC500) establishes an IPsec VPN with a Cisco router so that the internal networks on both sides can reach each other.

The IPsec tunnel comes up, and hosts on the remote internal network can ping hosts on the local internal network, but local internal hosts cannot ping the remote internal network. Traffic only works in one direction.

Alarm information

Troubleshooting process

1. Verify whether the remote host blocks ping: hosts on the remote internal network can ping each other.

2. Check the IKE SA and IPsec SA status on the USG2160:

[USG2100]dis ipsec sa
20:56:37  2015/03/02
===============================
Interface: Ethernet0/0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "ipsec1429583913"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 92576
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 1m 26s
    tunnel local : 10.2.1.5    tunnel remote: 119.167.225.120
    flow      source: 192.168.6.0/255.255.255.0 0/0
    flow destination: 192.168.1.121/255.255.255.255 0/0

    [inbound ESP SAs]
      spi: 348346443 (0x14c3584b)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES
      sa remaining key duration (bytes/sec): 29491200/3514
      max received sequence-number: 1
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 2378726652 (0x8dc87cfc)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES
      sa remaining key duration (bytes/sec): 29491200/3514
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: Y

3. Check the firewall session table: when local internal hosts access the remote side, their traffic is being NAT-translated.

The NAT policy is configured as follows:

nat-policy interzone trust untrust outbound
policy 0
  action no-nat
  policy source 192.168.6.0 0.0.0.255
  policy destination 192.168.1.121 0.0.0.0

4. Re-checking the configuration reveals the following nat server entry:

nat server 1 protocol tcp global interface Ethernet0/0/0 www inside 192.168.6.66 www

When this inside address initiates a connection, it matches the reverse server-map entry generated by nat server and is NAT-translated. After modifying the nat server configuration by appending the no-reverse parameter, the problem is resolved.

Solution

When the internal virtual host initiates traffic, it matches the reverse server-map entry generated by nat server and is NAT-translated, so its source address no longer belongs to the IPsec flow. Modify the nat server configuration by appending the no-reverse parameter; the problem is then resolved.
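As an added illustration (not part of the original case), the following Python model shows why the no-nat policy alone did not help: the reverse server-map generated by nat server is consulted before nat-policy, so the inside host's source address is rewritten to the interface address and the packet no longer matches the IPsec flow. Addresses are taken from the case; the second trust host 192.168.6.10 and the function names are constructed for the example.

```python
import ipaddress

# Values from the case: outbound interface address (tunnel local),
# the nat server inside host, the IPsec flow and the no-nat policy.
OUTSIDE_IF_ADDR = ipaddress.ip_address("10.2.1.5")        # Ethernet0/0/0
NAT_SERVER_INSIDE = ipaddress.ip_address("192.168.6.66")  # nat server 1 ... inside
IPSEC_FLOW = (ipaddress.ip_network("192.168.6.0/24"),
              ipaddress.ip_network("192.168.1.121/32"))
NO_NAT_RULE = (ipaddress.ip_network("192.168.6.0/24"),    # policy source 192.168.6.0 0.0.0.255
               ipaddress.ip_network("192.168.1.121/32"))  # policy destination 192.168.1.121 0.0.0.0


def outbound(src, dst, no_reverse):
    """Model the trust->untrust path for one packet.

    Modelled order (consistent with the behaviour seen in the case): the
    server-map generated by `nat server` is consulted before nat-policy, so
    the no-nat rule never gets to protect the nat server's inside host unless
    the reverse entry is suppressed with `no-reverse`.
    Returns (source address after NAT, whether the packet still matches the
    IPsec flow and would be sent into the tunnel).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == NAT_SERVER_INSIDE and not no_reverse:
        # Reverse server-map hit: the inside host initiating a connection
        # is translated to the global (interface) address.
        src_ip = OUTSIDE_IF_ADDR
    elif src_ip in NO_NAT_RULE[0] and dst_ip in NO_NAT_RULE[1]:
        pass  # action no-nat: source address unchanged
    in_tunnel = src_ip in IPSEC_FLOW[0] and dst_ip in IPSEC_FLOW[1]
    return str(src_ip), in_tunnel


def compare():
    """Before/after view for the nat server host and for another trust host."""
    return {
        "nat-server-host-without-no-reverse": outbound("192.168.6.66", "192.168.1.121", False),
        "nat-server-host-with-no-reverse": outbound("192.168.6.66", "192.168.1.121", True),
        "other-trust-host": outbound("192.168.6.10", "192.168.1.121", False),  # constructed
    }


if __name__ == "__main__":
    for name, (src, in_tunnel) in compare().items():
        print(f"{name}: source {src}, matches IPsec flow: {in_tunnel}")
```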

END