USG6650 internal server NAT mapping interruption fault

Published: 2016-05-11  Views: 153  Downloads: 1
Problem description


1. Network topology as shown above: the servers connect through an S5700 switch to the USG6650, where NAT translates them to public addresses so that users on the public network can reach the internal servers for business access. Some servers are directed to line 1 by a static route, others to line 2 by policy-based routing.

2. Symptom: the server services had been running normally since going live. One day the customer called to report that the services of the servers using line 2 had suddenly been interrupted and the internal servers could no longer be reached from the public network.

3. Key configuration on the live network:

[USG6600] display  cu
[USG6600] display  current-configuration
2016-03-16 14:35:56.230
!Software Version V500R001C20SPC100
#
sysname USG6600
#

#                                        
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend teardrop enable
firewall defend ip-fragment enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend ip-spoofing enable
firewall defend action discard
#

ip-link check enable                     
ip-link name pbr_1
destination x.x.x.93 interface GigabitEthernet2/0/2 mode icmp


firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk2
add interface Vlanif900
#
firewall zone untrust
set priority 5                          
add interface GigabitEthernet1/0/0
add interface GigabitEthernet2/0/0
#
#
firewall zone name untrust1 id 4
set priority 80
add interface GigabitEthernet2/0/2

ip route-static 0.0.0.0 0.0.0.0 x.x.x.65
#

nat server nat53 52 protocol tcp global x.x.x.92 8136 inside 192.168.103.51 8136 no-reverse
nat server nat54 53 protocol tcp global x.x.x.92 8088 inside 192.168.103.51 8088 no-reverse
nat server nat55 54 protocol tcp global x.x.x.92 www inside 192.168.103.52 www no-reverse
nat server nat56 55 protocol tcp global x.x.x.92 8080 inside 192.168.103.53 8080 no-reverse
nat server nat57 56 protocol tcp global x.x.x.92 8139 inside 192.168.103.54 8139 no-reverse
                 
#
sa
#
location
#
nat address-group addressgroup1 0
mode pat
section 0 x.x.x.93 x.x.x.93
#                                        
policy-based-route
rule name pbr_1
  description pbr_1
  source-zone trust
  source-address 192.168.103.51 mask 255.255.255.255
  source-address 192.168.103.52 mask 255.255.255.255
  source-address 192.168.103.53 mask 255.255.255.255
  source-address 192.168.103.54 mask 255.255.255.255
  track ip-link pbr_1
  action pbr next-hop x.x.x.93
#
nat-policy
rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  source-address 192.168.102.3 mask 255.255.255.255
  source-address 192.168.104.11 mask 255.255.255.255
  source-address 192.168.104.12 mask 255.255.255.255
  source-address 192.168.105.1 mask 255.255.255.255
  action nat address-group addressgroup1
rule name policy_nat_2
  source-zone trust
  destination-zone untrust1
  source-address 192.168.103.51 mask 255.255.255.255
  source-address 192.168.103.52 mask 255.255.255.255
  source-address 192.168.103.53 mask 255.255.255.255
  source-address 192.168.103.54 mask 255.255.255.255
  action nat easy-ip
#

Alarm information

No alarm information.

Handling process

1. First, check whether the NAT mapping configuration on the USG6650 had changed. The mapping configuration of the affected servers is as follows:

 nat server nat53 52 protocol tcp global x.x.x.92 8136 inside 192.168.103.51 8136 no-reverse

 nat server nat54 53 protocol tcp global x.x.x.92 8088 inside 192.168.103.51 8088 no-reverse

 nat server nat55 54 protocol tcp global x.x.x.92 www inside 192.168.103.52 www no-reverse

 nat server nat56 55 protocol tcp global x.x.x.92 8080 inside 192.168.103.53 8080 no-reverse

 nat server nat57 56 protocol tcp global x.x.x.92 8139 inside 192.168.103.54 8139 no-reverse

2. The check showed nothing wrong with the NAT mappings. Next the inter-zone policies were examined; they were all in the permit state, so they could not have caused the server outage either.

3. Comparing the backed-up configuration with the live configuration showed that the live configuration contained the following additional commands:

 firewall defend port-scan enable

 firewall defend ip-sweep enable

 firewall defend teardrop enable

 firewall defend ip-fragment enable

 firewall defend fraggle enable

 firewall defend ping-of-death enable

 firewall defend ip-spoofing enable

 firewall defend action discard

Root cause

Analysis based on the firewall's attack-defense principles identified the root cause as the command firewall defend ip-spoofing enable. With this command enabled, the device performs a reverse FIB lookup on each packet's source IP address; if the outbound interface returned for that address differs from the interface the packet arrived on, the packet is treated as an IP spoofing attack and discarded. The servers whose services were interrupted are routed over line 2 by policy-based routing, so their packets also arrive via line 2; the reverse FIB lookup, however, resolves to line 1, so the USG6650 judged the packets to be an IP spoofing attack and dropped them, interrupting the service.
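The following is an added model of the reverse-path check described above (it is not Huawei code). It assumes line 1 is GigabitEthernet1/0/0 (the default route via x.x.x.65) and line 2 is GigabitEthernet2/0/2 (zone untrust1), with a constructed public client address; the FIB holds only the case's default route plus an assumed inside prefix.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed interface-to-line mapping (the case does not name the line-1 interface):
# line 1 = GigabitEthernet1/0/0 (default route via x.x.x.65),
# line 2 = GigabitEthernet2/0/2 (zone untrust1, next-hop x.x.x.93).
LINE1, LINE2 = "GigabitEthernet1/0/0", "GigabitEthernet2/0/2"

# Constructed FIB: the case's single default route plus an assumed inside prefix.
FIB = [
    (ip_network("192.168.103.0/24"), "Eth-Trunk2"),
    (ip_network("0.0.0.0/0"), LINE1),
]

Packet = namedtuple("Packet", "src dst ingress")


def fib_lookup(addr):
    """Longest-prefix match: the egress interface the FIB would use for addr."""
    best = max((n for n, _ in FIB if ip_address(addr) in n), key=lambda n: n.prefixlen)
    return dict(FIB)[best]


def ip_spoofing_check(pkt, defend_enabled=True):
    """Model of 'firewall defend ip-spoofing': reverse-lookup the SOURCE address
    in the FIB and drop the packet if that egress differs from its ingress.
    Policy-based routing (pbr_1) is deliberately absent here: it steers egress
    only, so it cannot make the reverse lookup agree with the ingress interface."""
    if not defend_enabled:
        return "forward"
    return "forward" if fib_lookup(pkt.src) == pkt.ingress else "drop"


def simulate(packets, defend_enabled=True):
    """Return {packet: verdict} for a batch of inbound packets."""
    return {p: ip_spoofing_check(p, defend_enabled) for p in packets}


# Constructed traffic: a public client (RFC 5737 address) reaching the published
# address of a line-2 server; "x.x.x.92" stands in for the redacted global address.
PACKETS = [
    Packet("203.0.113.10", "x.x.x.92", LINE2),  # arrives via line 2: dropped
    Packet("203.0.113.10", "x.x.x.92", LINE1),  # same client via line 1: forwarded
]

if __name__ == "__main__":
    for p, verdict in simulate(PACKETS).items():
        print(f"{p.src} -> {p.dst} in {p.ingress}: {verdict}")
    print("with defense disabled:", set(simulate(PACKETS, False).values()))
```

The first packet reproduces the outage: its source resolves to line 1 in the FIB while it entered on line 2, so the check discards it; disabling the defense (the case's fix) forwards both.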

Solution

After the firewall defend ip-spoofing enable function was turned off on the USG6650, the service was restored.

Recommendations and summary

When the USG works in transparent mode, in a multi-egress scenario, or with policy-based routing applied, the IP spoofing attack defense function must not be configured.

END