Why can't the internal address be pinged after configuring a MIP on a Juniper ISG1000?

Post #1, 2010-07-29 17:03
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 1000 "internet"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "internet" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1/1" zone "Untrust"
set interface "ethernet1/1.1" tag 111 zone "Trust"
set interface "ethernet1/2" zone "Trust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface mgt ip 192.168.1.1/24
set interface ethernet1/1 ip 61.1.1.1/30
set interface ethernet1/1 route
set interface ethernet1/2 ip 10.20.29.1/30
set interface ethernet1/2 nat
set interface tunnel.1 ip unnumbered interface ethernet1/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet1/2 ip manageable
set interface ethernet1/1 manage ping
set interface ethernet1/1 manage telnet
set interface ethernet1/1 manage snmp
set interface ethernet1/1 manage web
set interface "ethernet1/1" mip 71.1.1.1 host 10.20.36.8 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.20.0.0/16" 10.20.0.0 255.255.0.0
set address "Trust" "10.20.0.0/24" 10.20.0.0 255.255.255.0
set address "Trust" "10.20.40.0/21" 10.20.40.0 255.255.248.0
set address "Trust" "AAA-Self-Portal" 10.20.36.8 255.255.255.255
set address "Trust" "FOR AAA" 71.1.1.1 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set icap av-vendor-id symantec-5
set url protocol websense
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(71.1.1.1)" "PING" permit log
set policy id 10
exit
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
exit
set policy id 6 from "Trust" to "Untrust"  "10.20.40.0/21" "Any" "ANY" permit log
set policy id 6
exit
set policy id 8 from "Untrust" to "Trust"  "Any" "MIP(71.1.1.1)" "ANY" permit log
set policy id 8
exit
set policy id 7 from "Untrust" to "Trust"  "Any" "FOR AAA" "ANY" nat dst ip 10.20.36.8 permit log
set policy id 7
exit
set policy id 9 from "Trust" to "Untrust"  "AAA-Self-Portal" "Any" "ANY" permit log
set policy id 9
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 71.1.1.1/32 vrouter "trust-vr" preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/1 gateway 61.1.1.2 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
PC1(10.20.36.-------(10.20.36.1)router(10.20.29.2)--------(10.20.29.1)ISG1000(61.1.1.2 )-----(61.1.1.1)Cisco router
                          (10.20.40.1)_|
PC2(10.20.40.10)___________|

The internal network's default route points to the ISG1000. The requirement is that the outside can reach the public service PC1 provides through the MIP (71.1.1.1).
Symptom 1: PC2 can reach the Internet; its translated source address is 61.1.1.2.
Symptom 2: PC1 can reach the Internet; its translated source address is 71.1.1.1, but 71.1.1.1 cannot be pinged from outside.
Symptom 3: every internal machine can only ping the internal router; none can ping the ISG1000.
Symptom 4: get log traffic policy 9 shows the log of PC1 pinging the outside:
nsisg1000-> get log traffic policy 9
PID 9, from Trust to Untrust, src AAA-Self-Portal, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 2229
==================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service
Reason                         Xlated Src IP    Port Xlated Dst IP    Port ID
==================================================================================
2002-07-05 07:13:15    0:00:04 10.20.36.8      25581 212.187.171.245   768 ICMP     
Close - RESP                   41.72.96.162    25581 212.187.171.245   768
2002-07-05 07:13:15    0:00:05 10.20.36.8      25325 212.187.171.245   768 ICMP     
Close - RESP                   41.72.96.162    25325 212.187.171.245   768

Symptom 5: get log traffic policy 6 shows the log of PC1 pinging the outside:
nsisg1000-> get log traffic policy 6
PID 6, from Trust to Untrust, src 10.20.40.0/21, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 30529
==================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service
Reason                         Xlated Src IP    Port Xlated Dst IP    Port ID
==================================================================================
2002-07-05 07:13:49    0:01:06 10.20.40.120    58937 95.84.162.74    30459 UDP PORT 30459
Close - AGE OUT                61.1.1.2  23944 95.84.162.74    30459
2002-07-05 07:13:49    0:00:20 10.20.40.167    49263 74.53.106.178      80 HTTP

Symptom 6: get log traffic policy for any of the other policies shows no log at all.

Could the experts here tell me where my problem is?

Post #2, 2010-08-01 10:18
The ISG1000 is missing the return routes.

set route 10.20.36.0/24 interface ethernet1/2 gateway  10.20.29.2
set route 10.20.40.0/24 interface ethernet1/2 gateway  10.20.29.2
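The route lookup the reply is pointing at, as an added example that is not part of the thread: a longest-prefix match over the trust-vr routes implied by the posted config (the two connected routes plus the default route), run first as posted and then with the two return routes from the reply. The route lists, the function names and the lookup model are my own construction; ScreenOS session handling and interface-mode NAT are not modelled, only the forwarding decision for a packet headed to an internal host.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface, gateway) tuples.
    Returns (network, interface, gateway) for the best route, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best

# trust-vr as posted: connected routes derived from the interface addresses
# in the config, plus the single static route (the default route).
TRUST_VR_POSTED = [
    ("61.1.1.0/30", "ethernet1/1", None),       # from: set interface ethernet1/1 ip 61.1.1.1/30
    ("10.20.29.0/30", "ethernet1/2", None),     # from: set interface ethernet1/2 ip 10.20.29.1/30
    ("0.0.0.0/0", "ethernet1/1", "61.1.1.2"),   # from: set route 0.0.0.0/0 interface ethernet1/1 ...
]

# the two return routes the reply recommends adding
RETURN_ROUTES = [
    ("10.20.36.0/24", "ethernet1/2", "10.20.29.2"),
    ("10.20.40.0/24", "ethernet1/2", "10.20.29.2"),
]

def egress_for_host(routes, host):
    """Interface the firewall would forward a packet to `host` out of.
    For an inbound ping to the MIP, `host` is the translated destination."""
    route = lookup(routes, host)
    return route[1] if route else None

if __name__ == "__main__":
    # MIP host from the config; PC2 address from the topology sketch
    for host in ("10.20.36.8", "10.20.40.10"):
        print(host, "as posted ->", egress_for_host(TRUST_VR_POSTED, host),
              "| with return routes ->",
              egress_for_host(TRUST_VR_POSTED + RETURN_ROUTES, host))
```

As posted, anything addressed to 10.20.36.8 or 10.20.40.x only matches the default route and is sent back out ethernet1/1; with the return routes it matches the /24 and leaves ethernet1/2 towards 10.20.29.2.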