December 22. It's very cold today, and the weather keeps getting stranger. Sometimes I can't help wondering how much longer the Earth can hold out, and then I tell myself I'm worrying like the man of Qi who feared the sky would fall: an ant should have an ant's self-awareness, go do what needs doing and stop thinking about such vague, far-off things, I'm not Spider-Man after all! Plenty of annoying things too: the Lishi customer has put in a whole pile of equipment, not even from a single vendor, so I'm reading manuals every day, and then there's that bunch of over-energetic guys back at the company. Patience first!

The Jiaotou project has been dragging on for many days and the customer nags every day. After the servers and storage went into the racks, it really was ages before I went back, no wonder they're anxious! With the active, safe and reliable cooperation of everyone involved, the branch offices' basic requirements have finally been met and the ××× can at last be deployed. Hearing this news I was in tears: as if only you were in a hurry and I wasn't!

Hopped over to the Jiaotou headquarters. In the rack sat a USG5310. I asked: has the ××× license been loaded onto the USG5310? Nobody knew. Damn, this is ridiculous. Quickly called the company's sales people: does this thing have a license? Sales were a bit dazed: no idea, we just ordered the box. Stunned; I'll skip the details. By the time the license came through it was already the next day. Loaded the license in a hurry, and the ××× command set finally appeared. Let's get to work!!

Drew up a brief address plan for the customer. The headquarters servers went into 192.168.20.0/24, and the seven branch offices below it got 172.16.1.0/24 through 172.16.7.0/24. The branches' network situation is not great: two have static public IPs, the rest are all on PPPoE dial-up. Looked through the manual; I haven't done this in a long time and needed to refresh the procedure and the commands. Decided to build the IPsec tunnels with IKE security policies plus a security policy template: the security policies are for the branches with static IPs, and the PPPoE dial-up branches use the policy-template approach directly. The branches' static IPs aren't known yet anyway, so forget it, do the policy template first.

Logged into the USG5310 with SecureCRT, entered username and password, and pasted in a block of commands I had written up in Word beforehand:

#
acl number 3000
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

quit
#
web-manager enable
web-manager security enable
#
ike local-name sxjt
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
nat address-group 1 218.26.x.x 218.26.x.x

#
ike proposal 10

quit
#
ike peer a
exchange-mode aggressive
pre-shared-key 123456
ike-proposal 10
undo version 2
local-id-type name
remote-name sxyj
quit

#
ipsec proposal tran1

quit
#
ipsec policy-template map1_temp 11
security acl 3000
ike-peer a
proposal tran1

quit
#
ipsec policy map1 11 isakmp template map1_temp
#
interface GigabitEthernet0/0/0
ip address 192.168.253.254 255.255.255.0

quit
#
interface GigabitEthernet0/0/1
ip address 218.26.x.x 255.255.255.224
ipsec policy map1

quit
#
firewall zone trust
add interface GigabitEthernet0/0/0

quit
#
firewall zone untrust
add interface GigabitEthernet0/0/1

quit
#
policy interzone trust untrust outbound
policy 1
action permit
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
policy source 192.168.4.0 0.0.0.255
policy source 192.168.5.0 0.0.0.255
policy source 192.168.6.0 0.0.0.255
policy source 192.168.7.0 0.0.0.255
policy source 192.168.9.0 0.0.0.255
policy source 192.168.8.0 0.0.0.255
policy source 192.168.10.0 0.0.0.255
policy source 192.168.0.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
policy source 192.168.20.0 0.0.0.255

quit
#
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 172.16.2.0 0.0.0.255
policy destination 172.16.3.0 0.0.0.255
policy destination 172.16.4.0 0.0.0.255
policy destination 172.16.5.0 0.0.0.255
policy destination 172.16.6.0 0.0.0.255
policy destination 172.16.7.0 0.0.0.255
policy destination 172.16.1.0 0.0.0.255
address-group 1

policy 2
action source-nat
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
policy source 192.168.4.0 0.0.0.255
policy source 192.168.5.0 0.0.0.255
policy source 192.168.6.0 0.0.0.255
policy source 192.168.7.0 0.0.0.255
policy source 192.168.9.0 0.0.0.255
policy source 192.168.8.0 0.0.0.255
policy source 192.168.10.0 0.0.0.255
policy source 192.168.0.0 0.0.0.255
policy source 192.168.20.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
address-group 1

quit
#
ip route-static 0.0.0.0 0.0.0.0 218.26.x.x
ip route-static 192.168.0.0 255.255.255.0 192.168.253.253
ip route-static 192.168.1.0 255.255.255.0 192.168.253.253
ip route-static 192.168.2.0 255.255.255.0 192.168.253.253
ip route-static 192.168.3.0 255.255.255.0 192.168.253.253
ip route-static 192.168.4.0 255.255.255.0 192.168.253.253
ip route-static 192.168.5.0 255.255.255.0 192.168.253.253
ip route-static 192.168.6.0 255.255.255.0 192.168.253.253
ip route-static 192.168.7.0 255.255.255.0 192.168.253.253
ip route-static 192.168.8.0 255.255.255.0 192.168.253.253
ip route-static 192.168.9.0 255.255.255.0 192.168.253.253
ip route-static 192.168.10.0 255.255.255.0 192.168.253.253
ip route-static 192.168.20.0 255.255.255.0 192.168.253.253
re

save

OK, once it was saved, told the customer that VTY absolutely must be configured, otherwise when something goes wrong at a branch you'll be crying with nowhere to turn. The customer tossed out a car right away and I hopped straight over to Jincheng. Walked into the branch and yelled: the network's going down! Then racked the USG2000, powered it up, logged in and pasted the commands straight in:

#

acl number 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

acl number 3001
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

rule 5 permit ip source 172.16.1.0 0.0.0.255
#
ike local-name sxyj
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ike proposal 10

quit
#
ike peer a
exchange-mode aggressive
pre-shared-key 123456
ike-proposal 10
local-id-type name
remote-name sxjt
remote-address 218.26.x.x

quit
#
ipsec proposal tran1

quit
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1

quit
#
interface Dialer1
link-protocol ppp
ppp pap local-user xxxx password simple xxxxxx
mtu 1450
ip address ppp-negotiate
dialer user xxx
dialer bundle 1
ipsec policy map1
#
interface Ethernet0/0/0
pppoe-client dial-bundle-number 1
undo ip fast-forwarding qff
#
interface Ethernet0/0/1
mtu 1400
ip address 172.16.1.1 255.255.255.0
undo ip fast-forwarding qff
#
firewall zone trust
set priority 85
add interface Ethernet0/0/1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
add interface Dialer1
#
firewall interzone trust untrust
packet-filter 3001 outbound
nat outbound 3001 interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1

After pasting I looked it over, no errors, and started fiddling on the firewall. Got the two firewalls' internal interface IPs pinging each other; dis ipsec sa and dis ike sa showed the tunnel had come up nicely. Heh heh, happy! Plugged my laptop straight into the firewall's internal port, gave it an IP, and cheerfully pinged the headquarters server address. The result left me dumbstruck: it didn't go through! Went over the configuration again and again, then checked the tunnel state again; nothing wrong anywhere, what's going on, damn! No choice, the customer was standing right there watching, so call the 400 support line. 400 picked up, looked at the config and announced: no problem here. I was depressed; I said, bro, if there's no problem why doesn't it work, not working means there IS a problem! He said hang on, I'll call you back in a bit. I kept staring at the configuration, looking left and right. Then I thought about it and called the headquarters side and had them ping my laptop address from a 192.168.20.0 address; they said that worked fine. So the problem is on the branch side. Is some command here on the branch side blocking it?? Told myself: Maomao, at a crisis moment like this you have to stay calm! Three deep breaths, then went through the config carefully again, and heh, caught you! It was ACL 3001: I had actually added 3001 to the packet-filter rule between the trust and untrust zones, so its deny rule got applied first and the packets were thrown away. Of course it didn't work! Quickly undid that command, tested, and everything was OK!

Empiricism kills. Copying commands from somewhere else and modifying them sounds so easy, but once there's a problem, troubleshooting is quite hard, because you didn't enter them one by one and so they left no impression, and the consequence of a shallow impression is that you look and look and just can't see where the problem is! From now on I'll always make two separate ACLs, one for the packet-filter rules and one for the NAT rules, so that problems are easier to troubleshoot. This time let it go; who told me to be such a lazy person, heh!
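The collision described above, where the NAT ACL reused as an interzone packet filter dropped exactly the traffic the IPsec policy was supposed to protect, together with the two-ACL rule from the last paragraph, as an added example. This is not the post's own code and not a Huawei tool: a small Python check that parses the `acl number` / `rule` lines in the VRP syntax used here, evaluates them first-match with wildcard masks, and flags any ACL number referenced by both a `packet-filter` and a `nat outbound` statement. The config strings are trimmed from the branch USG2000 configuration above; the first-match and default-permit packet-filter semantics are this script's assumptions, and the "fixed" variant simply drops the `packet-filter 3001 outbound` line, which is what the author did.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# (network, wildcard) as integers; None means "any address".
AddrSpec = Optional[Tuple[int, int]]


@dataclass
class AclRule:
    rule_id: int
    action: str        # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


# One ACL rule line in the VRP syntax used in the post, e.g.
#   rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#   rule 5 permit ip source 172.16.1.0 0.0.0.255
RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (\S+) (\S+))?"
    r"(?: destination (\S+) (\S+))?$"
)


def _spec(net: Optional[str], wildcard: Optional[str]) -> AddrSpec:
    if net is None:
        return None
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))


def _matches(spec: AddrSpec, ip: str) -> bool:
    # Wildcard-mask match: bits set in the wildcard are "don't care".
    if spec is None:
        return True
    net, wc = spec
    return (int(ipaddress.IPv4Address(ip)) | wc) == (net | wc)


def parse_acls(config: str) -> dict:
    """Collect {acl_number: [AclRule, ...]} from the 'acl number N' blocks."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"acl number (\d+)$", line)
        if head:
            current = int(head.group(1))
            acls.setdefault(current, [])
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            rid, action, s, sw, d, dw = rule.groups()
            acls[current].append(AclRule(int(rid), action, _spec(s, sw), _spec(d, dw)))
    return acls


def evaluate(rules, src_ip: str, dst_ip: str, default: str) -> str:
    """First matching rule wins (lowest rule id first); 'default' when none match."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action
    return default


def shared_acls(config: str) -> list:
    """ACL numbers used both as an interzone packet filter and as a NAT ACL."""
    pf = set(re.findall(r"packet-filter (\d+)", config))
    nat = set(re.findall(r"nat outbound (\d+)", config))
    return sorted(int(n) for n in pf & nat)


def tunnel_traffic_dropped(config: str, src_ip: str, dst_ip: str) -> bool:
    """True if the outbound packet filter denies a flow the IPsec policy's ACL selects."""
    acls = parse_acls(config)
    ipsec = re.search(r"security acl (\d+)", config)
    pf = re.search(r"packet-filter (\d+) outbound", config)
    if not ipsec or not pf:
        return False
    # Interesting-traffic ACL: no match means "not protected", hence default deny.
    selected = evaluate(acls[int(ipsec.group(1))], src_ip, dst_ip, "deny") == "permit"
    # Packet filter: the post sets the interzone default to permit (assumed first-match, then default).
    blocked = evaluate(acls[int(pf.group(1))], src_ip, dst_ip, "permit") == "deny"
    return selected and blocked


# Trimmed from the branch USG2000 configuration in the post.
BRANCH_CONFIG = """\
acl number 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
acl number 3001
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip source 172.16.1.0 0.0.0.255
ipsec policy map1 10 isakmp
security acl 3000
firewall interzone trust untrust
packet-filter 3001 outbound
nat outbound 3001 interface Dialer1
"""

# The author's fix: remove the packet-filter line, so ACL 3001 only steers NAT.
FIXED_CONFIG = BRANCH_CONFIG.replace("packet-filter 3001 outbound\n", "")

if __name__ == "__main__":
    for name, cfg in (("broken", BRANCH_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "shared ACLs:", shared_acls(cfg),
              "tunnel traffic dropped:",
              tunnel_traffic_dropped(cfg, "172.16.1.5", "192.168.20.10"))
```

Running it on the branch config reports ACL 3001 as shared and a branch-to-headquarters flow as dropped; on the fixed config both checks come back clean. The same parser works on the headquarters configuration, where the `packet-filter` / `nat-policy` split already uses separate objects.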