USG Firewall NAT Configuration

Learning objectives

You are the network administrator of this company. The company uses a network firewall to separate the network into three zones. The telnet service provided by a server in the DMZ zone (IP address 10.0.3.3) now has to be published externally; the publicly announced address is 10.0.10.20/24. Users in the internal Trust zone access the external zone by means of Easy-IP. Access in every other direction is prohibited. On the switch, assign interfaces G0/0/1 and G0/0/21 to vlan 11, G0/0/2 and G0/0/22 to vlan 12, and G0/0/3 and G0/0/23 to vlan 13, which gives the three planned network segments.

Exercise tasks

Step 1. Basic configuration and IP addressing

First assign address information to the three routers.
[Huawei]sysname R1
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.0.10.1 24
[R1-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/1
[R1-GigabitEthernet0/0/1]interface loopback0
[R1-LoopBack0]ip add 10.0.1.1 24
[R1-LoopBack0]q
[Huawei]sysname R2
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.0.20.2 24
[R2-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/2
[R2-GigabitEthernet0/0/1]interface loopback0
[R2-LoopBack0]ip add 10.0.2.2 24
[R2-LoopBack0]q
[Huawei]sysname R3
[R3]interface g0/0/1
[R3-GigabitEthernet0/0/1]ip add 10.0.30.3 24
[R3-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/3
[R3-GigabitEthernet0/0/1]interface loopback0
[R3-LoopBack0]ip add 10.0.3.3 24
[R3-LoopBack0]q
When assigning addresses on the firewall, G0/0/1 is set to 10.0.20.254/24.
[SRG]sysname FW
13:06:03 2014/07/08
[FW]interface g0/0/1
13:06:30 2014/07/08
[FW-GigabitEthernet0/0/1]ip add 10.0.20.254 24
13:07:01 2014/07/08
[FW-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/22
13:07:52 2014/07/08
[FW-GigabitEthernet0/0/1]interface g0/0/0
13:08:23 2014/07/08
[FW-GigabitEthernet0/0/0]dis this
13:08:31 2014/07/08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
return
[FW-GigabitEthernet0/0/0]undo ip add
13:08:42 2014/07/08
Info: The DHCP server configuration on this interface will be deleted.
[FW-GigabitEthernet0/0/0]display this
13:08:46 2014/07/08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
#
return
[FW-GigabitEthernet0/0/0]ip add 10.0.10.254 24
13:09:29 2014/07/08
[FW-GigabitEthernet0/0/0]desc this port connect to S1-G0/0/21
13:10:05 2014/07/08
[FW-GigabitEthernet0/0/0]interface G0/0/2
13:10:15 2014/07/08
[FW-GigabitEthernet0/0/2]ip add 10.0.30.254 24
13:10:28 2014/07/08
[FW-GigabitEthernet0/0/2]desc this port connect to S1-G0/0/23
13:10:53 2014/07/08
[FW-GigabitEthernet0/0/2]q
On the switch, the VLANs are defined as required.
[Huawei]sysname S1
[S1]vlan batch 11 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface g0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1]interface g0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 12
[S1-GigabitEthernet0/0/2]interface g0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 13
[S1-GigabitEthernet0/0/3]interface g0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]interface g0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]interface g0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13

