
Example analysis of IPsec NAT traversal on a USG firewall

Published: 2025-01-20  Author: 千家信息网 editor

Many people without hands-on experience are at a loss when an IPsec tunnel has to pass through NAT on a USG firewall, so this article works through a complete example, summarising why the problem arises and how to solve it, in the hope that it lets you resolve it yourself. In the configuration below, FW2 (172.16.1.1) sits behind the router AR1, which translates its address to 202.100.1.2 with "nat outbound"; FW1 (202.100.1.1) therefore cannot know the peer's address in advance and terminates the tunnel with an IPsec policy template, while FW2 points "remote-address" at FW1. Both firewalls enable "nat traversal" under the IKE peer and permit UDP 500, UDP 4500 and ESP from the untrust zone to the local zone. The "display" output at the end shows how to confirm that NAT-T is actually in use.

AR1:

acl number 3001
 rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 2 permit ip source 10.1.2.0 0.0.0.255
 rule 3 permit ip source 172.16.1.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 202.100.1.2 255.255.255.0
 nat outbound 3001
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.2 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 172.16.1.1

################################################################

FW1:

acl number 3001
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike proposal 1
#
ike peer 1
 pre-shared-key %$%$Kvy%6e6}DWp&azElXM;@VMD;%$%$
 ike-proposal 1
 nat traversal
#
ipsec proposal 1
#
ipsec policy-template temp 1
 security acl 3001
 ike-peer 1
 proposal 1
#
ipsec policy l2l 1 isakmp template temp
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 202.100.1.1 255.255.255.0
 ipsec policy l2l
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
#
ip service-set natt type object
 service 1 protocol udp destination-port 4500
#
ip service-set ike type object
 service 0 protocol udp destination-port 500
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy service service-set ike
  policy service service-set esp
  policy service service-set natt
  policy service service-set icmp
#
policy interzone trust untrust inbound
 policy 0
  action permit
  policy source 10.1.2.0 mask 24
  policy destination 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 10.1.1.0 mask 24

###########################################

FW2:

acl number 3001
 rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
#
ike peer 1
 pre-shared-key %$%$a6XbSSW~L%o`:;YS:d}~V|sj%$%$
 ike-proposal 1
 remote-address 202.100.1.1
 nat traversal
#
ipsec proposal 1
#
ipsec policy l2l 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface GigabitEthernet0/0/1
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 172.16.1.1 255.255.255.0
 ipsec policy l2l
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
ip service-set natt type object
 service 1 protocol udp destination-port 4500
#
ip service-set ike type object
 service 0 protocol udp destination-port 500
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy service service-set ike
  policy service service-set esp
  policy service service-set natt
  policy service service-set icmp
#
policy interzone trust untrust inbound
 policy 0
  action permit
  policy source 10.1.1.0 mask 24
  policy destination 10.1.2.0 mask 24
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 10.1.2.0 mask 24
#
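The three ACLs above carry the whole design: the interesting-traffic ACLs on FW1 and FW2 must be exact mirror images of each other, and on AR1 the deny rule for 10.1.2.0/24 to 10.1.1.0/24 must come before the permit rules so that this flow is exempted from NAT. The following Python script is an added example, not part of the original article or of any Huawei tooling; it parses the page's own ACL text (embedded as sample input), converts the wildcard masks to networks, answers "which rule would AR1 hit for this flow?" in lookup order, and checks that the two firewalls' permit rules mirror each other.

```python
import ipaddress
import re

# Sample input: the three "acl number 3001" definitions from the configurations above.
AR1_ACL = """\
acl number 3001
 rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 2 permit ip source 10.1.2.0 0.0.0.255
 rule 3 permit ip source 172.16.1.0 0.0.0.255
"""
FW1_ACL = """\
acl number 3001
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
FW2_ACL = """\
acl number 3001
 rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
# "rule <n> <permit|deny> ip [source A W] [destination B W]"; each address pair is optional.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks (0 bits must match); a missing pair means 'any'."""
    if addr is None:
        return ANY
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    # ip_network rejects a non-contiguous mask, which doubles as a sanity check on the rule.
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)


def parse_acl(text):
    """Return the rules of an advanced ACL as dicts, in configuration (lookup) order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, saddr, swild, daddr, dwild = m.groups()
            rules.append({
                "id": int(num),
                "action": action,
                "src": wildcard_to_network(saddr, swild),
                "dst": wildcard_to_network(daddr, dwild),
            })
    return rules


def first_match(rules, src_ip, dst_ip):
    """Action of the first rule matching the flow, as the device evaluates it, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r["action"]
    return None


def mirrors(rules_a, rules_b):
    """True when the permit rules on two IPsec peers are exact mirror images."""
    def permits(rules):
        return {(r["src"], r["dst"]) for r in rules if r["action"] == "permit"}
    return permits(rules_a) == {(d, s) for s, d in permits(rules_b)}


if __name__ == "__main__":
    ar1 = parse_acl(AR1_ACL)
    print("AR1 rule for 10.1.2.5 -> 10.1.1.7:", first_match(ar1, "10.1.2.5", "10.1.1.7"))
    print("AR1 rule for 10.1.2.5 -> 8.8.8.8:", first_match(ar1, "10.1.2.5", "8.8.8.8"))
    print("FW1/FW2 interesting traffic mirrored:",
          mirrors(parse_acl(FW1_ACL), parse_acl(FW2_ACL)))
```

The "deny" returned for 10.1.2.5 to 10.1.1.7 is the NAT exemption; the "permit" returned for the same host to an Internet address is ordinary outbound NAT. Swapping the rule order on AR1 would change the first answer, which is exactly the mistake this check is meant to catch before the tunnel is brought up.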

###############################################################

[FW1]dis ike sa
15:49:39 2014/08/01
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                  flag     phase    vpn
-----------------------------------------------------------------------------
40001      202.100.1.2:10244     RD       v2:2     public
2          202.100.1.2:10244     RD       v2:1     public

[FW1]dis ipsec sa brief
15:49:43 2014/08/01
current ipsec sa number: 2
current ipsec tunnel number: 1
------------------------------------------------------------------------------
Src Address      Dst Address      SPI          Protocol   Algorithm
------------------------------------------------------------------------------
202.100.1.2      202.100.1.1      268723444    ESP        E:DES;A:HMAC-MD5-96;
202.100.1.1      202.100.1.2      3352737410   ESP        E:DES;A:HMAC-MD5-96;

[FW1]display ipsec sa
15:51:44 2014/08/01
===============================
Interface: GigabitEthernet0/0/2
path MTU: 1500
===============================

-----------------------------
IPsec policy name: "l2l"
sequence number: 1
mode: template
vpn: public
-----------------------------
connection id: 40001
rule number: 4294967295
encapsulation mode: tunnel
holding time: 0d 0h 20m 26s
tunnel local : 202.100.1.1    tunnel remote: 202.100.1.2
flow source: 10.1.1.0-10.1.1.255 0-65535 0
flow destination: 10.1.2.0-10.1.2.255 0-65535 0

[inbound ESP SAs]
spi: 268723444 (0x100464f4)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436260/2374
max received sequence-number: 9
udp encapsulation used for nat traversal: Y

[outbound ESP SAs]
spi: 3352737410 (0xc7d6b682)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436260/2374
max sent sequence-number: 10
udp encapsulation used for nat traversal: Y

################################################

[FW1]display ipsec statistics
15:53:57 2014/08/01
the security packet statistics:
input/output security packets: 76/9
input/output security bytes: 540/540
input/output dropped security packets: 67/0

the encrypt packet statistics
send sae:9, recv sae:9, send err:0
local cpu:9, other cpu:0, recv other cpu:0
intact packet:9, first slice:0, after slice:0

the decrypt packet statistics
send sae:9, recv sae:9, send err:0
local cpu:9, other cpu:0, recv other cpu:0
reass first slice:0, after slice:0, len err:0

dropped security packet detail:
no enough memory: 0, too long: 0
can't find SA: 67, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
exceed byte limit: 0, exceed packet limit: 0
change cpu enc: 0, dec change cpu: 0
change datachan: 0, fib search: 0
rcv enc(dec) form sae said err: 0, 0
port number error: 0
send port: 0, output l3: 0, l2tp input: 0

negotiate about packet statistics:
IP packet ok:0, err:0, drop:0
IP rcv other cpu to ike:0, drop:0
IKE packet inbound ok:3, err:0
IKE packet outbound ok:3, err:0
SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0
ModpCnt: 4, SaeSucc: 0, SoftwareSucc: 4
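Three things in the output above confirm that NAT traversal is really in use rather than merely configured: the IKE peer shows up as 202.100.1.2:10244, a source port that is neither 500 nor 4500 and so must have been rewritten by AR1; every ESP SA reports "udp encapsulation used for nat traversal: Y"; and the statistics show 67 inbound drops, all attributed to "can't find SA". The Python script below is an added example, not code from the article or from Huawei; it takes the FW1 output shown on this page (copied here as sample input, with the column the page masks as "***" written as "vpn"), parses the IKE SA table, checks the NAT-T flag on every SA, and surfaces only the drop reasons whose counters are non-zero, which is the first thing to look at when the tunnel is up but traffic does not flow.

```python
import re

# Sample input: copied from the FW1 "display" output shown above, trimmed to the
# lines these checks need.
IKE_SA_OUTPUT = """\
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                  flag     phase    vpn
-----------------------------------------------------------------------------
40001      202.100.1.2:10244     RD       v2:2     public
2          202.100.1.2:10244     RD       v2:1     public
"""

IPSEC_SA_OUTPUT = """\
[inbound ESP SAs]
spi: 268723444 (0x100464f4)
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
spi: 3352737410 (0xc7d6b682)
udp encapsulation used for nat traversal: Y
"""

STATS_OUTPUT = """\
input/output security packets: 76/9
input/output dropped security packets: 67/0
dropped security packet detail:
no enough memory: 0, too long: 0
can't find SA: 67, wrong SA: 0
authentication: 0, replay: 0
negotiate about packet statistics:
IKE packet inbound ok:3, err:0
"""

IKE_ROW_RE = re.compile(r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NATT_RE = re.compile(r"udp encapsulation used for nat traversal:\s*([YN])")
COUNTER_RE = re.compile(r"([^:,]+):\s*(\d+)")   # "name: 0, other name: 67"


def parse_ike_sa(text):
    """Rows of 'display ike sa' as dicts (conn-id, peer address/port, flag, phase, vpn)."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW_RE.match(line.strip())
        if m:
            conn, ip, port, flag, phase, vpn = m.groups()
            rows.append({"conn_id": int(conn), "peer_ip": ip, "peer_port": int(port),
                         "flag": flag, "phase": phase, "vpn": vpn})
    return rows


def peer_behind_nat(rows):
    """IKE arrives from UDP 500, or 4500 once NAT-T floats the port; any other
    source port means a NAT device rewrote it on the way (10244 in the page's output)."""
    return any(r["peer_port"] not in (500, 4500) for r in rows)


def natt_encapsulation(text):
    """True only if every ESP SA in 'display ipsec sa' reports UDP encapsulation."""
    flags = NATT_RE.findall(text)
    return bool(flags) and all(f == "Y" for f in flags)


def dropped_packets(text):
    """(inbound, outbound) dropped security packet counters."""
    m = re.search(r"input/output dropped security packets:\s*(\d+)/(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def nonzero_drop_reasons(text):
    """Drop reasons with non-zero counters from the 'dropped security packet detail' section."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if "dropped security packet detail" in l), None)
    if start is None:
        return {}
    reasons = {}
    for line in lines[start + 1:]:
        if line.rstrip().endswith("statistics:"):   # the next section begins here
            break
        for name, count in COUNTER_RE.findall(line):
            if int(count):
                reasons[name.strip()] = int(count)
    return reasons


if __name__ == "__main__":
    rows = parse_ike_sa(IKE_SA_OUTPUT)
    print("IKE SAs:", len(rows), "| peer behind NAT:", peer_behind_nat(rows))
    print("ESP in UDP (NAT-T) on every SA:", natt_encapsulation(IPSEC_SA_OUTPUT))
    print("dropped in/out:", dropped_packets(STATS_OUTPUT), nonzero_drop_reasons(STATS_OUTPUT))
```

Run it against a fresh capture of the same three commands; a "peer behind NAT" result of False together with an unchanged "nat traversal" configuration tells you the NAT device in the path has changed, and a growing "can't find SA" counter with the SAs present points at packets arriving for an SA the firewall does not hold, which is worth correlating with the SA key durations shown in "display ipsec sa".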

After reading the above, have you grasped how to analyse IPsec NAT traversal on a USG firewall? If you want to learn more skills or related content, follow the industry news channel. Thank you for reading!
