
NAT Configuration on a USG Firewall

WBOY (reposted)

2023-05-17 13:25:47

USG firewall NAT configuration

Learning objectives

  • Learn how to configure NAT Server on a USG firewall

  • Learn how to configure NAT Easy IP on a USG firewall

Topology diagram

[Figure: topology diagram for the NAT configuration on the USG firewall (image not preserved)]

You are the company's network administrator. The company uses a network firewall to separate its network into three zones. A server in the DMZ zone (IP address 10.0.3.3) provides a telnet service that must be published to the outside; its public address is 10.0.10.20/24. Users in the internal Trust zone access the external zone by way of Easy-IP. Access in every other direction is prohibited. On the switch, interfaces G0/0/1 and G0/0/21 are assigned to vlan 11, G0/0/2 and G0/0/22 to vlan 12, and G0/0/3 and G0/0/23 to vlan 13, giving three separately planned network segments.

Lab tasks

Step 1. Basic configuration and IP addressing

First configure the address information on the three routers.

[Huawei]sysname R1
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.0.10.1 24
[R1-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/1
[R1-GigabitEthernet0/0/1]interface loopback0
[R1-LoopBack0]ip add 10.0.1.1 24
[R1-LoopBack0]q

[Huawei]sysname R2
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.0.20.2 24
[R2-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/2
[R2-GigabitEthernet0/0/1]interface loopback0
[R2-LoopBack0]ip add 10.0.2.2 24
[R2-LoopBack0]q

[Huawei]sysname R3
[R3]interface g0/0/1
[R3-GigabitEthernet0/0/1]ip add 10.0.30.3 24
[R3-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/3
[R3-GigabitEthernet0/0/1]interface loopback0
[R3-LoopBack0]ip add 10.0.3.3 24
[R3-LoopBack0]q

When addressing the firewall, configure G0/0/1 as 10.0.20.254/24. The management interface G0/0/0 carries a default address and DHCP server configuration, which are removed before it is readdressed.

[SRG]sysname FW
13:06:03 2014/07/08
[FW]interface g0/0/1
13:06:30 2014/07/08
[FW-GigabitEthernet0/0/1]ip add 10.0.20.254 24
13:07:01 2014/07/08
[FW-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/22
13:07:52 2014/07/08
[FW-GigabitEthernet0/0/1]interface g0/0/0
13:08:23 2014/07/08
[FW-GigabitEthernet0/0/0]dis this
13:08:31 2014/07/08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
return
[FW-GigabitEthernet0/0/0]undo ip add
13:08:42 2014/07/08
Info: The DHCP server configuration on this interface will be deleted.
[FW-GigabitEthernet0/0/0]display this
13:08:46 2014/07/08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
#
return
[FW-GigabitEthernet0/0/0]ip add 10.0.10.254 24
13:09:29 2014/07/08
[FW-GigabitEthernet0/0/0]desc this port connect to S1-G0/0/21
13:10:05 2014/07/08
[FW-GigabitEthernet0/0/0]interface G0/0/2
13:10:15 2014/07/08
[FW-GigabitEthernet0/0/2]ip add 10.0.30.254 24
13:10:28 2014/07/08
[FW-GigabitEthernet0/0/2]desc this port connect to S1-G0/0/23
13:10:53 2014/07/08
[FW-GigabitEthernet0/0/2]q

On the switch, define the vlans as required.

[Huawei]sysname S1
[S1]vlan batch 11 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface g0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1]interface g0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 12
[S1-GigabitEthernet0/0/2]interface g0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 13
[S1-GigabitEthernet0/0/3]interface g0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]interface g0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]interface g0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13

Step 2. Assign the interfaces to security zones

The firewall has four zones by default: "local", "trust", "untrust" and "dmz".

In this lab we use the "trust", "untrust" and "dmz" zones. Assign G0/0/0 to the untrust zone, G0/0/2 to the dmz zone and G0/0/1 to the trust zone. Note that G0/0/0 is a member of the trust zone by default and has to be removed from it first.

[FW]firewall zone trust
13:45:31 2014/07/08
[FW-zone-trust]dis this
13:45:35 2014/07/08
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
return
[FW-zone-trust]undo add interface g0/0/0
13:46:01 2014/07/08
[FW-zone-trust]add interface g0/0/1
13:46:22 2014/07/08
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface g0/0/0
13:47:24 2014/07/08
[FW-zone-untrust]firewall zone dmz
13:48:06 2014/07/08
[FW-zone-dmz]add interface g0/0/2
13:48:13 2014/07/08
[FW-zone-dmz]q

By default, the firewall does not allow traffic between any zones other than the local zone. To confirm that the addressing and zone configuration are correct, we first set the default packet-filter rule to permit traffic between all zones. Once this is done, test connectivity from the FW.

[FW]firewall packet-filter default permit all
13:51:19 2014/07/08
Warning: Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue.
[FW]ping -c 1 10.0.10.1
13:51:56 2014/07/08
 PING 10.0.10.1: 56  data bytes, press CTRL_C to break
   Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms
  --- 10.0.10.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 90/90/90 ms
[FW]ping -c 1 10.0.20.2
13:52:08 2014/07/08
 PING 10.0.20.2: 56  data bytes, press CTRL_C to break
   Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms
  --- 10.0.20.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 400/400/400 ms
[FW]ping -c 1 10.0.30.3
13:52:18 2014/07/08
 PING 10.0.30.3: 56  data bytes, press CTRL_C to break
   Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms
  --- 10.0.30.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 410/410/410 ms

Step 3. Configure static routes for connectivity across the network

Configure default routes on R2 and R3 and explicit static routes on the FW, so that the three loopback0 interfaces can reach each other. R1 represents the external network and does not need to know about the private networks in the internal and DMZ zones, so no default route is defined on it.

[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.30.254

[FW]ip route-static 10.0.1.0 24 10.0.10.1
13:58:26 2014/07/08
[FW]ip route-static 10.0.2.0 24 10.0.20.2
13:58:40 2014/07/08
[FW]ip route-static 10.0.3.0 24 10.0.30.3
13:58:52 2014/07/08

Test connectivity from the firewall to 10.0.1.0, 10.0.2.0 and 10.0.3.0.

[FW]ping -c 1 10.0.1.1
14:00:18 2014/07/08
 PING 10.0.1.1: 56  data bytes, press CTRL_C to break
   Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 80/80/80 ms
[FW]ping -c 1 10.0.2.2
14:00:25 2014/07/08
 PING 10.0.2.2: 56  data bytes, press CTRL_C to break
   Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms
  --- 10.0.2.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 170/170/170 ms
[FW]ping -c 1 10.0.3.3
14:00:29 2014/07/08
 PING 10.0.3.3: 56  data bytes, press CTRL_C to break
   Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms
  --- 10.0.3.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 110/110/110 ms

With the current configuration, all zones can communicate with each other and nothing is inspected. Because NAT has not yet been defined, hosts in the internal and DMZ zones still cannot exchange traffic with the external zone.

Step 4. Configure interzone security filtering

Permit packets sent from the 10.0.2.0/24 segment of the Trust zone to the Untrust zone, and permit telnet requests sent from the Untrust zone to the DMZ target server 10.0.3.3.

[FW]firewall session link-state check
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
14:06:57 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
14:07:18 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]action permit
14:07:31 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]q
14:07:40 2014/07/08
[FW-policy-interzone-trust-untrust-outbound]q
14:07:40 2014/07/08
[FW]policy interzone dmz untrust inbound
14:09:01 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound]policy 0
14:09:08 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0
14:09:37 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0]action permit
14:09:55 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]q
14:09:55 2014/07/08

Step 5. Configure Easy-IP to provide access from the Trust zone to the Untrust zone

Use Easy-IP to perform NAT source address translation, and bind the NAT policy to the outbound interface.

[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0
14:14:00 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
14:14:26 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
14:14:37 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip g0/0/0
14:14:51 2014/07/08
[FW-nat-policy-interzone-trust-untrust-outbound-0]q

After the configuration is complete, verify on R2 whether access from the Trust zone to the Untrust zone works.

ping 10.0.1.1
 PING 10.0.1.1: 56  data bytes, press CTRL_C to break
   Request time out
   Request time out
   Request time out
   Request time out
   Request time out
  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
   100.00% packet loss

ping -a 10.0.2.2 10.0.1.1
 PING 10.0.1.1: 56  data bytes, press CTRL_C to break
   Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=220 ms
   Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=100 ms
   Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
   Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=120 ms
   Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=440 ms
  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 100/196/440 ms

Note that the direct connectivity test to 10.0.1.1 fails, while the extended ping succeeds because it sends its packets with the source address 10.0.2.2. The reason is that a packet sent directly to 10.0.1.1 carries the source address 10.0.20.2, which is outside the client address range that the NAT policy translates; it leaves the firewall untranslated, and R1 has no route back to it.

Step 6. Publish the internal server 10.0.3.3

Map the telnet service of the internal server 10.0.3.3 to the address 10.0.10.20.

[FW]nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet

Enable Telnet on R3 and test from R1. Note that the published address is 10.0.10.20, so when R1 accesses 10.0.3.3 the destination address it uses is 10.0.10.20.

[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):16
[R3-ui-vty0-4]set authentication password ?
  cipher  Set the password with cipher text
[R3-ui-vty0-4]set authentication password cipher Huawei
[R3-ui-vty0-4]user privilege level 3
[R3-ui-vty0-4]q

telnet 10.0.10.20
  Press CTRL_] to quit telnet mode
  Trying 10.0.10.20 ...
  Connected to 10.0.10.20 ...

Login authentication

Password:
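To make the behaviour of steps 4 to 6 explicit, the following Python model (an added example, not part of the original article and not Huawei code) traces the three flows the lab configures: the Easy-IP outbound path, including why the untranslated source 10.0.20.2 gets no reply while 10.0.2.2 does; the effect of the default permit-all filter versus a default deny; and the NAT server mapping of the published telnet port. The rule representation and the function names are my own; the addresses, ports and policies are the ones configured in the lab.

```python
import ipaddress

# Added example (not from the original article or from Huawei): a small model of
# the lab's zone policies and NAT rules. Names and structure are constructed here.
EASY_IP_ADDR = ipaddress.ip_address("10.0.10.254")   # FW G0/0/0, the Easy-IP address
R1_CONNECTED = ipaddress.ip_network("10.0.10.0/24")  # R1 has no default route: only this segment
TRUST_NET = ipaddress.ip_network("10.0.2.0/24")      # source in both the security and NAT policies
DMZ_SERVER = ipaddress.ip_address("10.0.3.3")
NAT_SERVER = {("10.0.10.20", "tcp", 23): ("10.0.3.3", 23)}  # nat server global ... inside ...
DEFAULT_PERMIT = True  # "firewall packet-filter default permit all", as set in the lab


def trust_to_untrust(src, default_permit=DEFAULT_PERMIT):
    """Trace a packet sent towards 10.0.1.1 through the trust->untrust path.

    Returns (source address R1 sees, whether R1 can answer). None means dropped."""
    src = ipaddress.ip_address(src)
    # policy interzone trust untrust outbound, policy 0: permit source 10.0.2.0/24;
    # anything else falls through to the default packet filter.
    if src not in TRUST_NET and not default_permit:
        return None, False
    # nat-policy ... action source-nat / easy-ip g0/0/0 rewrites only matching sources.
    seen = EASY_IP_ADDR if src in TRUST_NET else src
    # R1 can only reply to addresses on its connected 10.0.10.0/24 segment.
    return str(seen), seen in R1_CONNECTED


def untrust_to_dmz(dst, proto, dport, default_permit=DEFAULT_PERMIT):
    """Trace a packet from R1 towards the published address.

    Returns (real destination, real port, permitted)."""
    # nat server is applied before the security policy, so the policy matches
    # on the inside address 10.0.3.3 rather than on 10.0.10.20.
    real_dst, real_port = NAT_SERVER.get((dst, proto, dport), (dst, dport))
    # policy interzone dmz untrust inbound, policy 0: destination 10.0.3.3, service telnet.
    if ipaddress.ip_address(real_dst) == DMZ_SERVER and proto == "tcp" and real_port == 23:
        return real_dst, real_port, True
    return real_dst, real_port, default_permit


if __name__ == "__main__":
    print(trust_to_untrust("10.0.2.2"))                  # Easy-IP source: R1 sees 10.0.10.254, reply works
    print(trust_to_untrust("10.0.20.2"))                 # R2's interface address: untranslated, no reply
    print(trust_to_untrust("10.0.20.2", default_permit=False))  # with default deny it is dropped
    print(untrust_to_dmz("10.0.10.20", "tcp", 23))       # published telnet reaches 10.0.3.3:23
    print(untrust_to_dmz("10.0.10.20", "tcp", 22, default_permit=False))  # not published: dropped
```

The third and fifth traces show what the firewall's own warning in step 2 is about: with the default filter left at permit, flows that match no explicit policy are still forwarded, so once the lab works the default should be returned to deny.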


Statement:
This article is reprinted from yisu.com. In case of infringement, please contact admin@php.cn for removal.