We are ready. Are you?

In 2022 we work hand in hand with you for shared success, safeguarding your enterprise network security!

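Network Topology and Description

Two firewalls are stacked in dual-active mode and serve as the egress. The downlinks form a cross-chassis aggregation, and the upstream public-network port is connected on slot 2.

Problem Description

A PC connected under slot 1 cannot ping 114. When the PC is moved to slot 2, ping 114 works normally.

Process Analysis

Collect debug ip packet output on the device to follow the packet path. The output shows no problem anywhere in the forwarding process.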

*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1; 

Receiving, interface = GigabitEthernet1/0/2          //Port 1/0/2 receives the packet from the endpoint

version = 4, headlen = 20, tos = 0

pktlen = 60, pktid = 28308, offset = 0, ttl = 64, protocol = 1

checksum = 4924, s = X.X.X.X, d = 114.114.114.114

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Receiving IP packet from interface GigabitEthernet1/0/2.

Payload: ICMP

  type = 8, code = 0, checksum = 0x4429.

 

*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1; 

Transferring, interface = GigabitEthernet2/0/24            //Sent to slot 2

version = 4, headlen = 20, tos = 0

pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1

checksum = 5180, s = X.X.X.X, d = 114.114.114.114

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Sending to slot 2

Payload: ICMP

  type = 8, code = 0, checksum = 0x4429.

 

*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2; 

Transferring, interface = GigabitEthernet2/0/24

version = 4, headlen = 20, tos = 0

pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1

checksum = 5180, s = X.X.X.X, d = 114.114.114.114

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: IP TR: Receive packet from another node.                //slot 2 received the forwarded packet

Payload: ICMP

  type = 8, code = 0, checksum = 0x4429.

 

*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2; 

Sending, interface = GigabitEthernet2/0/24           //Sent out of 2/0/24

version = 4, headlen = 20, tos = 0

pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1

checksum = 5180, s = X.X.X.X, d = 114.114.114.114

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Sending IP packet received from interface GigabitEthernet1/0/2 at interface GigabitEthernet2/0/24.

Payload: ICMP

  type = 8, code = 0, checksum = 0x4429.


The security policy already permits the traffic:


*Jul 29 22:46:55:534 2022 FW FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=GigabitEthernet1/0/2(4), If-Out=GigabitEthernet2/0/24(90); Packet Info:Src-IP=X.X.X.X, Dst-IP=114.114.114.114, VPN-Instance=, Src-MacAddr=H-H-H,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=ICMP(22742),Terminal=invalid(0), SecurityPolicy=shangwang, Rule-ID=1.


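A packet capture on the public-network port does not show the request packets sent to 114, and debugging nat packet produces no corresponding output.


It was later confirmed that in a dual-active stack where traffic crosses chassis, configuring NAT on a physical port prevents NAT from translating correctly, which is why the ping fails.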
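
The hop-by-hop reading of the debug ip packet output above can be automated to pick out flows that enter on one slot and leave on another, the condition this case ties to the NAT failure. The Python below is an added example, not part of the original case or any vendor tooling; it assumes the record layout shown above and that the first number of an interface name is the slot (as with 1/0/2 and 2/0/24 here), and its sample log is constructed from the page's output with fields trimmed.

```python
import re

# Constructed sample: the four debug records shown above, trimmed to the parsed fields.
SAMPLE = """\
*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1;
Receiving, interface = GigabitEthernet1/0/2
pktlen = 60, pktid = 28308, offset = 0, ttl = 64, protocol = 1
*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1;
Transferring, interface = GigabitEthernet2/0/24
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Transferring, interface = GigabitEthernet2/0/24
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Sending, interface = GigabitEthernet2/0/24
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
"""

HEADER = re.compile(r"IPFW/7/IPFW_PACKET:.*?(?:-Slot=(\d+))?;")
STAGE = re.compile(r"^(\w+), interface = (\S+)", re.M)
PKTID = re.compile(r"pktid = (\d+)")

def trace(log):
    """Return {pktid: [(stage, interface, slot_tag_or_None), ...]} in log order."""
    paths = {}
    # Split just before each record header so every chunk holds one debug record.
    for rec in re.split(r"(?m)^(?=\*.*IPFW/7/IPFW_PACKET:)", log):
        head, stage, pid = HEADER.search(rec), STAGE.search(rec), PKTID.search(rec)
        if head and stage and pid:
            hop = (stage.group(1), stage.group(2), head.group(1))
            paths.setdefault(int(pid.group(1)), []).append(hop)
    return paths

def slot_of(ifname):
    """Assumption: the first number of the interface name is the slot (1/0/2 -> '1')."""
    m = re.search(r"(\d+)/\d+/\d+$", ifname)
    return m.group(1) if m else None

def summarize(log):
    """Map pktid -> 'cross-slot', 'same-slot', or 'no-egress' (no Sending record)."""
    result = {}
    for pid, hops in trace(log).items():
        rx = [slot_of(i) for s, i, _ in hops if s == "Receiving"]
        tx = [slot_of(i) for s, i, _ in hops if s == "Sending"]
        if not tx:
            result[pid] = "no-egress"
        else:
            result[pid] = "cross-slot" if rx and rx[0] != tx[-1] else "same-slot"
    return result

if __name__ == "__main__":
    print(trace(SAMPLE), summarize(SAMPLE))
```

Packets are keyed by pktid only, so on a long capture where IDs repeat, narrow the log to one test flow first.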

Solution

Configure NAT on a logical interface.

