
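Example Analysis of IPsec NAT Traversal on USG Firewalls

Published: 2022-01-10 10:25:26  Source: 億速云  Views: 202  Author: 柒染  Column: Security Technology

Many people without hands-on experience are at a loss when configuring IPsec NAT traversal on USG firewalls. This article summarizes the cause of the problem and how to solve it, in the hope that it helps you resolve it.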

AR1:

acl number 3001  

rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

rule 2 permit ip source 10.1.2.0 0.0.0.255

rule 3 permit ip source 172.16.1.0 0.0.0.255

interface GigabitEthernet0/0/0

ip address 202.100.1.2 255.255.255.0

nat outbound 3001

#

interface GigabitEthernet0/0/1

ip address 172.16.1.2 255.255.255.0

#

ip route-static 10.1.2.0 255.255.255.0 172.16.1.1

################################################################

FW1:

acl number 3001

rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

ike proposal 1

#

ike peer 1

pre-shared-key %$%$Kvy%6e6}DWp&azElXM;@VMD;%$%$

ike-proposal 1

   nat traversal

#

ipsec proposal 1

#

ipsec policy-template temp 1

security acl 3001

ike-peer 1

proposal 1

#

ipsec policy l2l 1 isakmp template temp

#

interface GigabitEthernet0/0/1

ip address 10.1.1.1 255.255.255.0      

#

interface GigabitEthernet0/0/2

ip address 202.100.1.1 255.255.255.0

ipsec policy l2l

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet0/0/2

ip route-static 0.0.0.0 0.0.0.0 202.100.1.2

#

ip service-set natt type object

service 1 protocol udp destination-port 4500

#

ip service-set ike type object

service 0 protocol udp destination-port 500

#

policy interzone local untrust inbound

policy 0

  action permit

  policy service service-set ike

  policy service service-set esp

  policy service service-set natt

  policy service service-set icmp

#

policy interzone trust untrust inbound

policy 0

  action permit

  policy source 10.1.2.0 mask 24

  policy destination 10.1.1.0 mask 24

#                                       

policy interzone trust untrust outbound

policy 0

  action permit

  policy source 10.1.1.0 mask 24

###########################################

FW2:

acl number 3001

rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ike proposal 1

#

ike peer 1

pre-shared-key %$%$a6XbSSW~L%o`:;YS:d}~V|sj%$%$

ike-proposal 1

remote-address 202.100.1.1

   nat traversal

#

ipsec proposal 1

#

ipsec policy l2l 1 isakmp

security acl 3001

ike-peer 1

proposal 1

#

interface GigabitEthernet0/0/1

ip address 10.1.2.1 255.255.255.0

#                                       

interface GigabitEthernet0/0/2

ip address 172.16.1.1 255.255.255.0

ipsec policy l2l

firewall zone trust                     

set priority 85

add interface GigabitEthernet0/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet0/0/2

#

ip route-static 0.0.0.0 0.0.0.0 172.16.1.2

ip service-set natt type object

service 1 protocol udp destination-port 4500

#

ip service-set ike type object

service 0 protocol udp destination-port 500

#

policy interzone local untrust inbound

policy 0

  action permit

  policy service service-set ike

  policy service service-set esp

  policy service service-set natt

  policy service service-set icmp

#

policy interzone trust untrust inbound

policy 0

  action permit

  policy source 10.1.1.0 mask 24

  policy destination 10.1.2.0 mask 24

#

policy interzone trust untrust outbound

policy 0

  action permit                          

  policy source 10.1.2.0 mask 24

#

###############################################################

[FW1]dis ike sa

15:49:39  2014/08/01

current ike sa number: 2

-----------------------------------------------------------------------------

conn-id    peer                    flag          phase ***

-----------------------------------------------------------------------------

40001      202.100.1.2:10244       RD            v2:2  public

2          202.100.1.2:10244       RD            v2:1  public

[FW1]dis ipsec sa brief

15:49:43  2014/08/01

current ipsec sa number: 2

current ipsec tunnel number: 1

------------------------------------------------------------------------------

Src Address     Dst Address     SPI        Protocol  Algorithm

------------------------------------------------------------------------------

202.100.1.2     202.100.1.1     268723444  ESP       E:DES;A:HMAC-MD5-96;

202.100.1.1     202.100.1.2     3352737410 ESP       E:DES;A:HMAC-MD5-96;

[FW1]display ipsec sa

15:51:44  2014/08/01

===============================

Interface: GigabitEthernet0/0/2

    path MTU: 1500

===============================

  -----------------------------

  IPsec policy name: "l2l"

  sequence number: 1

  mode: template

  ***: public

  -----------------------------

    connection id: 40001

    rule number: 4294967295

    encapsulation mode: tunnel

    holding time: 0d 0h 20m 26s

    tunnel local : 202.100.1.1    tunnel remote: 202.100.1.2

    flow      source: 10.1.1.0-10.1.1.255 0-65535 0

    flow destination: 10.1.2.0-10.1.2.255 0-65535 0

    [inbound ESP SAs]

      spi: 268723444 (0x100464f4)

      ***: public  said: 0  cpuid: 0x0000

      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

      sa remaining key duration (bytes/sec): 1887436260/2374

      max received sequence-number: 9

      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]

      spi: 3352737410 (0xc7d6b682)

      ***: public  said: 1  cpuid: 0x0000

      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

      sa remaining key duration (bytes/sec): 1887436260/2374

      max sent sequence-number: 10

      udp encapsulation used for nat traversal: Y
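
The Python check below is an added example, not part of the original article or of any Huawei tooling: it parses `display ipsec sa` output in the layout shown above, confirms that each ESP SA uses UDP encapsulation for NAT traversal, and flags the DES and MD5 transforms that appear in this output. The sample text is constructed from the output above, and the WEAK set and function names are this example's own assumptions.

```python
import re

# Constructed sample: trimmed copy of the "display ipsec sa" layout shown above.
SAMPLE = """\
    tunnel local : 202.100.1.1    tunnel remote: 202.100.1.2
    [inbound ESP SAs]
      spi: 268723444 (0x100464f4)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      udp encapsulation used for nat traversal: Y
    [outbound ESP SAs]
      spi: 3352737410 (0xc7d6b682)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      udp encapsulation used for nat traversal: Y
"""

# Transforms treated as weak here (assumption of this example, not a device setting).
WEAK = {"ESP-ENCRYPT-DES", "ESP-AUTH-MD5"}

def parse_sas(text):
    """Return one dict per SA block: direction, spi, proposal list, nat_t flag."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if m:
            cur = {"direction": m.group(1), "spi": None, "proposal": [], "nat_t": False}
            sas.append(cur)
        elif cur is None:
            continue  # lines before the first SA block (tunnel endpoints, flows)
        elif line.startswith("spi:"):
            cur["spi"] = int(line.split()[1])
        elif line.startswith("proposal:"):
            cur["proposal"] = line.split(":", 1)[1].split()
        elif line.startswith("udp encapsulation used for nat traversal:"):
            cur["nat_t"] = line.rsplit(":", 1)[1].strip() == "Y"
    return sas

def audit(sas):
    """Return (direction, spi, issue) for SAs lacking NAT-T or using weak transforms."""
    findings = []
    for sa in sas:
        if not sa["nat_t"]:
            findings.append((sa["direction"], sa["spi"], "no UDP encapsulation"))
        for transform in sa["proposal"]:
            if transform in WEAK:
                findings.append((sa["direction"], sa["spi"], "weak transform " + transform))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sas(SAMPLE)):
        print(finding)
```
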

################################################

[FW1]display ipsec statistics

15:53:57  2014/08/01

  the security packet statistics:

    input/output security packets: 76/9

    input/output security bytes: 540/540

    input/output dropped security packets: 67/0

    the encrypt packet statistics

      send sae:9, recv sae:9, send err:0

      local cpu:9, other cpu:0, recv other cpu:0

      intact packet:9, first slice:0, after slice:0

    the decrypt packet statistics

      send sae:9, recv sae:9, send err:0

      local cpu:9, other cpu:0, recv other cpu:0

      reass  first slice:0, after slice:0, len err:0

    dropped security packet detail:

      no enough memory: 0, too long: 0

      can't find SA: 67, wrong SA: 0

      authentication: 0, replay: 0

      front recheck: 0, after recheck: 0

      exceed byte limit: 0, exceed packet limit: 0

      change cpu enc: 0, dec change cpu: 0

      change datachan: 0, fib search: 0

      rcv enc(dec) form sae said err: 0, 0

      port number error: 0

      send port: 0, output l3: 0, l2tp input: 0

  negotiate about packet statistics:      

    IP packet  ok:0, err:0, drop:0

    IP rcv other cpu   to ike:0, drop:0

    IKE packet inbound   ok:3, err:0

    IKE packet outbound  ok:3, err:0

    SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0

    ModpCnt: 4, SaeSucc: 0, SoftwareSucc: 4
