USG6650 V100R001C30SPC600 L2TP VPN as LNS: remote terminals dial up successfully but cannot access the intranet

Published: 2017-03-10
Problem description

A USG6650 acts as the L2TP VPN LNS. Remote mobile-office terminals dial up successfully, but they cannot access the intranet.

The dial-up success information of the remote mobile-office terminal is as follows:

Troubleshooting process

Check the session table entries for the remote terminal's access to the intranet (both directions):

 [USG6600-diagnose]display firewall session table verbose-hide both-direction source inside 192.168.109.38
 21:05:54  2017/01/14
  Current Total Sessions : 1
   icmp  VPN:public --> public  ID: a58f699fee2705bdaa587a92ae
   Zone: untrust--> trust  TTL: 00:00:20  Left: 00:00:16    User: xxxx@yyct   Input-interface: Virtual-Template8
   Output-interface: GigabitEthernet1/0/7  NextHop: 10.141.78.13  MAC: xx-xx-xx-xx-xx-xx
   <--packets:0 bytes:0   -->packets:1 bytes:60
   192.168.109.38:1-->10.141.78.13:2048
 
   icmp  VPN:public --> public  ID: a58f699fee2705bdaa587a92ae
   Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:16    User: yyct@yyct
   Output-interface: GigabitEthernet1/0/4  NextHop: 111.111.111.111  MAC: xx-xx-xx-xx-xx-xx   //return traffic is sent out the physical interface GigabitEthernet1/0/4 instead of Virtual-Template8
   <--packets:0 bytes:0   -->packets:1 bytes:60
   10.141.78.13:2048-->192.168.109.38:1

[USG6600]display  ip interface  brief 
 21:17:13  2017/01/14
 *down: administratively down
 (s): spoofing
 Interface                   IP Address      Physical Protocol Description 
 GigabitEthernet1/0/4        111.111.111.111   up       up       Huawei, USG6600 
 GigabitEthernet1/0/7         11.11.11.11  up       up       Huawei, USG6600 
 Virtual-Template8           192.168.109.31  up       up(s)    Huawei, USG6600

Root cause

A policy-based route configured on GigabitEthernet1/0/7 redirects the return traffic of the intranet access (the replies going back to the VPN client) to the physical interface GigabitEthernet1/0/4, so the replies never re-enter the L2TP tunnel on Virtual-Template8.

 

Solution

Remove the redirect configuration from GigabitEthernet1/0/7, or change the policy-based route so that it does not apply to the return traffic.

After the configuration change, the session table entries for the remote terminal's access to the intranet are as follows:

[USG6600-diagnose]display firewall session table verbose-hide both-direction source inside 192.168.109.38
 21:10:53  2017/01/14
  Current Total Sessions : 1
   icmp  VPN:public --> public  ID: a58f663169c905bdaa587a93da
   Zone: trust--> trust  TTL: 00:00:20  Left: 00:00:19    User: yyct@yyct   Input-interface: Virtual-Template8
   Output-interface: GigabitEthernet1/0/7  NextHop: 10.141.78.13  MAC: xx-xx-xx-xx-xx-xx
   <--packets:0 bytes:0   -->packets:3 bytes:180
   192.168.109.38:1-->10.141.78.13:2048
 
   icmp  VPN:public --> public  ID: a58f663169c905bdaa587a93da
   Zone: trust--> trust  TTL: 00:00:20  Left: 00:00:19    User: yyct@yyct
   Output-interface: Virtual-Template8:0  NextHop: 192.168.109.38  MAC: 00-00-00-00-00-00
   <--packets:0 bytes:0   -->packets:3 bytes:180
   10.141.78.13:2048-->192.168.109.38:1
The session table confirms that the return traffic is now correctly sent back through Virtual-Template8 and the service is working normally.
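The check the engineer performed by eye on the two session-table dumps (does the reply leave on the same interface the forward flow entered on?) can be automated. The following Python script is an added example and is not part of the original case or of any Huawei tool: it parses the output format of "display firewall session table verbose-hide both-direction" as shown above, pairs the two halves of each session by ID, and flags every session whose reverse direction exits through an interface other than the forward direction's input interface. The two embedded samples are the before/after dumps from this case; the regular expressions are assumptions based on that output format and may need adjusting for other software versions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input, copied from the two session-table dumps in this case
# (before and after the policy-based-route fix).
BEFORE_FIX = """\
 21:05:54  2017/01/14
  Current Total Sessions : 1
   icmp  VPN:public --> public  ID: a58f699fee2705bdaa587a92ae
   Zone: untrust--> trust  TTL: 00:00:20  Left: 00:00:16    User: xxxx@yyct   Input-interface: Virtual-Template8
   Output-interface: GigabitEthernet1/0/7  NextHop: 10.141.78.13  MAC: xx-xx-xx-xx-xx-xx
   <--packets:0 bytes:0   -->packets:1 bytes:60
   192.168.109.38:1-->10.141.78.13:2048

   icmp  VPN:public --> public  ID: a58f699fee2705bdaa587a92ae
   Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:16    User: yyct@yyct
   Output-interface: GigabitEthernet1/0/4  NextHop: 111.111.111.111  MAC: xx-xx-xx-xx-xx-xx
   <--packets:0 bytes:0   -->packets:1 bytes:60
   10.141.78.13:2048-->192.168.109.38:1
"""

AFTER_FIX = """\
 21:10:53  2017/01/14
  Current Total Sessions : 1
   icmp  VPN:public --> public  ID: a58f663169c905bdaa587a93da
   Zone: trust--> trust  TTL: 00:00:20  Left: 00:00:19    User: yyct@yyct   Input-interface: Virtual-Template8
   Output-interface: GigabitEthernet1/0/7  NextHop: 10.141.78.13  MAC: xx-xx-xx-xx-xx-xx
   <--packets:0 bytes:0   -->packets:3 bytes:180
   192.168.109.38:1-->10.141.78.13:2048

   icmp  VPN:public --> public  ID: a58f663169c905bdaa587a93da
   Zone: trust--> trust  TTL: 00:00:20  Left: 00:00:19    User: yyct@yyct
   Output-interface: Virtual-Template8:0  NextHop: 192.168.109.38  MAC: 00-00-00-00-00-00
   <--packets:0 bytes:0   -->packets:3 bytes:180
   10.141.78.13:2048-->192.168.109.38:1
"""

# Regexes assumed from the output format shown in this case.
HEADER = re.compile(r"^\s*(\w+)\s+VPN:(\S+)\s*-->\s*(\S+)\s+ID:\s*(\w+)", re.M)
ZONE = re.compile(r"Zone:\s*(\w+)\s*-->\s*(\w+)")
IN_IF = re.compile(r"Input-interface:\s*(\S+)")
OUT_IF = re.compile(r"Output-interface:\s*(\S+)")
FLOW = re.compile(r"^\s*(\d+(?:\.\d+){3}):(\d+)-->(\d+(?:\.\d+){3}):(\d+)", re.M)


@dataclass
class SessionHalf:
    """One direction of a session as printed by the firewall."""
    proto: str
    sid: str
    zone_in: str
    zone_out: str
    input_if: Optional[str]   # only the forward direction carries this field
    output_if: str
    src: str
    dst: str


def base_interface(name: str) -> str:
    """Strip a sub-interface suffix, e.g. 'Virtual-Template8:0' -> 'Virtual-Template8'."""
    return name.split(":")[0]


def parse_sessions(text: str) -> List[SessionHalf]:
    """Split the dump on blank lines and parse every block that holds a session header."""
    halves: List[SessionHalf] = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        h = HEADER.search(block)
        if not h:
            continue
        z, o, f, i = ZONE.search(block), OUT_IF.search(block), FLOW.search(block), IN_IF.search(block)
        if not (z and o and f):
            continue  # incomplete entry; skip rather than guess
        halves.append(SessionHalf(
            proto=h.group(1), sid=h.group(4),
            zone_in=z.group(1), zone_out=z.group(2),
            input_if=i.group(1) if i else None, output_if=o.group(1),
            src=f"{f.group(1)}:{f.group(2)}", dst=f"{f.group(3)}:{f.group(4)}",
        ))
    return halves


def check_return_path(text: str) -> List[str]:
    """Return one finding per session whose reply does not leave via the forward input interface."""
    by_id: Dict[str, List[SessionHalf]] = {}
    for half in parse_sessions(text):
        by_id.setdefault(half.sid, []).append(half)

    findings: List[str] = []
    for sid, halves in by_id.items():
        fwd = next((h for h in halves if h.input_if), None)
        rev = next((h for h in halves if h is not fwd), None)
        if fwd is None or rev is None:
            findings.append(f"session {sid}: only one direction present, cannot check return path")
            continue
        expected, actual = base_interface(fwd.input_if), base_interface(rev.output_if)
        if expected != actual:
            findings.append(
                f"session {sid}: {fwd.src}->{fwd.dst} enters via {fwd.input_if} but the reply "
                f"{rev.src}->{rev.dst} leaves via {rev.output_if} (expected {expected}); "
                f"check policy-based routing on {fwd.output_if}"
            )
    return findings


if __name__ == "__main__":
    for label, dump in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "->", check_return_path(dump) or "return path symmetric")
```

Run against the "before" dump it reports the reply exiting GigabitEthernet1/0/4 while the forward flow entered Virtual-Template8 and points at GigabitEthernet1/0/7 as the interface whose policy-based routing to inspect; against the "after" dump it reports nothing. Pasting the live output of the command into BEFORE_FIX gives the same check on a device.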
