
Huawei Firewall NAPT, Easy-IP and NAT Server: Policies and Configuration

Published on 程序员文章站, 2022-04-09 19:41:54

NAPT configuration

[Figure: lab topology]

PC1: IP 192.168.2.100, mask 255.255.255.0, gateway 192.168.2.1
PC2: IP 100.1.1.10, mask 255.255.255.0, gateway 100.1.1.1

 

1) Lab requirements

PC1 communicates with PC2 through the address 202.106.0.100.

2) Implementation

<R1>sys
[R1]undo info enable
[R1]int g0/0/0
[R1]ip add 202.106.0.2 24
[R1]undo sh
[R1]int g0/0/1
[R1]ip add 100.1.1.1 24
[R1]undo sh
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1]q
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.106.0.2
// Configure the firewall's interface addresses and default route
[FW1]firewall zone trust 
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]quit
[FW1]firewall zone untrust 
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]quit
[FW1]security-policy 
[FW1-policy-security]rule name sec_2
[FW1-policy-security-rule-sec_2]source-zone trust 
[FW1-policy-security-rule-sec_2]source-address 192.168.1.0 24
[FW1-policy-security-rule-sec_2]destination-zone untrust 
[FW1-policy-security-rule-sec_2]action permit 
[FW1-policy-security-rule-sec_2]quit
[FW1-policy-security]quit
// Configure the firewall security policy
[FW1]nat address-group natgroup1
[FW1-address-group-natgroup1]section 0 202.106.0.100 202.106.0.100
[FW1-address-group-natgroup1]mode pat
// Set the address group mode to pat, i.e. NAPT (address plus port translation)
[FW1-address-group-natgroup1]quit
// Configure the NAT address group
[FW1]nat-policy 
[FW1-policy-nat]rule name natpolicy1
[FW1-policy-nat-rule-natpolicy1]source-address 192.168.1.0 24
[FW1-policy-nat-rule-natpolicy1]source-zone trust 
[FW1-policy-nat-rule-natpolicy1]destination-zone untrust 
[FW1-policy-nat-rule-natpolicy1]action nat address-group natgroup1
// Action: packets matching the rule are translated in NAPT mode using the address group
[FW1-policy-nat-rule-natpolicy1]quit
[FW1-policy-nat]quit
// Configure the firewall NAT policy
[FW1]ip route-static 202.106.0.100 32 null 0
// Black-hole route for the NAT global address (prevents a routing loop with R1)
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.106.0.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]ip route-static 202.106.0.0 24 202.106.0.1
// Configure the router's interface addresses and route

Verification on PC1:

[Figure: ping result from PC1]

Verification on the firewall:

[FW1]display firewall session table                   // view the firewall session table
 Current Total Sessions : 2
 icmp  : public --> public  192.168.1.2:12082[202.106.0.100:2058] --> 100.1.1
.2:2048
 icmp  : public --> public  192.168.1.2:12338[202.106.0.100:2059] --> 100.1.1
.2:2048
[FW1]display firewall server-map                   // view the firewall's Server-map
 Current Total Server-map : 0
 // NAPT translation does not create Server-map entries

 

Easy-IP configuration

The lab topology is the same as for NAT No-PAT (it can also be built on top of the NAPT lab). So that beginners can follow along, I redeploy the network devices from scratch here.

1) Lab requirements

PC1 communicates with PC2 through the firewall's interface address.

2) Implementation

<R1>sys
[R1]undo info enable
[R1]int g0/0/0
[R1]ip add 202.106.0.2 24
[R1]undo sh
[R1]int g0/0/1
[R1]ip add 100.1.1.1 24
[R1]undo sh
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1]q
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.106.0.2
// Configure the firewall's interface addresses and default route
[FW1]firewall zone trust 
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]quit
[FW1]firewall zone untrust 
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]quit
[FW1]security-policy 
[FW1-policy-security]rule name sec_3
[FW1-policy-security-rule-sec_3]source-zone trust
[FW1-policy-security-rule-sec_3]source-address 192.168.1.0 24
[FW1-policy-security-rule-sec_3]destination-zone untrust
[FW1-policy-security-rule-sec_3]action permit
[FW1-policy-security-rule-sec_3]quit
[FW1-policy-security]quit
// Configure the firewall security policy
[FW1]nat-policy 
[FW1-policy-nat]rule name natpolicy2
[FW1-policy-nat-rule-natpolicy2]source-address 192.168.1.0 24
[FW1-policy-nat-rule-natpolicy2]source-zone trust 
[FW1-policy-nat-rule-natpolicy2]destination-zone untrust 
[FW1-policy-nat-rule-natpolicy2]action nat easy-ip 
// Packets matching the rule are translated to the address of the outbound interface (Easy-IP); no address group is needed
[FW1-policy-nat-rule-natpolicy2]quit
[FW1-policy-nat]quit
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.106.0.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]ip route-static 202.106.0.0 24 202.106.0.1
// Configure the router's interface addresses and route

Verification on PC1:

[Figure: ping result from PC1]

[FW1]display firewall session table                   // view the firewall session table
 Current Total Sessions : 2
 icmp  : public --> public  192.168.1.2:12082[202.106.0.1:2073] --> 100.1.1
.2:2048
 icmp  : public --> public  192.168.1.2:12338[202.106.0.1:2074] --> 100.1.1
.2:2048
[FW1]display firewall server-map                   // view the firewall's Server-map
 Current Total Server-map : 0
 // Easy-IP translation does not create Server-map entries either

 

NAT Server configuration

1) Lab topology

2) Lab requirements

Internet users access the FTP server in the DMZ through 202.106.0.20.

3) Implementation

<R1>sys
[R1]undo info enable
[R1]int g0/0/0
[R1]ip add 202.106.0.2 24
[R1]undo sh
[R1]int g0/0/1
[R1]ip add 100.1.1.1 24
[R1]undo sh
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.106.0.2
// Configure the firewall's interface addresses and default route
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/0
[FW1-zone-dmz]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]quit
// Add the firewall interfaces to their security zones
[FW1]security-policy 
[FW1-policy-security]rule name sec_4
[FW1-policy-security-rule-sec_4]source-zone untrust 
[FW1-policy-security-rule-sec_4]destination-zone dmz
[FW1-policy-security-rule-sec_4]destination-address 192.168.1.0 24
[FW1-policy-security-rule-sec_4]service ftp
// Match only the FTP service: this is a fine-grained NAT Server; for a coarse NAT Server (all protocols) this step can be omitted
[FW1-policy-security-rule-sec_4]action permit
[FW1-policy-security-rule-sec_4]quit
[FW1-policy-security]quit
// Configure the firewall security policy
[FW1]firewall interzone dmz untrust 
[FW1-interzone-dmz-untrust]detect ftp
[FW1-interzone-dmz-untrust]quit
// Enable FTP application-layer detection (ALG); it is on by default, so this can be omitted
[FW1]nat server natserver_ftp protocol tcp global 202.106.0.20 21 inside 192.168.1.2 21
// Configure the NAT Server: natserver_ftp is the rule name; global is followed by the global address and port, inside by the real server address and port
// The inside port may be mapped to a different outside port
// The no-reverse keyword can be added so that the reverse Server-map entry is not generated
// The port information can also be omitted (the whole address is then mapped)
[FW1]ip route-static 202.106.0.20 32 null 0
// Black-hole route for the NAT Server global address (prevents a routing loop with R1)
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.106.0.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]ip route-static 202.106.0.20 24 202.106.0.1
// Configure the router's interface addresses and route

Verification

[FW1]display firewall session table 
 Current Total Sessions : 1
 ftp  : public --> public  100.1.1.2:49160 +-> 202.106.0.20:21[192.168.1.2:21]
[FW1]display firewall server-map 
 Current Total Server-map : 2
 Type: Nat Server,  ANY -> 202.106.0.20:21[192.168.1.2:21],  Zone:---,  protocol
:tcp
 : public -> public
Type: Nat Server Reverse,  192.168.1.2[202.106.0.20] -> ANY,  Zone:---,  protocol:tcp
 : public -> public,  counter: 1
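As an added example (my own code, not from the original post): a small Python checker that parses the session-table listings shown in the three labs above, rejoins the entries the CLI wraps onto a '.'-prefixed line, and audits that outbound sessions leave with the intended global source (the address-group member 202.106.0.100 for NAPT, the egress interface 202.106.0.1 for Easy-IP) and that inbound sessions through the published 202.106.0.20 only land on 192.168.1.2:21. The function names and the regex are my own assumptions; the sample listings are the ones printed above.

```python
import ipaddress
import re
# Constructed sample: the session tables printed above (NAPT lab and NAT Server lab),
# pasted as the CLI shows them, including the lines it wraps onto a '.'-prefixed line.
NAPT_TABLE = """\
 Current Total Sessions : 2
 icmp  : public --> public  192.168.1.2:12082[202.106.0.100:2058] --> 100.1.1
.2:2048
 icmp  : public --> public  192.168.1.2:12338[202.106.0.100:2059] --> 100.1.1
.2:2048
"""
NAT_SERVER_TABLE = """\
 Current Total Sessions : 1
 ftp  : public --> public  100.1.1.2:49160 +-> 202.106.0.20:21[192.168.1.2:21]
"""

# Entry layout: src:sport[gsrc:gport] --> dst:dport[rdst:rport]; brackets hold the
# translated source (NAPT / Easy-IP) or the real inside destination (NAT Server).
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s*:\s*\S+ --> \S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<gsrc>[\d.]+):(?P<gport>\d+)\])?"
    r"\s+(?:-->|\+->)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<rdst>[\d.]+):(?P<rport>\d+)\])?"
)

def unwrap(text):
    """Rejoin wrapped entries: a line starting with '.' continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(".") and lines:
            lines[-1] += raw
        else:
            lines.append(raw)
    return lines

def parse_sessions(text):
    """One dict per session entry; the 'Current Total Sessions' header does not match."""
    return [m.groupdict() for m in map(SESSION_RE.match, unwrap(text)) if m]

def audit_outbound(sessions, inside_net, expected_global):
    """Sessions from inside_net must be source-translated to expected_global."""
    net = ipaddress.ip_network(inside_net)
    return [f"{s['src']}:{s['sport']} exits as {s['gsrc']}, expected {expected_global}"
            for s in sessions
            if ipaddress.ip_address(s["src"]) in net and s["gsrc"] != expected_global]

def audit_inbound(sessions, global_ip, allowed):
    """Sessions to the published global_ip may only land on (inside ip, port) in allowed."""
    return [f"{s['src']}:{s['sport']} reached {s['rdst']}:{s['rport']} via {global_ip}"
            for s in sessions
            if s["dst"] == global_ip and (s["rdst"], s["rport"]) not in allowed]
```

Running the Easy-IP table through audit_outbound with 202.106.0.1 as the expected global address, and the NAPT table with 202.106.0.100, returns an empty list; swapping the two expected addresses flags every session, which is the quick way to confirm the NAT policy in force on the firewall.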

 

 
