unset key protection enable
set clock dst-off
set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netstar"
set admin password "nB5UF2rsPlSIccYENsFBcuPt3nNrzn"
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood    [annotation, not part of the command: monitors this zone for attacks]
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 172.16.255.1/29
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 58.221.193.250/29
set interface ethernet0/1 route
set interface ethernet0/2 ip 112.2.27.248/28
set interface ethernet0/2 route
set interface "ethernet0/2" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/0 manage mtrace
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage ssl
set interface ethernet0/1 manage web
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface vlan1 manage mtrace
set interface ethernet0/2 dip 5 112.2.27.245 112.2.27.245
set interface "ethernet0/1" mip 58.221.193.253 host 192.168.10.6 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 112.2.27.247 host 192.168.10.6 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "172.16.255.0/29" 172.16.255.0 255.255.255.248
set address "Trust" "192.168.10.6/32" 192.168.10.6 255.255.255.255
set address "Trust" "Inside.192" 192.168.0.0 255.255.0.0
set address "Untrust" "172.16.199.0/24" 172.16.199.0 255.255.255.0
set address "Untrust" "192.168.0.0" 192.168.0.0 255.255.0.0
set address "Untrust" "192.168.10.6/255.255.255.0" 192.168.10.6 255.255.255.0
set address "DMZ" "192.168.10.0/24" 192.168.10.0 255.255.255.0
set ippool "172.16.199.x" 172.16.199.2 172.16.199.100
set user "it" uid 5
set user "it" ike-id u-fqdn "it@zg.com.cn" share-limit 1
set user "it" type ike
set user "it" "enable"
set user "zg" uid 3
set user "zg" ike-id u-fqdn "zg@zg.com.cn" share-limit 1
set user "zg" type ike
set user "zg" password "Hmd1do1HNozggcsBzdCAC9OtBKn/Odc2Tw=="
unset user "zg" type auth
set user "zg" "enable"
set user "zgle" uid 9
set user "zgle" type l2tp
set user "zgle" remote ippool "172.16.199.x"
set user "zgle" password "JhzqkK7rNdWCdwsmzVCn6mtgjfn9rBeE8A=="
unset user "zgle" type auth
set user "zgle" "enable"
set user "zgled" uid 6
set user "zgled" type l2tp
set user "zgled" remote ippool "172.16.199.x"
set user "zgled" password "Z0guux91NU8DYosZdnCsWyI6RJn/j+6irQ=="
unset user "zgled" type auth
set user "zgled" "enable"
set user-group "ZGLED" id 2
set user-group "ZGLED" user "zgle"
set user-group "aa" id 3
set user-group "aa" user "zgled"
set crypto-policy
exit
set ike gateway "Mobile" dialup "zg" Aggr outgoing-interface "ethernet0/2" preshare "X805qb30NZ2VznsZIjCPr5OgjlnRKC/Arw==" proposal "pre-g2-des-md5"
unset ike gateway "Mobile" nat-traversal
set ike gateway "Telecom" dialup "it" Aggr outgoing-interface "ethernet0/1" preshare "nDmuzB7WNW1QgWsyduC+oSg2bMnaFaJ+Sg==" proposal "pre-g2-des-md5"
unset ike gateway "Telecom" nat-traversal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Mobile" gateway "Mobile" no-replay tunnel idletime 0 proposal "g2-esp-des-md5"
set vpn "Telecom" gateway "Telecom" no-replay tunnel idletime 0 proposal "g2-esp-des-md5"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default dns1 61.147.37.1
set l2tp default dns2 192.168.10.4
set l2tp default ippool "172.16.199.x"
set l2tp "L2tp-telecom" id 2 outgoing-interface ethernet0/1 keepalive 60
set l2tp "L2tp-telecom" remote-setting ippool "172.16.199.x" dns1 61.147.37.1
set l2tp "L2tp-telecom" auth server "Local" user-group "aa"
set l2tp "ZGLED1" id 4 outgoing-interface ethernet0/2 keepalive 60
set l2tp "ZGLED1" remote-setting ippool "172.16.199.x" dns1 61.147.37.1
set l2tp "ZGLED1" auth server "Local" user-group "ZGLED"
set url protocol websense
exit
set policy id 29 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel l2tp "L2tp-telecom"
set policy id 29
exit
set policy id 27 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel l2tp "ZGLED1"
set policy id 27
exit
set policy id 25 from "Trust" to "Untrust" "172.16.255.0/29" "Dial-Up VPN" "ANY" tunnel vpn "Telecom" id 0x27 pair-policy 24
set policy id 25
exit
set policy id 24 from "Untrust" to "Trust" "Dial-Up VPN" "172.16.255.0/29" "ANY" tunnel vpn "Telecom" id 0x27 pair-policy 25 log
set policy id 24
exit
set policy id 21 from "Trust" to "Untrust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "Mobile" id 0x1c log
set policy id 21
exit
set policy id 20 from "Untrust" to "Trust" "Dial-Up VPN" "Inside.192" "ANY" tunnel vpn "Mobile" id 0x22 pair-policy 23 log
set policy id 20
exit
set policy id 14 name "Telecom-mail" from "Untrust" to "Trust" "Any" "MIP(58.221.193.253)" "ANY" permit log
set policy id 14
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 7 name "Mobile-mail" from "Untrust" to "Trust" "Any" "MIP(112.2.27.247)" "ANY" permit log
set policy id 7
exit
set policy id 26 from "Untrust" to "Trust" "Any" "MIP(112.2.27.247)" "HTTP" permit
set policy id 26
set dst-address "MIP(58.221.193.253)"
set service "HTTPS"
set service "IMAP"
set service "POP3"
set service "SMTP"
set service "MS-EXCHANGE"
exit
set policy id 19 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel l2tp "L2tp-telecom" log
set policy id 19
exit
set policy id 28 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 28
exit
set policy id 22 from "Trust" to "Untrust" "Inside.192" "Dial-Up VPN" "ANY" tunnel vpn "Telecom" id 0x20
set policy id 22
exit
set policy id 23 from "Trust" to "Untrust" "Inside.192" "Dial-Up VPN" "ANY" tunnel vpn "Mobile" id 0x22 pair-policy 20 log
set policy id 23
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "210.72.145.44"
set ntp interval 120
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/2 gateway 112.2.27.241
set route 192.168.10.0/24 gateway 192.168.10.1
set route 172.16.0.0/16 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
set source-routing enable
set sibr-routing enable
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 112.2.27.241
set route 192.168.10.0/24 interface ethernet0/0 gateway 172.16.255.5
set route 192.168.0.0/16 interface ethernet0/0 gateway 172.16.255.5
set route 172.16.0.0/16 gateway 172.16.255.5
set route 0.0.0.0/0 interface ethernet0/0 gateway 58.221.193.249 preference 20 metric 10 description "Telecom"
set route source 192.168.1.0/24 interface ethernet0/1 gateway 58.221.193.249 preference 10 description "Leader"
set route source 192.168.10.0/24 interface ethernet0/1 gateway 58.221.193.249 preference 10 description "Server"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"