(continued) Even if I create the policy below while still having no MIP, it gets denied by the Global policy, just as I wrote in item 3 of "what I did" in >>46...
set policy id * from "Untrust" to "Trust" "Any" "*.*.*.97/32" "ANY" nat dst ip 192.168.1.11
In other words, outbound now works, but this time inbound is broken. Sorry for cluttering the thread at such length. I can see some light now, so I'd be grateful if you could bear with me a little longer.
I just re-read the thread a bit. Is something like this what you mean? I made up the addresses, so substitute your own. I don't have an SSG at home, so this is on a 5GT. I can't be bothered to rename the interfaces, so the I/F names stay as they are.
trust I/F: 192.168.7.250/24
untrust I/F: 172.16.0.113/29
peer I/F: 172.16.0.118/29
set address "Trust" "Trust-Seg" 192.168.7.0 255.255.255.0
set address "Untrust" "ISP" 172.16.0.0 255.255.255.0
set interface untrust ext ip 172.16.0.98 255.255.255.248 dip 4 172.16.0.97 172.16.0.97
set interface "untrust" mip 10.0.0.97 host 192.168.7.250 netmask 255.255.255.255 vr "trust-vr"
set route 10.0.0.97/32 gateway 192.168.7.250
set policy id 100 from "Trust" to "Untrust" "Trust-Seg" "ISP" "ANY" nat src dip-id 4 permit log
set policy id 200 from "Untrust" to "Trust" "ISP" "MIP(10.0.0.97)" "ANY" permit log
53 :11/06/04
PID 100, from Trust to Untrust, src Trust-Seg, dst ISP, service ANY, action Permit
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
2011-06-04 13:41:36 0:00:04 192.168.7.250 46800 172.16.0.113 1024 ICMP 2040 trust Close - RESP 1 10.0.0.97 46800 172.16.0.113 1024
PID 200, from Untrust to Trust, src ISP, dst MIP(10.0.0.97), service ANY, action Permit
2011-06-04 13:42:38 0:00:04 172.16.0.118 1 10.0.0.97 97 ICMP 2040 untrust Close - RESP 1 172.16.0.118 1 192.168.7.250 97
54 :11/06/04
Whoa, I accidentally posted the log for my own I/F instead of the peer's, lol
ns-5gt-> get log tra
PID 100, from Trust to Untrust, src Trust-Seg, dst ISP, service ANY, action Permit
============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
============================================================================================================
2011-06-04 13:52:51 0:00:01 192.168.7.250 47800 172.16.0.118 1024 ICMP 2046 trust Close - RESP 1 10.0.0.97 47800 172.16.0.118 1024
(continued) >52 Even though policy id 100 is configured with src dip-id 4, the log shows the source being NATed to 10.0.0.97, so it really is being source-NATed to the MIP address, isn't it? I think it would behave the same if you dropped the src NAT from policy id 100 and removed the DIP and the route. Could you try that? lol
57 :11/06/04
>>56 Ah, I think I finally get what you're trying to say (probably). Actually, don't you just not need the MIP at all? I can't be bothered to set up a host, though.
set interface trust ip 192.168.7.250/24
set interface untrust ip 172.16.0.113/29
set address "Trust" "Globals" 172.16.0.96 255.255.255.248
set address "Trust" "Trust-Seg" 192.168.7.0 255.255.255.0
set address "Untrust" "ISP" 172.16.0.0 255.255.255.
set interface untrust ext ip 172.16.0.98 255.255.255.248 dip 4 172.16.0.97 172.16.0.97
set policy id 100 from "Trust" to "Untrust" "Trust-Seg" "ISP" "ANY" nat src dip-id 4 permit log
set policy id 200 from "Untrust" to "Trust" "ISP" "Globals" "ANY" nat dst ip 192.168.7.250 permit log
set route 172.16.0.96/29 gateway 192.168.7.250
58 :11/06/04
ns-5gt-> get log tra
PID 100, from Trust to Untrust, src Trust-Seg, dst ISP, service ANY, action Permit
============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
============================================================================================================
2011-06-04 19:34:18 0:00:03 192.168.7.250 53000 172.16.0.118 1024 ICMP 2046 trust Close - RESP 1 172.16.0.97 1059 172.16.0.118 1024
59 :11/06/04
PID 200, from Untrust to Trust, src ISP, dst Globals, service ANY, action Permit
============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
============================================================================================================
2011-06-04 19:34:22 0:00:04 172.16.0.118 0 172.16.0.97 106 ICMP 2037 untrust Close - RESP 1 172.16.0.118 0 192.168.7.250 106
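The check made in >>56 (is the translated source in the log the DIP pool address, or the MIP?) and confirmed by the logs in posts 58 and 59 can be done mechanically. The Python script below is an added example for this thread, not ScreenOS code or anything posted by the participants. The config and log text inside it are copied from the posts above; it assumes the "PID n," line in `get log traffic` output precedes the session rows it applies to, as shown here, and it reads the four IPv4 addresses in each row in column order (Source, Destination, Xlated Src, Xlated Dst).

```python
"""Cross-check ScreenOS 'get log traffic' rows against the NAT clauses of the
policies that matched them.  Added example for this thread, not ScreenOS code."""
import ipaddress
import re

# Constructed from post 57: the DIP definition and the two policies.
CONFIG = """
set interface untrust ext ip 172.16.0.98 255.255.255.248 dip 4 172.16.0.97 172.16.0.97
set policy id 100 from "Trust" to "Untrust" "Trust-Seg" "ISP" "ANY" nat src dip-id 4 permit log
set policy id 200 from "Untrust" to "Trust" "ISP" "Globals" "ANY" nat dst ip 192.168.7.250 permit log
"""

# Constructed from the thread: one row from post 54 (MIP still present) and the
# rows from posts 58/59 (MIP removed).  The 'PID' line names the matching policy.
LOG = """
PID 100, from Trust to Untrust, src Trust-Seg, dst ISP, service ANY, action Permit
2011-06-04 13:52:51 0:00:01 192.168.7.250 47800 172.16.0.118 1024 ICMP 2046 trust Close - RESP 1 10.0.0.97 47800 172.16.0.118 1024
2011-06-04 19:34:18 0:00:03 192.168.7.250 53000 172.16.0.118 1024 ICMP 2046 trust Close - RESP 1 172.16.0.97 1059 172.16.0.118 1024
PID 200, from Untrust to Trust, src ISP, dst Globals, service ANY, action Permit
2011-06-04 19:34:22 0:00:04 172.16.0.118 0 172.16.0.97 106 ICMP 2037 untrust Close - RESP 1 172.16.0.118 0 192.168.7.250 106
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 'set interface <if> [ext ip <ip> <mask>] dip <id> <first> <last>'
DIP_RE = re.compile(r"^set interface \S+ (?:ext ip \S+ \S+ )?dip (\d+) (\S+) (\S+)")
POLICY_RE = re.compile(r"^set policy id (\d+) ")


def parse_config(text):
    """Return ({dip_id: (first, last)}, {policy_id: {'src_dip': id|None, 'dst_ip': ip|None}})."""
    dips, policies = {}, {}
    for line in text.strip().splitlines():
        m = DIP_RE.match(line)
        if m:
            dips[int(m.group(1))] = (ipaddress.ip_address(m.group(2)),
                                     ipaddress.ip_address(m.group(3)))
            continue
        m = POLICY_RE.match(line)
        if m:
            src = re.search(r"\bnat src dip-id (\d+)", line)
            dst = re.search(r"\bdst ip (\S+)", line)
            policies[int(m.group(1))] = {
                "src_dip": int(src.group(1)) if src else None,
                "dst_ip": ipaddress.ip_address(dst.group(1)) if dst else None,
            }
    return dips, policies


def parse_log(text):
    """Return [(pid, src, dst, xlated_src, xlated_dst)] for each session row."""
    pid, rows = None, []
    for line in text.strip().splitlines():
        m = re.match(r"^PID (\d+),", line)
        if m:
            pid = int(m.group(1))          # header line: remember the policy id
            continue
        if re.match(r"^\d{4}-\d{2}-\d{2} ", line) and pid is not None:
            ips = IPV4.findall(line)
            if len(ips) >= 4:
                src, dst, xsrc, xdst = (ipaddress.ip_address(a) for a in ips[:4])
                rows.append((pid, src, dst, xsrc, xdst))
    return rows


def check_nat(config_text, log_text):
    """Return [(pid, xlated_src, xlated_dst, verdict)]; verdict is 'ok' or the mismatch."""
    dips, policies = parse_config(config_text)
    findings = []
    for pid, src, dst, xsrc, xdst in parse_log(log_text):
        pol = policies.get(pid)
        if pol is None:
            findings.append((pid, xsrc, xdst, "no such policy in config"))
            continue
        problems = []
        if pol["src_dip"] is not None:
            pool = dips.get(pol["src_dip"])
            if pool is None:
                problems.append(f"dip-id {pol['src_dip']} referenced but not defined")
            elif not pool[0] <= xsrc <= pool[1]:
                problems.append(f"src translated to {xsrc}, expected DIP {pol['src_dip']} "
                                f"({pool[0]}-{pool[1]})")
        elif xsrc != src:
            problems.append(f"src translated to {xsrc} but policy has no src NAT")
        if pol["dst_ip"] is not None and xdst != pol["dst_ip"]:
            problems.append(f"dst translated to {xdst}, expected {pol['dst_ip']}")
        findings.append((pid, xsrc, xdst, "; ".join(problems) or "ok"))
    return findings


if __name__ == "__main__":
    for pid, xsrc, xdst, verdict in check_nat(CONFIG, LOG):
        print(f"PID {pid}: xlated {xsrc} -> {xdst}: {verdict}")
```

Run as-is, the first row (from post 54) is flagged because the translated source is 10.0.0.97 rather than the dip-id 4 pool, which is exactly the observation in >>56; the two rows from posts 58/59 come back "ok". Pasting your own `get config` and `get log traffic` output into CONFIG and LOG gives the same check for any policy-based NAT setup.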
>>50-61 Thank you so much for going as far as testing this on your day off. Taking the advice from the two (?) of you, I struggled through it on my own and managed to sort out the DIP on the ext ip and the dummy routing.
set interface ethernet0/0 ip *.*.*.113/29
set interface ethernet0/0 route
set interface ethernet0/0 ext ip *.*.*.96 255.255.255.240 dip 4 *.*.*.97 *.*.*.97
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 route
(continued)
63 :11/06/06
set address "Trust" "192.168.1.11/32" 192.168.1.11 255.255.255.255
set policy id 44 from "Trust" to "Untrust" "192.168.1.11/32" "Any" "ANY" nat src dip-id 4 permit log
set policy id 46 from "Untrust" to "Trust" "Any" "*.*.*.97/32" "ANY" nat dst ip 192.168.1.11 permit log
set route 0.0.0.0/0 interface ethernet0/0 gateway *.*.*.118
set route *.*.*.97/32 interface ethernet0/1 gateway 192.168.1.0
(continued)
64 :11/06/06
With the configuration in >>62-63, inbound now gets through. But the host at 192.168.1.11 can no longer reach *.*.*.113 by ping (nothing shows up in the Global deny log either), so outbound doesn't get through. So I changed the untrust->trust policy to a simple one without the DIP,
set policy id 44 from "Trust" to "Untrust" "192.168.1.11/32" "Any" "ANY" permit log
and then the ping started going through. (Though since the src ip stays 192.168.1.11, it can't get out to the outside.) Every time I fix one thing another breaks, and I'm really stuck... Sorry for the long post.