
Example Analysis of IPsec NAT Traversal on USG Firewalls

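Many people without hands-on experience are at a loss when setting up IPsec NAT traversal on USG firewalls. This article summarizes the cause of the problem and how to solve it, and should help you resolve it. In the configuration below, FW2 (172.16.1.1) sits behind the router AR1, which translates its traffic to 202.100.1.2, and FW1 (202.100.1.1) accepts the tunnel through a policy template.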


AR1:

acl number 3001

rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

rule 2 permit ip source 10.1.2.0 0.0.0.255

rule 3 permit ip source 172.16.1.0 0.0.0.255

interface GigabitEthernet0/0/0

ip address 202.100.1.2 255.255.255.0

nat outbound 3001

#

interface GigabitEthernet0/0/1

ip address 172.16.1.2 255.255.255.0

#

ip route-static 10.1.2.0 255.255.255.0 172.16.1.1

################################################################

FW1:

acl number 3001

rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

ike proposal 1

#

ike peer 1

pre-shared-key %$%$Kvy%6e6}DWp&azElXM;@VMD;%$%$

ike-proposal 1

  nat traversal

#

ipsec proposal 1

#

ipsec policy-template temp 1

security acl 3001

ike-peer 1

proposal 1

#

ipsec policy l2l 1 isakmp template temp

#

interface GigabitEthernet0/0/1

ip address 10.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0/2

ip address 202.100.1.1 255.255.255.0

ipsec policy l2l

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet0/0/2

ip route-static 0.0.0.0 0.0.0.0 202.100.1.2

#

ip service-set natt type object

service 1 protocol udp destination-port 4500

#

ip service-set ike type object

service 0 protocol udp destination-port 500

#

policy interzone local untrust inbound

policy 0

  action permit

  policy service service-set ike

  policy service service-set esp

  policy service service-set natt

  policy service service-set icmp

#

policy interzone trust untrust inbound

policy 0

  action permit

  policy source 10.1.2.0 mask 24

  policy destination 10.1.1.0 mask 24

#

policy interzone trust untrust outbound

policy 0

  action permit

  policy source 10.1.1.0 mask 24

###########################################

FW2:

acl number 3001

rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ike proposal 1

#

ike peer 1

pre-shared-key %$%$a6XbSSW~L%o`:;YS:d}~V|sj%$%$

ike-proposal 1

remote-address 202.100.1.1

  nat traversal

#

ipsec proposal 1

#

ipsec policy l2l 1 isakmp

security acl 3001

ike-peer 1

proposal 1

#

interface GigabitEthernet0/0/1

ip address 10.1.2.1 255.255.255.0

#

interface GigabitEthernet0/0/2

ip address 172.16.1.1 255.255.255.0

ipsec policy l2l

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet0/0/2

#

ip route-static 0.0.0.0 0.0.0.0 172.16.1.2

ip service-set natt type object

service 1 protocol udp destination-port 4500

#

ip service-set ike type object

service 0 protocol udp destination-port 500

#

policy interzone local untrust inbound

policy 0

  action permit

  policy service service-set ike

  policy service service-set esp

  policy service service-set natt

  policy service service-set icmp

#

policy interzone trust untrust inbound

policy 0

  action permit

  policy source 10.1.1.0 mask 24

  policy destination 10.1.2.0 mask 24

#

policy interzone trust untrust outbound

policy 0

  action permit

  policy source 10.1.2.0 mask 24

#

###############################################################

[FW1]dis ike sa

15:49:39  2014/08/01

current ike sa number: 2

-----------------------------------------------------------------------------

conn-id  peer              flag      phase ***

-----------------------------------------------------------------------------

40001    202.100.1.2:10244    RD        v2:2  public

2      202.100.1.2:10244    RD        v2:1  public

[FW1]dis ipsec sa brief

15:49:43  2014/08/01

current ipsec sa number: 2

current ipsec tunnel number: 1

------------------------------------------------------------------------------

Src Address    Dst Address    SPI      Protocol  Algorithm

------------------------------------------------------------------------------

202.100.1.2    202.100.1.1    268723444  ESP    E:DES;A:HMAC-MD5-96;

202.100.1.1    202.100.1.2    3352737410 ESP    E:DES;A:HMAC-MD5-96;

[FW1]display ipsec sa

15:51:44  2014/08/01

===============================

Interface: GigabitEthernet0/0/2

  path MTU: 1500

===============================

  -----------------------------

  IPsec policy name: "l2l"

  sequence number: 1

  mode: template

  ***: public

  -----------------------------

  connection id: 40001

  rule number: 4294967295

  encapsulation mode: tunnel

  holding time: 0d 0h 20m 26s

  tunnel local : 202.100.1.1  tunnel remote: 202.100.1.2

  flow    source: 10.1.1.0-10.1.1.255 0-65535 0

  flow destination: 10.1.2.0-10.1.2.255 0-65535 0

  [inbound ESP SAs]

     spi: 268723444 (0x100464f4)

    ***: public  said: 0  cpuid: 0x0000

    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

    sa remaining key duration (bytes/sec): 1887436260/2374

    max received sequence-number: 9

    udp encapsulation used for nat traversal: Y

  [outbound ESP SAs]

    spi: 3352737410 (0xc7d6b682)

    ***: public  said: 1  cpuid: 0x0000

    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

    sa remaining key duration (bytes/sec): 1887436260/2374

    max sent sequence-number: 10

    udp encapsulation used for nat traversal: Y
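The "udp encapsulation used for nat traversal: Y" lines mean ESP is carried inside UDP port 4500, the port the natt service-set permits. The following added example (not part of the original article or of Huawei's software) shows how a receiver tells the three kinds of UDP/4500 payload apart under RFC 3948; the function name and the sample payloads are constructed for illustration, and only the SPI is taken from the output above.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero bytes precede IKE on UDP 4500
IKE_HEADER_LEN = 28            # fixed IKE header length (RFC 7296)

def classify_udp4500(payload: bytes, known_spis=frozenset()):
    """Classify a UDP/4500 payload as keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == b"\xff":
        return "nat-keepalive", {}
    if len(payload) < 8:
        return "malformed", {}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return "malformed", {}
        # Offsets: SPIi(8) SPIr(8) next-payload(1) version(1) exchange-type(1)
        return "ike", {"major": ike[17] >> 4, "exchange": ike[18]}
    # Otherwise the first word is a non-zero ESP SPI, then the sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return "esp", {"spi": spi, "seq": seq, "known_sa": spi in known_spis}

# Constructed sample payloads (not captured traffic). The SPI is the inbound
# SA value from the display output above; the IKE SPIs are zero placeholders.
FW1_INBOUND_SPIS = frozenset({0x100464F4})
SAMPLE_ESP = struct.pack("!II", 0x100464F4, 10) + bytes(32)
SAMPLE_UNKNOWN_ESP = struct.pack("!II", 0xDEADBEEF, 1) + bytes(32)
SAMPLE_IKE = (NON_ESP_MARKER + bytes(8) + bytes(8)
              + bytes([0x23, 0x20, 35, 0x08]) + bytes(8))  # IKEv2, IKE_AUTH
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, pkt in [("esp", SAMPLE_ESP), ("unknown", SAMPLE_UNKNOWN_ESP),
                      ("ike", SAMPLE_IKE), ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify_udp4500(pkt, FW1_INBOUND_SPIS))
```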

################################################

[FW1]display ipsec statistics

15:53:57  2014/08/01

  the security packet statistics:

  input/output security packets: 76/9

  input/output security bytes: 540/540

  input/output dropped security packets: 67/0

  the encrypt packet statistics

    send sae:9, recv sae:9, send err:0

    local cpu:9, other cpu:0, recv other cpu:0

    intact packet:9, first slice:0, after slice:0

  the decrypt packet statistics

    send sae:9, recv sae:9, send err:0

    local cpu:9, other cpu:0, recv other cpu:0

    reass  first slice:0, after slice:0, len err:0

  dropped security packet detail:

    no enough memory: 0, too long: 0

    can't find SA: 67, wrong SA: 0

    authentication: 0, replay: 0

    front recheck: 0, after recheck: 0

    exceed byte limit: 0, exceed packet limit: 0

    change cpu enc: 0, dec change cpu: 0

    change datachan: 0, fib search: 0

    rcv enc(dec) form sae said err: 0, 0

    port number error: 0

    send port: 0, output l3: 0, l2tp input: 0

  negotiate about packet statistics:

  IP packet  ok:0, err:0, drop:0

  IP rcv other cpu  to ike:0, drop:0

  IKE packet inbound  ok:3, err:0

  IKE packet outbound  ok:3, err:0

  SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0

  ModpCnt: 4, SaeSucc: 0, SoftwareSucc: 4
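The SAs above negotiated DES with MD5, and the statistics show 67 input packets dropped with "can't find SA". The following added example (not part of the original article) parses that display output and reports weak algorithms, SAs without UDP encapsulation, and SA-lookup drops; the function names, the weak-algorithm set and the trimmed sample text are assumptions of this example.

```python
import re

# Constructed sample: lines trimmed from the FW1 output shown above.
SAMPLE = """\
  [inbound ESP SAs]
     spi: 268723444 (0x100464f4)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    udp encapsulation used for nat traversal: Y
  [outbound ESP SAs]
    spi: 3352737410 (0xc7d6b682)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    udp encapsulation used for nat traversal: Y
  input/output security packets: 76/9
    can't find SA: 67, wrong SA: 0
"""

# Assumption of this example: algorithms treated as too weak for new tunnels.
WEAK_ALGS = {"DES", "3DES", "MD5"}

def parse_sas(text):
    """Return one dict per ESP SA block: direction, SPI, algorithms, NAT-T flag."""
    sas, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"\[(inbound|outbound) ESP SAs\]", line):
            cur = {"dir": m.group(1), "algs": [], "natt": False}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"spi: (\d+)", line):
            cur["spi"] = int(m.group(1))
        elif m := re.match(r"proposal: (.+)", line):
            cur["algs"] = m.group(1).split()
        elif m := re.match(r"udp encapsulation used for nat traversal: ([YN])", line):
            cur["natt"] = m.group(1) == "Y"
    return sas

def audit(text):
    """Return findings: weak algorithms, missing NAT-T, and SA-lookup drops."""
    findings = []
    for sa in parse_sas(text):
        tag = f"{sa['dir']} SPI {sa.get('spi', 0):#x}"
        weak = [a for a in sa["algs"] if a.rsplit("-", 1)[-1] in WEAK_ALGS]
        if weak:
            findings.append(f"{tag}: weak {', '.join(weak)}")
        if not sa["natt"]:
            findings.append(f"{tag}: no UDP encapsulation")
    total = re.search(r"input/output security packets: (\d+)/", text)
    lost = re.search(r"can't find SA: (\d+)", text)
    if total and lost and int(lost.group(1)):
        findings.append(f"{lost.group(1)} of {total.group(1)} input packets dropped: can't find SA")
    return findings
```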
