USG9560 (V5R1C30SPC100): traffic between security zones fails

Published: 2016-12-31

Problem description

Device: USG9560

Version: V5R1C30SPC100

Topology: (diagram not reproduced on this page)

Network overview:

Production-network users: in the trust zone.

Servers: in the DMZ zone.

Configuration script:

policy-based-route
 rule name "DMZ_TO_Internal_no policy"
  ingress-interface GigabitEthernet3/1/2.502
  ingress-interface GigabitEthernet3/1/2.503
  ingress-interface Eth-Trunk3.200
  destination-address address-set serverTO20M_deny
  action no-pbr
 rule name Trust_To_internal_Nopolicy
  ingress-interface GigabitEthernet1/2/0.706
  destination-address address-set trust100m
  action no-pbr                          
 rule name Trust_To_sonatel2
  description Trust_To_sonatel2
  ingress-interface GigabitEthernet1/2/0.706
  source-address address-set trust100m
  track ip-link to_sonatel2
  action pbr egress-interface Eth-Trunk1 next-hop 10.33.1.20
 rule name DMZ&Itcloud_To_20M
  description DMZ&Itcloud_To_20M
  ingress-interface GigabitEthernet3/1/2.502
  ingress-interface GigabitEthernet3/1/2.503
  ingress-interface Eth-Trunk3.200
  source-address address-set serverto20m
  track ip-link dmz&itcloud_to_20m
  action pbr egress-interface Eth-Trunk2 next-hop 10.33.1.28
 rule name internet_to_bluecoat
#

 rule name z11
  source-zone itcloud
  destination-zone dmz
  action permit

 rule name trust_dmz_0
  source-zone trust
  destination-zone dmz
  service trust_dmz
  action permit

Fault description:

1. Users in the trust zone cannot reach the DMZ zone.

2. Users in the itcloud zone can reach the DMZ zone.

Handling process

The interzone security policy was checked first: the trust-to-dmz rule (trust_dmz_0) is a permit, so the policy is not what blocks the traffic. The detailed session table, however, showed that sessions from trust-zone users were being source-NATed and sent out of the network, even though trust-to-DMZ traffic is east-west traffic that should never leave.

 Current Total Sessions : 5
 http  VPN: public --> public  ID: a68f61965a1482b64eb58657400022
 Zone: trust --> sonatel2 Slot: 2 CPU: 2  TTL: 00:15:00  Left: 00:14:33
 Recv Interface: GigabitEthernet1/2/0.706
 Interface: Eth-Trunk1  NextHop: 10.33.1.20
 <--packets: 9 bytes: 831 --> packets: 0 bytes: 0
 Remote 10.31.11.121:7447[41.82.212.203:2228] --> 194.213.3.109:80 PolicyName: -
--
 TCP State: fin-1

 http  VPN: public --> public  ID: a68f61fc4734037c45258657400022
 Zone: trust --> sonatel2 Slot: 2 CPU: 2  TTL: 00:20:00  Left: 00:19:12
 Recv Interface: GigabitEthernet1/2/0.706
 Interface: Eth-Trunk1  NextHop: 10.33.1.20
 <--packets: 1 bytes: 52 --> packets: 0 bytes: 0
 Remote 10.31.11.121:7446[41.82.212.203:2227] --> 194.213.3.109:80 PolicyName: -
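The session records above can be checked mechanically rather than by eye. As an added example (not part of the original case and not Huawei code), the following Python parses `display firewall session table verbose` output in the format shown and flags sessions whose source and destination are both internal but which left through an ISP zone or were source-NATed. The internal prefix 10.0.0.0/8, the use of zone name sonatel2 as the ISP-facing zone, and the DMZ server address 10.40.1.10 are assumptions; the sample records are constructed, with the first copied from the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (not stated on the page): everything in 10.0.0.0/8 is internal,
# and "sonatel2" is the ISP-facing zone reached through Eth-Trunk1.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXTERNAL_ZONES = {"sonatel2"}

ZONE_RE = re.compile(r"Zone:\s+(\S+)\s+-->\s+(\S+)")
EGRESS_RE = re.compile(r"^\s*Interface:\s+(\S+)")          # not "Recv Interface:"
# "<src>:<port>[<nat-src>:<nat-port>] --> <dst>:<port>"; the NAT bracket is optional
ENDPOINT_RE = re.compile(
    r"^\s*(?:Remote\s+)?(\d+(?:\.\d+){3}):\d+"
    r"(?:\[(\d+(?:\.\d+){3}):\d+\])?\s+-->\s+(\d+(?:\.\d+){3}):\d+"
)


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src: str
    nat_src: Optional[str]   # translated source address, None when no source NAT
    dst: str
    egress: str


def parse_sessions(text: str) -> List[Session]:
    """Parse 'display firewall session table verbose' output into Session records.
    Records are separated by blank lines (or a grep '--' separator line)."""
    sessions: List[Session] = []
    cur = {}

    def flush():
        if "src" in cur and "src_zone" in cur:
            sessions.append(Session(cur["src_zone"], cur["dst_zone"], cur["src"],
                                    cur.get("nat_src"), cur["dst"], cur.get("egress", "")))
        cur.clear()

    for line in text.splitlines():
        if not line.strip() or line.strip() == "--":
            flush()
            continue
        if m := ZONE_RE.search(line):
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
        elif m := EGRESS_RE.match(line):
            cur["egress"] = m.group(1)
        elif m := ENDPOINT_RE.match(line):
            cur["src"], cur["nat_src"], cur["dst"] = m.group(1), m.group(2), m.group(3)
    flush()
    return sessions


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_misrouted(s: Session) -> bool:
    """An internal-to-internal flow must never leave via an ISP zone or be source-NATed."""
    return (is_internal(s.src) and is_internal(s.dst)
            and (s.dst_zone in EXTERNAL_ZONES or s.nat_src is not None))


def find_misrouted(text: str) -> List[Session]:
    return [s for s in parse_sessions(text) if is_misrouted(s)]


# Constructed sample: record 1 is the page's own session (internet-bound, correct);
# record 2 is a trust user reaching the hypothetical DMZ server 10.40.1.10 but leaving
# via sonatel2 with source NAT (the fault); record 3 is the same flow after the fix.
SAMPLE = """\
 Current Total Sessions : 3
 http  VPN: public --> public  ID: a68f61965a1482b64eb58657400022
 Zone: trust --> sonatel2 Slot: 2 CPU: 2  TTL: 00:15:00  Left: 00:14:33
 Recv Interface: GigabitEthernet1/2/0.706
 Interface: Eth-Trunk1  NextHop: 10.33.1.20
 <--packets: 9 bytes: 831 --> packets: 0 bytes: 0
 Remote 10.31.11.121:7447[41.82.212.203:2228] --> 194.213.3.109:80 PolicyName: -

 http  VPN: public --> public  ID: example-session-2
 Zone: trust --> sonatel2 Slot: 2 CPU: 2  TTL: 00:20:00  Left: 00:19:12
 Recv Interface: GigabitEthernet1/2/0.706
 Interface: Eth-Trunk1  NextHop: 10.33.1.20
 <--packets: 1 bytes: 52 --> packets: 0 bytes: 0
 Remote 10.31.11.121:7450[41.82.212.203:2231] --> 10.40.1.10:80 PolicyName: -

 http  VPN: public --> public  ID: example-session-3
 Zone: trust --> dmz Slot: 2 CPU: 2  TTL: 00:20:00  Left: 00:19:55
 Recv Interface: GigabitEthernet1/2/0.706
 Interface: GigabitEthernet3/1/2.502  NextHop: 10.40.1.10
 <--packets: 4 bytes: 312 --> packets: 3 bytes: 240
 Remote 10.31.11.121:7451 --> 10.40.1.10:80 PolicyName: trust_dmz_0
"""

if __name__ == "__main__":
    for s in find_misrouted(SAMPLE):
        print(f"misrouted: {s.src} -> {s.dst} via {s.egress} "
              f"(zone {s.src_zone}->{s.dst_zone}, NAT {s.nat_src})")
```

Only the second record is reported: the first has a public destination, and the third shows the healthy state (destination zone dmz, no NAT bracket), which is what to look for after applying the fix.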

Checking the policy-based routing explained it: rule Trust_To_sonatel2 matches on ingress interface GigabitEthernet1/2/0.706 and source address-set trust100m only, with no destination condition, so traffic from trust to the DMZ servers hit this rule as well and was forced out Eth-Trunk1 toward next-hop 10.33.1.20 (and source-NATed on the way) instead of following the route to the DMZ.

Solution:

1. Add a no-pbr rule to the policy-based route with the server addresses as the destination, and place it ahead of Trust_To_sonatel2: PBR rules are matched top-down and the first match wins, so a no-pbr rule placed behind the source-only rule would never be reached.

rule name Trust_To_internal_Nopolicy
  ingress-interface GigabitEthernet1/2/0.706
  destination-address address-set trust100m
  action no-pbr

Afterwards, confirm with display firewall session table verbose that trust-to-DMZ sessions show Zone: trust --> dmz and no translated address in brackets.
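To show why both the destination condition and the rule order matter, here is an added Python model of the USG's top-down, first-match walk of the policy-based-route rule list (example code, not Huawei's implementation and not from the original case). The two relevant rules are transcribed from the page's script; the address-set contents, the set name dmz_servers and the server address 10.40.1.10 are assumptions, and ip-link tracking is treated as up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed address-set contents; the page references the sets by name only.
ADDRESS_SETS: Dict[str, List[str]] = {
    "trust100m": ["10.31.0.0/16"],      # trust users such as 10.31.11.121
    "dmz_servers": ["10.40.1.0/24"],    # hypothetical set holding the DMZ server addresses
}


def in_address_set(ip: str, set_name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDRESS_SETS[set_name])


@dataclass
class PbrRule:
    name: str
    ingress: Tuple[str, ...] = ()
    source_set: Optional[str] = None
    destination_set: Optional[str] = None
    action: str = "no-pbr"              # "no-pbr" or "pbr"
    egress: Optional[str] = None
    next_hop: Optional[str] = None

    def matches(self, ingress: str, src: str, dst: str) -> bool:
        """Every condition present in the rule must hold; an absent condition matches anything."""
        if self.ingress and ingress not in self.ingress:
            return False
        if self.source_set and not in_address_set(src, self.source_set):
            return False
        if self.destination_set and not in_address_set(dst, self.destination_set):
            return False
        return True


def evaluate(rules: List[PbrRule], ingress: str, src: str,
             dst: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Top-down first match over the rule list.
    Returns (rule name, action, egress interface); action 'none' means no rule
    matched, and both 'none' and 'no-pbr' fall through to the routing table."""
    for rule in rules:
        if rule.matches(ingress, src, dst):
            return rule.name, rule.action, rule.egress
    return None, "none", None


# Rules transcribed from the page (destination set name is the assumption noted above).
NO_PBR_INTERNAL = PbrRule("Trust_To_internal_Nopolicy", ingress=("GigabitEthernet1/2/0.706",),
                          destination_set="dmz_servers", action="no-pbr")
TO_SONATEL2 = PbrRule("Trust_To_sonatel2", ingress=("GigabitEthernet1/2/0.706",),
                      source_set="trust100m", action="pbr",
                      egress="Eth-Trunk1", next_hop="10.33.1.20")

BEFORE_FIX = [TO_SONATEL2]                    # no-pbr rule missing
WRONG_ORDER = [TO_SONATEL2, NO_PBR_INTERNAL]  # no-pbr rule present but behind the source-only rule
AFTER_FIX = [NO_PBR_INTERNAL, TO_SONATEL2]    # order shown in the page's script

INGRESS = "GigabitEthernet1/2/0.706"
TRUST_USER = "10.31.11.121"       # from the page's session table
DMZ_SERVER = "10.40.1.10"         # constructed
INTERNET_HOST = "194.213.3.109"   # from the page's session table

if __name__ == "__main__":
    for label, rules in (("before fix", BEFORE_FIX), ("wrong order", WRONG_ORDER),
                         ("after fix", AFTER_FIX)):
        print(label, "trust->dmz:", evaluate(rules, INGRESS, TRUST_USER, DMZ_SERVER))
        print(label, "trust->internet:", evaluate(rules, INGRESS, TRUST_USER, INTERNET_HOST))
```

With the no-pbr rule absent or ordered after Trust_To_sonatel2, the trust-to-DMZ flow is sent to Eth-Trunk1 exactly as the session table showed; with the page's order, it falls through to the routing table while internet-bound traffic still takes the ISP link.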


Root cause

Policy-based routing is evaluated before the routing table: a packet that matches a PBR rule is forwarded according to that rule's action, and the destination route is consulted only when no rule matches or the matching rule is no-pbr. Because Trust_To_sonatel2 had no destination condition, the trust-to-DMZ flow followed the ISP rule instead of the route to the DMZ.

END