Step 2. Assign the interfaces to security zones

The firewall has four zones by default: local, trust, untrust and dmz. In this lab we use the trust, untrust and dmz zones. Assign G0/0/0 to the untrust zone, G0/0/2 to the dmz zone and G0/0/1 to the trust zone.
[FW]firewall zone trust
13:45:31 2014/07/08
[FW-zone-trust]dis this
13:45:35 2014/07/08
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
return
[FW-zone-trust]undo add interface g0/0/0
13:46:01 2014/07/08
[FW-zone-trust]add interface g0/0/1
13:46:22 2014/07/08
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface g0/0/0
13:47:24 2014/07/08
[FW-zone-untrust]firewall zone dmz
13:48:06 2014/07/08
[FW-zone-dmz]add interface g0/0/2
13:48:13 2014/07/08
[FW-zone-dmz]q
By default, the firewall does not allow communication between zones other than the local zone. To confirm that the configuration so far is correct, we set the default packet-filter rule to permit traffic between all zones, and then test connectivity from the FW device once the configuration is complete.
[FW]firewall packet-filter default permit all
13:51:19 2014/07/08
Warning: Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue.
[FW]ping -c 1 10.0.10.1
13:51:56 2014/07/08
  PING 10.0.10.1: 56  data bytes, press CTRL_C to break
    Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms
  --- 10.0.10.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 90/90/90 ms
[FW]ping -c 1 10.0.20.2
13:52:08 2014/07/08
  PING 10.0.20.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms
  --- 10.0.20.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 400/400/400 ms
[FW]ping -c 1 10.0.30.3
13:52:18 2014/07/08
  PING 10.0.30.3: 56  data bytes, press CTRL_C to break
    Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms
  --- 10.0.30.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 410/410/410 ms
Step 3. Configure static routes to establish connectivity across the network

Configure default routes on R2 and R3, and explicit static routes on the FW, so that the three loopback0 interfaces can reach one another. Because R1 is the external-network device, it has no need to know the private networks of the internal and DMZ zones, so no default route is defined on it.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
13:58:26 2014/07/08
[FW]ip route-static 10.0.2.0 24 10.0.20.2
13:58:40 2014/07/08
[FW]ip route-static 10.0.3.0 24 10.0.30.3
13:58:52 2014/07/08
Test connectivity from the firewall to 10.0.1.0, 10.0.2.0 and 10.0.3.0.
[FW]ping -c 1 10.0.1.1
14:00:18 2014/07/08
  PING 10.0.1.1: 56  data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 80/80/80 ms
[FW]ping -c 1 10.0.2.2
14:00:25 2014/07/08
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms
  --- 10.0.2.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 170/170/170 ms
[FW]ping -c 1 10.0.3.3
14:00:29 2014/07/08
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms
  --- 10.0.3.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 110/110/110 ms
With the current configuration all zones can communicate with one another and nothing is inspected. Because NAT has not yet been defined, the internal and DMZ zones and the external zone cannot yet reach each other.

Step 4. Configure inter-zone security filtering

Configure the firewall so that packets sent from the 10.0.2.0/24 segment of the Trust zone to the Untrust zone are permitted, and so that Telnet requests sent from the Untrust zone to the DMZ target server 10.0.3.3 are allowed to pass.
[FW]firewall session link-state check
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
14:06:57 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
14:07:18 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]action permit
14:07:31 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]q
14:07:40 2014/07/08
[FW-policy-interzone-trust-untrust-outbound]q
14:07:40 2014/07/08
[FW]policy interzone dmz untrust inbound
14:09:01 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound]policy 0
14:09:08 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0
14:09:37 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0]action permit
14:09:55 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]q
14:09:55 2014/07/08
Step 5. Configure Easy-IP to provide access from the Trust zone to the Untrust zone

Use Easy-IP to perform NAT source address translation, and bind the NAT policy to the outbound interface.
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0
14:14:00 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
14:14:26 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
14:14:37 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip g0/0/0
14:14:51 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]q
After the configuration is complete, verify whether access from the Trust zone to the Untrust zone works.
  PING 10.0.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Enable Telnet on R3 and test from R1. Note that the externally published address is 10.0.10.20, so when R1 accesses 10.0.3.3 the destination address it uses is 10.0.10.20.
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):
[R3-ui-vty0-4]set authentication password ?
  cipher  Set the password with cipher text
[R3-ui-vty0-4]set authentication password cipher Huawei
[R3-ui-vty0-4]user privilege level 3
[R3-ui-vty0-4]q
<R1>telnet 10.0.10.20
  Press CTRL_] to quit telnet mode
  Trying 10.0.10.20 ...
  Connected to 10.0.10.20 ...

Login authentication

Password: