Home  >  Article  >  Operation and Maintenance  >  NAT configuration in USG firewall

NAT configuration in USG firewall

WBOY
WBOYforward
2023-05-17 13:25:471406browse

USGFirewall NATConfiguration

Learning purpose

  • Master how to configure NATServer on the USG firewall

  • Master how to configure NATEasy IP on the USG firewall

Topology diagram

NAT configuration in USG firewall

#:

You are the company's network administrator. The company is segregated into three zones using network firewalls. Now we need to publish the telnet service provided by a server (IP address: 10.0.3.3) in the DMZ area. The public addresses are 10.0.10.20 and 24. And users in the internal network Trust area access through Easy-IP. outside area. Access from other directions is prohibited.

                    Define the G0/0/1 and G0/0/21 interfaces to vlan11, define the G0/0/2 and G0/0/22 interfaces to vlan12, and define the G0/0/3 and The G0/0/23 interface is defined to vlan13. Three network segments are planned respectively.

LearningLearning tasks

Step 1.Basic configuration and IPAddressing

                First, configure the address information for the three routers.

[Huawei]sysname R1

[R1]interface g0/0/1

[R1-GigabitEthernet0/0/1]ip add 10.0.10.124

[R1-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/1

[R1-GigabitEthernet0/0/1]interfaceloopback0

[R1-LoopBack0]ip add 10.0.1.1 24

[R1-LoopBack0]q

[Huawei]sysname R2

[R2]interface g0/0/1

[ R2-GigabitEthernet0/0/1]ip add 10.0.20.224

[R2-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/2

[R2-GigabitEthernet0/ 0/1]interfaceloopback0

[R2-LoopBack0]ip add 10.0.2.2 24

[R2-LoopBack0]q

[Huawei]sysname R3

[R3]interface g0/0/1

[R3-GigabitEthernet0/0/1]ip add 10.0.30.324

[R3-GigabitEthernet0/0/1]desc this portconnect to S1 -G0/0/3

[R3-GigabitEthernet0/0/1]interfaceloopback0

[R3-LoopBack0]ip add 10.0.3.3 24

[R3-LoopBack0] q

When configuring the address for the firewall, G0/0/1 is configured with 10.0.20.254/24.

[SRG]sysname FW

13:06:03 2014/07 /08

[FW]interface g0/0/1

13:06:30 2014/07/08

[FW-GigabitEthernet0/0/1]ip add 10.0.20.25424

13:07:01 2014/07/08

[FW-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/22

13:07:52 2014/07/08

[FW-GigabitEthernet0/0/1]interface g0/0/0

13:08:23 2014/07/08

[FW-GigabitEthernet0/0/0]dis this

13:08:31 2014/07/08

#interface GigabitEthernet0/0/0

alias GE0/MGMT

ipaddress 192.168.0.1 255.255.255.0

dhcpselect interface

dhcpserver gateway-list 192.168.0.1

#return

[FW-GigabitEthernet0/0/0]undo ip add

13:08:42 2014/07/08

Info: The DHCP server configuration on this interface will be deleted.

[FW-GigabitEthernet0/0/0]display this

13:08:46 2014/07/08

#interface GigabitEthernet0/0/0

alias GE0/MGMT

return

[FW-GigabitEthernet0/0/0 ]ip add 10.0.10.25424

13:09:29 2014/07/08

[FW-GigabitEthernet0/0/0]desc this portconnect to S1-G0/0/21

13:10:05 2014/07/08

[FW-GigabitEthernet0/0/0]interface G0/0/2

13:10:15 2014/07/ 08

[FW-GigabitEthernet0/0/2]ip add 10.0.30.25424

13:10:28 2014/07/08

[FW-GigabitEthernet0/0/ 2]desc this portconnect to S1-G0/0/23

13:10:53 2014/07/08

[FW-GigabitEthernet0/0/2]q

Vlan needs to be defined on the switch according to requirements

[Huawei]sysname S1

[S1]vlan batch 11 to 13

Info: This operation may take a few seconds. Please wait for a moment...done.

[S1]interface g0/0/1

[S1-GigabitEthernet0/0/1]port link-typeaccess

[S1 -GigabitEthernet0/0/1]port default vlan11

[S1]interface g0/0/2

[S1-GigabitEthernet0/0/2]port link-typeaccess

[S1-GigabitEthernet0/0/2]port default vlan12

[S1-GigabitEthernet0/0/2]interface g0/0/3

[S1-GigabitEthernet0/0/3]port link -typeaccess

[S1-GigabitEthernet0/0/3]port default vlan13

[S1-GigabitEthernet0/0/3]interface g0/0/21

[S1- GigabitEthernet0/0/21]port link-typeaccess

[S1-GigabitEthernet0/0/21]port default vlan11

[S1-GigabitEthernet0/0/21]interface g0/0/22

[S1-GigabitEthernet0/0/22]port link-typeaccess

[S1-GigabitEthernet0/0/22]port default vlan12

[S1-GigabitEthernet0/0/22 ]interface g0/0/23

[S1-GigabitEthernet0/0/23]port link-typeaccess

[S1-GigabitEthernet0/0/23]port default vlan13

Step 2.Configure the interface to the security zone

The firewall has four zones by default, namely "local", "trust", "untrust", and "dmz".

In the experiment, we used three zones: "trust", 'untrust" and "dmz". Configure G0/0/0 to the untrust zone, and configure G0/0/0/2 to the dmz zone. Configure G0/0/0/1 to the trust zone.

[FW]firewall zone trust

13:45:31 2014/07/08

[FW- zone-trust]dis this

13:45:35 2014/07/08

#firewall zone trust

setpriority 85

addinterface GigabitEthernet0/0/0

#return

[FW-zone-trust]undo add inter ]undo add interface g0/0/0

13:46:01 2014/07/08

[FW-zone-trust]add interface g0/0/1

13:46:22 2014/07/08

[FW-zone-trust]firewall zone untrust

[FW-zone-untrust]add interface g0/0/0

13:47:24 2014/07/08

[[FW-zone-untrust]firewall zone dmz

13:48:06 2014/07/08

[FW-zone-dmz]add interface g0/0/2

13:48:13 2014/07/08

[FW-zone-dmz]q

By default, the firewall does not allow communication between other areas outside the local area. In order to ensure the accuracy of the configuration, we configure the default firewall filtering rules to allow communication between all areas. After the configuration is completed, Test connectivity on the FW device.

[FW]firewall packet-filter default permitall

13:51:19 2014/07/08

Warning:Setting the default packetfiltering to permit poses security risks. You

are advised to configure the securitypolicy based on the actual data flows. Are

you sure you want to continue?[Y/N]y

[FW]ping -c 1 10.0.10.1

13:51:56 2014/07/08

PING 10.0.10.1: 56 data bytes,press CTRL_C to break

Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms

---10.0.10.1 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 90/90/90 ms

[FW ]ping -c 1 10.0.20.2

13:52:08 2014/07/08

PING 10.0.20.2: 56 data bytes,press CTRL_C to break

Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms

---10.0.20.2 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 400/400/400 ms

[FW]ping -c 1 10.0.30.3

13:52:18 2014/07/08

PING 10.0.30.3: 56 data bytes,press CTRL_C to break

Reply from 10.0.30.3 : bytes=56 Sequence=1 ttl=255 time=410 ms

---10.0.30.3 ping statistics ---

1packet(s) transmitted

1packet( s) received

0.00% packet loss

round-trip min/avg/max = 410/410/410 ms

Step 3. Configure static routing to achieve network security Connectivity

Configure default routes on R2 and R3, and configure clear static routes on FW to achieve communication between the three loopback0 interfaces. Since R1 is an Internet device and does not need to know the private network information of the internal and DMZ zones, there is no need to define a default route.

[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.30.254

[FW]ip route-static 10.0.1.0 24 10.0.10.1

13:58:26 2014/07/08

[FW]ip route-static 10.0.2.0 24 10.0.20.2

13:58:40 2014/07/08

[FW]ip route-static 10.0.3.0 24 10.0.30.3

13:58:52 2014/07/08

Test connectivity to 10.0.1.0, 10.0.2.0, 10.0.3.0 on the firewall.

[FW]ping -c 1 10.0.1.1

14:00:18 2014/07/08

PING 10.0.1.1: 56 data bytes,press CTRL_C to break

Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms

---10.0.1.1 ping statistics ---

1packet (s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 80/80/80 ms

[FW]ping -c 1 10.0.2.2

14:00:25 2014/07/08

PING 10.0.2.2: 56 data bytes,press CTRL_C to break

Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms

---10.0.2.2 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 170/170/170 ms

[FW ]ping -c 1 10.0.3.3

14:00:29 2014/07/08

PING 10.0.3.3: 56 data bytes,press CTRL_C to break

Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms

--- 10.0.3.3 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min /avg/max = 110/110/110 ms

Under the current configuration, all areas can communicate without being checked. Since NAT has not yet been defined, the internal and DMZ zones cannot communicate with the external zone.

