A tragedy caused by a single command

    December 22. It is very cold today and the weather keeps getting stranger. Sometimes I can't help wondering how much longer the planet can hold out, then I decide I'm worrying over nothing: an ant should know it is an ant and just get on with its job instead of dwelling on such airy things, since we're no Spider-Man. Plenty of annoyances too: the Lishi customer installed a pile of equipment, not even from a single vendor, so every day is spent reading manuals, and then there are those tireless guys at the company. Patience is the word!

    The Jiaotou project has dragged on for many days and the customer calls every day to push. It really has been ages since the servers and storage were racked, no wonder they're anxious! With the active, safe and reliable cooperation of everyone involved, the branch offices' basic conditions were finally met and the ××× could at last be deployed. I was moved to tears at the news; apparently everyone but me was in a hurry!

    Hopped over to the Jiaotou headquarters, where a USG5310 was sitting in the rack. I asked whether the ××× license had been loaded onto the USG5310, and nobody knew, which was a bit much. I rushed to call the company's sales people: does this thing have a license? Sales was confused too, had no idea, they had just ordered the chassis. Skipping the chaos, by the time the license arrived it was already the next day. Loaded the license, and the ××× command set finally appeared. Time to get to work!!

    Did a simple address plan for the customer: the headquarters servers went into 192.168.20.0/24, and the seven branch offices were assigned 172.16.1.0/24 through 172.16.7.0/24. The branches' connectivity is not great: two have static public IPs, the rest are on PPPoE dial-up. Looked through the manual, since it had been a long time since I last did this and I needed to refresh the workflow and commands. Decided to build the IPsec tunnels with IKE, using a security policy plus a security policy template: the security policy for the branches with static IPs, and the policy template directly for the PPPoE ones. The branches' static IPs were still unknown at that point, so fine, build the policy template first.

    Logged into the USG5310 with SecureCRT, entered the username and password, and pasted in the commands I had written up in Word beforehand:

#

acl number 3000
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

quit
#
web-manager enable
web-manager security enable
#
ike local-name sxjt
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
nat address-group 1 218.26.x.x 218.26.x.x

#
ike proposal 10

quit
#
ike peer a                               
exchange-mode aggressive
pre-shared-key 123456
ike-proposal 10
undo version 2
local-id-type name
remote-name sxyj
quit

#
ipsec proposal tran1

quit
#
ipsec policy-template map1_temp 11
security acl 3000
ike-peer a
proposal tran1

quit
#
ipsec policy map1 11 isakmp template map1_temp
#
interface GigabitEthernet0/0/0
ip address 192.168.253.254 255.255.255.0

quit
#
interface GigabitEthernet0/0/1
ip address 218.26.x.x 255.255.255.224
ipsec policy map1

quit
#
firewall zone trust
add interface GigabitEthernet0/0/0

quit
#
firewall zone untrust
add interface GigabitEthernet0/0/1

quit
#
policy interzone trust untrust outbound
policy 1
action permit
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
policy source 192.168.4.0 0.0.0.255
policy source 192.168.5.0 0.0.0.255
policy source 192.168.6.0 0.0.0.255
policy source 192.168.7.0 0.0.0.255
policy source 192.168.9.0 0.0.0.255
policy source 192.168.8.0 0.0.0.255
policy source 192.168.10.0 0.0.0.255
policy source 192.168.0.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
policy source 192.168.20.0 0.0.0.255

quit
#
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255    
policy destination 172.16.2.0 0.0.0.255
policy destination 172.16.3.0 0.0.0.255
policy destination 172.16.4.0 0.0.0.255
policy destination 172.16.5.0 0.0.0.255
policy destination 172.16.6.0 0.0.0.255
policy destination 172.16.7.0 0.0.0.255
policy destination 172.16.1.0 0.0.0.255
address-group 1

policy 2
action source-nat
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
policy source 192.168.4.0 0.0.0.255
policy source 192.168.5.0 0.0.0.255
policy source 192.168.6.0 0.0.0.255
policy source 192.168.7.0 0.0.0.255
policy source 192.168.9.0 0.0.0.255
policy source 192.168.8.0 0.0.0.255
policy source 192.168.10.0 0.0.0.255
policy source 192.168.0.0 0.0.0.255     
policy source 192.168.20.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
address-group 1

quit
#
ip route-static 0.0.0.0 0.0.0.0 218.26.x.x
ip route-static 192.168.0.0 255.255.255.0 192.168.253.253
ip route-static 192.168.1.0 255.255.255.0 192.168.253.253
ip route-static 192.168.2.0 255.255.255.0 192.168.253.253
ip route-static 192.168.3.0 255.255.255.0 192.168.253.253
ip route-static 192.168.4.0 255.255.255.0 192.168.253.253
ip route-static 192.168.5.0 255.255.255.0 192.168.253.253
ip route-static 192.168.6.0 255.255.255.0 192.168.253.253
ip route-static 192.168.7.0 255.255.255.0 192.168.253.253
ip route-static 192.168.8.0 255.255.255.0 192.168.253.253
ip route-static 192.168.9.0 255.255.255.0 192.168.253.253
ip route-static 192.168.10.0 255.255.255.0 192.168.253.253
ip route-static 192.168.20.0 255.255.255.0 192.168.253.253
re

save

OK, after saving I told the customer that the VTY must be set up, otherwise you'll be in tears when something breaks at a branch. The customer just threw a car at me and I hopped over to Jincheng. The moment I walked into the branch office there was a shout: the network's down! Then the USG2000 was racked, powered on, logged into, and the commands pasted straight in:

#

acl number 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

acl number 3001
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

rule 5 permit ip source 172.16.1.0 0.0.0.255 
#
ike local-name sxyj
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ike proposal 10

quit
#
ike peer a
exchange-mode aggressive
pre-shared-key 123456
ike-proposal 10                         
local-id-type name
remote-name sxjt
remote-address 218.26.x.x

quit
#
ipsec proposal tran1

quit
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1

quit
#
interface Dialer1
link-protocol ppp
ppp pap local-user xxxx password simple xxxxxx
mtu 1450
ip address ppp-negotiate
dialer user xxx
dialer bundle 1
ipsec policy map1
#
interface Ethernet0/0/0
pppoe-client dial-bundle-number 1       
undo ip fast-forwarding qff
#
interface Ethernet0/0/1
mtu 1400
ip address 172.16.1.1 255.255.255.0
undo ip fast-forwarding qff
#
firewall zone trust
set priority 85                         
add interface Ethernet0/0/1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
add interface Dialer1
#
firewall interzone trust untrust
packet-filter 3001 outbound
nat outbound 3001 interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1

After pasting I looked it over, no errors, and fiddled about on the firewall. The inside interface IPs of the two firewalls pinged each other, and dis ipsec sa and dis ike sa showed the tunnel had come up fine, hehe, happy! Plugged my laptop straight into the firewall's inside port, gave it an IP, and happily pinged the headquarters server address. Result: stunned, it did not go through! Went over the configuration several times, then checked the tunnel state again, all fine, what on earth!

Nothing for it, the customer was standing right there watching, so call the 400 hotline. The 400 guy looked at the config and declared there was no problem. I was deflated: bro, if there's no problem why doesn't it work? Not working means there is a problem! He said wait, I'll call you back. I stared at the config left and right, then thought and called headquarters, asking them to ping my laptop from a 192.168.20.0 address; they said no problem. So the problem was on the branch side: was some command on the branch firewall blocking it?? Told myself: Maomao, you have to stay calm at a moment like this! Three deep breaths, then read the config carefully once more, and, caught you: it was ACL 3001. It had also been applied in the packet-filter rule between the trust and untrust zones, so its deny rule (meant only to exempt the branch-to-headquarters traffic from NAT) was evaluated first there and the packets were simply dropped; of course nothing got through! Quickly undid that command, tested, and everything was OK!

Empiricism kills. Copying commands from elsewhere and then modifying them sounds dead simple, but when something goes wrong the troubleshooting is painful: because you didn't enter them one by one, nothing sticks in memory, and the consequence is that you look left and right and just can't see where the fault is! From now on the packet-filter rule and the NAT rule will definitely get two separate ACLs, so that troubleshooting is easier when there is a problem. This time let it go, who told me to be lazy, hehe!
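The root cause above, and the two-ACL lesson drawn from it, as an added example that is not part of the original post: a small simulation of how the same Huawei VRP ACL is read by `nat outbound` (deny = don't translate) versus `packet-filter ... outbound` (deny = drop), evaluated over constructed sample packets. ACL 3001 is the branch config from this page; ACL 3002 and its number are an assumption standing in for the separate packet-filter ACL the author resolves to use.

```python
import ipaddress

# Constructed from the branch config on this page: the deny rule is there so that
# "nat outbound 3001" leaves the IPsec-protected branch->HQ flow untranslated.
ACL_3001 = """
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip source 172.16.1.0 0.0.0.255
"""

# The post's conclusion, a separate ACL for the packet filter (number assumed).
ACL_3002 = """
rule 0 permit ip source 172.16.1.0 0.0.0.255
"""

def _spec(tokens, key):
    """(address, wildcard) as ints for 'source'/'destination'; absent means any."""
    if key not in tokens:
        return 0, 0xFFFFFFFF
    i = tokens.index(key)
    return (int(ipaddress.IPv4Address(tokens[i + 1])),
            int(ipaddress.IPv4Address(tokens[i + 2])))

def parse_acl(text):
    """Parse 'rule N permit|deny ip source A W [destination A W]' lines in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rules.append((t[2], _spec(t, "source"), _spec(t, "destination")))
    return rules

def _hit(ip, spec):
    addr, wild = spec
    # VRP wildcard mask: 1 bits are "don't care", so only the 0 bits must match
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def first_match(rules, src, dst):
    """Action of the first matching rule, or None when no rule matches."""
    for action, s, d in rules:
        if _hit(src, s) and _hit(dst, d):
            return action
    return None

def nat_outbound(rules, src, dst):
    """'nat outbound <acl>': only a permit match gets source NAT."""
    return "source-nat" if first_match(rules, src, dst) == "permit" else "no-nat"

def packet_filter(rules, src, dst):
    """'packet-filter <acl> outbound': a deny match drops; otherwise the
    interzone default applies, which this page configures as permit."""
    return "drop" if first_match(rules, src, dst) == "deny" else "forward"
```

With ACL 3001 bound in both places, the branch-to-headquarters packet is correctly exempted from NAT but dropped by the packet filter before IPsec ever sees it; binding ACL 3002 to the packet filter instead lets it through.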
