现象描述
FW双出口场景,做策略路由的公网地址A对应的NAT映射原本正常,突然无法访问,默认路由的公网地址B对应的NAT映射可以继续访问;若将默认路由改成A出口,对应的NAT映射又能访问;若配置明细路由也从A出口,对应的NAT映射也能继续访问。
图1 组网图
原因分析
出现NAT映射无法访问的可能原因如下,需要逐一排查:
原因一:策略路由、默认路由、静态路由、黑洞路由等配置问题
原因二:转发丢包问题
操作步骤
在策略路由视图下,执行 display this 命令,查看策略路由的配置,发现配置正常,相应接口下也配置了源进源出
HRP_M<FW> system-view
HRP_M[FW] policy-based-route
HRP_M[FW-policy-pbr] display this
#
policy-based-route
rule name pbr_1
deion pbr_1
source-zone trust
source-address range 192.168.103.51 255.255.255.255
source-address range 192.168.103.52 255.255.255.255
source-address range 192.168.103.53 255.255.255.255
source-address range 192.168.103.54 255.255.255.255
track ip-link pbr_1
action pbr next-hop 192.168.205.10
#
return
HRP_M[FW-GigabitEthernet2/0/2] display this
#
interface GigabitEthernet2/0/2
undo shutdown
ip address 192.168.205.248 255.255.255.252
ipv6 address FC00:3::3/64
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
redirect-reverse next-hop 192.168.205.55
dhcpv6 server pool1
#
return
2、查看路由表,黑洞路由也均有配置。
3、通过telnet公网地址A及相应的NAT映射端口,触发访问流量,查看会话表,无相应会话,而访问另一个公网地址B及相应的NAT映射端口,可以查看到对应的会话,FW可能存在丢包。
4、清空丢包统计,执行 display firewall statistic system discard ,查看丢包计数,发现ATK丢包较多。
HRP_M<FW> display firewall statistic system discard
Discard statistic information:
IP header field invalid packets discarded:5
TCP session miss packets discarded:7
ARP ack DST mac erro packets discarded:4
L3 other eth typepackets discarded:14
DDoS ifdefence packets discarded:14
ATK packets discarded:77
Mar 16 2016 15:54:41 FW %%01DDOS/4/FIREWALLATCK(l)[13]:AttackType= "IP spoof attack", slot= " ", cpu= "0", receive interface= "GE2/0/2 ", proto= "TCP", src= "192.168.252.80:2065 192.168.11.166:34680 192.168.15.149:52147 192.168.106.37:2076 192.168.57.213:6000 ", dst= "192.168.166.94:9999 192.168.166.69:83 192.168.166.70:23 192.168.166.94:23 192.168.166.77:8009 192.168.166.70:8009 192.168.166.65:8009 192.168.166.64:8009 192.168.166.89:8009 192.168.166.83:8009 192.168.166.82:8009 192.168.166.66:8009 ", begin time= "2016-3-16 15:54:17", end time= "2016-3-16 15:54:41", total packets= "37", max speed= "0", User= "", Action= "discard".
Mar 16 2016 15:50:11 FW %%01DDOS/4/FIREWALLATCK(l)[24]:AttackType= "IP spoof attack", slot= " ", cpu= "0", receive interface= "GE2/0/2 ", proto= "TCP", src= "1.1.8.1:32321 1.1.9.1:7728 1.1.2.1:25932 1.1.3.1:43704 1.1.4.1:38787 ", dst= "1.1.5.1:80 1.1.5.2:23 1.1.5.3:49 1.1.5.4:81 1.1.5.5:22 ", begin time= "2016-3-16 15:49:46", end time= "2016-3-16 15:50:2", total packets= "15", max speed= "0", User= "", Action= "discard".
6、执行 undo firewall defend ip-spoofing enable ,关闭IP Spoofing攻击防范功能后,业务恢复正常。
建议与总结
1、NAT映射突然无法访问问题的分析总结:
检查相关配置,策略路由须注意源进源出。
在确定链路可达的情况下,查看会话及丢包情况。
分析丢包原因;
2、引起NAT映射无法访问的原因可能有:
路由等配置问题。
攻击防范与多出口结合时的误识别造成正常流量被丢包。
来源:华为官方文档。本期样式风格由网络工程师阿龙编辑,如需转载本样式风格、字体,请保留此信息,否则后果自负。
评论列表
发表评论: