A Tragedy Caused by One Command

    December 22. It's very cold today and the climate keeps getting stranger; sometimes I can't help wondering how much longer the Earth can hold on, and then I decide I'm worrying about nothing. An ant should have an ant's sense of its place: go do what you're supposed to do and stop dwelling on ethereal things, we're not Spider-Man! Plenty of headaches too: the customer in Lishi has put in a pile of equipment, and not from a single vendor either, so I'm reading manuals every day; and then there are those energetic lads back at the company... patience above all!

    The Jiaotou project has been dragging on for many days and the customer calls every day. After the servers and storage were racked it really was ages before I went back over, no wonder they're anxious! With the active, safe and reliable cooperation of everyone involved, the basic conditions at the branch offices are finally met and the VPN can finally be deployed. When I heard the news I wept: as if only you were in a hurry and I wasn't!

    Hopped over to the Jiaotou headquarters; in the rack sits a USG5310. So I asked: has the VPN license been loaded onto the USG5310? Nobody knew. Seriously? That's a bit much. Quickly rang the company's sales people: does this box come with a license? Sales was confused too: no idea, we just ordered the chassis. Skipping the painful details: by the time the license came through it was already the next day. Loaded the license, and the VPN command set finally showed up. Let's go!!

    Did a rough address plan for the customer: the HQ servers go into 192.168.20.0/24, and the seven branch offices get 172.16.1.0/24 through 172.16.7.0/24. The branches' connectivity isn't great: two have static public IPs, the rest are on PPPoE dial-up. Looked at the manual; it's been a long time since I did this and I had to re-familiarise myself with the flow and the commands. Decided to build the IPsec tunnels with IKE security policies plus security policy templates: the security policy (with a fixed peer address) for the branches with static IPs, and policy templates for the PPPoE ones. The branches' static IPs aren't known yet anyway, so do the policy template first.

    Logged into the USG5310 with SecureCRT, entered the username and password, and pasted in a block of commands I had written earlier in Word:

#
 

acl number 3000
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

quit
#
web-manager enable
web-manager security enable
#
ike local-name sxjt
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
nat address-group 1 218.26.x.x 218.26.x.x

#
ike proposal 10

quit
#
ike peer a                               
exchange-mode aggressive
pre-shared-key 123456
ike-proposal 10
undo version 2
local-id-type name
remote-name sxyj
quit

#
ipsec proposal tran1

quit
#
ipsec policy-template map1_temp 11
security acl 3000
ike-peer a
proposal tran1

quit
#
ipsec policy map1 11 isakmp template map1_temp
#
interface GigabitEthernet0/0/0
ip address 192.168.253.254 255.255.255.0

quit
#
interface GigabitEthernet0/0/1
ip address 218.26.x.x 255.255.255.224
ipsec policy map1

quit
#
firewall zone trust
add interface GigabitEthernet0/0/0

quit
#
firewall zone untrust
add interface GigabitEthernet0/0/1

quit
#
policy interzone trust untrust outbound
policy 1
action permit
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
policy source 192.168.4.0 0.0.0.255
policy source 192.168.5.0 0.0.0.255
policy source 192.168.6.0 0.0.0.255
policy source 192.168.7.0 0.0.0.255
policy source 192.168.9.0 0.0.0.255
policy source 192.168.8.0 0.0.0.255
policy source 192.168.10.0 0.0.0.255
policy source 192.168.0.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
policy source 192.168.20.0 0.0.0.255

quit
#
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255    
policy destination 172.16.2.0 0.0.0.255
policy destination 172.16.3.0 0.0.0.255
policy destination 172.16.4.0 0.0.0.255
policy destination 172.16.5.0 0.0.0.255
policy destination 172.16.6.0 0.0.0.255
policy destination 172.16.7.0 0.0.0.255
policy destination 172.16.1.0 0.0.0.255
address-group 1

policy 2
action source-nat
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
policy source 192.168.4.0 0.0.0.255
policy source 192.168.5.0 0.0.0.255
policy source 192.168.6.0 0.0.0.255
policy source 192.168.7.0 0.0.0.255
policy source 192.168.9.0 0.0.0.255
policy source 192.168.8.0 0.0.0.255
policy source 192.168.10.0 0.0.0.255
policy source 192.168.0.0 0.0.0.255     
policy source 192.168.20.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
address-group 1

quit
#
ip route-static 0.0.0.0 0.0.0.0 218.26.x.x
ip route-static 192.168.0.0 255.255.255.0 192.168.253.253
ip route-static 192.168.1.0 255.255.255.0 192.168.253.253
ip route-static 192.168.2.0 255.255.255.0 192.168.253.253
ip route-static 192.168.3.0 255.255.255.0 192.168.253.253
ip route-static 192.168.4.0 255.255.255.0 192.168.253.253
ip route-static 192.168.5.0 255.255.255.0 192.168.253.253
ip route-static 192.168.6.0 255.255.255.0 192.168.253.253
ip route-static 192.168.7.0 255.255.255.0 192.168.253.253
ip route-static 192.168.8.0 255.255.255.0 192.168.253.253
ip route-static 192.168.9.0 255.255.255.0 192.168.253.253
ip route-static 192.168.10.0 255.255.255.0 192.168.253.253
ip route-static 192.168.20.0 255.255.255.0 192.168.253.253
return

save

OK. After saving, I told the customer that VTY (remote login) absolutely must be set up, otherwise if something goes wrong once you're at a branch you'll be crying with no tears left. The customer simply handed me a car and I hopped over to Jincheng. Walking into the branch I yelled: "the network's going down!" Then racked the USG2000, powered it up, logged in and pasted the commands straight in:

#

acl number 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

acl number 3001
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

rule 5 permit ip source 172.16.1.0 0.0.0.255 
#
ike local-name sxyj
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ike proposal 10

quit
#
ike peer a
exchange-mode aggressive
pre-shared-key 123456
ike-proposal 10                         
local-id-type name
remote-name sxjt
remote-address 218.26.x.x

quit
#
ipsec proposal tran1

quit
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1

quit
#
interface Dialer1
link-protocol ppp
ppp pap local-user xxxx password simple xxxxxx
mtu 1450
ip address ppp-negotiate
dialer user xxx
dialer bundle 1
ipsec policy map1
#
interface Ethernet0/0/0
pppoe-client dial-bundle-number 1       
undo ip fast-forwarding qff
#
interface Ethernet0/0/1
mtu 1400
ip address 172.16.1.1 255.255.255.0
undo ip fast-forwarding qff
#
firewall zone trust
set priority 85                         
add interface Ethernet0/0/1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
add interface Dialer1
#
firewall interzone trust untrust
packet-filter 3001 outbound
nat outbound 3001 interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
 

After pasting I had a look: no errors. Fiddled about on the firewall; the two firewalls' inside interface IPs pinged each other; dis ipsec sa and dis ike sa showed the tunnel had come up nicely, heh, happy! Plugged my laptop straight into the firewall's inside port, configured an IP, gleefully pinged the HQ server address, and was stunned by the result: it didn't go through! Went over the config back and forth several times, checked the tunnel state again, everything looked fine, what on earth! No way out; with the customer standing right next to me, let's call the 400 hotline. Got through, they looked at the config and said "looks fine". I was depressed: brother, if there's no problem, why doesn't it work? Not working means there IS a problem! He said "hang on, I'll call you back in a bit". I stared at the config from every angle, then thought it over and called HQ and had them ping my laptop from a 192.168.20.0 address; they said that worked. So the problem is on the branch side. Is some command on the branch side restricting it?? Told myself: Maomao, in a moment of crisis you need to stay calm! Took three deep breaths, then went through the config carefully again. Heh, caught you! It was ACL 3001: I had applied 3001 as the packet-filter rule between the trust and untrust zones, so its deny rule was applied first and the packets were dropped, of course it didn't work! Quickly undid that command, tested, all OK!

Empiricism kills. Copying commands from somewhere else and editing them sounds dead easy, but once something goes wrong the troubleshooting is really hard, because you didn't enter them one by one so nothing sticks in your memory; and the consequence of nothing sticking is that you look left and right and just can't see where the fault is! From now on, always use two separate ACLs for packet filtering and NAT, so that troubleshooting is easier when there's a problem. Let it go this time; who told me to be lazy, heh!
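A check for exactly the mistake described above, as an added example that is not code from the post or from Huawei: a small Python linter that parses VRP-style config text, flags any ACL that is bound as an interzone packet-filter while also being used for NAT exemption or as an IPsec ACL and carries a deny rule (the ACL 3001 problem), flags IKE peers in aggressive mode with a short pre-shared key (the `pre-shared-key 123456` above), and checks that the two ends' interesting-traffic ACLs mirror each other. The sample configs are constructed abridgements of the branch config above; ACL 3002 in the "fixed" version is a number chosen here, not one from the post.

```python
import re

# Constructed sample, abridged from the branch-office USG2000 config in the post,
# exactly as it was pasted (before the packet-filter 3001 line was undone).
BRANCH_AS_APPLIED = """\
acl number 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
acl number 3001
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip source 172.16.1.0 0.0.0.255
#
ike peer a
exchange-mode aggressive
pre-shared-key 123456
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
#
firewall interzone trust untrust
packet-filter 3001 outbound
nat outbound 3001 interface Dialer1
"""

# The lesson from the post applied: a separate permit-only ACL for the packet
# filter, 3001 kept for NAT exemption only. ACL 3002 is a number chosen here.
BRANCH_FIXED = BRANCH_AS_APPLIED.replace(
    "packet-filter 3001 outbound", "packet-filter 3002 outbound"
).replace(
    "#\nike peer a",
    "#\nacl number 3002\nrule 0 permit ip source 172.16.1.0 0.0.0.255\n#\nike peer a",
)

# HQ (USG5310) interesting-traffic ACL from the policy template, for the mirror check.
HQ_CONFIG = """\
acl number 3000
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
"""

SECTION_RE = re.compile(r"^(acl number (?P<acl>\d+)|ike peer (?P<peer>\S+)|ipsec policy"
                        r"|firewall interzone|interface |nat-policy|policy interzone)")
RULE_RE = re.compile(r"^rule \d+ (?P<action>permit|deny) \S+"
                     r"(?: source (?P<src>\S+ \S+))?(?: destination (?P<dst>\S+ \S+))?")
ACL_REF_RE = re.compile(r"^(?P<use>packet-filter|nat outbound|security acl) (?P<acl>\d+)")


def parse_config(text):
    """Return (acls, refs, peers): ACL rules keyed by number, each ACL reference as
    (use, acl, section line), and IKE peer exchange mode / pre-shared key by name."""
    acls, refs, peers = {}, [], {}
    section = acl = peer = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "quit"):            # VRP section delimiters
            section = acl = peer = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, acl, peer = line, m.group("acl"), m.group("peer")
            if acl:
                acls.setdefault(acl, [])
            if peer:
                peers.setdefault(peer, {"mode": "main", "psk": None})
        elif acl:
            r = RULE_RE.match(line)
            if r:
                acls[acl].append(r.groupdict())
        elif peer:
            if line.startswith("exchange-mode "):
                peers[peer]["mode"] = line.split()[1]
            elif line.startswith("pre-shared-key "):
                peers[peer]["psk"] = line.split(None, 1)[1]
        else:
            r = ACL_REF_RE.match(line)
            if r:
                refs.append((r.group("use"), r.group("acl"), section))
    return acls, refs, peers


def lint(text):
    """Findings as 'code target: detail'. shared-acl is the mistake from the post: an
    ACL bound as an interzone packet filter and also used for NAT exemption or IPsec,
    whose deny rule the filter then enforces before NAT/IPsec ever see the packet.
    weak-ike flags aggressive mode with a short PSK."""
    acls, refs, peers = parse_config(text)
    uses = {}
    for use, num, _section in refs:
        uses.setdefault(num, set()).add(use)
    findings = []
    for num in sorted(uses):
        kinds = uses[num]
        denies = [r for r in acls.get(num, []) if r["action"] == "deny"]
        if "packet-filter" in kinds and len(kinds) > 1 and denies:
            others = ", ".join(sorted(kinds - {"packet-filter"}))
            d = denies[0]
            findings.append(f"shared-acl {num}: packet-filter shares this ACL with {others}; "
                            f"deny {d['src']} -> {d['dst']} drops that traffic at the filter")
    for name, p in sorted(peers.items()):
        if p["mode"] == "aggressive" and p["psk"] is not None and len(p["psk"]) < 16:
            findings.append(f"weak-ike {name}: aggressive mode exposes the identity and the "
                            f"PSK-derived hash to offline guessing; key is {len(p['psk'])} chars")
    return findings


def mirror_check(local_text, remote_text, acl):
    """Permit flows in the local IPsec ACL that the remote ACL does not mirror
    (src/dst swapped). Empty means both ends agree on the interesting traffic."""
    local = parse_config(local_text)[0].get(acl, [])
    remote = parse_config(remote_text)[0].get(acl, [])
    mirrored = {(r["dst"], r["src"]) for r in remote if r["action"] == "permit"}
    return [(r["src"], r["dst"]) for r in local
            if r["action"] == "permit" and (r["src"], r["dst"]) not in mirrored]


if __name__ == "__main__":
    for title, cfg in (("as applied", BRANCH_AS_APPLIED), ("fixed", BRANCH_FIXED)):
        print(f"== {title}")
        for finding in lint(cfg):
            print("  " + finding)
    print("HQ flows not mirrored at branch:", mirror_check(HQ_CONFIG, BRANCH_AS_APPLIED, "3000"))
```

Run stand-alone it prints the shared-acl finding for the as-applied config and only the weak-ike finding for the fixed one: splitting the ACLs removes the outage, but `123456` in aggressive mode stays worth changing on both firewalls, since the HQ side uses the same key. The parser is deliberately narrow (the handful of section types and reference forms that appear in this post), so extend `SECTION_RE` and `ACL_REF_RE` before pointing it at a full running config.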