Step 4.Configure inter-zone security filtering

Configure data sent from part of the network segment 10.0.2.3 in the Trust zone to the Untrust zone The package is released. Telnet request sent from the Untrust zone to DMZ target server 10.0.3.3 was allowed to pass..

[FW]firewall session link-state check

[FW]policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound]policy0

14:06:57 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]policysource 10.0.2.0 0.0.0.255

14 :07:18 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]actionpermit

14:07:31 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]q

14:07:40 2014/07/08

[FW-policy-interzone-trust- untrust-outbound]q

14:07:40 2014/07/08

]policy interzone dmz untrust inbound

14:09:01 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound]policy0

14:09:08 2014/07/08

[FW-policy-interzone-dmz- untrust-inbound-0]policydestination 10.0.3.3 0

14:09:37 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]policyservice service -set telnet

[FW-policy-interzone-dmz-untrust-inbound-0]actionpermit

14:09:55 2014/07/08

[FW- policy-interzone-dmz-untrust-inbound-0]q

14:09:55 2014/07/08

Step 5. ConfigureEasy-Ip, implement Trust zone to Untrust zone Access.

Configure Easy-IP to perform NAT source address translation. And bind NAT to the interface.

[FW-nat-policy-interzone-trust-untrust-outbound]policy0

14:14:00 2014/07/08

[FW-nat-policy -interzone-trust-untrust-outbound-0]policysource 10.0.2.0 0.0.0.2

55

14:14:26 2014/07/08

[FW- nat-policy-interzone-trust-untrust-outbound-0]actionsource-nat

14:14:37 2014/07/08

[FW-nat-policy-interzone-trust- untrust-outbound-0]easy-ipg0/0/0

14:14:51 2014/07/08

[FW-nat-policy-interzone-trust-untrust-outbound- 0]q

After the configuration is completed, verify whether the access between the Trust zone and the Untrust zone is normal.

ping 10.0.1.1

PING 10.0.1.1: 56 data bytes,press CTRL_C to break

Request time out

Request time out

Request time out

Request time out

Request time out

---10.0.1.1 ping statistics ---

5packet(s) transmitted

0packet(s) received

100.00% packet loss

ping -a 10.0.2.2 10.0.1.1

PING 10.0.1.1: 56 data bytes,press CTRL_C to break

Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=220 ms

Reply from 10.0. 1.1: bytes=56 Sequence=2 ttl=254 time=100 ms

Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms

Reply from 10.0. 1.1: bytes=56 Sequence=4 ttl=254 time=120 ms

Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=440 ms

---10.0 .1.1 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-trip min/ AVG/MAX = 100/196/440 ms

Note that the connectivity between testing and 10.0.1.1 here is unreasonable. The extended ping successfully achieves connectivity because the source address of 10.0.2.2 was specified when sending the packet. The reason is that when sending a data packet directly to 10.0.1.1, when the source address of the data packet reaches 10.0.1.1, the source address of the data packet is 10.0.20.2, which does not belong to the client address range of NAT translation.

Step 6. Publish the intranet server 10.0.3.3

Configure the telnet service of the intranet server 10.0.3.3 and map it to the address 10.0.10.20

[FW] nat server protocol tcp global10.0.10.20 telnet inside 10.0.3.3 telnet

              Enable the Telnet function on R3 and test it on R1. When testing, please note that the external address is 10.0.10.20, so when R1 accesses 10.0.3.3, the target address it accesses is 10.0.10.20.

[R3]user-interface vty 0 4

[R3-ui-vty0-4]authentication-mode password

Please configure the login password(maximum length 16) :16

[R3-ui-vty0-4]set authentication password ?

cipher Set the password with cipher text

[R3-ui-vty0-4]set authentication passwordcip

[R3-ui-vty0-4]set authentication passwordcipher Huawei

[R3-ui-vty0-4]user privilege level 3

[R3-ui- vty0-4]q

telnet 10.0.10.20

Press CTRL_] to quit telnet mode

Trying 10.0.10.20 ...

Connected to 10.0.10.20 ...

Login authentication

Password:

The above is the detailed content of NAT configuration in USG firewall. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete