请教Juniper ISG1000做MIP后为什么Ping不通内网地址？？

发布于 2022-09-05 21:31:14 字数 9573 浏览 12 评论 1

set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 1000 "internet"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "internet" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1/1" zone "Untrust"
set interface "ethernet1/1.1" tag 111 zone "Trust"
set interface "ethernet1/2" zone "Trust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface mgt ip 192.168.1.1/24
set interface ethernet1/1 ip 61.1.1.1/30
set interface ethernet1/1 route
set interface ethernet1/2 ip 10.20.29.1/30
set interface ethernet1/2 nat
set interface tunnel.1 ip unnumbered interface ethernet1/1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet1/2 ip manageable
set interface ethernet1/1 manage ping
set interface ethernet1/1 manage telnet
set interface ethernet1/1 manage snmp
set interface ethernet1/1 manage web
set interface "ethernet1/1" mip 71.1.1.1 host 10.20.36.8 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.20.0.0/16" 10.20.0.0 255.255.0.0
set address "Trust" "10.20.0.0/24" 10.20.0.0 255.255.255.0
set address "Trust" "10.20.40.0/21" 10.20.40.0 255.255.248.0
set address "Trust" "AAA-Self-Portal" 10.20.36.8 255.255.255.255
set address "Trust" "FOR AAA" 71.1.1.1 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set icap av-vendor-id symantec-5
set url protocol websense
exit
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(71.1.1.1)" "PING" permit log
set policy id 10
exit
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
exit
set policy id 6 from "Trust" to "Untrust" "10.20.40.0/21" "Any" "ANY" permit log
set policy id 6
exit
set policy id 8 from "Untrust" to "Trust" "Any" "MIP(71.1.1.1)" "ANY" permit log
set policy id 8
exit
set policy id 7 from "Untrust" to "Trust" "Any" "FOR AAA" "ANY" nat dst ip 10.20.36.8 permit log
set policy id 7
exit
set policy id 9 from "Trust" to "Untrust" "AAA-Self-Portal" "Any" "ANY" permit log
set policy id 9
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 71.1.1.1/32 vrouter "trust-vr" preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/1 gateway 61.1.1.2 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

复制代码PC1(10.20.36.-------(10.20.36.1)路由器(10.20.29.2)--------(10.20.29.1)ISG1000(61.1.1.2 )-----（61.1.1.1）CISCO路由器
(10.20.40.1)_|
PC2(10.20.40.10)________|

内网的默认路由指向ISG1000，现要求外网能够访问PC1提供的MIP(71.1.1.1)的公网服务
现象一C2可以上网，转换出去的地址是61.1.1.2
现象二C1可以上网，转换出去的地址是71.1.1.1，但是外网的地址Ping不通71.1.1.1
现象三:内网的所有机器只能ping通内网的路由器，Ping不通ISG1000
现象四:get log traffic policy 9 可以看到 PC1 Ping外网的时候的日志：
nsisg1000-> get log traffic policy 9
PID 9, from Trust to Untrust, src AAA-Self-Portal, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 2229
==================================================================================
Date    Time    Duration Source IP       Port Destination IP Port Service
Reason                      Xlated Src IP Port Xlated Dst IP Port ID
==================================================================================
2002-07-05 07:13:15 0:00:04 10.20.36.8    25581 212.187.171.245 768 ICMP
Close - RESP                41.72.96.162 25581 212.187.171.245 768
2002-07-05 07:13:15 0:00:05 10.20.36.8    25325 212.187.171.245 768 ICMP
Close - RESP                41.72.96.162 25325 212.187.171.245 768

现象四:get log traffic policy 6 可以看到 PC1 Ping外网的时候的日志：
nsisg1000-> get log traffic policy 6
PID 6, from Trust to Untrust, src 10.20.40.0/21, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 30529
==================================================================================
Date    Time    Duration Source IP       Port Destination IP Port Service
Reason                      Xlated Src IP Port Xlated Dst IP Port ID
==================================================================================
2002-07-05 07:13:49 0:01:06 10.20.40.120 58937 95.84.162.74 30459 UDP PORT 30459
Close - AGE OUT             61.1.1.2  23944 95.84.162.74 30459
2002-07-05 07:13:49 0:00:20 10.20.40.167 49263 74.53.106.178    80 HTTP

现象五:get log traffic policy 其他策略的时候就没有任何log

请问各位高手，我问题在哪里？

分享到QQ

分享到微博