f1030防火牆端口映射與IPSEC衝突
- 0關注
- 0收藏,304瀏覽
問題描述:
最近遇到一個問題,之前出口防火牆上做了內網服務器的端口映射,後麵又跟總部的華為AR6300對接做了IPSEC打通,發現在F1030做了映射的服務器PING不通對端的服務器,取消映射就正常,不知道有沒有人遇到過??前幾天在總部出現無法PING通H3C這邊服務器時發現是因為AR6300上做的映射 是nat server,後麵改成nat static映射 後就能正常訪問了。但是H3C好像配置不了nat static的端口映射。。。
- 2025-05-08提問
- 舉報
-
(0)
最佳答案
ipsec的感興趣流怎麼寫的,精細化的寫法嗎?還是隻寫了一個源地址?
- 2025-05-08回答
- 評論(2)
- 舉報
-
(0)
感興趣流應該也沒問題,隻要不做映射 都是正常的
解決了,感謝
1. NAT與IPSec優先級衝突:映射服務器的流量被NAT優先處理,未觸發IPSec加密,導致流量以明文發送至公網,無法匹配IPSec隧道。
2. ACL規則衝突:NAT outbound使用的ACL未排除IPSec感興趣流,導致加密流量被錯誤NAT轉換。
3. NAT回流未配置:內網通過公網IP訪問映射端口時,未啟用NAT hairpin,導致流量路徑未經過IPSec隧道。解決方案:
1. 分離NAT與IPSec流量:
修改NAT的ACL,拒絕IPSec感興趣流(如總部服務器網段)。
acl advanced 2000
rule 0 deny ip source 內網服務器網段 destination IPSec對端網段
rule 5 permit ip
確保IPSec策略的ACL(如acl 3000)精確匹配需要加密的流量。
2. 啟用NAT回流:
interface GigabitEthernet1/0/1
nat hairpin enable
nat outbound 2000
安全策略放行內網到服務器的回流流量(源:內網地址段,目的:服務器私網地址)。
3. 檢查IPSec配置:
確認IPSec策略正確調用IKE profile,且隧道模式為非模板方式(主動觸發協商)。
驗證兩端感興趣流完全對稱,避免ACL範圍不匹配。
4. 端口衝突排查:
確保NAT server未映射UDP 500/4500端口,避免與IPSec協商流量衝突。通過上述調整,可解決NAT與IPSec優先級衝突,保證加密流量正確觸發隧道建立。
- 2025-05-08回答
- 評論(4)
- 舉報
-
(0)
剛剛測試的時候做映射沒加reversible。。。額,還 以為通了
基本上你說的都做了,反正IPSEC兩端互通都沒問題,明天 我又發現了,做單向映射就沒問題,但如果 命令加了reversible,就不通了,難道回流要單獨做?
剛剛又檢查了一遍,下行口寫了nat hairpin enable,外網口沒做,加上就正常了。。。感謝大佬
高興早了,剛剛是幻覺??我剛加上是通了,後麵用客戶機器測試還是不行。。-_-!!!
剛剛測試的時候做映射沒加reversible。。。額,還 以為通了
配置放不方便發一下,要不然不好排查問題
- 2025-05-08回答
- 評論(1)
- 舉報
-
(0)
就是原來正常的在出口做了nat server端口映射了內網的服務器,後麵跟總部做了IPSEC,放通的服務器這個網段,然後就發現訪問不了總部對應放通的服務器
就是原來正常的在出口做了nat server端口映射了內網的服務器,後麵跟總部做了IPSEC,放通的服務器這個網段,然後就發現訪問不了總部對應放通的服務器
###下行口###
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.1.1.1 255.255.255.248
nat hairpin enable
###外網口###
interface GigabitEthernet1/0/15
port link-mode route
ip address 1.1.1.114 255.255.255.248
ip address 1.1.1.115 255.255.255.248 sub
ip address 1.1.1.116 255.255.255.248 sub
ip address 1.1.1.117 255.255.255.248 sub
ip address 1.1.1.118 255.255.255.248 sub
tcp mss 1300
nat outbound 3002 address-group 1
nat outbound 3001 address-group 0
###0.1是我的測試機###
nat server protocol tcp global current-interface 22222 inside 192.169.0.1 22222 reversible
nat hairpin enable
ipsec apply policy GE1/0/15
###公網地址組###
NAT address group information:
Totally 3 NAT address groups.
