Tencent Cloud Firewall (Web Application Firewall)

慈云数据, 2023-03-26, Network news

Symptom

In a dual-egress FW scenario, the NAT mapping for public address A, whose traffic is steered by a policy-based route, worked normally and then suddenly became unreachable, while the NAT mapping for public address B, reached via the default route, remained reachable. If the default route is changed to egress A, the NAT mapping for A becomes reachable again; if a specific route is also configured to leave via egress A, the NAT mapping for A likewise remains reachable.

Figure 1: Network diagram


Cause analysis

The possible causes of the NAT mapping being unreachable are listed below; check them one by one:

Cause 1: configuration problems with policy-based routes, the default route, static routes, blackhole routes, and so on.

Cause 2: packets being dropped during forwarding.

Procedure

1. In the policy-based route view, run the display this command to check the policy-based route configuration. The configuration is correct, and source-in-source-out (the redirect-reverse command) is also configured on the corresponding interface:

HRP_M<FW> system-view
HRP_M[FW] policy-based-route
HRP_M[FW-policy-pbr] display this
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  source-address range 192.168.103.51 255.255.255.255
  source-address range 192.168.103.52 255.255.255.255
  source-address range 192.168.103.53 255.255.255.255
  source-address range 192.168.103.54 255.255.255.255
  track ip-link pbr_1
  action pbr next-hop 192.168.205.10
#
return

HRP_M[FW-GigabitEthernet2/0/2] display this
#
interface GigabitEthernet2/0/2
 undo shutdown
 ip address 192.168.205.248 255.255.255.252
 ipv6 address FC00:3::3/64
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit
 redirect-reverse next-hop 192.168.205.55
 dhcpv6 server pool1
#
return

2. Check the routing table: the blackhole routes are all configured as well.

3. Telnet to public address A on its NAT-mapped port to trigger access traffic and check the session table: there is no matching session. Accessing the other public address B on its NAT-mapped port does show a matching session, so the FW may be dropping the packets.

4. Clear the discard statistics, run display firewall statistic system discard, and check the discard counters: the ATK (attack defense) discards are noticeably high.

HRP_M<FW> display firewall statistic system discard
Discard statistic information:
  IP header field invalid packets discarded:5
  TCP session miss packets discarded:7
  ARP ack DST mac erro packets discarded:4
  L3 other eth typepackets discarded:14
  DDoS ifdefence packets discarded:14
  ATK packets discarded:77


Mar 16 2016 15:54:41 FW %%01DDOS/4/FIREWALLATCK(l)[13]:AttackType= "IP spoof attack", slot= " ", cpu= "0", receive interface= "GE2/0/2 ", proto= "TCP", src= "192.168.252.80:2065 192.168.11.166:34680 192.168.15.149:52147 192.168.106.37:2076 192.168.57.213:6000 ", dst= "192.168.166.94:9999 192.168.166.69:83 192.168.166.70:23 192.168.166.94:23 192.168.166.77:8009 192.168.166.70:8009 192.168.166.65:8009 192.168.166.64:8009 192.168.166.89:8009 192.168.166.83:8009 192.168.166.82:8009 192.168.166.66:8009 ", begin time= "2016-3-16 15:54:17", end time= "2016-3-16 15:54:41", total packets= "37", max speed= "0", User= "", Action= "discard".

Mar 16 2016 15:50:11 FW %%01DDOS/4/FIREWALLATCK(l)[24]:AttackType= "IP spoof attack", slot= " ", cpu= "0", receive interface= "GE2/0/2 ", proto= "TCP", src= "1.1.8.1:32321 1.1.9.1:7728 1.1.2.1:25932 1.1.3.1:43704 1.1.4.1:38787 ", dst= "1.1.5.1:80 1.1.5.2:23 1.1.5.3:49 1.1.5.4:81 1.1.5.5:22 ", begin time= "2016-3-16 15:49:46", end time= "2016-3-16 15:50:2", total packets= "15", max speed= "0", User= "", Action= "discard".

6. Run undo firewall defend ip-spoofing enable to disable the IP spoofing attack defense function; after this, the service returns to normal.
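As an added example (not part of the Huawei case or this page), the following Python parses FIREWALLATCK log lines of the format shown above and totals discarded packets per attack type and receive interface, which is the check that ties the ATK discard counter to one specific egress. The sample lines are abridged from the page's two log entries; the header and field layout are assumed from those two lines only.

```python
import re
from collections import Counter

# Two FIREWALLATCK lines abridged from the log output above (src/dst lists
# shortened; otherwise the device's own field layout).
SAMPLE_LOGS = [
    'Mar 16 2016 15:54:41 FW %%01DDOS/4/FIREWALLATCK(l)[13]:AttackType= "IP spoof attack", '
    'slot= " ", cpu= "0", receive interface= "GE2/0/2 ", proto= "TCP", '
    'src= "192.168.252.80:2065 192.168.11.166:34680 ", dst= "192.168.166.94:9999 192.168.166.69:83 ", '
    'begin time= "2016-3-16 15:54:17", end time= "2016-3-16 15:54:41", total packets= "37", '
    'max speed= "0", User= "", Action= "discard".',
    'Mar 16 2016 15:50:11 FW %%01DDOS/4/FIREWALLATCK(l)[24]:AttackType= "IP spoof attack", '
    'slot= " ", cpu= "0", receive interface= "GE2/0/2 ", proto= "TCP", '
    'src= "1.1.8.1:32321 1.1.9.1:7728 ", dst= "1.1.5.1:80 1.1.5.2:23 ", '
    'begin time= "2016-3-16 15:49:46", end time= "2016-3-16 15:50:2", total packets= "15", '
    'max speed= "0", User= "", Action= "discard".',
]

# Header "<time> <host> %%01<module>/<severity>/<mnemonic>(l)[<n>]:<body>",
# then body fields of the form  name= "value"  (names may contain spaces).
HEADER = re.compile(
    r'^(?P<time>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'%%01(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+)\(\w\)\[\d+\]:(?P<body>.*)$')
FIELD = re.compile(r'([A-Za-z][A-Za-z ]*?)= "([^"]*)"')

def parse_attack_log(line):
    """Parse one DDOS/FIREWALLATCK line into a dict (None for any other log);
    src/dst become lists of "ip:port" strings, total packets an int."""
    m = HEADER.match(line)
    if not m or m.group("mnemonic") != "FIREWALLATCK":
        return None
    fields = {k.strip(): v.strip() for k, v in FIELD.findall(m.group("body"))}
    return {"time": m.group("time"), "host": m.group("host"), "fields": fields,
            "src": fields.get("src", "").split(), "dst": fields.get("dst", "").split(),
            "packets": int(fields.get("total packets", "0"))}

def discards_by_type_and_interface(lines):
    """Discarded packets summed per (AttackType, receive interface): a large count on
    the egress carrying the failing NAT mapping points at attack defense, not routing."""
    totals = Counter()
    for rec in filter(None, map(parse_attack_log, lines)):
        if rec["fields"].get("Action") == "discard":
            totals[(rec["fields"]["AttackType"], rec["fields"]["receive interface"])] += rec["packets"]
    return totals

def dst_addresses(lines):
    """Destination IPs (ports stripped) named in the logs, to check whether the
    unreachable public address is among the drops' targets."""
    return {d.rsplit(":", 1)[0] for rec in filter(None, map(parse_attack_log, lines)) for d in rec["dst"]}
```

Feed it the device's full log export and compare the per-interface totals with the ATK counter from display firewall statistic system discard.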

Recommendations and summary

1. Summary of the analysis of a NAT mapping that suddenly becomes unreachable:

   Check the related configuration; for policy-based routes, pay attention to source-in-source-out.

   Once the link is confirmed reachable, check the session table and the discard statistics.

   Analyse the cause of the packet loss.

2. Possible causes of a NAT mapping being unreachable:

   Routing or other configuration problems.

   Misidentification when attack defense is combined with multiple egresses, so that legitimate traffic is dropped.
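To show why attack defense and multiple egresses interact this way, here is an added Python model (not from the page or from Huawei) of the IP-spoofing check as a reverse-path check: a packet is kept only when the route back to its source leaves through the interface it arrived on. The egress B interface name GE2/0/3, the client prefix 203.0.113.0/24 and the routing tables are constructed assumptions; only the 192.168.205.248/30 network on GE2/0/2 comes from the page, and the model reproduces the four observations in the symptom description.

```python
import ipaddress

# Constructed routing tables for the dual-egress FW in the case above. Egress B's
# interface name (GE2/0/3) and the client prefix 203.0.113.0/24 are assumptions;
# only the 192.168.205.248/30 network on GE2/0/2 comes from the page.
EGRESS_A, EGRESS_B = "GE2/0/2", "GE2/0/3"

ONLY_DEFAULT_VIA_B = [
    ("0.0.0.0/0", EGRESS_B),           # default route points at egress B
    ("192.168.205.248/30", EGRESS_A),  # connected network of egress A
]
DEFAULT_VIA_A = [("0.0.0.0/0", EGRESS_A), ("192.168.205.248/30", EGRESS_A)]
SPECIFIC_VIA_A = ONLY_DEFAULT_VIA_B + [("203.0.113.0/24", EGRESS_A)]  # specific route via A

def lookup_egress(routes, address):
    """Longest-prefix match: the interface the FW would use to reach `address`."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def ip_spoofing_verdict(routes, src, in_iface, defense_enabled=True):
    """Simplified model of the IP-spoofing (reverse-path) check: keep the packet
    only if its source would be routed back out of the interface it arrived on."""
    if not defense_enabled:
        return "forward"
    return "forward" if lookup_egress(routes, src) == in_iface else "discard"

def inbound_to_public_a(routes, client="203.0.113.10", defense_enabled=True):
    """A client connecting to the NAT mapping on public address A enters via egress A."""
    return ip_spoofing_verdict(routes, client, EGRESS_A, defense_enabled)

def inbound_to_public_b(routes, client="203.0.113.10", defense_enabled=True):
    """The same client connecting to the NAT mapping on public address B enters via egress B."""
    return ip_spoofing_verdict(routes, client, EGRESS_B, defense_enabled)

if __name__ == "__main__":
    # The page's observations, in order: A fails while B works, moving the default
    # route or adding a specific route via A fixes it, and so does disabling the check.
    print("only default via B, inbound on A:", inbound_to_public_a(ONLY_DEFAULT_VIA_B))
    print("only default via B, inbound on B:", inbound_to_public_b(ONLY_DEFAULT_VIA_B))
    print("default moved to A:", inbound_to_public_a(DEFAULT_VIA_A))
    print("specific route via A:", inbound_to_public_a(SPECIFIC_VIA_A))
    print("defense disabled:", inbound_to_public_a(ONLY_DEFAULT_VIA_B, defense_enabled=False))
```

The model makes the trade-off in step 6 visible: a specific route keeps the check active for everything else, whereas disabling the defense removes it for all inbound traffic.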

Source: Huawei official documentation. The layout of this issue was edited by network engineer 阿龙; if you reproduce this layout and its fonts, keep this notice, otherwise you bear the consequences.