Address group ID: 0
Port range: 1-65535
Address information:
Start address End address
1.1.1.115 1.1.1.115
1.1.1.118 1.1.1.118
Address group ID: 1
Port range: 1-65535
Address information:
Start address End address
1.1.1.114 1.1.1.114
###NAT調用的ACL###
Advanced IPv4 ACL 3001, 16 rules,
ACL's step is 5
rule 1 deny ip source 192.168.90.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (235 times matched)
rule 2 deny ip source 192.168.90.0 0.0.0.255 destination 192.168.254.0 0.0.0.255 (15 times matched)
rule 3 deny ip source 192.168.90.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (478 times matched)
rule 4 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (18 times matched)
rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.250.0 0.0.1.255
rule 6 deny ip source 10.190.11.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (2 times matched)
rule 7 deny ip source 10.190.11.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (2214 times matched)
rule 10 permit ip source 192.168.90.0 0.0.0.255 (15084193 times matched)
rule 15 permit ip source 10.190.11.0 0.0.0.255 (1118225 times matched)
rule 20 deny ip source 10.250.0.0 0.0.0.255 destination 192.168.250.0 0.0.1.255
rule 31 deny ip source 192.169.0.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (13 times matched)
rule 33 deny ip source 192.169.0.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (44 times matched)
rule 34 deny ip source 10.250.0.0 0.0.0.255 destination 192.168.92.0 0.0.0.255
rule 35 deny ip source 10.250.0.0 0.0.0.255 destination 192.168.254.0 0.0.0.255 (124525 times matched)
rule 60 permit ip source 192.169.0.0 0.0.0.255 (1792062 times matched)
rule 70 permit ip source 10.250.0.0 0.0.0.255 (1537695 times matched)
Advanced IPv4 ACL 3002, 3 rules,
ACL's step is 5
rule 0 permit ip source 192.168.70.0 0.0.0.255 (226494634 times matched)
rule 5 permit ip source 192.168.110.0 0.0.0.255 (407892544 times matched)
rule 10 permit ip source 192.168.80.0 0.0.0.
###IPSEC調用的ACL###
Advanced IPv4 ACL named IPsec_GE1/0/15_IPv4_1, 12 rules,
ACL's step is 5
rule 1 permit ip source 192.168.90.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (35718479 times matched)
rule 2 permit ip source 192.168.90.0 0.0.0.255 destination 192.168.254.0 0.0.0.255 (111301 times matched)
rule 3 permit ip source 192.168.90.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (2567821 times matched)
rule 4 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (1795 times matched)
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (39241 times matched)
rule 6 permit ip source 10.190.11.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (666056 times matched)
rule 7 permit ip source 10.190.11.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (700750 times matched)
rule 10 permit ip source 192.169.0.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (23003932 times matched)
rule 20 permit ip source 10.250.0.0 0.0.0.255 destination 192.168.250.0 0.0.1.255 (12977961 times matched)
rule 30 permit ip source 10.250.0.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (37307 times matched)
rule 40 permit ip source 192.169.0.0 0.0.0.255 destination 192.168.92.0 0.0.0.255 (777608 times matched)
rule 50 permit ip source 10.250.0.0 0.0.0.255 destination 192.168.254.0 0.0.0.255 (191626818 times matched)
255 (104806 times matched)
###IPSEC配置###
ipsec transform-set GE1/0/15_IPv4_1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
#
ipsec policy GE1/0/15 1 isakmp
transform-set GE1/0/15_IPv4_1
security acl name IPsec_GE1/0/15_IPv4_1
local-address 1.1.1.114
remote-address 2.2.2.18
ike-profile GE1/0/15_IPv4_1
#
ike profile GE1/0/15_IPv4_1
keychain GE1/0/15_IPv4_1
local-identity address 1.1.1.114
match remote identity address 2.2.2.18 255.255.255.255
match local address GigabitEthernet1/0/15
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group14
#
ike keychain GE1/0/15_IPv4_1
match local address GigabitEthernet1/0/15
pre-shared-key address 2.2.2.18 255.255.255.255 key cipher $c$3$bAVYrIKbgD7oI12fGzWyBfLCyULG2k14tvel
- 2025-05-09回答
- 評論(0)
- 舉報
-
(0)
編輯答案
親~登錄後才可以操作哦!
確定你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作
舉報
×
侵犯我的權益
×
侵犯了我企業的權益
×
- 1. 您舉報的內容是什麼?(請在郵件中列出您舉報的內容和鏈接地址)
- 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
- 3. 是哪家企業?(營業執照,單位登記證明等證件)
- 4. 您與該企業的關係是?(您是企業法人或被授權人,需提供企業委托授權書)
抄襲了我的內容
×
原文鏈接或出處
誹謗我
×
- 1. 您舉報的內容以及侵犯了您什麼權益?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
- 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
對根叔社區有害的內容
×
不規範轉載
×
舉報說明
解決了,感謝